What is the NHS Data Security & Protection Toolkit (DSPT), and how do you remain compliant?

The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s ten data security standards. All organisations that process health data are expected to complete this toolkit to demonstrate their compliance.

This year, there have been some key changes to the DSPT, putting a greater emphasis on supporting a good information governance culture within organisations and highlighting the importance of training in ensuring data protection compliance. In this article, we’ll go over the key changes to the Data Security and Protection Toolkit for 2023/24 so that you can ensure your organisation’s submission covers everything it needs to.

The 10 data security standards


The DSPT is organised under the National Data Guardian’s 10 data security standards, which all health and care organisations are expected to implement for data security. These standards are:


  1. Personal confidential data:

    All staff must ensure that personal confidential data is handled, stored, and transmitted securely, whether in electronic or paper form.

  2. Staff responsibilities:

    All staff must understand their responsibilities under the National Data Guardian’s Data Security Standards.

  3. Staff training:

    All staff must have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness.

  4. Managing data access:

    Personal confidential data should only be accessible to staff who need it for their current role and access is removed as soon as it is no longer required.

  5. Process Reviews:

    Past security breaches and near misses must be recorded and used to inform periodic workshops to identify and manage problem processes.

  6. Responding to incidents:

    Cyber-attacks against services must be identified and resisted, and CareCERT security advice must be responded to.

  7. Continuity planning:

    A continuity plan must be in place to respond to threats to data security, including significant data breaches or near misses.

  8. Unsupported systems:

    No unsupported operating systems software or internet browsers should be used within the IT estate.

  9. IT protection:

    A strategy must be in place for protecting IT systems from cyber threats.

  10. Accountable suppliers:

    IT suppliers must understand their obligations as data processors under the UK GDPR.


Further guidance on these security standards and useful resources can be found here.

Key changes to the DSPT


Staff training and awareness of data protection and cyber security


The latest version of the NHS DSPT has introduced significant changes surrounding staff training and awareness. Before the updated version, organisations had to train (at minimum) 95% of staff, but this has now been shifted. It’s now required for all staff to hold an “appropriate understanding of information governance and cyber security”.

The new and updated guidance provides that: 


  1. All employee contracts contain data security requirements.
  2. Training and awareness activities form part of organisational mandatory training requirements.
  3. Your organisation’s defined training and awareness activities are implemented for and followed by all staff.
  4. You must provide details of how you evaluate your training and awareness activities.


Organisations are expected to complete a Training Needs Analysis (TNA), to decide what “appropriate understanding” means for your employees and organisation. Please reach out to info@dataprivacyadvisory.com for our template.

Information governance and cyber security culture


The guidance surrounding how organisations should promote a culture of information governance and cyber security has also been updated.

This includes:


  1. Ensuring information governance and cyber security matters are prioritised by the board, or equivalent senior leaders. 
  2. Actions are addressed openly and consistently in response to information governance and cyber security concerns.
  3. Information governance and cyber security programmes should be actively shared across organisations, ensuring there is adequate staff engagement and uptake.


Organisation types


The updated guidance also provides for IT suppliers as an organisation type. This is an organisation that is external to the NHS, but has a contract with an NHS or healthcare organisation to provide digital goods and services. In order to fall into this type, your company will need to meet all of the following criteria:


  1. You have 50+ staff.
  2. You have a turnover of £10m+.
  3. You supply digital goods and services to the NHS and/or care organisation(s).


For further details on this, please click here.

If your organisation falls within this category, you will be required to meet additional obligations under DSPT. For more information and support, please reach out to info@dataprivacyadvisory.com.

Key takeaways


The amendments to the NHS DSPT further highlight how essential it is for organisations to implement appropriate levels of training for all staff, with training being the foundation upon which an organisation’s data protection compliance is built.

It also further emphasises the importance of fostering a good data protection culture within organisations. Anyone involved with the handling or processing of personal data has an important role to play in an organisation’s data protection compliance. Employees should keep this fact at the front of their minds so that they understand their responsibilities and take them seriously.

Your organisation will need to review the current list of organisation types, to see where you fit under the DSPT obligations.


How can DPAS help with your DSPT submission?


At DPAS, we can support your organisation in ensuring you are sharing data both ethically and safely. We can aid you by auditing your organisation, helping you to meet the requirements set out in the UK GDPR, and those contained within the DSPT.

We provide a number of services that can support your organisation, ranging from the creation of Data Protection Impact Assessments (DPIAs), Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), contract drafting, and many more. We also offer various training programmes covering data protection and compliance.

If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or simply fill in a contact form, and we’ll get in touch with you.

Meeting the requirements set out in the GDPR and NHS DSPT can be a daunting task, so let us make it simple for you.

related posts

Get a Free Consultation