DSPT independent audit and compliance services


The DPO Centre delivers independent audit services and hands-on compliance support, ensuring your organisation meets NHS Data Security and Protection Toolkit (DSPT) standards.  

Fulfilling the DSPT’s assertions and evidence items can be complex and time-consuming. That’s why it’s important to evaluate your current status against the DSPT criteria as early as possible. You can then identify the support you need and make informed decisions about the best expertise for your organisation. 

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool for organisations to measure their performance against either the National Cyber Security Centre’s Cyber Assessment Framework (CAF) or the National Data Guardian’s 10 data security standards. 

Any organisation accessing NHS patient data and systems is required to complete the DSPT on an annual basis and continually demonstrate compliance year-round. 

2024-2025 DSPT deadline: 30 June 2025

HOW OUR DSPT SERVICES HELP YOU ACHIEVE COMPLIANCE 

We provide comprehensive support for your DSPT submission, offering both a gap analysis and an independent audit. Tailored to your organisation, our services can either include a thorough review of all your data protection activities or focus specifically on the requirements of your DSPT submission. 

Benefits of our DSPT Audit and Services: 

  • Assess and identify any gaps in your current data security and protection practices 
  • Receive practical advice and assistance on how to fulfil your obligations 
  • Obtain relevant documentation that ensures you meet all required standards 
  • Gain an independent audit of your Toolkit aligned with the NHS England framework 

2024-2025 DSPT ASSESSMENT UPDATES 

For the 2024-2025 assessment period, NHS England has implemented significant updates: 

  • Changes to organisation categories, including Category 2 IT Suppliers 
  • Introduction of the Cyber Assessment Framework (CAF) for Category 1 organisations 
  • Mandatory independent audit for all Category 1 and Category 2 organisations 


Full details and information about the updates and category organisations can be found in our blog:

NHS DSPT: A guide to the latest requirements and avoiding common mistakes 

Frequently Asked Questions

Does my organisation have to complete the DSPT?

If you are a public or private organisation accessing NHS patient data or systems in England, you must complete the DSPT self-assessment to measure performance against either the National Cyber Security Centre’s Cyber Assessment Framework or the National Data Guardian’s 10 data security standards, depending on your organisation category. 

How regularly should we complete the DSPT?

You should complete the DSPT and submit annually before the relevant deadline. If you are a Category 1 or Category 2 organisation, you will also need to undertake an independent audit once per year. It is important to keep up to date with your DSPT requirements as changes to your systems, services, and staff can occur throughout the year.  

Does the DSPT support cyber security? Does the DSPT assess our cybersecurity procedures?

A key component of the DSPT is to assess your current cyber security procedures, data protection policies, and processes. The questions are designed to help you review and update your security framework where needed, covering areas such as training, back-ups, password management, storage, and more. The Toolkit also ensures trust and confidence in your practices and demonstrates your commitment to best practice data management.  

Is there any help or advice on how to complete the DSPT?

If you're unsure how to use or complete the DSPT, The DPO Centre can support you by reviewing your current data security and protection procedures, implementing necessary policies and procedures, and guiding you through the submission process. Our assessment can be tailored to either cover all your data protection needs or focus specifically on your DSPT submission.

Is the DSPT for the whole UK? Is the DSPT required throughout the UK or is it regional?

The DSPT is specifically for organisations that operate in England only. Wales and Scotland each have their own individual data security and protection toolkits governed by their respective national health authorities. 
