4. Policy
4.1 – The Data Security and Protection Toolkit is an online self-assessment tool that Primrose Healthcare Services Ltd and all social care providers must use if they have access to NHS patient data and systems. As a result of this requirement, Primrose Healthcare Services Ltd recognizes the importance of data security and cyber protection and is committed to maintaining systems that support confidentiality and the wider understanding of how data must be
There are two stages on the pathway:
– Approaching Standards
– Standards Met
4.2 – The Data Security and Protection Toolkit allows Primrose Healthcare Services Ltd to measure its performance against the National Data Guardian’s 10 Data Security Standards, which are:
Standard 1:
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes
Standard 2:
All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches
Standard 3:
All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit
Standard 4:
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals
Standard 5:
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security
Standard 6:
Cyber attacks against services are identified and resisted. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection
Standard 7:
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management
Standard 8:
No unsupported operating systems, software or Internet browsers are used within the IT estate
Standard 9:
A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually
Standard 10:
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards
4.3 – If Primrose Healthcare Services Ltd does not provide care through the NHS Standard Contract, there is no required action to
However, it is recommended that all social care providers consider compliance with the new Data Security and Protection (DSP) Toolkit.
This will help to demonstrate best practice and ensure compliance with the 10 Data Security Standards.
4.4 – The CQC includes a focus on the use of technology and sharing information for the benefit of the care to the
Whilst the prompts under KLOE W2 do not specifically reference the Data Security and Protection (DSP) Toolkit, it details that providers should operate within a framework that demonstrates robust arrangements around the security, availability, sharing and integrity of confidential data, records and data management standards.
4.5 – It has been recognised that social care services such as Primrose Healthcare Services Ltd can be very different to health services, and this has been reflected in the revised approach to the Data Security and Protection (DSP) Toolkit for social
The requirements for Social Care have been broken down into four key areas within the DSPT.
Each category will have a subset of requirements that, once completed, will enable Primrose Healthcare Services Ltd to achieve “Standards Met” status.
4.6 – Meeting the Standards
The ‘Approaching Standards’ status was introduced as a new status available to care providers who have demonstrated good progress but have not yet reached ‘Standards Met’.
The Data Security and Protection Toolkit: Standards Met Guidance for Social Care Providers will help any providers who are working towards achieving ‘Standards Met’.
4.7 – This policy and wider data security management are supported by the comprehensive range of data protection policies, templates and guidance that are available within the QCS Management System. This Data Security and Protection (DSP) policy will support Primrose Healthcare Services Ltd in understanding responsibilities with regard to data management and security. When the Toolkit is completed, it will support compliance with data protection requirements, and add to Primrose Healthcare Services Ltd's assurances regarding:
In addition, it will provide supporting evidence towards meeting the CQC KLOEs.