One of the most common pain points in completing the Data Security and Protection Toolkit (DSPT) is creating or updating the policies needed to support your answers. Many organisations either don’t know what policies are required or try to reuse outdated NHS Trust templates that don’t match their services.
In this post, we’ll show you:
- Which policies you need to meet DSP Toolkit requirements
- Why your policies must be tailored to your type of organisation
- What good policy evidence looks like
- Where to find templates designed for GP Federations, care providers, charities, and NHS suppliers
Why Policies Matter for the DSP Toolkit
The DSP Toolkit isn’t just about saying you protect data — it requires you to prove it.
That means uploading or referencing actual documents that demonstrate:
- Staff responsibilities
- Information security procedures
- Breach reporting processes
- Confidentiality standards
- Legal compliance (e.g. UK GDPR, Data Protection Act 2018)
Without the right policies in place, your Toolkit submission may be marked as incomplete — or not meet the “Standards Met” threshold.
The Core Policies You’ll Need
Here’s a breakdown of the most commonly required policies, all of which should be reviewed annually and made accessible to staff.
1. Information Governance (IG) Framework
This is your overarching document that explains:
- Who’s responsible for IG
- What systems and policies are in place
- How your organisation ensures ongoing compliance
- Your link to national standards, such as the NHS Records Management Code of Practice
2. Data Protection and Confidentiality Policy
Covers how you handle:
- Personal and special category (health) data
- Consent
- Confidentiality agreements
- Data subject rights (access, correction, objection)
This policy should align with UK GDPR principles and set out the lawful bases for your processing of NHS data. Because health data is special category data, that means identifying both an Article 6 lawful basis and an Article 9 condition for processing.
3. Records Management Policy
Sets out how you:
- Store, archive, and dispose of records
- Use retention schedules
- Organise digital and paper information
- Manage access to active and historic records
This should reflect the NHS Records Management Code of Practice 2023.
4. Incident and Breach Reporting Procedure
Details how your organisation:
- Detects, investigates, and reports data breaches
- Notifies the ICO when required
- Reviews incidents and implements learning
This policy must include how staff escalate concerns, who decides whether a breach is reportable, and the timelines for reporting, including the UK GDPR requirement to notify the ICO of a reportable breach within 72 hours of becoming aware of it.
5. Staff Acceptable Use Policy (AUP)
Outlines rules for:
- Using computers, phones, tablets, and systems
- Sending and receiving emails
- Accessing patient data from remote locations
- Social media usage and confidentiality
6. Subject Access Request (SAR) Procedure
Explains how individuals can request their personal information and how your organisation verifies identity, locates the data, and responds, including who is responsible and the statutory timeframe (normally one calendar month, extendable by up to two further months for complex or numerous requests).
Why Generic NHS Templates Don’t Work
NHS Trust policies are often:
- Overly complex — designed for much larger teams
- Full of jargon — making them inaccessible to frontline staff
- Not relevant — including references to systems, processes, or committees you don’t have
As a result, many non-NHS providers either don’t use them or do so incorrectly, leading to compliance failures.
Tailored Policies for Non-NHS Providers
You don’t need to reinvent the wheel — but you do need documents that reflect how your organisation works.
Examples of tailored policy needs:
- A medical courier firm may require vehicle-based data handling guidance
- A voluntary sector organisation may need simplified confidentiality policies for volunteers
- A GP Federation will require guidance on data sharing between practices
- A digital health company may need a more detailed information and cyber security policy covering its systems and development practices
- A records scanning company will need a documented chain of custody for physical media
Each of these settings has different risks, responsibilities, and workflows — and your policies should reflect that.
What Makes a Good DSPT Policy?
To meet the DSP Toolkit standard, your policy should be:
- Relevant: Reflects the services you provide and how you use data
- Current: Reviewed within the last 12 months, with the review date, version, and next review date recorded
- Accessible: Staff can read and understand it (avoid unnecessary legal jargon)
- Approved: Signed off by a responsible person (e.g. director, IG lead, board)
- Linked to evidence: Shows how the policy is used in practice (e.g. referenced in training, forms, SOPs)
Where to Get Support
Many organisations choose to use pre-written templates that are:
- Written in plain English
- Reviewed against NHS and ICO standards
- Fully editable for your organisation’s name, services, and roles
- Designed specifically for care providers, charities, federations, and contractors
By starting with templates like these, you can save hours of time and focus on implementation, not document drafting.
Real-World Scenario: Community Health Charity
A small charity providing mental health support under an NHS contract had no formal policies in place. They:
- Used a shared Google Drive for all data
- Had no breach response flow
- Stored old paper notes in unlocked filing cabinets
With basic support, they:
- Implemented five key policies within one week
- Trained staff on confidentiality and records access
- Secured client files
- Achieved “Standards Met” on the Toolkit and retained their NHS grant
Policy Doesn’t Have to Be Painful
Policy writing can feel overwhelming — especially when you’re running services, managing staff, and navigating contracts.
But with the right resources, you can quickly implement policies that are not just legally compliant, but useful, understandable, and relevant to your team.
Call to Action:
📄 Need policy templates that actually work for your setting? Download our free Records Management Policy sample for care providers and external suppliers.