Asides

The Data Security and Protection Toolkit (DSPT) is the official self-assessment tool for all organisations that access or process NHS patient data. Whether you’re a care provider, GP Federation, charity, public health team, or an IT supplier, completing the DSP Toolkit annually is not optional — it’s a requirement. In this guide, we’ll break down: What is the DSP Toolkit? The DSP Toolkit is an online self-assessment developed by NHS England and the Department of Health and Social Care. It helps ensure that health and care organisations are meeting the standards for: By completing the Toolkit, organisations demonstrate that they are handling NHS data securely, lawfully, and transparently — which is essential for patient trust, legal compliance, and ongoing NHS relationships. Who Needs to Complete the DSP Toolkit? If your organisation accesses, stores, processes, or transmits NHS patient data — even occasionally — you must complete the DSP Toolkit. This includes: Even if you are not directly employed by the NHS, if you handle NHS data — you’re within scope. Why Does It Matter? The DSP Toolkit is a condition of the NHS Standard Contract. For subcontractors and commissioned services, it’s often written into agreements, funding terms, or Service Level Agreements (SLAs). Failing to complete the Toolkit can result in: Some NHS organisations now refuse to engage with external providers who haven’t met the ‘Standards Met’ status in the DSP Toolkit — especially for IT, analytics, or records services. What’s in the Toolkit? The Toolkit includes a series of evidence-based questions that cover: You must upload or reference actual evidence — not just say “we do this.” For example: But We’re Only a Small Organisation… The NHS recognises that one size doesn’t fit all. The DSP Toolkit has different levels of requirement depending on your organisation type. For example, a small care home won’t be expected to meet the same evidence threshold as an NHS Trust or large IT contractor. However, all organisations are expected to show: Even if you only handle a small volume of NHS data, the expectation is that any handling of patient information is done securely. How to Make It Easier: The Easy Compliance Approach Many smaller providers, charities, and external contractors struggle with the DSP Toolkit because they don’t have a dedicated Information Governance (IG) lead or in-house compliance resources. That’s why some choose a simplified support model: This ensures that you stay compliant — without being overwhelmed by jargon or NHS documentation. What Happens After You Submit? Once your submission is complete, your Toolkit will be publicly visible via the DSPT portal. Commissioners and NHS bodies can search and confirm your status, which may influence future contracting decisions. You’ll need to: Don’t Let Compliance Hold You Back The DSP Toolkit isn’t just a form — it’s a legal and ethical obligation for anyone handling NHS data. But it doesn’t have to be difficult or time-consuming. With the right support, even the smallest provider or subcontractor can meet their requirements and continue working safely and confidently with the NHS. Call to Action:👉 Need help navigating the DSP Toolkit? Download our free gap-check checklist or contact us for support tailored to your organisation.