NHS Data Security and Protection Toolkit (DSPT): A Guide for Organisations and Their Auditors
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool managed by NHS England that allows organisations to measure their performance against the National Data Guardian's ten data security standards. Any organisation that has access to NHS patient data and systems is required to complete the DSPT annually. This includes NHS trusts, GP practices, clinical commissioning groups, local authorities, and the growing number of private sector suppliers and technology providers that process NHS data.
What is the DSPT and why does it matter?
The DSPT replaced the former Information Governance Toolkit in 2018 and is aligned with the National Data Guardian's ten data security standards, which themselves draw upon the Caldicott Principles and the UK GDPR. Completing the DSPT is not optional: it is a contractual requirement under the NHS Standard Contract and the Data Processing Agreement for non-NHS organisations. Failure to achieve a 'Standards Met' status can result in the loss of access to NHS systems such as NHSmail, the NHS network (HSCN), and national clinical systems.
Who needs to complete the DSPT?
- NHS trusts and foundation trusts, including acute, mental health, community and ambulance trusts.
- GP practices and primary care networks.
- Clinical commissioning groups and integrated care boards.
- Local authorities that provide social care or public health services and access NHS data.
- Private sector suppliers, software vendors and IT service providers with access to NHS patient data or systems.
- Pharmacies, opticians and dental practices that connect to NHS systems.
Annual submission requirements
Organisations must publish their DSPT assessment by 30 June each year. The toolkit contains a series of assertions grouped under the ten data security standards, covering areas such as staff training, managing data access, responding to incidents, continuity planning and ensuring accountability. For each assertion, the organisation must provide evidence demonstrating compliance. The level of evidence required varies by organisation type, with NHS trusts facing more extensive requirements than smaller GP practices or suppliers.
The ten data security standards
| Standard | Focus area |
|---|---|
| 1. Personal confidential data | Staff understand their responsibilities for handling personal confidential data |
| 2. Staff responsibilities | Staff are appropriately trained and supported to handle data securely |
| 3. Training | All staff complete annual data security awareness training |
| 4. Managing data access | Access to personal data is controlled and only granted where appropriate |
| 5. Process reviews | Processes are reviewed to ensure they comply with data security standards |
| 6. Responding to incidents | Cyber security incidents are identified, reported and investigated |
| 7. Continuity planning | Plans are in place to respond to data security threats and ensure continuity |
| 8. Unsupported systems | No unsupported operating systems, software or internet browsers are used |
| 9. IT protection | A strategy is in place to protect IT systems from cyber threats |
| 10. Accountable suppliers | IT suppliers are held accountable for protecting data they process |
How an IT audit supports DSPT compliance
An independent IT audit provides valuable support for DSPT compliance in several ways. Auditors can conduct a gap analysis before your submission deadline, identifying areas where your evidence is insufficient or your controls need strengthening. For NHS trusts and larger organisations, an independent audit of the DSPT submission is often required by commissioners and regulators. The auditor will verify that the evidence submitted genuinely reflects the organisation's practices, test the effectiveness of technical and organisational controls, and provide recommendations for improvement. This independent assurance helps build confidence amongst patients, commissioners and partner organisations.
Need help with your DSPT submission or looking for an independent audit of your data security controls? IT-Audit Directory connects you with IT auditors experienced in NHS data security requirements across the United Kingdom. Compare providers by specialism to find the right support for your organisation.