NHS Data Security and Protection Toolkit compliance

How to complete the NHS Data Security and Protection Toolkit (DSPT) annual self-assessment if you handle NHS patient data. Covers the two assessment tracks (CAF-aligned and standards-based), evidence gathering, submission process, and achieving Standards Met status.

UK-wide
Guide summary

Complete the NHS Data Security and Protection Toolkit (DSPT) annually if you handle NHS patient data. You must show you meet security standards to keep access to NHS systems. Version 7 has stricter rules from September 2024.

  • Complete the DSPT online at dsptoolkit.nhs.uk
  • Submit evidence annually by the deadline
  • Meet Version 7 requirements from September 2024
  • Use the NCSC Cyber Assessment Framework (CAF)
  • Focus on network security and access control
  • Report NIS incidents within 72 hours
  • Achieve 'Standards Met' status to avoid penalties
  • Lose NHS access if standards are not met
  • Check if Cyber Essentials is required for your contract
  • Keep records of policies and training
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that all organisations handling NHS patient data must complete annually. It demonstrates you meet the data security standards required to access NHS systems and patient information.

If you supply services to the NHS, provide healthcare that accesses NHS patient records, or process NHS data in any capacity, you almost certainly need to complete the DSPT. Failure to achieve "Standards Met" status can result in losing access to NHS systems and being excluded from NHS contracts.

Who must complete the DSPT

The DSPT is mandatory for:

  • NHS organisations - Trusts, foundation trusts, Integrated Care Boards (ICBs), commissioning support units
  • Primary care providers - GP practices, dental practices, pharmacies, opticians
  • Social care providers - Care homes and domiciliary care providers accessing NHS patient data
  • NHS suppliers - Any organisation with access to NHS patient data or systems under contract
  • Local authorities - Those with access to NHS data for social care purposes

If you are bidding for NHS contracts or need to connect to NHS systems such as the Summary Care Record, NHS Spine, or NHSmail, you will be required to demonstrate DSPT compliance.

Two assessment tracks: CAF-aligned and standards-based

The DSPT now runs on two tracks, and which one you follow depends on your organisation type. The 2025-26 toolkit is version 8, aligned with version 3.4 of the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF).

  • CAF-aligned track - NHS trusts and foundation trusts, arm's-length bodies, commissioning support units, integrated care boards, and organisations designated as operators of essential services complete a CAF-aligned assessment, recording Achieved, Partially Achieved or Not Achieved against each CAF outcome
  • Standards-based track - GP practices, dental practices, pharmacies, opticians, social care providers, suppliers and local authorities continue to self-assess against the 10 National Data Guardian data security standards

The CAF-aligned track brings more rigorous cyber security expectations, including:

  • Network security - Stronger requirements for network segmentation, monitoring, and boundary protection
  • Access control - Enhanced requirements for multi-factor authentication (MFA) and privileged access management
  • Vulnerability management - More rigorous patch management and vulnerability scanning expectations
  • Incident management - Detailed incident response planning and testing requirements

If you previously achieved Standards Met under an earlier version, you should not assume automatic compliance with the current toolkit. Review your existing controls against the current year's requirements carefully.

Completing the DSPT: step-by-step process

Step 1: Register and access the toolkit

Access the DSPT at dsptoolkit.nhs.uk and register for an account. If you have difficulty registering, contact the DSPT helpdesk or your NHS commissioning organisation, who can arrange access for suppliers.

Step 2: Select your organisation type

The DSPT presents different question sets depending on your organisation type. Categories include:

  • NHS trusts and foundation trusts
  • GP practices
  • Pharmacies
  • Social care providers
  • IT suppliers
  • Non-IT suppliers with data access

Selecting the correct category is important because it determines which assessment track you follow (CAF-aligned or standards-based) and which mandatory assertions you must meet. Smaller organisations and suppliers typically have fewer mandatory requirements than NHS trusts.

Step 3: Complete mandatory assertions

The toolkit contains a series of assertions about your data security practices. For each assertion, you must:

  • Confirm whether you meet the requirement
  • Upload evidence demonstrating compliance
  • Provide explanatory notes where required

Evidence can include policies, procedures, training records, technical configurations, audit reports, and screenshots. The more comprehensive your evidence, the stronger your submission.

Step 4: Address the 10 National Data Guardian standards (standards-based track)

For organisations on the standards-based track, the DSPT is structured around the 10 National Data Guardian (NDG) data security standards. (Organisations on the CAF-aligned track are assessed against the CAF objectives and outcomes instead.)

  1. Personal confidentiality: All staff ensure that personal confidential data is handled, stored and transmitted securely
  2. Staff responsibilities: All staff understand their responsibilities under the National Data Guardian data security standards
  3. Training: All staff complete appropriate annual data security training
  4. Managing data access: Personal confidential data is only accessible to staff who need it
  5. Process reviews: Processes are reviewed at least annually to identify and improve processes which have caused breaches
  6. Responding to incidents: Cyber attacks are identified, resisted and action is taken to learn from them
  7. Continuity planning: A continuity plan is in place to respond to threats to data security
  8. Unsupported systems: No unsupported operating systems, software or internet browsers are used
  9. IT protection: A strategy is in place for protecting IT systems from cyber threats
  10. Accountable suppliers: IT suppliers are held accountable via contracts for data protection

Each standard has multiple mandatory and non-mandatory assertions. You must meet all mandatory assertions to achieve Standards Met.

Step 5: Senior management sign-off

Before submission, the DSPT requires board-level sign-off from a senior responsible officer. This is typically:

  • For NHS organisations: the Senior Information Risk Owner (SIRO), with the Caldicott Guardian expected to be involved in the assessment
  • For suppliers: a director or senior manager with accountability for data protection

The sign-off confirms that the organisation has completed an honest assessment and that appropriate governance is in place. This is not a mere formality - the signatory is personally accountable for the accuracy of the submission.

Step 6: Submit by the deadline

The DSPT operates on an annual cycle. The standard submission deadline is 30 June each year, though this may vary. Check the current year's deadlines on the DSPT portal.

Organisations that miss the deadline or fail to achieve Standards Met are published on the non-compliant list, which is visible to NHS commissioners and can affect contract awards.

Achieving "Standards Met" status

After submission, your DSPT is assessed against the mandatory requirements. On the standards-based track, the possible statuses are:

  • Standards Met: You have demonstrated compliance with all mandatory assertions
  • Standards Exceeded: You have met all mandatory assertions and demonstrated additional good practice
  • Approaching Standards: You have gaps but have submitted an improvement plan to address them
  • Standards Not Met: One or more mandatory assertions are not satisfactorily evidenced
  • Not Published: Assessment not yet submitted or awaiting review

Organisations on the CAF-aligned track instead record Achieved, Partially Achieved or Not Achieved against each CAF outcome.

If you receive Standards Not Met, you must submit an improvement plan setting out how and when you will address the gaps. Some NHS commissioners will accept an improvement plan as evidence you are working towards compliance, but others require full Standards Met status.

Tip: Do not wait until the deadline to discover gaps. Complete a baseline assessment early in the year, identify areas needing improvement, and implement changes throughout the year.

Relationship between DSPT and Cyber Essentials

While Cyber Essentials certification is not universally mandatory for NHS suppliers, it is increasingly required and strongly recommended. Many NHS contracts now specify Cyber Essentials Plus as a procurement requirement.

There is significant overlap between DSPT and Cyber Essentials requirements. Both address:

  • Access control and authentication
  • Patch management and software updates
  • Malware protection
  • Firewall configuration

If you hold Cyber Essentials certification, you can use this as evidence for relevant DSPT assertions. However, the DSPT covers broader information governance requirements that Cyber Essentials does not address, so certification alone is not sufficient for DSPT compliance.

Consequences of non-compliance

Failing to achieve DSPT Standards Met status can have serious consequences:

  • Loss of NHS system access: Your access to NHS Spine services, NHSmail, and other NHS systems may be suspended
  • Contract termination: NHS organisations may terminate or not renew contracts with non-compliant suppliers
  • Procurement exclusion: You may be excluded from bidding for new NHS contracts
  • Reputational damage: Non-compliant organisations are published, visible to commissioners and the public
  • NIS Regulations enforcement: For designated Operators of Essential Services (OES), enforcement action including fines of up to £17 million

NHS trusts and other organisations designated as Operators of Essential Services under the NIS Regulations face additional regulatory scrutiny. The competent authority for the health sector in England is the Secretary of State for Health and Social Care (the Department of Health and Social Care), with functions exercised through NHS England. Significant incidents must be reported within 72 hours, and non-compliance can result in substantial penalties.

Getting help with the DSPT

If you need assistance, contact the DSPT helpdesk via the portal for technical issues. NHS England publishes detailed guidance documents for each organisation type. Your NHS commissioning organisation can often provide sector-specific advice, and you may wish to engage information governance specialists if you have complex requirements.