What is the NHS Data Security and Protection Toolkit (DSPT)?

The deadline for organisations to upload their submissions of the NHS Data Security and Protection Toolkit (DSPT) is fast approaching. With final submissions required to be uploaded no later than 30th June 2024, time is beginning to run out. It is crucial that every organisation required to submit completes the toolkit in time in order to demonstrate its compliance.

In this article, we’ll go over what the DSPT is, as well as some key changes to the toolkit for 2023/24 so that you can ensure your organisation’s submission covers everything it needs to.

What is the DSPT?

The NHS Data Security and Protection Toolkit – or DSPT – is an online self-assessment tool that allows organisations to demonstrate that their handling of personal data is safe and appropriate. All organisations with “access to NHS patient data or systems” are expected to complete this toolkit to demonstrate their compliance. This is vital, as it gives them the opportunity to provide reassurance that they can be trusted with the personal information of their patients.

This toolkit allows these organisations to measure their performance against the National Data Guardian’s 10 data security standards, under which the DSPT is organised.

The 10 data security standards

The DSPT is built around these 10 standards set out by the National Data Guardian, which organisations have to ensure they adhere to:

1 – Personal confidential data
2 – Staff responsibilities
3 – Staff training
4 – Managing data access
5 – Process reviews
6 – Responding to incidents
7 – Continuity planning
8 – Unsupported systems
9 – IT protection
10 – Accountable suppliers


The latest changes to the DSPT

It’s paramount that organisations are aware of and understand the changes made in this year’s toolkit. That way, they can be certain that their submission adheres to the requirements and guidelines as they now stand.

These changes put a greater emphasis on supporting a good information governance culture within organisations and highlighting the importance of training in ensuring data protection compliance.

But what specifically are these changes?

Staff training and awareness of data protection and cyber security

The latest version of the NHS DSPT has introduced significant changes surrounding staff training and awareness. Before the updated version was introduced, organisations were expected to train (at minimum) 95% of staff, but this threshold has now been replaced. All staff are now required to hold an “appropriate understanding of information governance and cyber security”.

The new and updated guidance provides that:

  1. All employee contracts contain data security requirements.
  2. Training and awareness activities form part of organisational mandatory training requirements.
  3. Your organisation’s defined training and awareness activities are implemented for and followed by all staff.
  4. Details are provided of how you evaluate your training and awareness activities.

Since the phrase “appropriate understanding” is vague and subjective, organisations are expected to complete a Training Needs Analysis (TNA). This is to help them decide what that term precisely means for them and their employees.

For support in this area, reach out to info@dataprivacyadvisory.com for our TNA template.

Information governance and cyber security culture

Also receiving a shiny, new update is the guidance surrounding how organisations should promote a culture of information governance and cyber security.

This includes:

  1. Information governance and cyber security matters are prioritised by the board, or equivalent senior leaders.
  2. Concerns about information governance and cyber security are addressed openly and consistently.

Information governance and cyber security programmes should be actively shared across organisations, ensuring there is adequate staff engagement and uptake.

Organisation types

The updated guidance also provides for IT suppliers as an organisation type. This is an organisation that is external to the NHS, but has a contract with an NHS or healthcare organisation to provide digital goods and services.

In order to fall into this type, your company will need to meet all of the following criteria:

  1. You have 50+ staff.
  2. You have a turnover of £10 million or higher.
  3. You supply digital goods and services to the NHS and/or care organisation(s).


If your organisation falls within this category, you will be required to meet additional obligations under DSPT. For more information and support, please reach out to info@dataprivacyadvisory.com.

Understanding the DSPT changes

These amendments to the DSPT further highlight how essential it is for organisations to implement appropriate levels of training for all staff, training being the foundation upon which an organisation’s data protection compliance is built.

It also further emphasises the importance of fostering a positive data protection culture within an organisation. Anyone involved with the handling or processing of personal data has an important role to play in data protection compliance. After all, patients whose data is being handled deserve to be assured that their privacy is being respected and prioritised.

How can DPAS help with your DSPT submission?

At DPAS, we can support your organisation in ensuring you are sharing data both ethically and safely. We can aid you by auditing your organisation, helping you to meet the requirements set out in the UK GDPR, and those contained within the DSPT.

We provide a number of services that can support your organisation, ranging from the creation of Data Protection Impact Assessments (DPIAs), Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), contract drafting, and many more. We also offer various training programmes covering data protection and compliance.

If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or simply fill in a contact form, and we’ll get in touch. Meeting the requirements set out in the GDPR and NHS DSPT can be a daunting task, so let us make it simple for you.
