UK GDPR does not expect organisations to eliminate all risk. It expects them to understand where risk exists, manage it proportionately, and respond appropriately when incidents occur.
Organisations working with the NHS are often told they need to pass the NHS Data Security and Protection Toolkit (DSPT) audit before they can access systems, on-board with a trust, or win a contract. In reality, the word “audit” is often used loosely rather than as a strict technical description.
In practice – and certainly for most JVR Consultancy clients – DSPT is primarily a self-assessment framework. Whether a formal external audit is required depends on the organisation’s tier within the DSPT framework, which reflects its size and role within the NHS supply chain.
The DSPT in brief
The NHS Data Security and Protection Toolkit is an annual self-assessment framework developed by NHS England. Organisations that access NHS data or systems must use it to demonstrate how they meet the National Data Guardian’s 10 Data Security Standards. Completion of the toolkit is usually required as part of NHS supplier assurance and onboarding processes. The toolkit must be completed and submitted every year, in a similar way to frameworks such as Cyber Essentials.
Where formal audits come in
DSPT applies to a wide range of organisations, so they are grouped into four tiers depending on their size and role within the healthcare system.
- Tier 1 – NHS trusts and major healthcare organisations
- Tier 2 – Large suppliers, including major IT providers
- Tier 3 – Smaller digital service providers and suppliers
- Tier 4 – Organisations such as GP practices
Only Tier 1 and Tier 2 organisations are subject to formal, independent and external audits as part of their DSPT assurance.
However, most smaller organisations fall into Tier 3 or Tier 4, meaning that DSPT is currently completed through self-assessment supported by evidence.
What does an internal readiness review look like?
Tier 3 and Tier 4 organisations undergo an internal readiness review before completing their DSPT submission. The purpose of the review is to check whether the organisation can evidence compliance, rather than simply asserting it.
A DSPT readiness review typically asks questions such as:
- Do we meet each requirement in practice?
- Do we have documentation to support this?
- Is our evidence current, accurate and consistent?
- Would this stand up to scrutiny from an NHS client?
This type of review is particularly valuable for organisations completing DSPT for the first time, or renewing after changes to systems, suppliers or staffing.
What a DSPT readiness review typically covers
Although the exact evidence required evolves slightly each year, DSPT submissions usually require organisations to demonstrate consistent governance and security practices across several core areas:
Governance and accountability
Confirming that responsibility for data protection and information security is clearly defined, that appropriate policies exist, and that they reflect how the organisation actually operates.
Staff responsibilities and training
Reviewing employment contracts, confidentiality clauses and records demonstrating that staff complete regular data security awareness training.
Data protection fundamentals
Checking ICO registration, privacy notices and records of processing activities to ensure personal and confidential data is properly documented.
Access controls and system security
Assessing how access to systems and data is granted, restricted and reviewed, including authentication methods and least-privilege controls.
Incident management
Ensuring there is a documented process for identifying, reporting and managing data security incidents, including escalation and notification procedures.
Business continuity and resilience
Reviewing plans to maintain services and protect data during disruption, including cyber incidents or infrastructure failures.
Asset and system management
Confirming that systems are supported, patched and maintained, and that hardware and software assets are recorded — an area that has received increased emphasis as cyber security risks have grown.
Supplier assurance
Checking that third-party suppliers with access to NHS or personal data are subject to appropriate contractual security requirements and due diligence.
Common issues uncovered during DSPT reviews
Even organisations that believe they are broadly compliant often discover gaps during a readiness review.
Typical issues include:
- Policies that exist but are out of date or overly generic
- Training completed but not properly recorded
- Unclear ownership of incident response procedures
- Incomplete asset or system inventories
- Reliance on informal processes that are not documented
- Evidence that exists but cannot easily be produced during submission
These gaps do not necessarily indicate poor practice, but they need to be addressed before the toolkit is submitted.
How organisations prepare for DSPT submission
DSPT submissions must be made annually, and smaller organisations preparing their submission typically take one of three approaches.
Internal review
Using the DSPT questions as a checklist and gathering evidence internally. This can work well where there is in-house data protection or information security expertise.
Guided review
Using external guidance or templates to structure the process while retaining ownership of responses and evidence.
Independent readiness check
Asking a specialist to review documentation, highlight gaps and confirm that responses align with NHS expectations before submission.
For many smaller suppliers, the real task is gathering and validating the evidence required to support their responses, rather than completing the questions themselves, so it’s important to allow sufficient time. DSPT audits are far more effective when treated as part of ongoing governance, rather than a task rushed through close to the deadline.
DSPT as an annual governance discipline
Organisations must resubmit the toolkit each year, and the requirements evolve over time. In recent versions of DSPT, NHS England has increasingly aligned requirements with broader cyber security principles promoted by the National Cyber Security Centre (NCSC). The emphasis is gradually shifting from simple box-ticking towards demonstrating that organisations are achieving key security outcomes.
For suppliers providing digital services to the NHS, maintaining DSPT evidence therefore becomes an ongoing governance discipline rather than a periodic compliance task.
This direction of travel is closely aligned with the National Cyber Security Centre’s Cyber Assessment Framework (CAF), which is structured around four key objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents.
Within the NHS context, a fifth objective is effectively overlaid: ensuring comprehensive information governance across health and care. Together, these objectives provide a clear indication of how DSPT expectations are evolving, with increasing emphasis on demonstrable security outcomes rather than purely documented controls.
Equivalent frameworks in other parts of the UK
Organisations working with the Welsh NHS may encounter a similar framework known as the Information Governance Toolkit. The underlying principles, tiers and expectations broadly align with DSPT. This means organisations providing services across England and Wales often need to prepare similar types of evidence for both frameworks.
In summary
Many organisations do not undergo a formal DSPT audit. For Tier 3 and Tier 4 suppliers, it is currently an evidence-based self-assessment, demonstrating that appropriate data security and governance practices are in place.
A structured readiness review before submission helps ensure that evidence is complete, accurate and defensible, reducing the risk of delays or requests for additional information from NHS clients. For organisations providing digital services into healthcare, from software platforms to specialist suppliers, understanding how DSPT works in practice is an important step toward maintaining access, credibility and trust within the NHS ecosystem.
Looking for DSPT support?
If you would like assistance with your DSPT compliance, learn about JVR’s DSPT compliance service and the structured approach we use to help organisations prepare, submit and maintain their DSPT status.
GDPR gap analysis: understanding where risk really sits
Many organisations believe they are broadly compliant with UK GDPR, yet still feel exposed when client scrutiny, audits or incidents arise. In most cases, the issue is not a lack of intent, but a lack of clarity about how personal data is actually handled day to day.
A practical guide to UK GDPR today
UK GDPR remains one of the most widely discussed and least consistently applied areas of business regulation. While most organisations recognise its importance, many still struggle to translate legal requirements into practical, day-to-day operation.