The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool used by organisations that access or process NHS patient data to demonstrate their compliance with UK data protection and security standards.
🛡️ What is the NHS DSPT?
The DSPT is managed by NHS England and is a requirement for any organisation handling NHS patient data, including:
- GP practices
- Hospitals and trusts
- Care homes and charities
- IT service providers
- Data processors (third parties)
Completing the DSPT demonstrates that your organisation is handling personal and sensitive data securely, and in line with:
- The Data Protection Act 2018
- The UK GDPR
- The NHS Data Security Standards
🔍 Key Features of the DSPT
Area | Description |
---|---|
Online Toolkit | A portal-based system where organisations answer questions and upload evidence |
Annual Submission | Mandatory for most NHS-connected organisations |
Standards Framework | Based on the 10 National Data Guardian (NDG) standards |
Graded Outcomes | Published assessments are rated “Standards Not Met”, “Approaching Standards”, “Standards Met” or “Standards Exceeded”; only “Standards Met” (or better) is normally accepted by NHS partners |
Evidence & Action Plans | Requires real documentation and improvement plans for gaps |
📋 The 10 Data Security Standards
The DSPT assertions map onto the 10 NDG Data Security Standards, which in summary require that:
- Personal confidential data is handled, stored and transmitted securely and shared only for lawful and appropriate purposes
- All staff understand their responsibilities under the NDG standards, including the consequences of breaches
- All staff complete appropriate annual data security training and pass a mandatory test
- Access to personal confidential data is limited to staff who need it for their current role, is removed when no longer needed, and every access on IT systems can be attributed to an individual
- Processes are reviewed at least annually to identify and fix those that caused breaches or near misses
- Cyber attacks are identified and resisted, security alerts (e.g. CareCERT advisories) are acted on, and any breach or near miss is reported to senior management within 12 hours of discovery
- A continuity plan covering threats to data security is in place and tested at least annually
- No unsupported operating systems, software or browsers are used within the IT estate
- A strategy for protecting IT systems from cyber threats, based on a proven framework such as Cyber Essentials, is in place and reviewed annually
- IT suppliers are held accountable through contracts for protecting personal confidential data and meeting the NDG standards
🧰 Why It Matters
Benefit | Explanation |
---|---|
✅ Legal Compliance | Provides structured evidence of compliance with the UK GDPR and the Data Protection Act 2018 (the toolkit does not replace those obligations, but documents how they are met) |
✅ Trust & Assurance | Demonstrates to patients and NHS partners that your organisation takes data security seriously |
✅ Contractual Requirement | Required for NHS contracts and for access to national systems and patient data, for example via HSCN (the successor to N3) or NHSmail |
✅ Risk Mitigation | The self-assessment forces an annual review of access control, patching, backups, incident handling and supplier contracts, and turns gaps into tracked action items |
🛠️ Tools & Resources to Help
- ICO’s Accountability Framework
- NHS DSPT Toolkit Portal: https://www.dsptoolkit.nhs.uk
- Templates: Many ICS/ICB support organisations provide pre-filled policies and toolkits
- Cyber Essentials: NDG standard 9 expects IT protection to follow a proven framework such as Cyber Essentials, so certification evidence covers a large part of the technical assertions
- NHS England Data Security Centre (formerly NHS Digital’s DSC): issues CareCERT cyber alerts and publishes guidance and best practice
🧪 Example Scenario
A care home wants to continue receiving referrals through NHSmail. It must publish a DSPT assessment at “Standards Met” (or “Approaching Standards” with an agreed action plan for first-time applicants), evidencing that:
- All staff have completed annual data security training
- Firewalls and antivirus are in place and kept up to date, and no unsupported software remains in use
- A secure, tested backup and continuity plan is in place
- A process exists for identifying, reviewing and reporting data breaches, including internal escalation within 12 hours and notification to the ICO within 72 hours where the breach meets the UK GDPR threshold
🏁 Submission Deadlines
- The deadline was historically 31 March; since the 2020–21 toolkit year it has been 30 June, so check the portal for the current year’s date
- Organisations that miss it may face contract issues or lose access to NHSmail and other national systems