Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.

The Data Security and Protection Toolkit replaced the previous Information Governance toolkit in April 2018.

This year 2018/19 saw the first Bridgewater submission of the toolkit

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

The trust was able to demonstrate that it met all 10 standards:

  1. Personal Confidential Data
  2. Staff Responsibilities
  3. Training
  4. Managing Data Access
  5. Process Reviews
  6. Responding to Incidents
  7. Continuity Planning
  8. Unsupported Systems
  9. IT Protection
  10. Accountable Suppliers

More information about the DSPT can be found at:

What is data protection by design

Data protection by design is ultimately an approach that ensures we consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.

  • We will put in place appropriate technical and organisational measures designed to implement the data protection principles; and
  • integrate safeguards into our processing so that we meet the General Data Protection Regulations (GDPR) requirements and protect the individual rights.

Data protection by design has broad application and to ensure we embed data protection by design into Bridgewater, a Data Protection Impact Assessment  (DPIA) will be completed whenever we intend to implement a new system and/or change and existing system or change the purpose of processing personal information.

Since GDPR was implemented Bridgewater has undertaken 3 Data Protection Impact Assessments (DPAIs).

What is data protection by default?

Data protection by default requires us to ensure that we only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.

We have to process some personal data to achieve our purpose(s). Data protection by default means we need to specify this data before the processing starts, appropriately inform individuals and only process the data we need for our purpose.

How do we do this in practice?

We have  developed a set of practical, actionable guidelines that we use in our organisation (DPAI), framed by our assessment of the risks posed and the measures available to us.

The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:

  • We consider data protection issues as part of the design and implementation of systems and services.
  • We make data protection an essential component of the core functionality of our processing systems and services.
  • We only process the personal data that we need in relation to our purposes(s), and that we only use the data for those purposes.
  • personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
  • the identity and contact information of those responsible for data protection are available both within our organisation and to individuals.

For further guidance on how we keep your information secure, please read the Privacy Notice.

View our Patient Privacy Notice.