What is the NHS Data Security & Protection Toolkit (DSPT), and how do you remain compliant?

New year, new NHS Data Security and Protection Toolkit (DSPT) submission.

If your organisation works with NHS patient data or connects to NHS systems, the DSPT Toolkit is an annual requirement that cannot be ignored. For some organisations, the process has become more complex in recent years with the introduction of the Cyber Assessment Framework (CAF) and changes to DSPT categorisation.

You may be wondering whether you need to complete the NHS DSPT, which category you fall into, whether an audit is required, or how the CAF affects your submission. This guide provides you with all the DSPT support you need for 2026.

What is the Data Security and Protection Toolkit (DSPT)?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool provided by NHS England. It allows organisations to measure their performance against the National Data Guardian’s data security standards when handling NHS patient data.

The DSPT demonstrates that an organisation has appropriate controls in place for:

  • Data protection

  • Information governance

  • Cyber security

It is a key assurance mechanism used across health and social care.

DSPT, DSP Toolkit, Information Governance Toolkit – what’s the difference?

You may hear the DSPT referred to as:

  • DSP Toolkit

  • DSPT Toolkit

  • NHS Data Protection Toolkit

  • Information Governance Toolkit

In reality, these all refer to the same thing – the NHS Data Security and Protection Toolkit.

The confusion is understandable. The “T” already stands for Toolkit, but just as people commonly say “PAT testing” (Portable Appliance Testing), “DSPT Toolkit” has become part of our everyday language.


Who needs to complete the NHS DSPT?

If your organisation:

  • Has access to NHS patient data, or

  • Has access to NHS systems

…then you are required to complete the NHS DSPT.

This applies to NHS organisations, suppliers, social care providers, charities, and many private sector organisations working with the NHS.

What are the National Data Guardian’s 10 data security standards?

The DSPT is organised under the National Data Guardian’s 10 data security standards, which all health and care organisations are expected to implement for data security. These standards are:

  1. Personal confidential data:

    All staff must ensure that personal confidential data is handled, stored, and transmitted securely, whether in electronic or paper form.

  2. Staff responsibilities:

    All staff must understand their responsibilities under the National Data Guardian’s Data Security Standards.

  3. Staff training:

    All staff must have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness.

  4. Managing data access:

    Personal confidential data should only be accessible to staff who need it for their current role and access is removed as soon as it is no longer required.

  5. Process Reviews:

    Past security breaches and near misses must be recorded and used to inform periodic workshops to identify and manage problem processes.

  6. Responding to incidents:

    Cyber-attacks against services must be identified and resisted, and CareCERT security advice must be responded to.

  7. Continuity planning:

    A continuity plan must be in place to respond to threats to data security, including significant data breaches or near misses.

  8. Unsupported systems:

    No unsupported operating systems, software or internet browsers should be used within the IT estate.

  9. IT protection:

    A strategy must be in place for protecting IT systems from cyber threats.

  10. Accountable suppliers:

    IT suppliers must understand their obligations as data processors under the UK GDPR.

Further guidance on these security standards and useful resources can be found here.

How do I access the DSPT Toolkit?

You can register for an account or log in to the DSPT Toolkit here.

Once registered, your organisation will be assigned a DSPT category, which determines what evidence you must provide and whether an audit will apply.


How do you complete the DSPT Toolkit?

To complete the DSPT Toolkit, you must submit evidence against every item marked Mandatory.

Each mandatory evidence item:

  • Has an assigned owner

  • Requires supporting documentation or confirmation

  • Allows comments to support your self-assessment

NHS England provides helpful guidance alongside each requirement, outlining what is expected. Once all mandatory items are completed, your submission can be made ahead of the annual deadline.

The screenshot from our own Toolkit (not reproduced here) shows, for each evidence item, a link to assign an owner, a link to submit the evidence, and a ‘Mandatory’ label to the side.

Selecting the link for an evidence item, such as 3.4.1, opens a pop-up in which you can tick the evidence box and provide comments to support your self-assessment.

NHS England typically provides a helpful breakdown of what is being asked for alongside each item.

You essentially complete this for each mandatory step (and beyond if you so desire) and then you are ready to submit come June 30th.

DSPT categories explained

Why does my DSPT Toolkit look different to someone else’s?

The DSPT sorts organisations into different categories. They are helpfully referred to as Category 1, Category 2, Category 3 and Category 4. These categories are based on size, function, and risk profile, determining how many evidence items you must complete. Category 4 will have the fewest, then Category 3 and so on.

Generally, the sectors are as follows:

  • Category 1: NHS Trusts, CSU, Arm’s Length Body, Integrated Care Board (ICB), Genomics, OES Independent Provider

  • Category 2: IT Supplier

  • Category 3: Dentist, Local Authority, Optician, Pharmacy, Other (including Charities and NHS Business Partners), Social Care, University (including researcher/department/secondary use)

  • Category 4: GP

If you are unsure about which category you fall into you can contact NHS England to help assign your category.


Do I need a DSPT audit?

Audit requirements depend on your DSPT category:

  • Category 1 organisations must undergo a mandatory audit of their CAF-aligned DSPT

  • Category 2 organisations must undergo a mandatory DSPT audit

  • Category 3 and Category 4 organisations are not required to have their DSPT audited

Understanding whether an audit applies to you is essential, as DSPT audit preparation can be time-consuming.


Am I an IT Supplier (DSPT Category 2)?

Mis-categorising yourself here moves you from Category 3 to Category 2, so it is important to understand when you are an IT Supplier and when you fall under ‘Other’. Mis-categorisation is a common issue and can significantly increase your compliance requirements.

Under the DSPT, you are considered an IT Supplier if all three of the following apply:

  • You have 50 or more staff

  • Your turnover exceeds £10 million

  • You supply digital goods or services (software or hardware) to the NHS

If your organisation does not meet all three criteria, you should select Category 3 (Other).


When is the NHS DSPT deadline for 2026?

The DSPT submission deadline is 30 June 2026.

Late or incomplete submissions may impact:

  • NHS contract eligibility

  • System access

  • Supplier assurance status

What is the Cyber Assessment Framework (CAF)?

The CAF is a cyber security framework developed by the National Cyber Security Centre (NCSC).

Last year, NHS England introduced the CAF for Category 1 organisations. This year, some Category 2 organisations from previous years have been moved to Category 1 and are now submitting the CAF-aligned DSPT.


CAF version 3.4 and the CAF-aligned DSPT

For the 2026 submission, the CAF-aligned DSPT is aligned to CAF version 3.4.

It is designed to allow organisations to develop a long-term roadmap of yearly incremental improvement. It is not meant to be something that an organisation achieves completely in a single year.

The focus is on achieving outcomes rather than passing or failing the defined security controls of the standard DSPT.


Does the CAF apply to me?

At present, you are only required to submit the CAF-aligned DSPT if you are Category 1.

While NHS England has indicated that CAF requirements may expand in future years, Categories 2, 3, and 4 do not currently submit CAF-aligned Toolkits.

Can DPAS help with any of this?

If you need help with your DSPT Toolkit, NHS DSPT audit, or CAF-aligned submission, we can help you prepare with confidence.

At DPAS, we support organisations across all DSPT categories.

Our DSPT and CAF support includes:

  • DSPT audits for Category 2 organisations

  • CAF-aligned DSPT audits for Category 1 organisations

  • DSPT preparation, gap analysis, and remediation support

We provide a number of services that can support your organisation, ranging from the creation of Data Protection Impact Assessments (DPIAs), Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), contract drafting, and much more. We also offer various training programmes covering data protection and compliance.

If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384, send us an email at info@dataprivacyadvisory.com, or simply fill in a contact form, and we’ll get in touch with you.
