NHS Data Security & Protection Toolkit
DSP Toolkit (DSPT)
The DSPT is the NHS's mandatory annual self-assessment for any organisation that handles health and care data — care homes, GP, dental and pharmacy practices, and domiciliary care. We take you from 'Not started' to 'Standards Met' before the 30 June deadline, without the jargon.
Deadline: 30 June (annual)
What you get
- 'Standards Met' status before the 30 June deadline
- Keep your NHSmail, GP Connect and data flows live
- An evidence pack mapped to every assertion
- CQC-ready data security records
Pricing: Request a quote
What the DSPT actually is
The Data Security and Protection Toolkit (DSPT) is an annual online self-assessment run by NHS England. It gives organisations that handle health and adult social care data a structured way to demonstrate that they are protecting personal and confidential information to a nationally recognised standard. Rather than issuing a certificate, the toolkit asks you to work through a set of assertions and evidence items and then declare a status — most commonly “Standards Met” — for the assessment year.
For most care and health providers, the DSPT is the gateway that keeps NHS data flows switched on. If you rely on NHSmail, GP Connect, the Electronic Prescription Service, the Summary Care Record or a proxy data-sharing arrangement, a current and satisfactory DSPT is usually a condition of continued access. It is also increasingly expected by local authority commissioners and referenced by the Care Quality Commission (CQC) under the well-led domain, where good information governance is treated as a marker of a properly run service.
If you are new to the toolkit, our plain-English guide to the DSPT is a useful companion to this page.
Who must complete it — and who is exempt
The DSPT applies to any organisation that accesses or processes NHS patient or service-user data. In the care sector, that typically includes:
- Residential care homes and nursing homes delivering NHS-funded or NHS-linked care
- Domiciliary (home) care, supported living and extra-care providers
- GP practices, dental practices, optometrists and community pharmacies
- Hospices, community health providers and social enterprises delivering NHS services
- Suppliers and IT vendors that connect to NHS systems on behalf of a provider
The practical test is simple: if you send, receive or view NHS patient information — or if you use an NHS-provided system such as NHSmail — you almost certainly need a current DSPT.
Genuine exemptions are narrow. A small business with no access to NHS data and no NHS system connections generally does not need to complete it. But be cautious before assuming you are out of scope: many care providers hold NHS data indirectly through shared care records, discharge information or medication management, and that brings them back within scope. If you are unsure, a short scoping conversation is far cheaper than discovering mid-year that a data flow has been suspended.
How the toolkit is structured
The DSPT is organised around a set of assertions grouped under the ten data security standards, covering areas such as personal responsibility, staff training, managing data access, technical protections and responding to incidents. The exact wording and the number of mandatory evidence items vary by the profile you are assigned, which depends on your organisation type and size. Smaller social care organisations complete a proportionate version rather than the full acute-trust set.
Against each assertion you either confirm a statement is true, upload or reference supporting evidence, or answer a question about your arrangements. The toolkit is honest by design: you are self-declaring, and you are expected to hold evidence that would stand up to scrutiny if you were audited.
The process, step by step
Reaching a confident submission usually follows a predictable path:
- Register and confirm your profile. Make sure your organisation is correctly registered with the right ODS code and assigned the appropriate profile, so you are answering the right question set.
- Map evidence to assertions. Work through each assertion and identify what you already have — policies, training records, access logs, backup arrangements, contracts with processors — and where the gaps are.
- Close the gaps. This is where most of the real work sits: writing or updating policies, rolling out data-security training, tightening user access, confirming backups and testing your incident response.
- Complete and publish. Enter your responses, attach evidence where required, and publish your status for the year.
- Keep the evidence pack live. Store everything in one place so it is ready for reassessment or any audit request, and so next year’s submission is an update rather than a fresh start.
The annual deadline for most organisations is 30 June. Some larger organisations also have an earlier baseline submission. Because the toolkit resets each year, the DSPT is best treated as an ongoing information-governance rhythm rather than a one-off task.
Evidence and documents involved
The exact list depends on your profile, but a typical care-provider evidence pack includes:
| Area | Example evidence |
|---|---|
| Governance | Information governance / data protection policy, named responsible person |
| Staff | Annual data security awareness training records, confidentiality clauses |
| Access | User access controls, joiners/movers/leavers process, unique logins |
| Technical | Supported operating systems, anti-malware, patching, backups |
| Incidents | Incident and breach reporting procedure, records of any incidents |
| Suppliers | Data processing agreements with IT and clinical-system suppliers |
Our DSPT evidence checklist breaks this down assertion by assertion, and you can gauge where you stand with the free DSPT readiness checker.
Making the DSPT an annual rhythm, not a panic
Because the toolkit resets every year and the standard deadline is 30 June, the healthiest way to approach it is as a recurring rhythm rather than a yearly emergency. Organisations that leave everything to June tend to find the same problems each time: training that has lapsed, a policy that was never updated, a supplier agreement that was never signed. Organisations that keep their evidence pack live simply refresh and confirm.
A sensible cadence looks something like this. Shortly after each submission, note anything you had to fix at the last minute and put it on a calendar for the coming year — schedule the staff training, diarise the policy reviews, and check supplier agreements are current. Keep a single, well-organised evidence folder so that when the toolkit reopens you are updating known material rather than hunting for it. Treat data-security incidents, however minor, as learning opportunities and log them, because a mature incident record is itself good evidence. Approached this way, the DSPT stops being a scramble and becomes a light annual confirmation that your information governance is genuinely in good order — which is exactly what commissioners, families and the CQC want to see.
The ten data security standards at a glance
The assertions in the toolkit are grouped under the National Data Guardian’s ten data security standards, which span people, process and technology. In plain terms they ask whether: staff understand their personal responsibility for handling data; confidential information is only accessed by those who need it; that access is removed promptly when roles change; staff receive appropriate training; you can account for how data is used and shared; you have a tested way of responding to cyber incidents; you have a continuity plan for data-security failures; unsupported systems are identified and managed; IT protections such as anti-malware and patching are in place; and your suppliers meet the same standards you hold yourself to. You do not need to memorise the list, but recognising these themes helps you see why each assertion is there — and it makes the connections to Cyber Essentials, UK GDPR and the CQC’s well-led expectations much clearer.
Common mistakes
- Treating it as an IT-only exercise. Much of the toolkit is about governance, training and process — not just technical controls.
- Declaring “Standards Met” without holding the evidence. The status is a self-declaration; you must be able to produce the supporting documents.
- Leaving it to the last week of June. Gap-closing (training, policy updates, technical fixes) takes time, and a rushed submission tends to be a fragile one.
- Forgetting suppliers. If a third party processes NHS data for you, you need a data processing agreement and assurance about their controls.
- Not carrying evidence forward. Rebuilding the pack from scratch each year wastes effort and increases the risk of gaps.
How it relates to the other standards
The DSPT overlaps heavily with the wider information-security and data-protection landscape, so work you do here rarely stands alone:
- Its expectations align closely with Cyber Essentials; achieving Cyber Essentials can satisfy or strengthen several technical assertions.
- The governance and training elements map neatly onto Data Protection and UK GDPR obligations under the ICO’s remit.
- Larger or more security-mature organisations often align the DSPT with an ISO 27001 information security management system, reusing policies and controls across both.
- If you lack in-house data protection expertise, an outsourced DPO can own the governance side of the toolkit year-round.
Terms you meet along the way — such as data controller, processor and personal data — are explained in our glossary.
How 360 Cyber Compliance helps
Most care teams do not have a dedicated IT or information-governance lead, and that is exactly the gap we fill. We work with you remotely, in plain English, on a transparent fixed-fee basis, taking you through a clear delivery process from wherever you are today toward a confident “Standards Met” submission.
In practice that means scoping your profile correctly, mapping your evidence, helping you write or refresh the policies and procedures you are missing, guiding the practical fixes (training, access controls, backups, incident handling) and getting your evidence pack organised so future years are lighter. We provide practical support throughout the assessment rather than promising a particular outcome — the toolkit is your declaration, and we help you make it an honest and well-evidenced one.
If you would like a straightforward starting point, get in touch for a readiness conversation and we will show you where you stand and what a realistic path to submission looks like.
What you'll receive
- A gap assessment against your DSPT profile
- A prioritised compliance action plan
- Reviewed and updated information governance policies
- An evidence checklist mapped to every assertion
- Support completing and reviewing your submission
- Advice to make next year's renewal easier
On your own vs. with 360 Cyber Compliance
| On your own | With us |
|---|---|
| Work out which assertions apply to you | We confirm your profile and map every assertion |
| Write and update policies from scratch | Policy templates tailored to your organisation |
| Chase staff training records yourself | We help you evidence training cleanly |
| Hope your evidence is enough | We review everything before you submit |
A typical timeline
- 1
Week 1
Discovery call, profile check and gap assessment
- 2
Weeks 1–2
Evidence gathering and policy updates
- 3
Week 2
Close outstanding actions — training, access, backups
- 4
Weeks 2–3
Review the full submission against each assertion
- 5
Week 3
Final checks and submission support
Indicative only — your timeline depends on your starting point, size and deadline.
Who we help with DSP Toolkit (DSPT)
Example engagements
Helping a small care home reach Standards Met before the DSPT deadline
A residential home relied on NHSmail for GP and pharmacy correspondence but had never completed the toolkit, and its NHS data flows were at risk with the 30 June deadline approaching.
The home reached a Standards Met submission ahead of the 30 June deadline and kept its NHSmail access uninterrupted.
Read the example →A GP practice catching up on a lapsed DSPT submission
A busy general practice had let its toolkit slip after a change of practice manager, leaving a lapsed status while it depended on GP Connect and the Electronic Prescription Service every day.
The practice restored a current Standards Met status and protected its ongoing access to national NHS systems.
Read the example →DSPT for a domiciliary care provider with a mobile workforce
A home care agency whose staff worked from personal and shared mobile devices in the community struggled to show it controlled access to service-user data across a dispersed team.
The provider achieved a Standards Met submission with access controls that genuinely reflected how its mobile team works.
Read the example →Learn more about DSP Toolkit (DSPT)
Common DSPT mistakes and how to avoid them
The most common DSPT mistakes UK care providers make — from weak evidence to missed deadlines — and practical steps to avoid them before you submit.
DSPT and Cyber Essentials: how they complement each other
How the NHS Data Security and Protection Toolkit and Cyber Essentials relate, where they overlap, and how certification can make several DSPT assertions easier.
DSPT and UK GDPR: how they relate
How the NHS Data Security and Protection Toolkit and UK GDPR overlap, where they differ, and why completing the DSPT strengthens your wider data protection compliance.
DSPT assessment levels and profiles explained
How DSPT assessment levels and organisation profiles work, what determines the questions you're asked, and how to make sure you're completing the right one.
The DSPT deadline and annual cycle: planning ahead
Understand the 30 June DSPT deadline, the annual reset, and how to plan the year so your Data Security and Protection Toolkit submission is never a last-minute rush.
DSPT evidence checklist: what to gather for each assertion
A practical DSPT evidence checklist for UK care providers: which policies, records and technical controls map to the toolkit's assertions before you submit.
DSP Toolkit (DSPT) across London
We support organisations in these boroughs — and remotely across the rest of the UK.
Why choose us for DSP Toolkit (DSPT)
Care & health specialists
DSPT, CQC expectations and NHS data flows are our day job, not a sideline.
Transparent fixed-fee engagements
A clear scope and price agreed up front — no open-ended day rates.
Remote delivery, UK-wide
Almost everything is done remotely, wherever you are in the country.
Award-winning expertise
Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.
Practical, plain-English support
Clear guidance and templates throughout the assessment — no jargon.
Ongoing support
Annual renewals, surveillance audits and everyday advice after you are certified.
Frequently asked questions
Is the DSPT mandatory?
Yes. Any organisation that accesses NHS patient data must complete it annually to keep services such as NHSmail and GP Connect.
When is the DSPT deadline?
The standard annual deadline is 30 June. Some Category 1 and 2 organisations also have an earlier baseline submission.
Can the DSPT be done remotely?
Yes — it is completed entirely remotely through the online toolkit, with calls and secure evidence review.
What happens if we miss the deadline?
Your organisation is shown as not meeting the standard, which can affect NHS data access and is visible to commissioners. It's best to submit on time, even at 'Approaching Standards', and improve from there.
Do care homes need a DSPT?
If you handle NHS patient data or use NHS systems, yes. Most care homes providing NHS-funded care need a current DSPT.
How long does it take?
For a well-prepared small organisation it can be a couple of weeks; if you're starting from scratch, allow longer. Starting early always makes it easier.
Get started with DSP Toolkit (DSPT)
Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.
- Plain-English, jargon-free advice
- Fixed-price quotes — no surprises
- Delivered remotely across the UK