Requirements for toolkit
As you embark on a toolkit submission mission, you will find that there are requirements above and beyond what is mandated for by the University by and large. This is because we are obligated to maintain the same level of assurance as the National Health Service (as outlined in the data security standards) when handling health and social care information for research, and play our part in maintaining the public trust in the health service and in research as a community.
First things first- Scoping
One of the most important decisions you’ll need to make when embarking on a toolkit completion is the scope. You may wish to undertake toolkit submission as a single research group, as a unit that undertakes high risk research activities within the department, or simply as a collection of research projects operating under the same policies. Either way, NHS Digital can facilitate either approach technically.
Contractually speaking, NHS Digital can audit the University on a number of levels: either by a Data Sharing Agreement (DSA) which was agreed when requesting data, or by a DSPT which can cover more than one data sharing agreement, or more than one research group. The worst case scenario is that they may invoke their right to refuse further sharing of data based on the audit results. You must then ask yourself what impact it will have on the research activities if this happens (even though this may be unlikely), and decide whether to accept the risk, or alternately reduce the risk by controlling the toolkit scope.
An information Security good practice is to always start with a tightly controlled environment, then expand out, rather than having everything within the scope (without having clear understanding of the compliance status of each of the projects).
As this is a compliance activity, knowing exactly what data flows need to adhere to the toolkit is key to understanding and managing the risk within your unit.
Taking Ownership and Assigning Responsibilities
Once you’ve understood the scope of activities that need to be compliant with the toolkit, you can then map out the roles and responsibilities for managing compliance. You will need to assign responsibility for Senior Information Risk Owner (SIRO), Caldicott Guardian should it be applicable, as well as the role of Information Governance (IG) Lead.
Additional roles that could supplement this framework is by assigning Information Asset Owners (IAO), and Information Asset Administrators (IAA) (where a toolkit covers more than one Data Sharing Agreement). They may have hands-on knowledge of the project, and data flows and may be in a better position to provide information around local incidents and assets and software used to process the data provided by NHS Digital.
These roles may sit at the departmental level, or across research themes. Either way, the overall organisational line of accountability for information risk is essential.
We are working with the Information Compliance team and the Data Privacy Champion to co-ordinate the collection and dissemination of answers that are applicable at a University level. This will be published here in due course. Please get in touch at firstname.lastname@example.org should you have any further enquiries.
Check whether there is a toolkit already in place for your unit
If you do, get in touch with the unit head to discuss how to work under the toolkit policies and procedures
If not, you will need to create a new toolkit
Register for an account within the toolkit
You will need your Organisation Code as per NHS, which can be found here
You will need to register as a researcher/department
A University, as per the toolkit, is classified as a large organisation, with all its health and social care data in scope. A researcher/department allows you to define the scope more tightly, and to have to comply with less assertions, due to the lower level of risk within a ‘small organisation’.
You will automatically be assigned the main applicant, or the toolkit owner
Please ensure that the ownership of the toolkit is assigned to the right individual
As the toolkit owner, you then can create further accounts (if needed)
You may wish to use this feature if you have a number of people (i.e. an IG lead, a compliance, or privacy officer, and a research facilitator or IT manager) all working on the same toolkit application, each with their own set of assertions they need to respond to
You can also assign each staff/ individual working on the toolkit assertions in particular
The staff members, once created, can then be assigned these assertions, so that they can add in the information directly on the system. Alternately you can do this offline as well.
Complete the assertions as applicable to the toolkit as a 'researcher/department' (small organisation)
Answers that can be answered across the University have been added to the MSD IGO sharepoint for DSPT, along with links for evidencing and template materials which can be accessed to complete the toolkit.