The Data Security and Protection Toolkit (DSPT)


The DPO Centre can assist your organisation to complete the self-assessment process to meet the required standards set by the National Health Service Data Security and Protection Toolkit (DSPT).

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that organisations can complete to measure their performance against the National Data Guardian’s ten data security standards. Any organisation accessing NHS patient data is required to complete the DSPT on an annual basis and thereby demonstrate an acceptable level of compliance on an ongoing basis.

Whilst naturally applying to NHS organisations, such as Trusts and Clinical Commissioning Groups (CCGs), it also applies to many other categories of organisations across the public and private sector. Completing the DSPT is a contractual condition when working with the NHS and where you process or access NHS data.

The Toolkit provides assurance that organisations are processing personal data responsibly and practising good data security. It is essential for all organisations to complete their submissions prior to the 30th of June each year. Depending on which (if any) data security/protection framework your organisation already employs, fulfilling the required assertions and evidence items can be resource intensive. It is therefore advisable to start reviewing your status against the criteria of the DSPT as soon as possible, which will also help you decide on the level of assistance you will require.


“We have received an extremely professional service from our outsourced DPO, and where needed, the rest of the DPO Centre team. The knowledge and advice provided is exceptional.”

National Healthcare Data Management Organisation


How the Service Works

To assist you in this process, we offer a solution which will: 

  • Assess and identify gaps in your current data security and protection practices
  • Deliver practical advice and assistance on how to fulfil the ten data security standards
  • Provide relevant documentation where necessary to enable you to meet the required standards


Depending on your specific needs, we can tailor your assessment to review the entirety of your data protection activities, or focus solely on the requirements of your DSPT submission.


Frequently Asked Questions

We’ve compiled a series of FAQs but if you can’t find the answer here please contact us to find out more. 

How regularly should we complete the Data Security and Protection Toolkit (DSPT)?

You should complete the DSPT and make your submission annually prior to the relevant deadline. It is likely there will be ongoing changes to your systems, services and staff, so it is advisable to keep up to date with the DSPT’s requirements.

Does the DSPT support cyber security? Does the DSPT assess our cybersecurity procedures?

A key part of the DSPT is to uncover more detail about your current cyber security procedures, data protection policies, procedures and processes. The questions are designed to help you review and update your security framework where needed, addressing areas such as training, back-ups, password management, storage and more. The toolkit also ensures trust and confidence in your practices and shows that you take data management seriously.

Does my organisation have to complete the DSPT?

A wide range of public and private organisations use the DSPT to measure their performance against the ten data security standards laid out by the National Data Guardian. You must complete the DSPT if your organisation delivers services under an NHS contract, uses a shared healthcare and records system, or is applying to use NHSmail.

Is there any help or advice available on how to complete the DSPT?

If you are unsure how to use and correctly complete the DSPT, The DPO Centre can support you by helping to review your current data security and protection procedures, implement the necessary policies and procedures and complete the submission process. Our assessment can be tailored to encompass all of your data protection requirements or help you solely in the submission of your DSPT.

Is the DSPT for the whole of the UK? Is the DSPT required throughout the whole of the UK, or is it regional?

The DSPT is for care services that operate in England only. Wales, Scotland and Northern Ireland each have their own individual data security and protection toolkits governed by their respective national health authorities.




Alex Aucutt-Ford

Spencer Hospitals

“Our DPO from the DPO Centre has been excellent. They are happy to answer any questions we have, and have been a great sounding board for our Information Governance team which has supported all the great work the team does. By helping to provide a clear and prioritised plan of action, our DPO has ensured that we stay on track to meet our compliance goals.”