The clinic had been receiving NHS-referred patients for several years but had never formally evidenced their compliance with the Data Security and Protection Toolkit. Their commissioning team had written to warn them that referrals would be paused unless they submitted a completed assessment within 8 weeks.

The practice manager was handling everything from booking to invoicing with no IT background. Their setup was a mix of a cloud-based clinical system (Cliniko), a shared Windows laptop two physios used for report writing, personal email addresses for all staff communication, and a consumer Dropbox account where patient letters were being stored. None of the staff had received any formal data protection training.


WHAT WE DID


We began with a data mapping exercise, walking through every system the clinic used, what patient data passed through it, who had access, and whether it was encrypted in transit and at rest. The biggest gaps against the DSP Toolkit's 10 data security standards were: unencrypted devices, no formal access control policy, patient data in a personal Dropbox account with no data processing agreement, and no evidence of staff training.

We moved the clinic onto Microsoft 365 Business Basic, giving each staff member a proper email address, OneDrive for Business with encryption and audit logging, and Teams for internal communication. The two shared Windows laptops were enrolled in Intune, BitLocker was enabled, and a basic compliance policy was applied requiring a PIN and automatic screen lock. The Dropbox account was retired and all files were migrated to a permissioned SharePoint library. We ran a 90-minute staff training session with signed completion records, then helped the practice manager work through the DSP Toolkit submission question by question, supplying screenshots, policy documents, and training records for each assertion.

SERVICES INVOLVED

  • Microsoft 365 Migration
  • Device Management (Intune)
  • DSP Toolkit / Compliance Support
  • Staff Security Training