Data Security & Protection Toolkit (DSPT)
DSPT, without the panic.
We help NHS and care-sector organisations understand and complete the Data Security and Protection Toolkit – in plain English, without tick-box overload.
- Clear explanation of what DSPT actually expects.
- Help mapping what you already have – policies, IT controls, training – to toolkit requirements.
- Guidance on technical controls (Cyber Essentials, testing, monitoring) that support DSPT.
- Support for NHS organisations, GP practices, dentists, pharmacies and social-care providers.
Tell us what type of organisation you are and where you are with DSPT. We'll review and suggest clear next steps.

Built around NHS & social care needs
Support that respects your reality – limited time, tight budgets, and the pressure to keep access to NHS systems and contracts.
What is the Data Security and Protection Toolkit?
The Data Security and Protection Toolkit (DSPT) is an online self-assessment for organisations that access NHS patient data or NHS systems. It asks you to show how you keep information secure – both digitally and on paper.
By completing DSPT, you demonstrate that your organisation is meeting key data protection and cyber security expectations set by health and social care regulators.
For many NHS bodies, primary care providers, social-care organisations and their suppliers, DSPT is not optional. It is a condition of accessing NHS systems and data, and a way of showing commissioners and service users that you take information security seriously.
The toolkit is updated annually and includes standards, assertions and evidence items. Your submission shows your current level of maturity and where you plan to improve over time.
Who DSPT applies to.
In simple terms: if you access NHS patient data or NHS digital services, you are very likely expected to complete DSPT regularly.
NHS organisations
NHS trusts, ICBs and other NHS organisations that handle patient data or use national NHS digital services.
Primary care
GP practices, dentists and community pharmacies using NHS systems and handling patient records.
Social care providers
Adult social care providers, home-care agencies and supported living services connected into NHS or local authority systems.
Charities & private providers
Voluntary and private organisations that use NHS data or systems as part of delivering care or related services.
Suppliers & partners
Technology, data and service suppliers that connect into NHS digital services or process NHS patient data.
Letting DSPT lapse or failing to publish can affect contracts, commissioning decisions and access to NHS systems – which is why many organisations treat it as a core annual task rather than an optional extra.
What DSPT looks at.
You don't need to memorise every assertion. At a high level, DSPT checks whether you're managing information and technology in a safe, organised way.
Governance & leadership
Roles, responsibilities and oversight for data security and protection at board and management level.
Data protection & confidentiality
How you comply with data protection law and protect confidential patient and service-user information.
Staff awareness & training
Whether staff understand their responsibilities, receive regular training and know how to report concerns.
IT security controls & resilience
Technical controls such as access management, patching, anti-malware, backups, device security and secure remote access.
Incident management & reporting
How you detect, respond to and report data security incidents or near-misses, including serious breaches.
Third parties & suppliers
The way you select, manage and review partners who have access to your systems or data, including contracts and assurances.
Where organisations often get stuck.
Most teams don't struggle with caring about security – they struggle with what DSPT is actually asking them to prove.
What organisations struggle with
How we typically help
How we can help with your DSPT.
Every organisation is different. Our role is to support your team, not replace it – and to make sure DSPT fits into your wider security work.
Step 1
Understand where you are today.
Review your current position against DSPT expectations – new, renewal or lapsed – and identify the main pressure points.
Step 2
Explain requirements in plain English.
Translate toolkit language into what it means for your people, processes and IT, so everyone understands the "why".
Step 3
Re-use work you've already done.
Use existing Cyber Essentials work, policies, testing and monitoring as evidence wherever appropriate, to avoid duplication.
Step 4
Suggest improvements that support DSPT.
Recommend technical, process and training improvements that strengthen both DSPT submissions and day-to-day security.
Step 5
Support your team through the toolkit.
Be on hand as you complete or update the online toolkit, so questions get answered quickly and calmly.
How DSPT links to the rest of your security.
DSPT focuses on information governance and security for organisations that work with NHS data and systems. It looks at how you manage information, people and technology across your organisation.
Other work – such as Cyber Essentials, IASME Cyber Baseline, penetration testing, vulnerability scanning, cyber posture reviews and vCISO support – often provides the technical controls and evidence that sit underneath your DSPT submission.
Our goal is to avoid duplication. Where possible, we help you re-use policy work, technical testing and monitoring as evidence for multiple requirements at once, so you're building one joined-up security story rather than a pile of separate projects.
DSPT frequently asked questions.
Short, practical answers to the questions we hear most often from NHS and care-sector teams.
Who has to complete DSPT?
Any organisation that accesses NHS patient data or NHS digital services is normally expected to complete DSPT – including NHS bodies, primary care, social care providers and many suppliers. If you're unsure, we can help you confirm what's required in your case.
How often do we need to submit?
DSPT is an annual cycle. Most organisations update and publish their assessment once a year, with clear evidence of what has changed and where improvements are planned.
Do we need Cyber Essentials to pass DSPT?
Cyber Essentials is not a formal requirement for every DSPT submission, but many organisations use it to evidence strong technical controls (like patching, access management and boundary security). It can make the technical side of DSPT much easier to demonstrate.
What happens if we don't do DSPT?
Not completing DSPT, or letting it lapse, can affect access to NHS systems, contracts and commissioning decisions. It can also raise questions from regulators and partners about how seriously you take data security.
Can you work with our existing IT or consultants?
Yes. We regularly work alongside internal IT teams, managed service providers and existing consultants. Our role is to help everyone pull in the same direction and make sure technical work is clearly reflected in DSPT.
How long does DSPT normally take?
It depends on your size, complexity and how much is already in place. Some smaller providers can complete DSPT in days; larger organisations may plan work over several weeks or months. Our aim is to make the process structured and predictable, rather than last-minute.
Need help with DSPT?
Tell us what type of organisation you are, whether you're new to DSPT, renewing or catching up after a lapse, and any key worries you have right now.
We'll review your situation and come back with suggested next steps and options – in plain English, with no pressure.
What to include in your message
- Your organisation type and size.
- Whether DSPT is new, a renewal or has lapsed for a while.
- Any deadlines, contracts or NHS digital services you're concerned about.
- A brief outline of what you already have in place (e.g. Cyber Essentials, policies, testing).