NHS Data Security and Protection Toolkit compliance

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that all organisations handling NHS patient data must complete annually. It demonstrates you meet the data security standards required to access NHS systems and patient information.

If you supply services to the NHS, provide healthcare that accesses NHS patient records, or process NHS data in any capacity, you almost certainly need to complete the DSPT. Failure to achieve "Standards Met" status can result in losing access to NHS systems and being excluded from NHS contracts.

Who must complete the DSPT

The DSPT is mandatory for:

NHS organisations - Trusts, foundation trusts, Integrated Care Boards (ICBs), commissioning support units
Primary care providers - GP practices, dental practices, pharmacies, opticians
Social care providers - Care homes and domiciliary care providers accessing NHS patient data
NHS suppliers - Any organisation with access to NHS patient data or systems under contract
Local authorities - Those with access to NHS data for social care purposes

If you are bidding for NHS contracts or need to connect to NHS systems such as the Summary Care Record, NHS Spine, or NHSmail, you will be required to demonstrate DSPT compliance.

NHS Data Security and Protection Toolkit (DSPT) requirements

Mandatory annual self-assessment for NHS organisations and partners, including Version 7 updates adopting NCSC Cyber Assessment Framework and NIS Regulations compliance.

The Data Security and Protection Toolkit (DSPT) is NHS England's online self-assessment tool covering data security and protection requirements, including NIS Regulations compliance. It is mandatory for all NHS organisations and partner organisations with access to NHS patient data.

Version 7 (September 2024) represents a major update adopting the NCSC Cyber Assessment Framework (CAF) as its foundation, with more rigorous cyber security requirements aligned with national standards.

Who must complete DSPT: All NHS organisations and partner organisations handling NHS patient data (e.g., GPs, pharmacies, social care providers)
Submission frequency: Annual submission required
Current version: Version 7 (September 2024)
Major Version 7 change: Adoption of NCSC Cyber Assessment Framework (CAF) as foundation
Version 7 enhanced focus areas: Network security, access control, vulnerability management, incident management
DSPT scope: Broad information governance + cyber security + NIS Regulations compliance (single assessment)
How to complete: Online toolkit at dsptoolkit.nhs.uk with evidence upload and senior management sign-off
Assurance levels: Standards Met or Standards Not Met (requires improvement plan)
Consequences of not meeting standards: May lose access to NHS systems, contractual breach for suppliers, reputational damage, may affect commissioning decisions
Relationship to Cyber Essentials: Not universally mandatory for NHS but increasingly required, some contracts specify it, NHS Digital recommends it
NIS Regulations coverage (healthcare): NHS trusts, foundation trusts, Integrated Care Boards (ICBs), certain independent providers
NIS incident reporting (healthcare OES): Report to NHS England within 72 hours for incidents with adverse effect on security or significant impact on continuity
NIS enforcement powers (healthcare): Secretary of State for Health & Social Care can issue enforcement notice or penalty notice up to £17 million
Geographic variations (NIS OES): Scotland: NHS Scotland health boards; Wales: Local Health Boards; NI: Health and Social Care Trusts

Understanding Version 7 changes

Version 7 of the DSPT, introduced in September 2024, represents a significant update. The key change is alignment with the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), which means more rigorous cyber security requirements.

The main areas of enhanced focus in Version 7 are:

Network security - Stronger requirements for network segmentation, monitoring, and boundary protection
Access control - Enhanced requirements for multi-factor authentication (MFA) and privileged access management
Vulnerability management - More rigorous patch management and vulnerability scanning expectations
Incident management - Detailed incident response planning and testing requirements

If you previously achieved Standards Met under Version 6, you should not assume automatic compliance with Version 7. Review your existing controls against the new requirements carefully.

Completing the DSPT: step-by-step process

Step 1: Register and access the toolkit

Access the DSPT at dsptoolkit.nhs.uk. You will need an NHS mail account or approved email domain to register. If you do not have access, contact your NHS commissioning organisation who can arrange access for suppliers.

Step 2: Select your organisation type

The DSPT presents different question sets depending on your organisation type. Categories include:

NHS trusts and foundation trusts
GP practices
Pharmacies
Social care providers
IT suppliers
Non-IT suppliers with data access

Selecting the correct category is important as it determines which mandatory assertions you must meet. Smaller organisations and suppliers typically have fewer mandatory requirements than NHS trusts.

Step 3: Complete mandatory assertions

The toolkit contains a series of assertions about your data security practices. For each assertion, you must:

Confirm whether you meet the requirement
Upload evidence demonstrating compliance
Provide explanatory notes where required

Evidence can include policies, procedures, training records, technical configurations, audit reports, and screenshots. The more comprehensive your evidence, the stronger your submission.

Step 4: Address the 10 National Data Guardian standards

The DSPT is structured around the 10 National Data Guardian (NDG) data security standards:

Personal confidentiality: All staff ensure that personal confidential data is handled, stored and transmitted securely
Staff responsibilities: All staff understand their responsibilities under the National Data Guardian data security standards
Training: All staff complete appropriate annual data security training
Managing data access: Personal confidential data is only accessible to staff who need it
Process reviews: Processes are reviewed at least annually to identify and improve processes which have caused breaches
Responding to incidents: Cyber attacks are identified, resisted and action is taken to learn from them
Continuity planning: A continuity plan is in place to respond to threats to data security
Unsupported systems: No unsupported operating systems, software or internet browsers are used
IT protection: A strategy is in place for protecting IT systems from cyber threats
Accountable suppliers: IT suppliers are held accountable via contracts for data protection

Each standard has multiple mandatory and non-mandatory assertions. You must meet all mandatory assertions to achieve Standards Met.

Step 5: Senior management sign-off

Before submission, the DSPT requires sign-off from a senior responsible officer. This is typically:

For NHS organisations: the Senior Information Risk Owner (SIRO) or Caldicott Guardian
For suppliers: a director or senior manager with accountability for data protection

The sign-off confirms that the organisation has completed an honest assessment and that appropriate governance is in place. This is not a mere formality - the signatory is personally accountable for the accuracy of the submission.

Step 6: Submit by the deadline

The DSPT operates on an annual cycle. The standard submission deadline is 30 June each year, though this may vary. Check the current year deadlines on the DSPT portal.

Organisations that miss the deadline or fail to achieve Standards Met are published on the non-compliant list, which is visible to NHS commissioners and can affect contract awards.

Achieving "Standards Met" status

After submission, your DSPT is assessed against the mandatory requirements. Possible outcomes are:

Standards Met: You have demonstrated compliance with all mandatory assertions
Standards Not Met: One or more mandatory assertions are not satisfactorily evidenced
Standards Not Met (Improvement Plan): You have gaps but have submitted an improvement plan to address them
Not Published: Assessment not yet submitted or awaiting review

If you receive Standards Not Met, you must submit an improvement plan setting out how and when you will address the gaps. Some NHS commissioners will accept an improvement plan as evidence you are working towards compliance, but others require full Standards Met status.

Tip: Do not wait until the deadline to discover gaps. Complete a baseline assessment early in the year, identify areas needing improvement, and implement changes throughout the year.

Cyber Essentials certification levels and costs

Two certification levels (basic and Plus), costs, validity period, and what's included in each level.

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect against common online threats. It protects against approximately 80% of common cyber security threats and is administered by the National Cyber Security Centre (NCSC).

Over 215,000 certificates have been awarded, with 49,248 issued in the past 12 months. Organisations implementing the controls see a 92% reduction in insurance claims.

Basic Cyber Essentials cost: £300-£600 + VAT (tiered by organisation size)
Micro businesses (0-9 employees): £320 + VAT
Average cost (basic): £500 + VAT
Cyber Essentials Plus cost: £999-£3,000 + VAT
Typical range (Plus): £1,500-£3,000 + VAT
Certificate validity: 12 months (annual renewal required)
Basic level process: Self-assessment questionnaire reviewed by Certification Body (1-3 business days)
Plus level process: First obtain basic certification, then technical audit with authenticated vulnerability scanning
Plus includes: Authenticated vulnerability scanning, configuration checks, validation of all five controls
Effective date of 2025 updates: 28 April 2025 (Willow Question Set)
Accreditation body: IASME (sole accreditation body since April 2020)
Number of Certification Bodies: Over 350 across UK and Crown Dependencies
Government contract requirement: Mandatory for suppliers bidding on certain public sector contracts involving personal data or ICT services

Relationship between DSPT and Cyber Essentials

While Cyber Essentials certification is not universally mandatory for NHS suppliers, it is increasingly required and strongly recommended. Many NHS contracts now specify Cyber Essentials Plus as a procurement requirement.

There is significant overlap between DSPT and Cyber Essentials requirements. Both address:

Access control and authentication
Patch management and software updates
Malware protection
Firewall configuration

If you hold Cyber Essentials certification, you can use this as evidence for relevant DSPT assertions. However, the DSPT covers broader information governance requirements that Cyber Essentials does not address, so certification alone is not sufficient for DSPT compliance.

Consequences of non-compliance

Failing to achieve DSPT Standards Met status can have serious consequences:

Loss of NHS system access: Your access to NHS Spine services, NHSmail, and other NHS systems may be suspended
Contract termination: NHS organisations may terminate or not renew contracts with non-compliant suppliers
Procurement exclusion: You may be excluded from bidding for new NHS contracts
Reputational damage: Non-compliant organisations are published, visible to commissioners and the public
NIS Regulations enforcement: For designated Operators of Essential Services (OES), enforcement action up to £17 million fines

NHS trusts and other organisations designated as Operators of Essential Services under the NIS Regulations face additional regulatory scrutiny. Significant incidents must be reported to NHS England within 72 hours, and non-compliance can result in substantial penalties.

Getting help with the DSPT

If you need assistance, contact the DSPT helpdesk via the portal for technical issues. NHS Digital publishes detailed guidance documents for each organisation type. Your NHS commissioning organisation can often provide sector-specific advice, and you may wish to engage information governance specialists if you have complex requirements.

Business Context Testing

Content Graph

Guvnor

NHS Data Security and Protection Toolkit compliance

Who must complete the DSPT

Understanding Version 7 changes

Completing the DSPT: step-by-step process

Step 1: Register and access the toolkit

Step 2: Select your organisation type

Step 3: Complete mandatory assertions

Step 4: Address the 10 National Data Guardian standards

Step 5: Senior management sign-off

Step 6: Submit by the deadline

Achieving "Standards Met" status

Relationship between DSPT and Cyber Essentials

Consequences of non-compliance

Getting help with the DSPT

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

Who must complete the DSPT

Understanding Version 7 changes

Completing the DSPT: step-by-step process

Step 1: Register and access the toolkit

Step 2: Select your organisation type

Step 3: Complete mandatory assertions

Step 4: Address the 10 National Data Guardian standards

Step 5: Senior management sign-off

Step 6: Submit by the deadline

Achieving "Standards Met" status

Relationship between DSPT and Cyber Essentials

Consequences of non-compliance

Getting help with the DSPT

Related guides in Data Protection

Business Context Testing

Content Graph