Patient data application under a DSP toolkit

As a researcher in need of a Section 251 Confidentiality Advisory Group (CAG) approval, or as a researcher who would like secondary use data from the national data custodians within England and the UK, you are required to have organisational governance processes and controls in place to facilitate the safe and secure processing of patient information outside of the National Health Service and outside of a primary care setting.

In the past year, the Information Security Team, as part of MSD IGO-as-a-Service, have developed a strategy and framework for applying for the Data Security and Protection Toolkit (DSP Toolkit) at a unit or departmental level for staff in the Medical Sciences Division. In addition, we submitted a toolkit for the division under the researcher/department scope to allow for a less burdensome research data application process for research staff in units without a toolkit submission or IG staff in place to support this. This guide describes the requirements for research projects to be affiliated with a department-agnostic, system-specific toolkit application for their data application needs.

At a glance

  • Check whether you require a DSP Toolkit reference as an assurance for research data application
  • Check whether your department already has a DSP Toolkit in place
  • Get in touch if the MSD IT High Compliance System can be used to process your research data



What you need to do

Before you embark on a DSP Toolkit application, make sure you check whether you’re based in a department that already has a toolkit in place.

How to do this:

What to do:

  • If you have a toolkit in place in the Department: speak to your unit’s IG lead about being included in the scope for the toolkit

  • If you do not have a toolkit in place in your unit: continue reading to assess whether the University toolkit would be a suitable alternative

Selecting IT Systems:

The DSP Toolkit for the Medical Sciences Division is primarily designed for studies that wish to become compliant with the requirements for the toolkit for the purposes of limited processing of identifiable data without consent (i.e. with a Section 251 approval). The primary requirement for this is that you receive and process the datasets within the MSD IT’s High Compliance System. Read about the service here.

Please contact the MSD IT Services Systems Team for more information or if you want to start using the High Compliance System.

Please note that the High Compliance System is currently not intended to be a repository or archive of sensitive data, but rather a controlled environment within which sensitive data can be manipulated and de-classified for further processing as required by regulatory bodies.

If your requirements for data use are not compatible with the MSD IT’s High Compliance System offering, please get in touch with your Departmental IG lead to request support for a DSP Toolkit application as soon as possible. Limited support for this can be provided to IG leads as per our guide here.

Defining the scope:

The first question to ask is whether you’re already in the throes of a data application or IRAS/Section 251 application process, or whether you’re considering this at an earlier stage in your study. If you’re in need of a toolkit application in order to renew an existing data sharing agreement which was previously approved through other means, please let us know at

In any case, the scope for the toolkit application would be strictly limited to the data that is shared under a Data Sharing Agreement with NHS Digital. If you are requesting data from Public Health England (PHE) or another data provider under the toolkit application, these datasets would also need to sit within MSD IT’s High Compliance System in order to be included in the scope for the toolkit.

That being said, it’s worth considering the project data flows, and data management at a project level in order to help you assess which of the data flows would and wouldn’t fall under the requirements for the DSP Toolkit.

So how do you decide which data flows would fall under toolkit scope?

You define the requirements for Confidentiality, Integrity, and Availability of the datasets collected and processed throughout the project lifecycle. Some of the data flows would inevitably have a higher requirement than the others, due to conditions from the sponsors, the funders, data providers, and/or clinical partners. For research handling personal identified or identifiable data from NHS England, it is a requirement that you also define the legal basis under GDPR, as well as the legal basis under the Common Law Duty of Confidentiality, for all processing of data.


Your departmental or divisional Data Privacy champion can help you understand your obligations for data privacy for research under GDPR. 

All research which includes processing personal identified or identifiable data (including pseudonymised data) should undertake a Data Privacy Screening Assessment and, subsequently, as indicated by the screening, either a Data Privacy Impact Assessment or a lighter touch Data Privacy Assessment. For new applications this procedure is likely to be integrated into the ethical review or sponsorship process.

You will also be expected to provide privacy notices (also termed transparency information) either within the context of participant information sheets or as stand-alone notices on your study website.

If you process identifiable or pseudonymised data in order to anonymise it, then you should undertake a screening and assessment. If you receive de-identified (i.e. anonymous) data from some providers, the agreement may require you to publish a privacy notice.

Common Law Duty of Confidentiality

For Common Law, the legal bases for research are either participant consent, or Section 251 approval from the Confidentiality Advisory Group (CAG). Get in touch with your sponsor, and the research contracts specialists team, to find out more about making data applications and planning your research data applications early on in research.

The good practice guide on data protection and confidentiality for research, as defined by CUREC, advocates the de-identification of participant information at the earliest opportunity possible.

Please contact us at if you need help with drafting data flows and clarifying requirements for confidentiality, integrity, and availability for your project datasets or for clarifying contact points for your research paperwork. 

Asset Register:

Once the relevant privacy requirements are completed, you need to complete the following asset register, to be answered at the project level, and verified by the Information Security Team via

The asset register is intended to be a repository of information around the project. Covering people, processes, and technology, the scope of the asset register should include information about the project, the data, the staff who will handle the data, the location of transparency information, as well as records of checks and reviews on the training status, system updates, and data retention requirements for the data flows within the scope of the DSP Toolkit.

The Projects tab requires you to note down the objectives, data requirements, as well as funders, data providers, and transparency information links.

The Roles and Training tab will need you to note down the staff involved in the handling of patient information, their roles in the project, and their requirements and records of training in Information Security and Privacy. Using the template Training Needs Analysis document, read through and complete the activity with support from your IG lead or the Information Security Team. Once you’ve identified and allocated the necessary IG roles and responsibilities, ensure your staff complete the available training and provide you with a copy of the certificate. This will need to be kept in a restricted location, and its link provided in the asset register in the required field.

The Data Holdings tab should include information on all the data sources included in the project. This should include data requested from data custodians both national and international, even if only NHS Digital or Public Health England datasets may fall within the scope of this application. Including the Data Sharing Agreement references relating to the various data flows would help you draft the requirements for data security, processing, and destruction.

The Systems and Software tab should include, by staff member within the project, a list of all the systems and software used in your research. For those wishing to be included in the University DSP Toolkit scope, you should only be using the MSD IT High Compliance System.

Last but not least, the Incidents tab is an ongoing record of any data security incidents and near misses. For Personal data breaches, you are required to report this immediately to, who are the authority for investigating and reporting data breaches on behalf of the University. For any security incidents, report to and complete the asset register to investigate root cause and add mitigating controls to prevent recurrence as part of good practice in research.

Once all but the last of the tabs are completed, send this to We will then reply to request access to review and verify the information you gave us in the asset register. This may be as a minuted meeting, or email correspondence, typically. We may conduct additional checks, policy reviews, and/or security risk assessments before including your project in scope of the DSP toolkit for the division. This will be typically an email confirmation of the toolkit scope expansion. NHS Digital shall be verifying the scope of the DSP toolkit for each relevant DARS or CAG application, and we shall respond accordingly with verification email and supporting documents on your behalf, so please ensure all relevant documents are completed, kept up to date, and kept safe for review.

As an ongoing activity for the duration of the project data requirements, there shall be annual reviews and compliance checks, and you are required to maintain the asset register information and update it as required. At the end of the data retention period, you would need to renew the data application, or request data destruction from the MSD IT team.

You are required to update the asset register:

  • When staff roles and responsibilities change
  • When staff join, move, or leave the project or department
  • Annually for training data
  • As and when there are data breaches or near-misses
  • At the end of data retention periods or when data provider requirements change
  • When systems and software used are updated
  • When project data requirements change
  • When data is archived or destroyed
  • When project closes

What we will do:

The Information Security Team will work through and double-check your Training Needs Analysis documentation, Completion of Training, and your Business Continuity Planning for Research, and refer to the Data Privacy and Information Compliance Team for completion of Data Privacy by Design Procedures before confirming that your project has been added to the scope of the toolkit.


Get in touch with us at for more information and support.


The DSP Toolkit is a widely used standard for demonstrating that an organisation has the appropriate data security and protection in place to facilitate the safe handling of patient information, in order to enable data flows without consent, or patient data for research purposes. Although it is designed to be typically completed by NHS, CCG and health and social care organisations, the Higher Education and research sector has to abide by a subset of these requirements in order to facilitate safe handling of patient data.

For more information on Applying to DSP Toolkit, please check out our introductory guides here and find out how to make a data application to NHS Digital.

The 10 Data Security Standards

The National Data Guardian’s Review of Data Security, Consent and Opt-Outs sets out ten data security standards clustered under three leadership obligations to address people, process and technology issues. The Data Security and Protection Toolkit is largely seen as a way to embed the standards into everyday working practices.

Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.

Data Security Standard 1

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes


Data Security Standard 2

All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches

Data Security Standard 3

All staff complete appropriate annual data security training and pass a mandatory test, provided through the DSPT



Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.

Data Security Standard 4

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals


Data Security Standard 5

Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security


Data Security Standard 6

Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection (NB: University requires incidents to be reported to within 4 working hours of discovery).


Data Security Standard 7

A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management


Leadership Obligation 3: Technology: ensure technology is secure and up-to-date.

Data Security Standard 8

No unsupported operating systems, software or internet browsers are used within the IT estate.


Data Security Standard 9

A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually


Data Security Standard 10

IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards