Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

DSPT assessment levels and profiles explained

Not every organisation completes the same Data Security and Protection Toolkit (DSPT). The set of questions you’re asked depends on the profile your organisation falls into. Getting that profile right matters, because it determines what “done” looks like for you. This guide explains how the levels and profiles work and how to make sure you’re on the correct path.

Why the DSPT isn’t one-size-fits-all

A large NHS trust and a small care home clearly don’t face the same data risks, so it wouldn’t make sense to ask them identical questions. The DSPT reflects this by tailoring the assessment to the type and size of organisation completing it. NHS England structures this so that the expectations are proportionate — smaller providers see a more focused set of assertions, while larger and more complex organisations answer a broader range.

What determines your profile

Several factors influence which assessment applies to you:

  • The type of organisation you are — for example, a social care provider, GP practice, dental practice, pharmacy or NHS body
  • How you connect to NHS data and systems — such as NHSmail, GP Connect or the Electronic Prescription Service
  • Your size and complexity — the volume of data you handle and the scale of your operations

When you register and set up your organisation on the toolkit, these details shape the assertions you’re presented with. That’s why it’s so important to describe your organisation accurately from the start.

Getting your profile right from the outset

If your profile is set incorrectly, you can end up answering the wrong questions — either more than you need to, or too few to properly demonstrate your data security. A few practical checks:

  1. Confirm your organisation type carefully during registration.
  2. Reflect how you actually use NHS systems, not how you might in future.
  3. Keep your registration details current if your services change.
  4. Read the current guidance on the toolkit, since NHS England refreshes the structure between years.

If you’re unsure which category fits, it’s far better to check before you begin than to redo the assessment later.

Levels of assurance

Beyond the profile, it helps to think about the level of assurance you’re providing. At its simplest, the toolkit distinguishes between confirming that essential, foundational controls are in place and demonstrating the fuller set of expectations that apply to you. The sector-specific guides below show how this plays out in practice for different provider types:

Whatever your profile, the destination is the same in spirit: a status that shows you’re handling health and care data responsibly.

How profile relates to your final status

Your profile decides which assertions you must satisfy; your evidence decides whether you satisfy them. Once you’ve completed the assessment for your profile, you’ll land on a status such as Standards Met or Approaching Standards. The profile sets the bar; your controls and evidence determine whether you clear it. For more on those outcomes, see our guide to Standards Met vs Approaching Standards.

A quick comparison

AspectWhat it means for you
Organisation typeSets the broad category of assertions
Use of NHS systemsAdds relevant data-security expectations
Size and complexityAdjusts the depth of the assessment
Registration accuracyEnsures you complete the right toolkit
Evidence qualityDetermines your final status

What happens if your organisation changes

Your profile isn’t fixed forever. If your services grow, you start using a new NHS system, or you merge sites, the assessment that applies to you may change. It’s worth revisiting your registration details whenever something significant shifts, rather than discovering at renewal that you’ve outgrown your original profile. Keeping your organisation record accurate ensures you’re always answering the right set of assertions — and that partners relying on your status see a picture that matches reality.

Don’t over-scope or under-scope

Two opposite errors trip people up. Under-scoping means describing your organisation too narrowly, so you complete a lighter assessment than you should — which can leave genuine gaps and undermine the value of your status. Over-scoping means taking on assertions that don’t truly apply, creating unnecessary work and evidence you don’t need. The aim is an honest, accurate profile: enough to properly reflect the data you handle, but no more than your circumstances warrant. When in doubt, describe what you actually do today and check the current guidance rather than guessing.

A note on proportionality

It’s worth stressing that the DSPT is designed to be achievable. Smaller providers sometimes worry they’ll face the same burden as a large hospital, but the profile system exists precisely to avoid that. The expectations placed on a small care setting are proportionate to its size and risk. Understanding this early tends to take the anxiety out of the process — the toolkit is asking you to demonstrate sensible, good-practice data security, not to build enterprise-grade infrastructure.

Check your starting point

Not sure which profile you sit in or how much is involved? Our DSPT readiness checker gives you a quick sense of your position, and the glossary explains any unfamiliar terms. It’s also worth reviewing the DSPT evidence checklist so you know what each assertion will expect.

How we can help

Working out the right profile and interpreting the assertions can feel fiddly, especially the first time round. We offer a clear, fixed-fee engagement that confirms the correct assessment for your organisation, explains what each part expects in plain English, and supports you through to submission. If you’d welcome that, explore our DSPT service or get in touch for a friendly chat.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.