The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool used across health and social care in England. Organisations complete the DSPT to demonstrate that they manage and protect personal and confidential information properly. The toolkit sets out clear expectations and standards for data security and data protection. Meeting these standards is a requirement for NHS contracts and a way to comply with data protection law.
NHS Digital manages the toolkit. It applies to any organisation that accesses NHS patient data or systems, including hospitals, GP practices, pharmacies, care homes, and some third-party suppliers.
Why the DSPT Matters
Health and social care organisations handle large amounts of personal and sensitive information. This information might relate to a person’s health, social care needs, or family situation. Confidentiality, integrity, and availability of this information protect people’s privacy and safety. Damage, loss, or unlawful access to this data can have serious consequences for individuals and organisations.
The DSPT helps organisations:
- Show they meet legal and regulatory requirements
- Protect people’s rights and privacy
- Stay eligible for NHS contracts
- Reduce the risk of data breaches
Every organisation processing health and care information must complete the assessment once a year.
Areas Covered by the DSPT
The Toolkit helps organisations focus on ten data security standards. These standards reflect best practice set by the National Data Guardian (NDG). The ten standards break down into clear, practical steps.
The Ten Data Security Standards
The ten standards are:
- All staff understand their responsibility to handle information safely
- All staff complete annual data security training
- Leaders actively manage data security
- Policies and procedures are in place and up to date
- Information is accessible, accurate, and usable when required
- Unauthorised access is prevented
- Data is stored and disposed of securely
- IT systems are protected against cyber-attacks
- Incidents are reported and lessons are learned
- Data sharing follows legal and good practice guidelines
These standards help organisations build a culture of data protection and minimise risks.
How Does the DSPT Work?
The DSPT asks a series of questions about policies, procedures, training, IT security, physical security, and governance. Each question prompts an organisation to check its current practice against the standard. The questions are grouped into sections such as:
- Management and staff training
- Data protection and confidentiality
- Data quality and records management
- IT security and resilience
- Transparency and data sharing
The online tool provides guidance and resources for each section. By working through the questions, organisations identify strengths and areas for improvement.
Organisations submit their answers through the digital platform. They may need to upload documents to prove compliance, such as training records or policies.
Who Needs to Use the DSPT?
Anyone handling NHS patient data or using NHS digital systems must complete the DSPT. This includes:
- GP practices
- Hospitals and clinics
- Community care providers
- Pharmacies
- Dentists
- Opticians
- Residential and nursing homes
- Domiciliary care providers
- Voluntary and charitable organisations with access to NHS data
- Commercial suppliers working with the NHS
Each organisation must complete the Toolkit every year by a published deadline.
The Assessment Process
Each organisation appoints a responsible person, often a senior manager or data protection lead, to oversee the DSPT. They gather information and evidence from across the organisation to complete the assessment.
The assessment steps typically include:
- Registering for the Toolkit: Set up an online profile.
- Reviewing Requirements: Read through what is needed for your organisation type.
- Collecting Evidence: Gather relevant documentation, such as policies, training logs, and risk assessments.
- Answering Questions: Respond to questions honestly and fully.
- Uploading Evidence: Attach key documents when prompted.
- Reviewing Responses: Senior staff check the completed assessment.
- Submitting the Toolkit: Send the completed assessment for review.
The DSPT website saves progress so users can return to finish sections as needed.
Evidence and Documentation
You need to provide evidence that your organisation meets the standards. For each section, you may be asked for:
- Copies of data protection and IT security policies
- Records of staff training sessions and completion rates
- Incident reports showing how data breaches or near misses are managed
- Examples of risk assessments and actions taken
- Procedures for secure disposal of records and equipment
The level of evidence required varies, depending on the size and type of the organisation. Larger or more complex organisations, such as NHS trusts, must provide more detailed evidence.
Linking to Legal and Regulatory Obligations
The DSPT covers key legal duties in the UK, such as:
- Data Protection Act 2018
- General Data Protection Regulation (GDPR)
- NHS contractual requirements
- Confidentiality: NHS Code of Practice
- Care Quality Commission (CQC) standards
By completing the toolkit, organisations can demonstrate compliance and readiness for inspections or audits. The DSPT also helps organisations identify and address gaps before they become a problem.
Benefits for Health and Social Care
Completing the DSPT brings many benefits, such as:
Accountability and Transparency
Everyone knows their role in protecting data. Organisations can demonstrate to service users, staff, and partners that they take confidentiality seriously.
Ongoing Improvement
The DSPT shows what is working well and where further action is needed. Learning from incidents and sharing best practice supports continuous progress.
Eligibility for NHS Data Sharing
Many NHS contracts require a completed DSPT. Without it, organisations cannot access NHS patient data or IT systems such as NHSmail or Summary Care Records.
Reduced Risk
Clear policies and staff training reduce the likelihood of mistakes or breaches. Good IT security lowers the risk of cyber-attacks, such as ransomware or hacks.
Staff Confidence
Staff who have information and support make better decisions. They know how to respond if something goes wrong and where to find help or guidance.
Support for Completing the DSPT
Many organisations, particularly smaller care providers, can feel unsure about their requirements. To help, NHS Digital and partner bodies have published:
- Step-by-step guidance and video tutorials
- Templates for policies and procedures
- Approved online training modules
- Helplines and email support
- Local workshops or information events
Large organisations usually have a dedicated data protection officer or IT team. In smaller organisations, the responsibility might fall to the registered manager or business owner. Using the support on offer helps everyone comply with the standards.
Questions and Sections in Detail
The specific questions in the DSPT ask about:
- Appointing a Data Protection Officer or lead
- Regular risk assessments for data protection and cyber security
- Keeping records up to date and accurate
- Procedures for reporting and learning from incidents
- Staff training on confidentiality and information security
- Access controls for IT systems and physical records
- Safe sharing of information with other professionals or agencies
- Reviewing and updating policies each year
Organisations respond to each point, then upload documents or provide summaries.
Key terms explained:
- Data breach: Any event where personal or confidential information is lost, accessed by the wrong person, changed without permission, or destroyed.
- Data controller: The person or organisation responsible for deciding how and why information is used.
- Data processor: Someone who uses or processes information on behalf of a controller.
- Encryption: Turning information into a code to stop unauthorised people reading it.
Levels of Compliance
The DSPT allows organisations to self-assess at different levels. These are:
- Approaching Standards: Some requirements are in place, but actions remain to be completed.
- Standards Met: All mandatory requirements are complete, and evidence has been provided.
- Standards Exceeded: Extra steps have been taken, such as deeper audits, enhanced training, or tighter controls.
You must reach “Standards Met” for your organisation to work with NHS data or systems. Exceeding the standards is optional, but encouraged when practical.
Consequences of Not Completing the DSPT
If an organisation does not complete the assessment or fails to meet the standards, the consequences can be serious. For example:
- Loss of NHS contracts or funding
- Suspension from NHSmail or connected digital services
- Regulatory investigation, fines, or prosecution under data protection law
- Damage to reputation and trust among service users and staff
Data breaches often appear in the media, leading to public questions about how information is managed.
Keeping Up to Date
The DSPT is updated often to reflect new risks and legal expectations. Cyber threats change, and new technologies emerge. NHS Digital reviews and adjusts guidance every year. Organisations must check the revised requirements and update their practice as needed.
Leadership teams look at outcomes from previous years and plan improvements for the coming year.
Collaborating with Partners
Many health and social care services work with a wide range of partners. Information is shared between GPs, hospitals, pharmacies, local authorities, and voluntary providers. Some organisations employ technology partners to manage their data.
Each partner organisation must demonstrate their own compliance through the DSPT. Data sharing agreements and contracts must reference the DSPT, confirming that everyone handles data responsibly.
Top Tips for a Smooth Assessment
- Start early—collect evidence throughout the year.
- Talk to your IT and HR teams before you start, so no important information is missed.
- Ask for help if you do not understand a question—resources and support are available.
- Review your last assessment to spot areas that need work.
- Involve senior leadership in checking final answers.
A Practical Example
A small care provider completing the DSPT would:
- Review whether staff receive regular training in confidentiality and cyber security
- Check that laptops and mobile devices are properly encrypted and password protected
- Confirm they have an up-to-date data protection policy, reviewed every year
- Assess how they collect, store, and dispose of written records safely
- Make sure there is a clear procedure if a data breach happens, and staff know what to do
A larger NHS Trust would need to provide more detailed evidence, such as results from independent audits, details of IT infrastructure, and more staff training statistics.
The Role of the Data Protection Officer
A Data Protection Officer (DPO) oversees data security and privacy matters. The DPO gives expert advice, carries out spot checks or audits, and helps train staff. Any organisation processing large volumes of personal data or providing digital services for the NHS must appoint a DPO. This role is protected under law, giving the DPO authority to challenge poor practice or recommend improvements.
Final Thoughts
The Data Security and Protection Toolkit forms the standard for managing information safely in health and social care. Each organisation working with NHS data must complete it every year. Using the Toolkit, providers show that they protect privacy, respond to risks, and meet strict legal requirements. Training, regular checks, and good leadership all play a part in keeping information safe.
Health and social care settings use the DSPT to protect people’s information from loss, theft, misuse, or mistakes. Meeting the standards builds trust and keeps services running smoothly. The online resources and support make it easier for all types of providers to take responsibility for data protection. The DSPT keeps health and social care data safe for everyone.