Security assurances required for applications to the CAG - Update to DSPT assurances in England

Last updated on 4 Oct 2024

Background

It is a policy of the Department of Health and Social Care that all bodies processing patient information in England provide assurances via the Data Security and Protection Toolkit (DSPT). This is undertaken on a yearly self-assessment basis, with the outputs published on the NHS England website (NHS England - DSPT toolkit).

It is also a policy position of the Department of Health and Social Care that all bodies processing confidential patient information in England under a CAG application have their DSPT self-assessment submission additionally reviewed by NHS England, to provide assurances that the organisation has achieved the appropriate ‘standards met’ status. This is required annually for the duration of the support. The NHS England assurance is provided on an organisation basis. Once the assurance is provided it is valid for all studies within the organisation to process confidential patient information without consent.

Please note that evidence is required that NHS England have reviewed the organisation’s DSPT and determined that standards have been met. Evidence of the organisation’s self-assessed grade is not sufficient.

How to provide security assurance for ‘section 251’ applications.

In order to provide evidence that DSPT standards have been met, you should undertake the following:

  1. Contact the DSPT Team at NHS England (exeter.helpdesk@nhs.net) to request review of organisational DSPT submissions relevant to the CAG application. Do not contact any other function within NHS England as you may be given inaccurate advice.
  2. Provide the following in the email:
    1. Inform them a review of the relevant DSPT submission is required to progress a ‘section 251 application’
    2. The CAG application reference number(s) (if known)
    3. The full name of all organisations physically processing information under support under the CAG reference number
    4. The relevant DSPT submission references / ODS Code (if known)
  3. Once complete, NHS England will email you directly to confirm ‘Standards Met’ in relation to the review.
  4. This email will be copied to the CAG and include the application reference.

What version of DSPT is accepted?

We are currently accepting NHS England confirmation of security assurances for the 2023/24 DSPT submission.

The 2023/24 organisation DSPT deadline for publication was 30 June 2024. From this date we have transitioned from accepting NHS England DSPT assurances from 2022/23 to 2023/24. The table below shows the deadline after which the 2022/23 DSPT assurance will no longer be accepted.

Please note that for submissions that are being processed prior to 16 August 2024 the Confidentiality Advice Team will provide early advice on the DSPT status to enable applicants to request the relevant DSPT assurances from NHS England as early as possible to prevent any delays in support. Applicants who are preparing submissions in the near future are strongly encouraged to contact NHS England (exeter.helpdesk@nhs.net) to arrange for the 2023/24 DSPT submissions to be reviewed.

| Submission Type | Deadline Date | Version of DSPT Accepted |
| --- | --- | --- |
| New or resubmitted application | All outcomes issued after 16 August 2024 | 2023/24 DSPT |
| Response to a provisional outcome | Outcome issued after 16 August 2024 | 2023/24 DSPT |
| Amendments | Outcome issued after 16 August 2024 | 2023/24 DSPT |
| Annual Reviews | Review completed after 16 August 2024 | 2023/24 DSPT |

Security assurances for organisations processing confidential patient information generated within Wales.

Security assurances for confidential patient information generated within Wales are provided by either a Caldicott Principles in Practice (CPiP) Report or a completed Welsh Information Governance Toolkit. The relevant CPiP out-turn report, or IG Toolkit, is provided directly by Digital Health and Care Wales (DHCW) to CAG.

Alternatively, where a Welsh organisation has a DSPT assured by NHS England this will also be accepted.

Security assurances for organisations processing confidential patient information generated within Scotland.

An approval letter from the Public Benefit and Privacy Panel (PBPP), where processing is taking place in Scotland, is accepted as evidence of adequate security assurance for organisations in Scotland.

Alternatively, where a Scottish organisation has a DSPT assured by NHS England this will also be accepted.

If you have questions about security assurances please email cag@hra.nhs.uk