Data Security and Protection Toolkit: An Overview
The Data Security and Protection Toolkit, often referred to as DSPT, is an online self-assessment tool that allows organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care.
Who must complete the Data Security and Protection Toolkit?
Any organisation in England that has access to NHS systems or patient data must complete this assessment to confirm that they have adequate data protection practices and are handling personal data appropriately.
How often must the Data Security and Protection Toolkit be completed?
The Data Security and Protection Toolkit must be completed and published annually. The deadline for submission and publication is typically on the 30th June every year. This includes 2025.
Why does the Data Security and Protection Toolkit matter?
The DSPT is more than just an annual tick-box exercise. It’s a fundamental requirement for organisations to ensure their internal activities are keeping individuals’ personal health data secure and in line with regulatory requirements.
Below are just a few of the benefits of completing the DSPT:
- Greater regulatory compliance: The DSPT allows your organisation to demonstrate compliance with relevant data protection regulations, such as GDPR, the Data Protection Act 2018 and NHS data security standards.
- Improved data security practices: It encourages continuous improvement of processes and activities to remain in line with DSPT requirements.
- Identifying risks and points of weakness: Completing the DSPT can help identify gaps which could increase the likelihood of your organisation having a data breach or being hit by a cyber attack. For example, one requirement is for staff to undergo annual data security training. This can help staff identify attempted attacks on the business, like phishing attacks, which, if successful, could be devastating to an organisation.
- Demonstrate credibility and trust: Reassures service users, patients, and partners that your organisation takes data protection seriously.
What does the toolkit include?
The Data Security and Protection Toolkit is structured around a series of assertions, which are statements that organisations must confirm they meet to demonstrate compliance with the National Data Guardian’s 10 Data Security Standards.
These standards cover areas of good data protection and information governance practice, such as:
- Staff awareness and training
- Information security and system access
- Use of supported technology
- Data sharing and confidentiality
- Handling and reporting incidents
- Backup and business continuity planning
Organisations using the DSPT are asked to provide evidence for each assertion, either by uploading documents, describing their processes, or linking to relevant documents. This includes training records, policies, and details on procedures.
Working through these assertions can help organisations demonstrate that they are not only meeting NHS contractual requirements, but also have strong measures in place to keep the data they store and process secure.
What do the levels of compliance mean?
The DSPT assigns compliance status levels depending on how well an organisation meets the requirements:
- Standards Exceeded: The organisation meets all mandatory requirements and additional optional requirements, going beyond the minimum.
- Standards Met: The organisation meets all mandatory requirements.
- Approaching Standards Met: Most requirements are in place, but further action is needed.
- Not Published: The toolkit hasn’t yet been submitted or published.
For continued access to NHS data and systems, an organisation must reach Standards Met, with all mandatory requirements being achieved.
Advice for completing the Data Security and Protection Toolkit
Completing the DSPT can seem daunting, especially for smaller organisations. Fortunately, PRIVACY HELPER can provide comprehensive support that’s tailor-made to suit the needs of your organisation.
Completing the DSPT can be zero-fuss with support from PRIVACY HELPER. Our independent, expert guidance helps ensure your submission is accurate, complete, and aligned with current requirements, saving you time and reducing stress. We’ll also help you implement any necessary changes required as a result of this task, which will be designed to integrate with your existing operations.
Get in touch today and let us handle the heavy lifting, so you and your team can stay focused on running your services, knowing your data protection obligations are being met with confidence. Independent support also brings a fresh, objective perspective, helping identify potential gaps or risks that may otherwise be overlooked.