DSPT Independent Audit and Compliance Services

The DPO Centre delivers independent audit services and hands-on compliance support, ensuring your organisation meets NHS Data Security and Protection Toolkit (DSPT) standards.  

Fulfilling the DSPT’s assertions and evidence items can be complex and time-consuming. That’s why it’s important to evaluate your current status against the DSPT criteria as early as possible. You can then identify the support you need and make informed decisions about the best expertise for your organisation. 

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool for organisations to measure their performance against either the National Cyber Security Centre’s Cyber Assessment Framework (CAF) or the National Data Guardian’s 10 data security standards. 

Any organisation accessing NHS patient data and systems is required to complete the DSPT on an annual basis and continually demonstrate compliance year-round. 

2025-2026 DSPT deadline 

30 June 2026

HOW OUR DSPT SERVICES HELP YOU ACHIEVE COMPLIANCE 

We provide comprehensive support for your DSPT submission, offering both a gap analysis and an independent audit. Tailored to your organisation, our services can either include a thorough review of all your data protection activities or focus specifically on the requirements of your DSPT submission. 

Benefits of our DSPT Audit and Services: 

  • Assess and identify any gaps in your current data security and protection practices 
  • Receive practical advice and assistance on how to fulfil your obligations 
  • Obtain relevant documentation that ensures you meet all required standards 
  • Gain an independent audit of your Toolkit aligned with the NHS England framework 

2025-2026 DSPT ASSESSMENT UPDATES 

For the 2025-2026 assessment period, NHS England has implemented some changes. 

The Cyber Assessment Framework (CAF) now applies to: 

  • Category 1 NHS organisations 
  • Category 2 Operators of Essential Services (OES) Independent Providers 
  • Genomics organisations (as nominated by the Department of Health and Social Care) 


The non-CAF DSPT will continue to apply to:

  • Category 2 Key IT Suppliers 
  • Category 3 organisations 
  • Category 4 organisations

An independent audit remains mandatory for all Category 1 and Category 2 organisations.  

Frequently Asked Questions

Does my organisation have to complete the DSPT?

If you are a public or private organisation accessing NHS patient data or systems in England, you must complete the DSPT self-assessment to measure performance against either the National Cyber Security Centre’s Cyber Assessment Framework or the National Data Guardian’s 10 data security standards, depending on your organisation category. 

How regularly should we complete the DSPT?

You should complete and submit the DSPT annually, before the relevant deadline. If you are a Category 1 or Category 2 organisation, you will also need to undertake an independent audit once per year. It is important to keep up to date with your DSPT requirements as changes to your systems, services, and staff can occur throughout the year.

Does the DSPT support cyber security? Does the DSPT assess our cybersecurity procedures?

A key component of the DSPT is to assess your current cyber security procedures, data protection policies, and processes. The questions are designed to help you review and update your security framework where needed, covering areas such as training, back-ups, password management, storage, and more. The Toolkit also ensures trust and confidence in your practices and demonstrates your commitment to best practice data management.  

Is there any help or advice on how to complete the DSPT?

If you’re unsure how to use or complete the DSPT, The DPO Centre can support you by reviewing your current data security and protection procedures, implementing necessary policies and procedures, and guiding you through the submission process. Our assessment can be tailored to either cover all your data protection needs or focus specifically on your DSPT submission.

Is the DSPT for the whole UK? Is the DSPT required throughout the UK or is it regional?

The DSPT is specifically for organisations that operate in England only. Wales and Scotland each have their own individual data security and protection toolkits governed by their respective national health authorities. 
