
What is the DSPT?
The NHS Data Security and Protection Toolkit (DSPT) is an annual online self-assessment that every organisation with access to NHS patient data and systems must complete.
It measures those organisations against the National Data Guardian's ten data security standards, so that patient data is protected to a consistent standard and governed in a consistent way across the NHS and its suppliers.
The toolkit does not supply policies itself; it sets out assertions that each organisation must evidence, normally through its own policies, procedures and technical controls. Those requirements cover areas including:
- Information governance: policies and procedures ensuring that patient data is handled securely and appropriately, and that only authorised individuals can access it.
- Cyber security: controls and procedures protecting patient data from cyber-attack and other forms of unauthorised access or disclosure.
- Data protection: policies and procedures for complying with UK GDPR, the Data Protection Act 2018 and other relevant data protection law.
- Incident management: procedures for responding to data security incidents and personal data breaches, including the reporting and notification requirements (the DSPT's own incident reporting tool is the route for notifying reportable breaches to the ICO and NHS England).
What Is Required for the DSPT?
To submit, an organisation must be able to evidence robust policies and procedures in each of these areas, for example policies on password management, data retention and disposal, and access control.
It will also need technical measures in place, such as firewalls, timely patching and encryption of data at rest and in transit, to protect patient data from unauthorised access or disclosure. Overall, the Data Security and Protection Toolkit is the core assurance framework for any organisation that handles NHS patient data.
Having robust, current policies and procedures in place protects the security and confidentiality of this sensitive information and helps ensure that it is used only for the purposes for which it was collected.
How We Can Help
Our company offers a variety of standard, custom, and fully bespoke IT security policies. Please contact us using the form provided below for more information.
What the DSPT Is
The Data Security and Protection Toolkit is an annual online self-assessment that every organisation with access to NHS patient data and systems must complete. It is run by NHS England (formerly NHS Digital) and, from the 2024-25 cycle, has been aligned with the NCSC's Cyber Assessment Framework (CAF) for the larger NHS organisations.
Submission deadlines follow the NHS financial year: in recent cycles a baseline submission has been due by 31 December and the final publication by 30 June. The toolkit grades organisations as "Standards Met", "Approaching Standards" (which requires an agreed improvement plan) or "Standards Not Met" against the National Data Guardian standards.
Who Must Submit
- NHS organisations and trusts.
- Independent sector providers of NHS-funded care.
- Local authorities providing adult social care.
- Suppliers and subcontractors with access to NHS systems or patient data.
- Pharmacies, GP practices and dental practices providing NHS services.
Common Submission Pitfalls
- Information governance policies last reviewed more than 12 months ago, when the toolkit expects annual review.
- Staff data security awareness training below the 95% completion threshold.
- Cyber Essentials certification relied on as evidence that has expired or was never obtained.
- Data breach and incident log not maintained contemporaneously, so reportable breaches miss the notification deadlines.
- Hardware and software asset register incomplete or not aligned to the fields the toolkit asks for.
- No documented evidence of board-level information governance oversight, such as minutes showing the SIRO or Caldicott Guardian reporting to the board.
Frequently Asked Questions
Do we need Cyber Essentials for the DSPT?
It depends on your category of submitter, so check the current toolkit guidance for your category before assuming either way. Where Cyber Essentials is held it can be used as evidence against several assertions, and Cyber Essentials Plus is expected for some categories such as larger trusts and certain commissioning bodies.
What is the difference between DSPT and CAF?
The DSPT is the annual submission framework. CAF is the underlying assessment methodology, developed by the NCSC, and since 2024-25 it has been embedded into the DSPT for the higher-tier organisations (NHS trusts, integrated care boards, commissioning support units and arm's length bodies); other categories continue to submit against the toolkit's assertion-based questions.
How long does first DSPT compliance take?
For an organisation building from scratch, eight to twelve weeks is realistic, covering Cyber Essentials certification, a policy library refresh, the training rollout and the submission itself.
What Policy Pros Delivers
Our DSPT package includes the full information governance and security policy set mapped to current toolkit requirements, the Cyber Essentials documentation pack, training materials, and submission support. We also offer ongoing review through our Monthly Document Support service.