Latest update 10 October 2024: This blog has been revised to include the most current DSPT submission requirements
In this blog we detail the updated requirements for the 2024-2025 DSPT and provide best practice tips for avoiding common compliance mistakes.
The NHS Data Security and Protection Toolkit (DSPT) is an annual online self-assessment that allows organisations to measure their performance against either the National Cyber Security Centre’s Cyber Assessment Framework or the National Data Guardian’s 10 data security standards. If you are a health or care organisation that processes health data or accesses NHS patient data and systems, you are expected to use the Data Security and Protection Toolkit to demonstrate your compliance.
This year’s DSPT submission must be completed by 30 June 2025.
For the 2024-25 period, NHS England has introduced significant changes to the DSPT. These updates are part of the ongoing development of the Toolkit and support the general shift in approach towards a more systematic assurance model for the UK healthcare sector.
The 2024-2025 DSPT includes changes to organisation categories, reintroducing the previously discontinued Category 2. This category now includes IT Suppliers and Operators of Essential Service (OES) Independent Providers.
These updates help to clarify the responsibilities of different organisations, with these important distinctions:
As before, IT Suppliers (Category 2) are defined as any external organisation that supplies digital goods and services to the NHS and/or care, with 50+ staff and a turnover of £10M.
For more information, see the NHS England guidance on organisation types.
| Category 1 | Category 2 | Category 3 | Category 4 |
| NHS Trusts | IT Suppliers | Local Authorities | General Practitioners (GPs) |
| Commissioning Support Units (CSUs) | Operators of Essential Service (OES) Independent Providers | Dentists | |
| Arm’s Length Bodies (ALBs) | | Opticians | |
| Integrated Care Boards (ICBs) | | Pharmacies | |
| | | Other in-scope organisations (e.g. Charities) | |
| | | Social Care Providers | |
| | | Universities | |
The major change for this year’s submission is the introduction of the Cyber Assessment Framework (CAF). This represents the largest shift in content and approach since the 2018 rebranding from the Information Governance (IG) Toolkit to the Data Security and Protection Toolkit (DSPT).
Category 1 large NHS organisations, including NHS Trusts, Integrated Care Boards (ICBs), Arm’s Length Bodies (ALBs), and Commissioning Support Units (CSUs), must complete the DSPT against the CAF rather than the National Data Guardian’s 10 data security standards. All other organisations will continue to complete the Toolkit measured against the National Data Guardian’s standards.
Here’s an overview of the essential details:
For the 2024-2025 period, IT Suppliers must now undertake a mandatory independent audit as part of the DSPT submission requirements by 30 June 2025. Although this was voluntary for IT Suppliers last year, it is now compulsory for all Category 1 and Category 2 organisations.
Although the focus is on large NHS organisations for this DSPT year, other organisation types, including IT suppliers, should be aware that NHS England intends to roll out the CAF more widely for the 2025/2026 DSPT year and beyond.
As such, it would be beneficial for those organisations to consider a gap analysis against the CAF DSPT submission requirements now, in preparation. This will provide a head start on implementing any required changes.
The DSPT is often treated as a tick-box exercise that is delayed until the deadline looms. However, if you can foster a culture of data security and embed the DSPT requirements into daily operations, yearly submissions become straightforward and worry-free.
Here are some of the common mistakes organisations can make with the DSPT process, along with best practice tips:
Delaying completion until close to the due date is the most common mistake. One of the worst things you can do is try to complete the toolkit with one week left before the deadline.
Tip: Start early and allow sufficient time for a thorough and accurate submission.
For the non-CAF DSPT, there are 4 response types:
For the Yes/No responses, it is important to accurately reflect your organisation’s status. Answering ‘Yes’ to having something in place when this is not the case can result in non-compliance with DSPT requirements.
Health and care organisations that access or process NHS patient data are contractually required to complete the DSPT under the NHS Framework Agreement for the Provision of Services. Failure to meet DSPT standards or misrepresentation of compliance can be considered a breach of contract, leading to potential commercial liabilities and reputational damage.
Tip: Consider responses months in advance. Date and document responses cannot be completed at the last minute. In many cases, the dates and documents should be pinned to senior management or board level approvals and reviews, with preparatory work completed before the June board meeting.
There are some assertions that require cooperation with third parties, which may fall outside your organisation’s direct control and cause problems with submitting the DSPT within the deadline.
Tip: Tasks such as penetration tests, independent audits, and onboarding new technical suppliers to provide firewalls, antivirus, and other IT services, take time to implement and should be considered sooner rather than later.
Failing to address the updated requirements or standards can lead to incomplete submissions, especially if you need to provide new evidence to demonstrate compliance.
Tip: The best way to prevent an incomplete submission is to stay informed. Learn about the latest requirements and provide relevant, up-to-date evidence that reflects the most recent state of your data security measures.
Completing the toolkit in isolation is a common oversight. Failing to collaborate with key departments can result in incomplete or inaccurate evidence collection.
It is recommended that you engage with all relevant departments for an accurate representation of your status. This includes IT, HR, operational/senior leadership, and procurement. Each department will have its own evidence and insights that can contribute to a comprehensive and complete DSPT submission.
Here are a few helpful departmental tips:
By systematically addressing these aspects and maintaining a proactive approach, organisations can minimise risks, establish a robust framework for compliance, and streamline the annual DSPT submission.
The DPO Centre offers a comprehensive DSPT Audit service to oversee all of the above. We provide advice and guidance for best practice data security and can identify the gaps in your current data security measures, advising on DSPT submission requirements, providing both a DSPT gap analysis and an independent DSPT audit.
Contact us today to discuss how we can help