AuditXYZ

Compliance Framework

NHS Data Security and Protection Toolkit

The NHS DSPT is the UK's self-assessment tool for health and social care organizations to measure data security and protection. This guide covers the 10 standards, submission process, and achieving compliance.

Issuing Body: NHS England / Department of Health and Social Care (UK)
First Published: 2018-04-01
Latest Version: 2024-2025
Typical Cost: $10,000–$100,000
Typical Timeline: 2–6 months
Audit Required: No
Audit Frequency: Annual self-assessment with publication deadline of 30 June each year. Clinical Commissioning Groups and NHS trusts may face independent audits.
Geography: United Kingdom

NHS DSPT: Data Security and Protection Toolkit Guide

The NHS Data Security and Protection Toolkit (DSPT) is the annual online self-assessment tool that enables health and social care organizations in the UK to measure and publish their performance against the National Data Guardian's 10 data security standards. Completing the DSPT to "Standards Met" status is a prerequisite for accessing NHS patient data and connecting to NHS systems.

What the NHS DSPT Covers

The DSPT is organized around 10 data security standards derived from the National Data Guardian's review. These cover personal confidential data handling, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountability. Organizations must provide evidence of meeting mandatory assertions within each standard.

The toolkit requires completion of specific evidence items depending on organization type. NHS trusts face the most extensive requirements, while GP practices and smaller social care providers have a streamlined assessment. Technology suppliers must complete the Data Security Standard for Technology Suppliers category.

Who Needs NHS DSPT Compliance

Any organization that has access to NHS patient data or connects to NHS systems must complete the DSPT. This includes NHS trusts, GP practices, clinical commissioning groups, local authorities providing social care, and — critically — technology suppliers and data processors working with NHS organizations. Software vendors, cloud providers, and data analytics companies serving the NHS must all publish a DSPT assessment.

Implementation Approach

Register on the DSPT portal and identify the correct assessment category for your organization. Review all mandatory assertions and evidence requirements. Implement required controls including staff training (95% completion target), incident reporting procedures, access management processes, and technical security measures. Collect and upload evidence throughout the year. Submit your completed assessment before the annual 30 June deadline.

Cost Considerations

The DSPT itself is free to access. Implementation costs range from $10,000 for smaller organizations with good existing practices to $100,000 for larger organizations requiring significant improvements. Key cost drivers include staff training programs, technical security controls, and evidence documentation. For technology suppliers, achieving "Standards Met" status is essential for maintaining NHS contracts.
