DSPT (Data Security and Protection Toolkit) is an annual self-assessment NHS organisations and their suppliers must complete to demonstrate compliance with data protection and cyber security standards.
The Data Security and Protection Toolkit (DSPT) is a mandatory annual self-assessment that NHS organisations and their suppliers must complete to demonstrate they meet the required standards for data protection and cyber security. Introduced by NHS Digital, the DSPT replaced the Information Governance Toolkit in 2018 and serves as the primary mechanism for assessing and evidencing compliance with the National Data Guardian's 10 data security standards.
You need DSPT compliance if you're:
- An NHS organisation (including trusts, foundation trusts, and clinical commissioning groups)
- A supplier providing services to the NHS that involve processing personal or confidential data
- A third-party organisation working with NHS data under contract
- Any organisation connecting to the Health and Social Care Network (HSCN)
The toolkit must be completed annually, with submissions typically due by 30 June each year. Organisations must achieve 'Standards Met' status to continue accessing NHS systems and data. Failure to meet DSPT requirements can result in suspension of data sharing agreements and exclusion from NHS contracts.
The DSPT covers 10 National Data Guardian standards across three main areas:
- People: Staff responsibilities, training, and awareness
- Process: Policies, procedures, and incident management
- Technology: Technical security measures and system controls
Organisations must provide evidence of compliance through mandatory evidence items, including policies, training records, audit results, and penetration testing reports. The assessment includes both self-declaration and submission of supporting documentation that may be subject to audit by NHS Digital.
For procurement professionals, DSPT compliance is often a mandatory requirement in NHS tender documentation. Suppliers must demonstrate current DSPT status and commitment to maintaining compliance throughout the contract period. This requirement should be clearly specified in procurement documentation, with DSPT compliance forming part of the selection criteria rather than an optional consideration.
Organisations should plan for DSPT submission well in advance of deadlines, as the process can be complex and time-consuming, particularly for first-time submissions or organisations with significant changes to their data processing activities.