Infinitic Consultancy

What Is the DSP Toolkit – and Why It Matters for Your Organisation

The Data Security and Protection Toolkit (DSPT) is the official self-assessment tool for all organisations that access or process NHS patient data. Whether you’re a care provider, GP Federation, charity, public health team, or an IT supplier, completing the DSP Toolkit annually is not optional — it’s a requirement.

In this guide, we’ll break down:

  • What the DSP Toolkit is
  • Who needs to complete it
  • Why it’s important (especially for CQC-inspected services)
  • How to make compliance easier, even for small or non-NHS organisations

What is the DSP Toolkit?

The DSP Toolkit is an online self-assessment developed by NHS England and the Department of Health and Social Care. It helps ensure that health and care organisations are meeting the standards for:

  • Data protection (UK GDPR and Data Protection Act 2018)
  • Cyber security
  • Confidentiality of patient information
  • Good records management

By completing the Toolkit, organisations demonstrate that they are handling NHS data securely, lawfully, and transparently — which is essential for patient trust, legal compliance, and ongoing NHS relationships.

Who Needs to Complete the DSP Toolkit?

If your organisation accesses, stores, processes, or transmits NHS patient data — even occasionally — you must complete the DSP Toolkit.

This includes:

  • GP Federations and Primary Care Networks (PCNs)
  • Care homes, supported living, and domiciliary care agencies
  • Charities and voluntary organisations delivering NHS-funded services
  • Local authority public health teams
  • CCG/ICB-commissioned providers (e.g. counselling, dermatology, MSK services)
  • Social prescribing services
  • IT vendors and hosting suppliers
  • Health analytics and business intelligence services
  • Medical courier firms and diagnostic labs
  • Document scanning and archiving services
  • Subcontractors to NHS Trusts or primary care providers

Even if you are not directly employed by the NHS, if you handle NHS data, you’re within scope.

Why Does It Matter?

The DSP Toolkit is a condition of the NHS Standard Contract. For subcontractors and commissioned services, it’s often written into agreements, funding terms, or Service Level Agreements (SLAs).

Failing to complete the Toolkit can result in:

  • CQC scrutiny or enforcement (for registered care services)
  • Loss of NHS contracts or referrals
  • ICO investigations for data breaches
  • Reputational damage with partners or commissioners

Some NHS organisations now refuse to engage with external providers who haven’t achieved ‘Standards Met’ status in the DSP Toolkit, especially for IT, analytics, or records services.


What’s in the Toolkit?

The Toolkit includes a series of evidence-based questions that cover:

  • Staff training
  • Information governance policies
  • Data Protection Impact Assessments (DPIAs)
  • Records retention and disposal
  • Incident reporting procedures
  • Secure handling of digital and paper data

You must upload or reference actual evidence — not just say “we do this.” For example:

  • A data protection policy
  • Staff training records
  • A risk register
  • A breach response flowchart

But We’re Only a Small Organisation…

The NHS recognises that one size doesn’t fit all. The DSP Toolkit has different levels of requirement depending on your organisation type. For example, a small care home won’t be expected to meet the same evidence threshold as an NHS Trust or large IT contractor.

However, all organisations are expected to show:

  • A clear understanding of data protection responsibilities
  • Basic cyber hygiene
  • Appropriate staff training
  • Documented policies and procedures

Even if you only handle a small volume of NHS data, the expectation is that any handling of patient information is done securely.


How to Make It Easier: The Easy Compliance Approach

Many smaller providers, charities, and external contractors struggle with the DSP Toolkit because they don’t have a dedicated Information Governance (IG) lead or in-house compliance resources.

That’s why some choose a simplified support model:

  • Policy templates written for non-NHS providers
  • Step-by-step action plan based on your organisation type
  • Tailored staff training
  • Guidance through the submission process

This ensures that you stay compliant — without being overwhelmed by jargon or NHS documentation.


What Happens After You Submit?

Once your submission is complete, your Toolkit will be publicly visible via the DSPT portal. Commissioners and NHS bodies can search and confirm your status, which may influence future contracting decisions.

You’ll need to:

  • Keep policies under review
  • Repeat the submission annually
  • Update your evidence if any processes change

Don’t Let Compliance Hold You Back

The DSP Toolkit isn’t just a form — it’s a legal and ethical obligation for anyone handling NHS data. But it doesn’t have to be difficult or time-consuming.

With the right support, even the smallest provider or subcontractor can meet their requirements and continue working safely and confidently with the NHS.


Need help navigating the DSP Toolkit? Download our free gap-check checklist or contact us for support tailored to your organisation.