What is the NHS Data Security and Protection Toolkit (DSPT)?

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is a mandatory annual online self-assessment developed by NHS England.

Its purpose is to ensure that organisations which access NHS data or systems can demonstrate that they meet the National Data Guardian’s 10 Data Security Standards, alongside wider UK data protection and cybersecurity expectations.

DSPT is not a certification in the traditional sense. Rather, it is a structured assurance mechanism that requires organisations to:

• Assess their data protection and security arrangements
• Provide written responses to specific evidence questions
• Upload or reference supporting documentation
• Publish an annual compliance status

That published status is visible to NHS organisations and is routinely checked during procurement and onboarding.

Who needs to complete the DSPT?

DSPT doesn’t only apply to NHS trusts and large healthcare bodies.

You are likely required to complete the DSPT if your organisation:

• Sells IT or digital services into the NHS
• Supports, integrates with or maintains NHS systems
• Accesses NHS platforms such as NHSmail
• Processes personal, confidential or health data under an NHS contract

This includes many small IT service providers, software suppliers, managed service providers and digital consultancies.

In practical terms, DSPT is a prerequisite for working with the NHS.

DSPT categories explained

The DSPT groups organisations into categories based on their size, risk profile and role. These categories determine the level of assessment required.

For small IT suppliers, the key distinction is between:

• Organisations that meet both the threshold of 50+ staff and £10m+ turnover and…
• Those that do not

Most small suppliers fall into the latter group and should register under the “Other” organisation type, which places them into Category 3.

What does Category 3 mean?

Category 3 is designed to be proportionate for smaller organisations. It:

• Aligns directly to the National Data Guardian’s 10 Data Security Standards
• Requires around 40+ mandatory evidence items
• Does not require an independent audit

While less onerous than higher categories, Category 3 still requires careful preparation and documented evidence.

What does the DSPT actually assess?

DSPT focuses on how organisations manage data across people, process and technology.

For Category 3 organisations, this typically includes evidence covering:

• Data protection policies and privacy information
• Staff responsibilities and annual data security training
• Access controls and user management
• Incident and breach response arrangements
• Business continuity and resilience planning
• Use of supported, patched systems
• Technical security controls such as encryption and MFA
• Supplier and third-party assurance
• Digital asset management, including a digital asset register

These are not tick-box declarations. Each requirement must be supported by documentation or clear written explanation showing how the standard is met in practice.

What’s changed in recent DSPT versions?

DSPT is updated annually to reflect evolving risks and NHS expectations.

For the 2025/26 assessment year, Version 8 introduced additional emphasis on:

• Understanding and documenting digital assets
• Evidencing technical controls more clearly
• Demonstrating that policies reflect real operational practice

This means that organisations cannot simply reuse previous submissions without review. Evidence must be refreshed each year to remain accurate.

Why DSPT matters beyond compliance

While DSPT is a compliance requirement, its impact is primarily commercial.

A valid, published DSPT status:

• Enables participation in NHS procurement
• Supports access to NHS systems and services
• Reassures NHS clients that data security is taken seriously

Conversely, an absent or lapsed submission can:

• Exclude organisations from tenders
• Delay onboarding
• Place existing contracts at risk

DSPT results are publicly visible, so non-compliance is not hidden.

What about NHS Wales?

Organisations selling into NHS Wales should be aware that Wales operates a separate assurance framework: the Welsh Information Governance Toolkit.

Although it serves a similar purpose to DSPT and overlaps in many evidence areas, it:

• Uses a different platform
• Has a different question structure
• Requires a separate submission

Organisations operating across England and Wales may need to complete both assessments.

Getting DSPT right in practice

For small IT service providers, DSPT is often underestimated. Category 3 is proportionate, but it still requires:

• Clear understanding of the requirements
• Accurate documentation
• Alignment between policies and real working practices
• Enough time before the annual deadline

Approaching DSPT as an ongoing governance process, rather than a last-minute exercise, makes compliance far more manageable.

Looking for DSPT support?

If you want to understand how DSPT compliance support works in practice, our DSP Toolkit compliance service page explains the structured approach we use to help organisations prepare, submit and maintain their DSPT status.