
Frequently asked questions

This list will be subject to ongoing review (updated 5 April 2018).


Q – (INCIDENT REPORTING) If my organisation suffers a data breach / incident, should this be reported via the Data Security and Protection Toolkit, or the old IG Toolkit?

A – Please continue to use the IG Toolkit 14.1 SIRI tool for incident reporting.

We are, however, working with the Information Commissioner’s Office to develop a new GDPR-compliant service prior to 25 May 2018 as part of the Data Security and Protection Toolkit. Further updates will be made available via the news page.


Q – (ORGANISATION PROFILE) We run a hospital but also some GP practices. Which sector should we choose?

A – You should pick the sector which reflects the largest bulk of the work you undertake as an organisation. We will be introducing functionality later in the year to allow organisations to report into other sectors where appropriate.

For more information, please see “organisation types” guidance, available via the help menu.


Q – (ORGANISATION PROFILE) The organisation profile asks if I have NHSmail. I don’t, but I do use another secure email provider (e.g. Office 365). Please can this be added to the organisation profile?

A – Where an organisation confirms NHSmail is the only email system used, there are (up to) three evidence items which the organisation no longer needs to provide.

We recognise that NHSmail is not the only secure email service; however, at this stage we do not intend to add further options.

We do not believe it is feasible for organisations to reliably and consistently self-certify that they have an alternate secure email service, in a way which avoids adding additional complexity and burden to the organisation profile process for all users.

This will be kept under review.


Q – (ORGANISATION PROFILE) Once I have completed my organisation profile, can my responses be changed?

A – Yes, an organisation profile can be changed at any time by an administrator, by using the admin menu. For example, your organisation may gain Cyber Essentials PLUS accreditation during the year, and you may wish to update your organisation profile accordingly.


Q – (THE STANDARD) Do requirements vary between sectors?

A – Yes, the assertions and evidence items are tailored depending on your organisation type. For example, a domiciliary care organisation will see a sub-set of those items which an Acute Trust (for example) would be expected to provide, and the language will be tailored to be appropriate for a smaller organisation.


Q – (THE STANDARD) What has happened to level 1, 2, 3? What does ‘good’ look like? 

A – The new toolkit does not feature levels 1, 2 and 3. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’.

Further guidance on what constitutes a “good” self-assessment will be provided during 2018, along with guidance to support new, smaller organisations to meet the expected standard.


Q – (GENERAL) Our company is made up of several divisions… should we complete one assessment or one for each division?

A – The general guidance on which organisations need to complete the toolkit is unchanged.

If you are a single legal entity and have a single ICO registration but have multiple sites, one toolkit could cover them all. If you have multiple legal entities, with multiple ICO registrations, it is unlikely that a single toolkit will cover everything. We would be happy to discuss how atypical organisations can make best use of the toolkit.


Q – (GENERAL) Please can the assertions and evidence items be numbered for ease of reference?

A – This has not been implemented because requirements differ between sectors. One organisation’s “2.4” may be different to another organisation’s “2.4”, which may cause confusion. In addition, requirements may be added or removed over time, which would further complicate any numbering system.

We will speak to users over the coming months to explore this matter further.


Q – (GENERAL) What does “beta” mean?

A – The “beta” logo indicates that the service is still subject to further development. For more information, please see the “system changes and release notes” article on the news page.


Q – (GENERAL) What can different user roles (admin, member and auditor) do?

A – For full details, please refer to section 2.1 of either the quick start guide or the administrator guide, available via the help menu.

In summary: auditor users have “read only” access. Members can add/edit evidence (and confirm assertions where they are the owner). Administrators can add evidence, confirm assertions, allocate assertion owners, complete the organisation profile, publish assessments and create/edit users for their own organisation.


Q – (IG TOOLKIT ACCESS) Will we still be able to access the old toolkit for a period to access past reports?

A – Yes, this will remain available throughout 2018/19 and would only be discontinued with prior notice.


Q – (REPORTING) As a CCG, can we quickly identify the status of providers in our area?

A – This functionality will be developed in 2018/19. Information from IG Toolkit 14.1 published assessments will be made available in the usual way.


Q – (BULK SUBMISSIONS) We are a pharmacy chain, where is the bulk submission function?

A – It is planned to be released later this year. Please begin work on your HQ assessment to familiarise yourself with the evidence items and what pharmacies will have to undertake.


Q – (TRAINING) Staff surveys and the e-learning for health data security training are frequently mentioned within the toolkit. Do we have to use this training? Will the e-learning for health system automatically feed the DSP?

A – Organisations are encouraged to use the national e-learning for health training tool.

Use of local training is, however, acceptable where the SIRO (or equivalent) has formally confirmed that local training is of an equivalent or higher standard.

Where the Data Security and Protection Toolkit requests training KPIs, these should be entered on the system manually (our user research to date has indicated that users prefer no automation).


Q – (SUPPORT) Who should I contact if I have any queries?

A – Please contact the helpdesk if you have any queries. Contact details are available from the contact us page.

We appreciate your feedback, but please note that we are unable to respond to specific queries raised through the ‘feedback’ function. Please use the helpdesk for this purpose.