DSPT

Also known as: Data Security and Protection Toolkit, NHS DSP Toolkit, DSP Toolkit

The Data Security and Protection Toolkit (DSPT) is an annual self-assessment that UK organisations handling NHS patient data are required to complete. It’s managed by NHS England and assesses whether an organisation meets the ten National Data Guardian standards for data security.

DSPT applies to:

  • NHS trusts, GP practices, dental practices, and pharmacies
  • Private healthcare providers that process NHS patient data (direct care or data sharing)
  • Local authorities and social care providers
  • Any supplier to the above that processes NHS patient data

The ten National Data Guardian standards

The standards group into three categories:

Personal responsibility

  1. Staff know their data-protection responsibilities
  2. Senior leadership is accountable for data protection

Process

  3. Information flows are mapped
  4. Data-processing risks are managed
  5. Robust processes and procedures are in place for contracts and agreements
  6. Data breaches are reported, logged, and acted on

Technology

  7. A strategy for information technology is in place
  8. Systems are kept up-to-date and secure
  9. Incidents and near-misses are learned from
  10. Services from suppliers are assessed for data security

The four possible outcomes

Each year, an organisation publishes one of:

  • Standards Met: the target outcome; all mandatory assertions are complete and evidenced
  • Standards Not Fully Met: some assertions are still outstanding, and an action plan is in place to close them
  • Approaching Standards: significant gaps remain, but progress is being made
  • Not Applicable: used for specific organisation types where some standards don’t apply

Deadlines and publication

The DSPT operates on the NHS financial year. The annual submission deadline is 30 June each year, reporting against the previous 12 months. Results are publicly visible on the DSPT portal.

How the toolkit relates to other standards

DSPT overlaps significantly with Cyber Essentials and UK GDPR. Organisations that hold CE or CE Plus can often use that evidence to satisfy specific DSPT assertions. CE certification is increasingly an expected part of reaching Standards Met.

How we help

Completing the DSPT can be daunting for a private healthcare provider or GP practice without dedicated compliance staff. Equate Group works with healthcare clients to map evidence against each assertion, close the gaps, and complete the submission. See our healthcare industry page for detail on how we support medical and dental practices through DSPT.