Changes to the Data Security and Protection Toolkit 25/26

In a previous Digital Bulletin, I said that it looked like there wouldn’t be any significant changes to the 25/26 DSPT. DHSC have just announced that there have been changes to the existing questions, plus two additional mandatory questions and several new non-mandatory questions, bringing the total number of questions in the Standards Met DSPT to 45.

The 25/26 DSPT should go live on Monday September 1st.

Digital Care Hub will be running an online workshop to review all of the changes on October 1st at 14:30 and you can register here.

You can also message RCPA’s Daniel Plummer for any questions and support related to the 25/26 DSPT. Daniel.plummer@rcpa.org.uk

New mandatory questions

4.3.1 Question – Have all the administrators of your organisation’s IT system(s) signed an agreement to hold them accountable to higher standards?

Tooltip – The people within your organisation who are IT system administrators may have access to more information than other staff. Therefore, they need to be held accountable in a formal way to higher standards of confidentiality than others.

This requirement also applies to IT system administrators working in external companies who support your organisation’s IT systems. The formal agreement could be part of a job description, or of a contract with your IT support company and/or system supplier(s).

If your organisation does not use any IT systems, then ‘tick’ and write “Not applicable” in the comments box.

7.1.1 Question – Do you have a digital asset register detailing your organisation’s hardware and software, which is kept up to date?

Tooltip – The digital asset register is a list of digital devices (hardware) and computer software your organisation uses. The register should have been reviewed at least once in the last 12 months.

You can keep a separate list of digital assets or combine it into one document with your Information Asset Register (see 1.1.2). An example digital asset register will be available on Digital Care Hub soon; a link will be provided via the DSPT website.

New non-mandatory questions

1.3.6 Question – What are the top three data and cyber security risks in your organisation, and how does your organisation plan to reduce those risks?

Tooltip – All organisations have risks and should be able to identify what they are. Thinking about your responses to all of the questions in the toolkit, consider which three areas carry the most risk for your organisation.

Provide a brief headline for each risk and say what your organisation plans to do to reduce that risk.

4.4.1 Question – The person with responsibility for IT confirms that IT administrator activities are logged and that those logs are only accessible to appropriate personnel.

7.1.5 Question – Your asset register prioritises assets according to their importance, and includes the dependencies (such as power, cooling, data, people etc.) that support those assets.

7.3.6 Question – Are your backups kept separate from your network (offline) and secured from unauthorised access?

8.3.8 Question – Your organisation is registered for, and actively using, the NCSC Early Warning service.

8.4.3 Question – You identify and understand security vulnerabilities in your systems, such as through regular vulnerability testing.

Questions & tooltips whose wording has changed but whose meaning largely remains the same

The changes range from simple additions to the tooltip to a rewording of the whole question.

1.3.1 – The tooltip has been updated and now expects your privacy notices to be available in a range of formats.

1.1.5 – The question has been reworded. It previously asked who has responsibility for data security; it now reads: Your organisation’s approach to security is owned and directed by senior responsible individuals, with regular discussions driven by individuals who have overall accountability for security.

1.3.1 – The question about which data protection policies you have in place has been updated to expect that your policies align with good practice and, where applicable, national policies.

3.2.1 – The tooltip for the requirement that 95% of staff are trained in data security now asks you to consider your training methods so that all staff are reached by the training.

7.1.2 – The tooltip on business continuity now expects you to share your business continuity plan with other organisations and stakeholders.

7.3.4 – The tooltip on data backups now expects your plan to state which systems need to be restored and in what order.

8.3.5 – The question on keeping software up to date now also asks how you ensure that updates are applied promptly.
