Infinitic Consultancy

Where Most Providers Struggle with the DSP Toolkit – And How to Fix It

If you’re a care provider, GP Federation, charity, IT supplier, or subcontractor working with NHS data, you’ve likely heard of the Data Security and Protection Toolkit (DSPT). Completing it annually is mandatory — but many organisations struggle to get it right.

In this post, we’ll look at the most common stumbling blocks and how to resolve them without delay, even if you don’t have a dedicated information governance team.


Understanding the Problem: It’s Not Just a Tick-Box Exercise

The DSP Toolkit is designed to help organisations prove they are protecting NHS data appropriately. It’s more than a form — it’s a full self-assessment across key areas of data protection, confidentiality, cyber security, and staff training.

Yet, the majority of problems we see fall into just a few predictable categories — and they’re often the same, whether you’re a:

  • Local charity providing counselling or support
  • Social prescribing organisation
  • PCN managing local shared care records
  • IT vendor hosting health apps or analytics tools
  • Private firm offering NHS-commissioned diagnostic services
  • Small care home supporting older adults

Common Areas Where Providers Struggle

1. No Named Information Governance (IG) Lead

Every organisation completing the Toolkit must identify someone with overall responsibility for information governance.

Why it matters:
Without a named lead, there’s no accountability or ownership. Many organisations simply default to the registered manager or business director — which is fine, but only if they understand the role.

Fix:
Nominate a lead formally, add the role to their job description, and provide them with basic IG training and support resources.


2. Missing or Outdated Policies

Many providers either have no written policies or rely on outdated ones pulled from unrelated NHS templates.

Commonly missing documents:

  • Records Management Policy
  • Data Protection Policy
  • Incident Response Procedure
  • Confidentiality Agreement
  • Staff Acceptable Use Policy
  • Subject Access Request (SAR) procedures

Fix:
Use tailored templates written for smaller organisations. Avoid over-complex language. All staff should be able to understand what the policy means in their day-to-day work.


3. Training Gaps and No Evidence of Completion

The DSP Toolkit requires evidence that staff receive annual training on data protection and IG. Unfortunately, many providers:

  • Don’t have any training materials
  • Can’t prove who’s completed what
  • Have inconsistent induction processes

Fix:
Set up simple online training modules with automated certificates. Keep a training log with names, dates, and module titles. If you’re a charity or subcontractor, ensure volunteers or temporary staff are included.


4. No Records of Risk Assessments or DPIAs

A Data Protection Impact Assessment (DPIA) is required when introducing new services, IT systems, or processes involving personal data. Most small providers miss this completely.

Example risks:

  • A new counselling app used by a charity
  • A cloud platform used to store referral data
  • A courier firm transporting pathology samples

Fix:
Have a DPIA template ready. Keep a log of completed assessments, even if the result shows “low risk.”


5. Unclear Roles Between Commissioners and Subcontractors

Many organisations operate as subcontractors under NHS or local authority contracts. But responsibility for data protection is shared, and some mistakenly assume the “main contractor” will handle everything.

Fix:
Clarify roles in contracts or data sharing agreements. All parties — even secondary subcontractors — must complete the DSP Toolkit independently if they process NHS patient data.


Real-World Example: A Small Social Care Provider

A supported living provider commissioned by the ICB was unaware they needed to complete the DSP Toolkit. They had:

  • No records management policy
  • No breach response procedure
  • No staff training beyond basic safeguarding

Within four weeks of support:

  • They nominated an IG lead
  • Implemented six core policies
  • Completed staff training via an online platform
  • Submitted the Toolkit — and passed with “Standards Met”

How a Gap Analysis Can Help

A professional gap analysis is one of the fastest and most efficient ways to fix these issues. It tells you:

  • What documents are missing
  • Where staff need training
  • What evidence is required
  • Which Toolkit questions still need answers

You’ll get:

  • A written report
  • A clear action plan
  • Practical tools to close each gap

It’s especially useful for:

  • GP Federations managing multiple practices
  • IT vendors supplying NHS-hosted systems
  • Public health teams engaging external delivery partners
  • Charities managing sensitive health records

Don’t Let Compliance Gaps Become Contract Risks

Commissioners, NHS partners, and CQC expect providers to demonstrate robust data handling. Non-compliance with the DSP Toolkit is no longer tolerated as a minor issue — it could affect future funding, contracts, or regulatory ratings.


Take Action Today

Most organisations struggle with the same issues — and the good news is, they can all be fixed with the right support.

Even if you’re not an NHS body, if you handle NHS data, you’re responsible for managing it safely, securely, and in line with UK law.


Call to Action:
📋 Want to know where your organisation stands? Download our free DSPT gap-check template to get started.