Empowering Your Business with a Comprehensive Data Security and Protection Toolkit

Any organisation that accesses, processes, stores, or shares NHS patient data must complete the Data Security and Protection Toolkit (DSPT). This includes those connecting to NHS systems such as NHSmail or the Summary Care Record.

It’s mainly organisations such as hospitals, GP surgeries, and other health and care providers delivering services on behalf of the NHS that are required to complete the DSPT to demonstrate they meet national data security and protection standards.

Additionally, third-party suppliers, such as IT providers or data processors, must also complete the DSPT if they handle NHS patient data or support services involving access to NHS systems.

The Data Security and Protection Toolkit must be completed and published annually. The deadline for submission is typically on the 30th June every year, including this year.

The time it takes to complete a DSPT submission can vary depending on the size of your organisation, how much documentation you already have in place, and whether you’ve completed the DSPT before. For organisations new to the process, it can take a few weeks to gather the necessary evidence and work through each section of the toolkit.

With Privacy Helper’s support, we aim to make the process as efficient and straightforward as possible. We’ll begin by assessing where you currently stand and then guide you through what’s needed to meet the required standards. If much of your documentation is already in place, the submission can often be completed in a matter of days.

Throughout the process, we’ll keep you informed with regular updates. You’ll know what stage we’re at, what’s left to complete, and where we might need your input. We aim to give you the confidence that this process is in the right hands, and part of that includes keeping you in the loop.

In cases where significant changes occur within your organisation, you may decide that your DSPT submission should be reviewed and updated to reflect that. While not mandatory outside of the annual submission, keeping the DSPT up-to-date can help demonstrate accountability and commitment to a high standard of data protection practices.

Privacy Helper can help you identify which parts need updating and guide you through any necessary revisions. Just like with your annual submission, we’ll keep you informed every step of the way.

The DSPT divides organisations into four categories, each with specific requirements based on their size and role within the healthcare system.

Category 1: Includes large organisations such as hospitals and integrated care boards. These organisations must meet the full set of DSPT requirements and provide comprehensive evidence of their data security and protection measures.

Category 2: Covers smaller organisations like GP surgeries, dental practices, and pharmacies. They follow a simplified version of the DSPT with fewer mandatory evidence items, making compliance more manageable, while still maintaining a high-level of data protection standards.

Category 3: Consists of social care providers, including care homes and domiciliary care agencies. Many of DSPT requirements for this focuses on building data security appropriate to the adult social care sector.

Category 4: Refers to commercial third parties such as IT suppliers and data processors. These organisations must demonstrate they meet high standards of information security to ensure the protection of NHS patient data and compliance with contractual obligations.

Privacy Helper will tailor our approach to the DSPT based on the specific needs and category of your organisation. This means you can be confident that you are provided with the right level of support and guidance throughout your compliance journey.