Skip to main content
Beta version A NHS service powered by standards. Feedbackopens in a new window will help us improve.

Data Security and Protection Toolkit

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care.

Contents

Documentation
View documentation for this standard

About this standard

Publisher
NHS England
Also known as
DSPT
Reference code
DAPB0086 Amd 21/2025
Publication date
12 August 2025
Publication version
8.0.0
Status
Active
Show definitions of statuses

Active. Active standards are stable, maintained and have been approved, assured or endorsed for use by qualified bodies.

Deprecated Deprecated standards are available for use and are maintained, but are being phased out, so new functionality will not be added.

Retired standards Retired standards are not being maintained or supported and should not be used.

Standard type
  • Collections
  • Information standards
Show definitions of standard types

Collections. A Collection is a systematic gathering of a specified selection of data or information for a particular stated purpose from existing records held within health and care systems and electronic devices.

Extractions. An extraction is a type of collection that is pulled from an operational system by the data controller and transmitted to the receiver without additional processing or transcription by the sender.

Information standards. Information standards are agreed ways of doing something, written down as a set of precise criteria so they can be used as rules, guidelines, or definitions.

Technical Standards and specifications. Technical standards and specifications specify how to make information available technically including how the data is structured and transported.

Frequency

Dataset publication or collection occurs once a year.

Contact point

https://www.dsptoolkit.nhs.uk/home/contact

Using this standard

Associated medias
DSP Toolkit website
Access to the DSP Toolkit is through the dedicated website.
Applies to
  • All organisations have access to NHS patients and/or to their information
  • All organisations which provide support services directly to an NHS organisation
  • All organisations which have either direct or indirect access to national informatics services.
  • Social care providers that provide care through the NHS Standard Contract
  • Any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS England
Effective from
1 August 2025

Topics and care settings

Topic
  • Information codes of practice
  • Information governance
  • Security, Safety and Privacy
Care setting
  • Community health
  • Dentistry
  • GP / Primary care
  • Hospital
  • Maternity
  • Mental health
  • Pharmacy
  • Social care
  • Urgent and Emergency Care

Dependencies and related standards

Dependencies

Full details and help information is available on NHS England's Data Security and Protection Toolkit website.

Review Information

Scope
Health Services, NHS Services, Adult Social Care
Contributor
Department of Health and Social Care
Approval date
8 August 2025
Post Implementation review Date
30 June 2026
Technical Committee

Data Assurance Board (DAB)

Legal basis

Legal authority

  • Section 250 of the Health and Social Care Act 2022

    This information standard is published under Section 250 of the Health and Social Care Act 2012, as amended by the Health and Care Act 2022, and persons subject to this information standard must comply with the information standard where it is relevant and may be subject to enforcement action if they fail to do so within the required timeframes. Bodies that fail to submit a DSPT return may be subject to enforcement action under the powers in the Health and Social Care Act 2012, which may include fines.

  • NHS standard contract

    This collection is published under the NHS Standard Contract.

More information

The DSPT is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian and the National Cyber Security Centre Cyber Assessment Framework. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSPT. Version 8 released. A summary of changes include:

  • independent providers who are designated operators of essential services under Network and Information Systems directive (NIS) and Genomics organisations utilise the NCSC Cyber Assessment framework introduced into the DSPT in line with the Cyber Strategy for health and care
  • rationalise evidence items where they are not applicable to the sector
Reflect feedback from stakeholders, particularly:
  • update requirements for primary care and social care in response to the threat landscape
  • update requirements to respond to difficulties in interpretation experienced by organisations undertaking the DSPT in 2024-25
  • update the requirements for IT suppliers to include the Department of Science Innovation and Technology code of practice for software vendors to improve the security of software provided to health and care organisations

Page last updated: 13 May 2026