checklist
DSPT Evidence Checklist
A practical DSPT evidence checklist for UK care providers: the policies, records and technical controls to gather before you declare Standards Met.
Related service: DSP Toolkit (DSPT)
Use this checklist to gather the evidence that supports your Data Security and Protection Toolkit (DSPT) assertions before you submit. The DSPT publication deadline is 30 June each year, so aim to have these items in place well ahead of that date. Tick each item once you hold a current, dated record you could show an assessor. New to the toolkit? Start with our guide to the DSPT.
Governance and accountability
- Named senior person accountable for data security (often the SIRO or an equivalent lead) recorded in writing
- Named Caldicott Guardian where you handle patient/service-user confidential information
- Data Protection Officer (DPO) appointed or a documented decision on why one is not required
- Information governance responsibilities written into relevant job descriptions
- Board or management-level review of data security discussed and minuted at least annually
Policies and procedures
- Data protection and confidentiality policy, dated and version-controlled
- Data security / acceptable use policy covering staff use of devices and systems
- Records management and retention schedule
- Data quality procedure
- Incident and near-miss reporting procedure, including how to report a breach
- Business continuity / disaster recovery plan covering loss of IT and data
Staff training and awareness
- Annual data security and protection training completed by all staff (target: at least 95% of staff)
- Training completion records dated within the current assessment year
- Induction covering data handling for new starters
- Evidence that staff know how to report an incident
Records of processing and information assets
- Record of Processing Activities (ROPA) covering what personal data you hold and why
- Information asset register listing systems, devices and where data is stored
- List of data flows in and out of the organisation
- Data sharing agreements or contracts with third parties who process data on your behalf
Technical and cyber security controls
- Supported, up-to-date operating systems and software (no unsupported versions in use)
- Antivirus / anti-malware deployed and updating on all devices
- Firewall or equivalent boundary protection in place
- Automatic security updates enabled, or a documented patching routine
- Unique user accounts with no shared logins; administrator access restricted and recorded
- Multi-factor authentication enabled on email and remote access where available
- Encryption on laptops, mobile devices and removable media
- Regular, tested backups stored separately from live data
Incident readiness
- Process to notify the ICO within 72 hours of becoming aware of a reportable personal data breach
- Route to report incidents to NHS England via the DSPT where required
- Log of incidents and the lessons learned from them
Third parties and supply chain
- Assurance that key IT suppliers meet appropriate security standards
- Cyber Essentials certificate (yours or your provider’s) where relevant
- Contracts include data protection and security clauses
Working through the DSPT for the first time, or need a second pair of eyes before you declare Standards Met? We can help you gather and map this evidence as part of a fixed-fee engagement — see our DSPT support service.