Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

DSPT evidence checklist: what to gather for each assertion

The hardest part of the Data Security and Protection Toolkit (DSPT) usually isn’t answering the questions — it’s finding the evidence that backs up your answers. This guide walks through the kinds of records you should have ready and how they map to the toolkit’s assertions, so you can gather everything once rather than hunting for documents at the last minute.

How the DSPT is structured

The DSPT is built around a set of assertions grouped under broad data-security themes such as staff responsibilities, secure systems, and managing incidents. Each assertion is supported by evidence items — the specific things you confirm or upload. Your job is to show that a control genuinely exists in your organisation, not simply to tick a box.

Because the exact question wording is refreshed each year by NHS England, treat the list below as durable categories rather than a line-by-line map. If you have strong evidence in each category, you’ll be well placed whatever the current phrasing.

The core evidence categories

1. Governance and accountability

  • A named person with overall responsibility for data protection and security (often the registered manager or a director)
  • A named information governance or Caldicott lead, where relevant
  • An up-to-date information governance or data protection policy
  • Evidence that leadership reviews data security — for example, minutes where it appears as an agenda item

2. Staff training and awareness

  • Records showing all staff complete annual data security and information governance training
  • Dates of completion and a way to chase anyone overdue
  • Evidence that new starters are trained as part of induction
  • Confidentiality clauses in contracts or a signed confidentiality agreement

3. Records of what data you hold

  • An information asset register listing the personal and health data you hold, where it lives, and who is responsible for it
  • A record of processing activities (ROPA), which also supports your UK GDPR obligations
  • A list of systems and suppliers that process data on your behalf

4. Managing third parties and contracts

  • Data processing agreements or contract clauses with suppliers handling personal data
  • Assurance that key suppliers take security seriously (their own DSPT status or equivalent)
  • A register of data sharing arrangements with the NHS, commissioners and partners

5. Technical and cyber controls

  • Evidence that devices and servers receive security updates
  • Anti-malware protection in place and kept current
  • Password and access controls, including how you remove access when someone leaves
  • Secure configuration of laptops, phones and tablets
  • A recent, tested backup of important data

This category overlaps closely with Cyber Essentials; holding that certification makes several DSPT answers straightforward.

6. Access and account management

  • A joiners, movers and leavers process
  • Records showing access is limited to what each role needs
  • Evidence that shared accounts are avoided or tightly controlled

7. Incidents and business continuity

  • An incident and data breach response procedure
  • A log of incidents and near misses, with lessons learned
  • Awareness of how to report a notifiable breach to the ICO within 72 hours
  • A business continuity or disaster recovery plan you have actually reviewed

Mapping evidence to assertions

A simple way to stay organised is a single tracker. For each assertion, note the evidence, where it is stored, who owns it, and when it was last reviewed.

ThemeExample evidenceOwnerLast reviewed
GovernanceIG policy, leadership minutesRegistered manager
TrainingTraining log, induction recordsTeam lead
Data heldAsset register, ROPAIG lead
SuppliersProcessing agreementsManager
Cyber controlsPatch and backup recordsIT support
IncidentsBreach procedure, incident logIG lead

Keeping a live tracker like this means next year’s submission starts from a strong position rather than a blank page.

Common evidence gaps

The items providers most often struggle to produce are a complete training log, a genuine information asset register, evidence that backups have been tested (not just scheduled), and confirmation that leavers lost their access promptly. If you focus your early effort on these four, you’ll close the gaps that most frequently hold up a submission.

You can get a quick sense of where you stand using our DSPT readiness checker. It’s also worth reviewing our guide to common DSPT mistakes so you can sidestep them from the outset.

Keep evidence proportionate and genuine

A quick word of caution: the aim is real, working controls, not a mountain of documents for their own sake. A short policy that your staff actually follow is worth far more than a lengthy one nobody has read. When gathering evidence, favour records that reflect what genuinely happens in your organisation — a training log that’s kept up to date, a backup you’ve actually restored, a leavers process people really use. Auditors and commissioners can tell the difference between living evidence and a folder assembled the week before submission, and so, frankly, can you when something goes wrong and you need those controls to hold.

Store it so next year is easy

Finally, decide where your evidence lives and keep it there. A single, clearly structured folder — whether digital or physical — with each item dated and owned means you’re never hunting at the last minute. Because the toolkit resets each year, everything you gather now will be needed again, so an organised evidence pack turns future renewals into a quick refresh rather than a repeat of the whole exercise. It also makes handover straightforward if the person completing the DSPT changes from one year to the next.

How we can help

Pulling this evidence together is very doable, but it takes time that busy care teams rarely have spare. We offer a clear, fixed-fee engagement that maps your existing records against every assertion, tells you plainly what’s missing, and supports you through to submission. If you’d like a hand, explore our DSPT service or get in touch for a friendly, no-obligation chat.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.