Which DSPT Category? IT Suppliers vs Other Organisations

Confused about your DSPT category? Our UK GDPR guide explains the key differences between IT Suppliers and Other Organisations to ensure you choose correctly.

· DSP Toolkit

Navigating the Data Security and Protection Toolkit (DSPT) can often feel like navigating a complex maze. For any organisation handling health and care data in the UK, it is an essential annual assessment. Yet, one of the first and most significant hurdles is selecting the correct DSPT category for your organisation. This choice dictates the entire scope of your assessment, and getting it wrong can lead to wasted effort or, more critically, a failure to meet the required data protection standards.

This is a common point of anxiety for small businesses, charities, and technology suppliers alike. Are you an 'IT Supplier' or an 'Other Organisation'? The distinction is not always obvious, but the implications for your compliance journey are substantial. This guide will demystify the DSPT category selection process, providing clear definitions and practical scenarios to help you confidently identify where your organisation fits.

By understanding your correct DSPT category, you can ensure your efforts are proportionate, relevant, and effectively demonstrate your commitment to safeguarding sensitive health and care information under UK GDPR.

Understanding the DSPT Framework: Why Your Category Matters

The DSPT is not a one-size-fits-all compliance exercise. It is a sophisticated tool designed to scale its requirements based on an organisation’s size, function, and the level of risk associated with its data processing activities. The DSPT category you select acts as a filter, tailoring the set of questions and evidence requirements you must address.

Choosing the right category is the foundation of a successful submission. If you mistakenly select a category with a higher burden of proof—for instance, classifying your small start-up as a large NHS body—you will be faced with irrelevant and unachievable assertions. Conversely, under-categorising your organisation could mean you fail to address critical security standards applicable to your operations, creating significant compliance gaps and putting data at risk.

This tailored approach ensures the process is proportionate. A small local charity providing befriending services will have different risks and capabilities compared to a multinational company supplying electronic patient record systems to NHS Trusts. The DSPT framework, as detailed on NHS Digital's official DSP Toolkit website, recognises this diversity and adjusts its expectations accordingly.

A Quick Overview of the Main DSPT Category Groups

To understand where you fit, it helps to see the bigger picture. The DSPT is broadly divided into four main categories, each with sub-divisions. While our focus is on the distinction between IT suppliers and other partners, a brief overview provides essential context:

  • Category 1: This is for large NHS organisations, such as NHS Trusts, Integrated Care Boards (ICBs), and Commissioning Support Units (CSUs). They face the most comprehensive and stringent set of requirements, reflecting their central role and the vast amounts of sensitive data they manage.
  • Category 2: This category covers Operators of Essential Services under the NIS Regulations (Network and Information Systems) and large IT suppliers that provide health and care software or services. This is a high-assurance category for significant players in the health-tech ecosystem.
  • Category 3: This is the broadest and most common DSPT category for organisations outside the core NHS. It includes adult social care providers, charities, private medical services (like dentists and opticians), local authorities, and, crucially, smaller IT suppliers.
  • Category 4: This category is reserved specifically for NHS GP Practices, with a tailored set of questions relevant to primary care.

For most businesses and non-profits engaging with the health and care sector, the key decision lies between Category 2 (as a large IT supplier) and Category 3.

Defining an 'IT Supplier': Are You in the Right DSPT Category?

The term 'IT Supplier' in the context of the DSPT has a specific meaning. It is not simply any organisation that uses computers. According to NHS guidance, an IT Supplier is an external organisation that provides IT systems or services used to process health and care data.

Clear examples of IT Suppliers include companies that develop, host, or manage:

  • Electronic Patient Record (EPR) systems.
  • Clinical software for diagnostics or patient management.
  • A mobile application for patients that integrates with NHS systems.
  • Cloud hosting infrastructure where patient-identifiable data is stored.
  • Secure messaging platforms for healthcare professionals.

However, a crucial distinction determines whether an IT supplier falls into the higher-assurance Category 2 or the more proportionate Category 3. The threshold is based on size:

An IT Supplier is placed in Category 2 (non-CAF) if it has both more than 50 employees and an annual turnover exceeding £10 million.

If an IT supplier does not meet both of these criteria, it falls into Category 3. This is a vital point of clarification for the thousands of small and medium-sized enterprises (SMEs) and start-ups innovating in the digital health space. Your function may be technical, but your DSPT category is determined by your scale.

The 'Other Organisations' Category (Category 3): A Broad Church

Category 3 is the designated DSPT category for the vast majority of organisations that partner with, or provide services to, the NHS and social care sector. It is designed to be a proportionate and accessible standard for a diverse range of bodies that handle sensitive data but are not large-scale IT providers or core NHS entities.

Organisations that typically fall into Category 3 include:

  • Adult Social Care Providers: Care homes, home care (domiciliary) agencies, and supported living services.
  • Charities and Third Sector Organisations: Non-profits providing health or wellbeing services, from mental health support to hospice care.
  • Private Healthcare Providers: Dentists, opticians, pharmacies, and private clinics.
  • Local Authorities: Councils processing data for public health or social care functions.
  • Educational Institutions: Universities conducting health-related research.
  • Smaller IT Suppliers: As defined above, tech companies with fewer than 50 staff or less than £10 million in turnover.

The assessment for Category 3 is still rigorous and fully aligned with UK GDPR principles, but it is tailored to the operational realities of these organisations. The evidence required is often less formal, and the focus is on embedding good practice. For many, navigating this category is challenging enough, which is why understanding the common DSP Toolkit struggles can be a helpful starting point.

Practical Scenarios: Choosing Your DSPT Category

Let's apply these definitions to some hypothetical UK organisations to make the choice clearer.

Scenario 1: 'HealthTech Start-up Ltd'
This innovative company has 20 employees and a turnover of £2 million. They have developed a sophisticated mobile app that helps patients manage long-term conditions and securely shares data with their GP surgery. Is their DSPT category based on their technical function or their size?

Answer: Category 3. Although they are clearly an IT supplier, they fall well below the threshold of 50 staff and £10m turnover. They will complete the Category 3 assessment.

Scenario 2: 'Community Care Connections CIC'
A well-established social care provider with 150 staff and a £5 million budget. They use a third-party, cloud-based software to manage client records and care plans. They do not develop or sell this software.

Answer: Category 3. They are a social care provider, not an IT supplier. Their use of technology is as an end-user, so they fit squarely within the 'Other Organisations' group. Their compliance journey is critical, as explained in our guide on why compliance is crucial for contracts.

Scenario 3: 'Enterprise Health Systems plc'
A major player in the health-tech market with 300 employees and an annual turnover of £60 million. They provide the core patient administration systems used by dozens of NHS Trusts across the country.

Answer: Category 2 (non-CAF). As a large IT supplier exceeding both thresholds, they must meet the more stringent requirements of this higher-assurance category. This reflects their systemic importance to the NHS infrastructure.

Key Differences in Compliance: What to Expect

The practical difference between completing a Category 2 (non-CAF) and a Category 3 assessment is significant. While both aim for the same goal—robust data security and protection—the path and evidence burden vary.

Organisations in Category 2 should expect a deeper level of scrutiny. The assertions are more technical, and you will likely need to provide evidence of formal, documented processes. This includes having a comprehensive suite of information governance policies, detailed risk assessment procedures, and potentially external certifications like Cyber Essentials Plus or ISO 27001. Crafting the essential DSPT policies you need is a non-negotiable first step.

For those in Category 3, the approach is more proportionate. While policies and procedures are still necessary, the DSPT allows for less formal evidence. The focus is on demonstrating that you have understood the risks and implemented appropriate controls. For a small business, this might be a straightforward risk log and a clear staff privacy notice, rather than a complex, externally audited management system. However, fundamental cybersecurity remains paramount, and resources like the NCSC's Cyber Security Small Business Guide are invaluable for all categories.

Regardless of your category, all organisations must adhere to the principles of UK GDPR, including the security principle. The ICO's guidance on security provides the overarching legal framework that the DSPT helps you to implement in a health and care context.

Selecting the correct DSPT category is your first and most important step towards demonstrating compliance. It ensures your organisation focuses on the right risks and provides assurance to the NHS, your partners, and the public. By carefully considering whether you are an IT supplier and, if so, your size, you can place yourself on the right track from the very beginning.

If you remain unsure, or if the requirements of your category feel overwhelming, seeking specialist advice can provide the clarity and confidence needed to complete your submission successfully and protect the sensitive data in your care.