A guide to the Data Security and Protection Toolkit (DSPT)
The Data Security and Protection Toolkit (DSPT) is a framework for organisations handling NHS patient data. It’s designed to help you demonstrate that you’re practising good data security and that you meet the requirements of the NHS Data Security Standards.
Why is the DSPT important?
It’s a mandatory requirement
Any organisation that handles NHS patient data, whether as a care provider, software supplier, or business partner, must complete the DSPT annually to maintain access to NHS systems and services.
It supports cyber resilience
With cyber threats increasing and healthcare a frequent target, the DSPT ensures your organisation is adopting good security practices such as robust access controls, backups, incident response and secure configuration of systems.
It builds patient and partner trust
Completing the DSPT signals to patients, NHS bodies, and commissioners that your organisation is serious about data protection, privacy, and information governance, giving you an edge in a competitive landscape.
It’s often required for contracts, frameworks and access to NHSE data
Many NHS procurement frameworks, CQC inspections, aggregated data sources such as HES, and health tech partnerships require a current DSPT submission. A good rating can open doors, while not completing it can be a blocker.
How is DSPT structured?
The Data Security and Protection Toolkit (DSPT) helps health and social care organisations meet the 10 National Data Guardian Standards. Below is a breakdown of each section, explaining what it means in practice and what’s typically required to meet the DSPT “Standards Met” level.
If you already have Cyber Essentials Plus or ISO 27001 certification, good news! You’re already meeting many of the DSPT’s requirements. These recognised certifications can streamline your DSPT submission, with exemptions available in areas such as IT protection and data access controls. We’ll help you map what you already have in place and make sure you get credit for it.
1 – Personal confidential data
This section is all about treating people’s personal information with the care it deserves. Whether it’s paper records locked away safely or digital files stored on secure servers, the expectation is the same: data must be protected. You’ll need to show that your team knows how to handle, share, and dispose of data securely, and that any data you do use is minimised and only used when absolutely necessary. Think encryption, locked cabinets, and sending things through secure channels like NHSmail.
2 – Staff responsibilities
Everyone in your organisation should understand that data security isn’t just an “IT thing”; it’s part of everyone’s job. This means having clearly defined roles for information governance, such as a Data Protection Officer or Caldicott Guardian, and making sure every member of staff knows what’s expected of them when it comes to keeping data safe. A simple way to do this is through signed codes of conduct and regular reminders about their responsibilities.
3 – Staff training
It’s not enough just to have policies; your team needs to understand them too. This section is about making sure all staff complete annual data security training and that the training is actually meaningful. It should cover things like spotting phishing emails, handling information securely, and knowing how to report something if it goes wrong. Keep a record of who’s done the training and make sure new starters get up to speed quickly.
4 – Managing data access
Not everyone needs access to everything. This part is about making sure that people can only see the information they genuinely need for their role, and no more. Access should be reviewed regularly, especially when someone changes roles or leaves the organisation. You’ll also want a clear process in place for setting up and removing accounts promptly. Think of it as digital housekeeping.
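The access review described above can be turned into a repeatable check rather than a once-a-year scramble. The script below is an added example, not the DSPT’s own tooling or anything the NHS provides: it reconciles a list of accounts against an HR roster and flags leavers whose accounts still exist, accounts with no owner, people whose role has changed without their access being re-provisioned, and dormant accounts. The account and HR records are constructed, and the 90-day dormancy threshold is an illustrative assumption.

```python
"""Added example (not the DSPT's own tooling): a joiner/mover/leaver access review.

The account and HR records are constructed, and the 90-day dormancy threshold is
an illustrative assumption; a real review would pull these from the identity
provider and the HR system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    role: str                     # role the account is currently provisioned for
    last_login: Optional[date]    # None means the account has never been used


@dataclass(frozen=True)
class HrRecord:
    username: str
    role: str                     # role HR currently holds for the person
    leaving_date: Optional[date]  # set once the person has left


DORMANT_AFTER = timedelta(days=90)  # illustrative threshold, not a DSPT figure


def review_access(accounts: List[Account], hr_records: List[HrRecord],
                  today: date) -> List[Tuple[str, str]]:
    """Return (finding, username) pairs for every account that needs action.

    leaver  - person has left but the account still exists
    orphan  - no HR record owns the account (e.g. a forgotten service login)
    mover   - role changed in HR but the access was never re-provisioned
    dormant - unused for longer than DORMANT_AFTER, or never used at all
    """
    hr_by_user = {rec.username: rec for rec in hr_records}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr_by_user.get(acct.username)
        if rec is None:
            findings.append(("orphan", acct.username))
            continue
        if rec.leaving_date is not None and rec.leaving_date <= today:
            findings.append(("leaver", acct.username))
            continue  # a leaver's account should go, whatever else applies
        if rec.role != acct.role:
            findings.append(("mover", acct.username))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(("dormant", acct.username))
    return findings


# Constructed sample data for the review; none of it is real.
TODAY = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "clinician", date(2025, 2, 20)),
    Account("bob", "admin", date(2025, 2, 25)),
    Account("carol", "clinician", date(2024, 10, 1)),
    Account("dave", "admin", None),
    Account("svc_legacy", "admin", date(2024, 11, 1)),
    Account("erin", "clinician", date(2024, 11, 15)),
]
SAMPLE_HR = [
    HrRecord("alice", "clinician", None),
    HrRecord("bob", "receptionist", None),            # moved roles, access not updated
    HrRecord("carol", "clinician", date(2025, 1, 15)),  # left in January
    HrRecord("dave", "admin", None),
    HrRecord("erin", "clinician", None),
]


if __name__ == "__main__":
    for finding, user in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY):
        print(f"{finding:8} {user}")
```

Run on the constructed data it reports bob as a mover, carol as a leaver, svc_legacy as an orphan and dave and erin as dormant; alice, whose role matches and who logged in recently, produces no finding. Keeping the output of each run alongside the sign-off from whoever actioned it is the kind of evidence the review question in this section is looking for.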
5 – Process reviews
Mistakes happen, but what matters is how you learn from them. This section encourages you to keep a record of any data breaches or near misses and use that insight to improve your processes. It might mean running workshops, retrospectives or post-mortems to discuss what went wrong, or reviewing how a system failed. The goal is to avoid repeat incidents and build a culture of openness and continuous improvement.
6 – Responding to incidents
When a cyber threat strikes, being prepared is everything. You’ll need a plan in place for how you’ll respond to incidents, and your team should know exactly what to do. This also includes staying alert to new threats. NCSC digests and NHS CareCERT bulletins provide useful updates you’ll need to act on. Responding quickly and effectively can make all the difference when something unexpected happens.
7 – Continuity planning
Imagine your systems went down tomorrow: what would you do? This section is about making sure you’ve thought through how to keep going if something serious happens, like a ransomware attack or a flood that damages your office. You’ll need a business continuity and disaster recovery plan, and you should test it now and then to make sure it actually works. Backups are a big part of this too, not just having them, but regularly testing that they can be restored.
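A backup that exists but cannot be restored intact is no backup at all, which is why this section asks for restore testing rather than just a backup schedule. The script below is an added example, not the DSPT’s own tooling: it backs up a small set of constructed files into a tar archive with a SHA-256 manifest, restores the archive into a scratch directory and compares every restored file against the manifest, then repeats the check on a copy of the archive with a single byte silently damaged. The archive-plus-manifest format is an assumption made for illustration; the same check applies to whatever backup tool you actually use.

```python
"""Added example (not the DSPT's own tooling): prove a backup can be restored.

The sample records are constructed, and the backup format (a tar archive plus a
SHA-256 manifest written alongside it) is an assumption made for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Tuple[Path, Path]:
    """Archive every file under *source* and record each file's hash in a manifest."""
    manifest = {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    archive = backup_dir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def restore_and_verify(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and check every file against the manifest."""
    manifest = json.loads(manifest_path.read_text())
    report = {"verified": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
        # refuses members that would escape the destination directory.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive) as tar:
            tar.extractall(dest, **extract_opts)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != expected:
                report["corrupt"].append(rel)
            else:
                report["verified"].append(rel)
    return report


def run_restore_test() -> dict:
    """Back up a constructed record set, then verify a clean and a silently damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup_dir = root / "source", root / "backups"
        backup_dir.mkdir()
        # Constructed sample data; no real patient information.
        for rel, text in {
            "notes/readme.txt": "constructed notes file\n",
            "records/patient_a.txt": "constructed record A\n",
            "records/patient_b.txt": "constructed record B\n",
        }.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)

        archive, manifest_path = make_backup(source, backup_dir)
        clean = restore_and_verify(archive, manifest_path)

        # Simulate bit-rot: flip one byte inside the first member's file data.
        # The archive still extracts without error, so only a hash comparison
        # notices that the restored file is not what was backed up.
        with tarfile.open(archive) as tar:
            first = tar.getmembers()[0]
        raw = bytearray(archive.read_bytes())
        raw[first.offset_data] ^= 0xFF
        damaged = backup_dir / "backup-damaged.tar"
        damaged.write_bytes(raw)
        tampered = restore_and_verify(damaged, manifest_path)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The clean run verifies all three files; the damaged copy restores without any error from the archive tool but the first file fails its hash check, which is exactly the failure a “we have backups” answer without a restore test would never surface. Scheduling this kind of run and keeping its reports is straightforward evidence for the continuity questions.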
8 – Unsupported systems
Using outdated software is like leaving your front door wide open; it’s a security risk. This part of the DSPT asks you to make sure everything in your IT estate (your computers, operating systems, browsers, etc.) is supported and regularly updated. If you’re still using Windows 7 or Internet Explorer, it’s definitely time for a change.
9 – IT protection
This section is your frontline defence against cyber attacks. You should have robust endpoint protection in place such as antivirus software, a firewall, and a strategy for keeping everything up to date. Think patching, monitoring for unusual activity, and making sure the basics, like strong passwords and secure configurations, are firmly in place.
10 – Accountable suppliers
If you work with third-party suppliers, especially IT suppliers that depend heavily on PaaS/SaaS providers, you need to make sure they take data protection as seriously as you do. This means having proper contracts in place that clearly spell out their responsibilities under UK GDPR and the DPA (2018). You’ll also want to do some checks when you start working with a new supplier and review their performance regularly to make sure they’re still up to standard.
What does it take to be successful with the DSPT?
We’ve supported a range of organisations through the DSPT journey, from first-time submissions to annual reviews. What we’ve found is that success doesn’t come from ticking boxes at the last minute. It comes from embedding good habits, having the right people on board, and treating data protection as a shared responsibility. The DSPT can feel a little overwhelming at first as an additional compliance framework, but when approached with the right mindset and structure, it becomes a powerful tool for improvement, not just compliance.
Leadership involvement
To get the most out of the DSPT, senior leadership needs to be visible and involved. Their support gives data protection the importance it deserves and ensures resources are allocated to get things done. When leaders take it seriously, others do too, and it helps the team understand that protecting data isn’t a side project; it’s part of how you do business.
Staff engagement
The people who work with personal data every day are your biggest asset. Involving staff in shaping your processes, and encouraging them to suggest improvements, not only creates better systems but helps everyone feel more invested. It’s important that data protection isn’t just ‘done to’ the team by a manager or IT lead, but is something everyone contributes to.
A mindset of continual improvement
The DSPT isn’t just about proving you’re doing the minimum, it’s about learning and improving over time. That means regularly reviewing how things are working, learning from any issues, and being open to feedback. It’s the organisations who really embrace this mindset, even in small ways, that get the most long-term benefit from the DSPT.
Consistency over time
Doing the DSPT well isn’t about a last-minute scramble in March. The most successful organisations build data protection into their regular routines, whether that’s by spreading out reviews of key processes, running bite-sized training throughout the year, or holding quarterly check-ins on their toolkit progress. Little and often beats once a year, every time.
Need more guidance?
Our consultants are available to support you through the process. We can help you perform a gap analysis to understand where your strengths and weaknesses are, help you with a full implementation, or undertake an independent annual audit of your controls.