Data Security and Protection Toolkit

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care.

About this standard

Publisher
NHS England
Reference code
DAPB0086 Amd 21/2023
Publication date
18/08/2023
Status
Active

Active. Active standards are stable, maintained and have been approved, assured or endorsed for use by qualified bodies.

Deprecated. Deprecated standards are available for use and are maintained, but are being phased out, so new functionality will not be added.

Retired. Retired standards are not being maintained or supported and should not be used.

Standard type
  • Collections
  • Information standards

Collections. A Collection is a systematic gathering of a specified selection of data or information for a particular stated purpose from existing records held within health and care systems and electronic devices.

Extractions. An extraction is a type of collection that is pulled from an operational system by the data controller and transmitted to the receiver without additional processing or transcription by the sender.

Information standards. Information standards are agreed ways of doing something, written down as a set of precise criteria so they can be used as rules, guidelines, or definitions.

Technical Standards and specifications. Technical standards and specifications specify how to make information available technically including how the data is structured and transported.

Contact point

Link to standard

Documentation
Applies to
  • All organisations that have access to NHS patients and/or to their information
  • All organisations which provide support services directly to an NHS organisation
  • All organisations which have either direct or indirect access to national informatics services.
  • Social care providers that provide care through the NHS Standard Contract
  • Any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS England
Associated medias
Conformance date
30/06/2024
Effective from
01/08/2023

Topics and care settings

Topic
  • Information codes of practice
  • Information governance
  • Security
Care setting
  • Community health
  • Dentistry
  • GP / Primary care
  • Hospital
  • Maternity
  • Mental health
  • Pharmacy
  • Social care
  • Urgent and Emergency Care

Dependencies and related standards

Dependencies

Full details and help information are available on NHS England's Data Security and Protection Toolkit website.

Review Information

Scope
Health Services, NHS Services, Adult Social Care
Sponsor
  • Phil Huggins, National Chief Information Security Officer for Health and Care, Department of Health and Social Care

Senior Responsible Officer

Michael Owen, Deputy Director, Cyber Operations, NHS England

Business Lead
  • John Hodson
Contributor
  • Department of Health and Social Care
Approval date
27/07/2023
Post Implementation review Date
30/06/2025

Legal basis and endorsements

Legal authority
  • Section 250 of the Health and Social Care Act 2012

    This information standard is published under section 250 of the Health and Social Care Act 2012

  • NHS standard contract

    This collection is published under the NHS Standard Contract.

More information

This online tool enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian.

All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit. While some elements are mandatory, the DSP Toolkit also provides a mechanism for organisations to continually monitor their own performance and so be able to evidence improvement over time against recommended elements.

About this change

The DSP Toolkit standard is reviewed annually. The changes for 2023-24 are to further align with policy requirements and improve the clarity of language used in the toolkit.

Changes have been made to:

  • Reflect feedback from stakeholders and users of the DSPT
  • Make specific improvements on Multi-factor authentication to reflect updated policy
  • Re-categorise key IT System Providers as category 1 organisations
  • Update the requirement for staff training to allow larger organisations more flexibility on how it is delivered

A full list of changes can be found in the Change Specification.

Page last updated: 04 May 2024