Skip to content
360 Cyber Compliance

NHS Data Security & Protection Toolkit

DSP Toolkit (DSPT)

The DSPT is the NHS's mandatory annual self-assessment for any organisation that handles health and care data — care homes, GP, dental and pharmacy practices, and domiciliary care. We take you from 'Not started' to 'Standards Met' before the 30 June deadline, without the jargon.

Deadline: 30 June (annual)

Try the free DSPT readiness checker

What you get

  • 'Standards Met' status before the 30 June deadline
  • Keep your NHSmail, GP Connect and data flows live
  • An evidence pack mapped to every assertion
  • CQC-ready data security records

Pricing: Request a quote

What the DSPT actually is

The Data Security and Protection Toolkit (DSPT) is an annual online self-assessment run by NHS England. It gives organisations that handle health and adult social care data a structured way to demonstrate that they are protecting personal and confidential information to a nationally recognised standard. Rather than issuing a certificate, the toolkit asks you to work through a set of assertions and evidence items and then declare a status — most commonly “Standards Met” — for the assessment year.

For most care and health providers, the DSPT is the gateway that keeps NHS data flows switched on. If you rely on NHSmail, GP Connect, the Electronic Prescription Service, the Summary Care Record or a proxy data-sharing arrangement, a current and satisfactory DSPT is usually a condition of continued access. It is also increasingly expected by local authority commissioners and referenced by the Care Quality Commission (CQC) under the well-led domain, where good information governance is treated as a marker of a properly run service.

If you are new to the toolkit, our plain-English guide to the DSPT is a useful companion to this page.

Who must complete it — and who is exempt

The DSPT applies to any organisation that accesses or processes NHS patient or service-user data. In the care sector, that typically includes:

  • Residential care homes and nursing homes delivering NHS-funded or NHS-linked care
  • Domiciliary (home) care, supported living and extra-care providers
  • GP practices, dental practices, optometrists and community pharmacies
  • Hospices, community health providers and social enterprises delivering NHS services
  • Suppliers and IT vendors that connect to NHS systems on behalf of a provider

The practical test is simple: if you send, receive or view NHS patient information — or if you use an NHS-provided system such as NHSmail — you almost certainly need a current DSPT.

Genuine exemptions are narrow. A small business with no access to NHS data and no NHS system connections generally does not need to complete it. But be cautious before assuming you are out of scope: many care providers hold NHS data indirectly through shared care records, discharge information or medication management, and that brings them back within scope. If you are unsure, a short scoping conversation is far cheaper than discovering mid-year that a data flow has been suspended.

How the toolkit is structured

The DSPT is organised around a set of assertions grouped under the ten data security standards, covering areas such as personal responsibility, staff training, managing data access, technical protections and responding to incidents. The exact wording and the number of mandatory evidence items vary by the profile you are assigned, which depends on your organisation type and size. Smaller social care organisations complete a proportionate version rather than the full acute-trust set.

Against each assertion you either confirm a statement is true, upload or reference supporting evidence, or answer a question about your arrangements. The toolkit is honest by design: you are self-declaring, and you are expected to hold evidence that would stand up to scrutiny if you were audited.

The process, step by step

Reaching a confident submission usually follows a predictable path:

  1. Register and confirm your profile. Make sure your organisation is correctly registered with the right ODS code and assigned the appropriate profile, so you are answering the right question set.
  2. Map evidence to assertions. Work through each assertion and identify what you already have — policies, training records, access logs, backup arrangements, contracts with processors — and where the gaps are.
  3. Close the gaps. This is where most of the real work sits: writing or updating policies, rolling out data-security training, tightening user access, confirming backups and testing your incident response.
  4. Complete and publish. Enter your responses, attach evidence where required, and publish your status for the year.
  5. Keep the evidence pack live. Store everything in one place so it is ready for reassessment or any audit request, and so next year’s submission is an update rather than a fresh start.

The annual deadline for most organisations is 30 June. Some larger organisations also have an earlier baseline submission. Because the toolkit resets each year, the DSPT is best treated as an ongoing information-governance rhythm rather than a one-off task.

Evidence and documents involved

The exact list depends on your profile, but a typical care-provider evidence pack includes:

AreaExample evidence
GovernanceInformation governance / data protection policy, named responsible person
StaffAnnual data security awareness training records, confidentiality clauses
AccessUser access controls, joiners/movers/leavers process, unique logins
TechnicalSupported operating systems, anti-malware, patching, backups
IncidentsIncident and breach reporting procedure, records of any incidents
SuppliersData processing agreements with IT and clinical-system suppliers

Our DSPT evidence checklist breaks this down assertion by assertion, and you can gauge where you stand with the free DSPT readiness checker.

Making the DSPT an annual rhythm, not a panic

Because the toolkit resets every year and the standard deadline is 30 June, the healthiest way to approach it is as a recurring rhythm rather than a yearly emergency. Organisations that leave everything to June tend to find the same problems each time: training that has lapsed, a policy that was never updated, a supplier agreement that was never signed. Organisations that keep their evidence pack live simply refresh and confirm.

A sensible cadence looks something like this. Shortly after each submission, note anything you had to fix at the last minute and put it on a calendar for the coming year — schedule the staff training, diarise the policy reviews, and check supplier agreements are current. Keep a single, well-organised evidence folder so that when the toolkit reopens you are updating known material rather than hunting for it. Treat data-security incidents, however minor, as learning opportunities and log them, because a mature incident record is itself good evidence. Approached this way, the DSPT stops being a scramble and becomes a light annual confirmation that your information governance is genuinely in good order — which is exactly what commissioners, families and the CQC want to see.

The ten data security standards at a glance

The assertions in the toolkit are grouped under the National Data Guardian’s ten data security standards, which span people, process and technology. In plain terms they ask whether: staff understand their personal responsibility for handling data; confidential information is only accessed by those who need it; that access is removed promptly when roles change; staff receive appropriate training; you can account for how data is used and shared; you have a tested way of responding to cyber incidents; you have a continuity plan for data-security failures; unsupported systems are identified and managed; IT protections such as anti-malware and patching are in place; and your suppliers meet the same standards you hold yourself to. You do not need to memorise the list, but recognising these themes helps you see why each assertion is there — and it makes the connections to Cyber Essentials, UK GDPR and the CQC’s well-led expectations much clearer.

Common mistakes

  • Treating it as an IT-only exercise. Much of the toolkit is about governance, training and process — not just technical controls.
  • Declaring “Standards Met” without holding the evidence. The status is a self-declaration; you must be able to produce the supporting documents.
  • Leaving it to the last week of June. Gap-closing (training, policy updates, technical fixes) takes time, and a rushed submission tends to be a fragile one.
  • Forgetting suppliers. If a third party processes NHS data for you, you need a data processing agreement and assurance about their controls.
  • Not carrying evidence forward. Rebuilding the pack from scratch each year wastes effort and increases the risk of gaps.

How it relates to the other standards

The DSPT overlaps heavily with the wider information-security and data-protection landscape, so work you do here rarely stands alone:

  • Its expectations align closely with Cyber Essentials; achieving Cyber Essentials can satisfy or strengthen several technical assertions.
  • The governance and training elements map neatly onto Data Protection and UK GDPR obligations under the ICO’s remit.
  • Larger or more security-mature organisations often align the DSPT with an ISO 27001 information security management system, reusing policies and controls across both.
  • If you lack in-house data protection expertise, an outsourced DPO can own the governance side of the toolkit year-round.

Terms you meet along the way — such as data controller, processor and personal data — are explained in our glossary.

How 360 Cyber Compliance helps

Most care teams do not have a dedicated IT or information-governance lead, and that is exactly the gap we fill. We work with you remotely, in plain English, on a transparent fixed-fee basis, taking you through a clear delivery process from wherever you are today toward a confident “Standards Met” submission.

In practice that means scoping your profile correctly, mapping your evidence, helping you write or refresh the policies and procedures you are missing, guiding the practical fixes (training, access controls, backups, incident handling) and getting your evidence pack organised so future years are lighter. We provide practical support throughout the assessment rather than promising a particular outcome — the toolkit is your declaration, and we help you make it an honest and well-evidenced one.

If you would like a straightforward starting point, get in touch for a readiness conversation and we will show you where you stand and what a realistic path to submission looks like.

What you'll receive

  • A gap assessment against your DSPT profile
  • A prioritised compliance action plan
  • Reviewed and updated information governance policies
  • An evidence checklist mapped to every assertion
  • Support completing and reviewing your submission
  • Advice to make next year's renewal easier

On your own vs. with 360 Cyber Compliance

On your ownWith us
Work out which assertions apply to youWe confirm your profile and map every assertion
Write and update policies from scratchPolicy templates tailored to your organisation
Chase staff training records yourselfWe help you evidence training cleanly
Hope your evidence is enoughWe review everything before you submit

A typical timeline

  1. 1

    Week 1

    Discovery call, profile check and gap assessment

  2. 2

    Weeks 1–2

    Evidence gathering and policy updates

  3. 3

    Week 2

    Close outstanding actions — training, access, backups

  4. 4

    Weeks 2–3

    Review the full submission against each assertion

  5. 5

    Week 3

    Final checks and submission support

Indicative only — your timeline depends on your starting point, size and deadline.

DSP Toolkit (DSPT) across London

We support organisations in these boroughs — and remotely across the rest of the UK.

Why choose us for DSP Toolkit (DSPT)

Care & health specialists

DSPT, CQC expectations and NHS data flows are our day job, not a sideline.

Transparent fixed-fee engagements

A clear scope and price agreed up front — no open-ended day rates.

Remote delivery, UK-wide

Almost everything is done remotely, wherever you are in the country.

Award-winning expertise

Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.

Practical, plain-English support

Clear guidance and templates throughout the assessment — no jargon.

Ongoing support

Annual renewals, surveillance audits and everyday advice after you are certified.

Frequently asked questions

Is the DSPT mandatory?

Yes. Any organisation that accesses NHS patient data must complete it annually to keep services such as NHSmail and GP Connect.

When is the DSPT deadline?

The standard annual deadline is 30 June. Some Category 1 and 2 organisations also have an earlier baseline submission.

Can the DSPT be done remotely?

Yes — it is completed entirely remotely through the online toolkit, with calls and secure evidence review.

What happens if we miss the deadline?

Your organisation is shown as not meeting the standard, which can affect NHS data access and is visible to commissioners. It's best to submit on time, even at 'Approaching Standards', and improve from there.

Do care homes need a DSPT?

If you handle NHS patient data or use NHS systems, yes. Most care homes providing NHS-funded care need a current DSPT.

How long does it take?

For a well-prepared small organisation it can be a couple of weeks; if you're starting from scratch, allow longer. Starting early always makes it easier.

Get started with DSP Toolkit (DSPT)

Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.

  • Plain-English, jargon-free advice
  • Fixed-price quotes — no surprises
  • Delivered remotely across the UK

By submitting you agree to our privacy policy. We never share your details.