Annual self-assessment tool mandated by NHS Digital requiring health and social care organisations to demonstrate compliance with data protection and cyber security standards.
The Data Security and Protection Toolkit (DSPT) is a mandatory annual self-assessment that all organisations handling NHS patient data must complete. Administered by NHS Digital, it replaced the Information Governance Toolkit in 2018 and requires organisations to demonstrate they meet national data security standards.
The toolkit covers 10 mandatory standards spanning staff responsibilities, secure configuration, network security, managing data access, patching policies, malware protection, monitoring, removable media controls, incident management, and secure disposal of equipment.
Organisations must provide evidence against each standard, with assessments graded as 'Standards Met', 'Standards Not Fully Met', or 'Plan Agreed'. All standards must be met to achieve compliance. The assessment includes mandatory assertions, evidence uploads, and action plans for any gaps.
Completion deadlines typically fall in June each year, with extensions only granted in exceptional circumstances. NHS Digital publishes compliance status publicly, creating transparency around data security practices.
DSPT compliance is often a mandatory requirement in health sector tenders. Contracting authorities frequently specify that suppliers must maintain 'Standards Met' status throughout contract delivery. Non-compliance can result in contract termination or prevent organisations from accessing NHS systems and data.
For procurement teams, DSPT status serves as a key indicator of supplier data security maturity and ongoing compliance capability.