1. Overview and introductory guidance

This page provides an overview of the Data Security and Protection Toolkit (DSPT).

1. Introduction

This page provides an overview of the DSPT and its core functionality.  We aim for the DSPT to be usable without reference to detailed guidance.  

If you need further support, please contact the Helpdesk, watch the videos, access the 'Standards Met' guidance or the 'Completing for a second time' guidance, or join a webinar.  Once logged in, you can use the feedback form to give us feedback and suggestions.


2. What is the DSPT?

This is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
It is also an annual assessment.  As data security standards evolve, the requirements of the DSPT are reviewed and updated to ensure they are aligned with current best practice.  Organisations with access to NHS patient data must therefore review and submit their annual assessment each year before the deadline.
The DSPT also provides organisations with a means of reporting security incidents and data breaches.


3. Why complete a DSPT assessment?

All organisations that have access to NHS patient information must provide assurances that they have the proper measures in place to ensure that this information is kept safe and secure.  Completion of the DSPT is therefore a contractual requirement specified in the NHS England Standard Conditions contract and it remains Department of Health and Social Care policy that all bodies that process NHS patient information for whatever purpose provide assurances via the DSPT.
Completion of the DSPT is also necessary for organisations which use national systems such as NHSmail and the e-referral service.


4. Registration

To register, you will need an email address and your organisation’s ODS code.  You can look up your ODS code by searching for your organisation on the ODS portal.  If you do not have a valid organisation code or cannot find your organisation on the portal, you should log a query with the ODS team via the Exeter Helpdesk.
If you attempt to register and receive a message stating that your organisation already has an administrator, then you will have to contact this person directly as they will be responsible for adding new users for your organisation.  If you do not know the identity of your organisation’s administrator, then please contact the Exeter Helpdesk.


5. First steps (organisation profile)

When you register and log in for the very first time, you will be asked to choose the most appropriate sector for your organisation, to provide details of key roles, and to state whether you have any relevant certifications.  This is called the 'Organisation Profile'.  The answers you give here will tailor the questions you need to respond to in your assessment (see below).  You can change your answers later and will be prompted to check this information when you publish an assessment.


6. The requirements

The requirements for the DSPT are tailored to your organisation type.  Organisations such as NHS Trusts and Clinical Commissioning Groups will have to complete a more extensive assessment than a smaller organisation such as a dentist or an optician.  Guidance on selecting the correct Organisation Type for your organisation can be found on our Help page.
Information regarding the DSPT Standard and a full list of the 2023/24 Requirements for all organisation types are provided on the News page.


7. 'Standards Met' assessment

Following successful registration, you should aim to complete a ‘Standards Met’ assessment by responding to all the questions within the assessment which are indicated as being MANDATORY.  A guide is available at 'Standards Met' guidance.  The number of mandatory questions is determined by your organisation type.
The DSPT is organised under the 10 data security standards.  Under each standard there are a number of 'Assertions' which you will need to work through.  To complete each assertion, you are required to provide evidence items which demonstrate compliance with the assertion.
Once all the mandatory evidence items have been completed, and all assertions confirmed, you will be able to publish your assessment.  If you need to make any changes at a later date to information you have provided, you can update and republish your assessment any time throughout the year.  You must however ensure that your organisation has published at least one assessment by the deadline of 30 June every year.
Step-by-step guidance on completing the DSPT for Social Care organisations is additionally available.  This guidance may be of interest to any smaller organisation.  Please see section 12 below, or see the 'Standards Met' guidance.


8. 'Approaching Standards' assessment

Social Care organisations are eligible to complete an ‘Approaching Standards’ assessment, which indicates that a care provider has demonstrated good progress but has not yet reached 'Standards Met'.


9. 'Standards Exceeded' assessment

If an organisation achieves 'Standards Met' and also has a current Cyber Essentials PLUS certification recorded in its Organisation Profile, then its status will be displayed as 'Standards Exceeded'.


10. Visibility of assessments

Once you have published your assessment, you will receive a confirmation email.  Your completed status can also be confirmed by using the Organisation Search function on the Toolkit – the content of which is updated every 10 minutes.

This displays your organisation’s toolkit status.  No information on the content within your toolkit is available publicly.


11. Adding more users

Administrators can add additional users from the ‘Manage Users’ screen.  This facility is available to administrators only via the ‘Admin’ drop-down menu.  It includes a description of the permissions / roles which are available.  If you require access, please speak to your local administrator.


12. Completing the Data Security and Protection Toolkit to receive NHSmail

If your organisation is interested in adopting NHSmail, please visit the NHSmail support pages.  A dedicated NHSmail helpdesk is also available.


13. Support to Social Care organisations

To support Social Care organisations that are new to the DSPT, specific Social Care guidance is available, including responses to questions which are frequently asked by care providers.


14. Headquarters (HQ) assessments (organisations with multiple sites / branches)

If your organisation is made up of multiple sites or branches, which all follow the same policies and exist as a single legal entity, then you may choose to publish a single assessment at HQ level.  This assessment can then be applied to all the sites listed under the HQ.  The process for publishing an HQ assessment depends on your organisation type as follows:


14.1 HQ assessments for Social Care, Pharmacy or Optician organisations

You should complete the DSPT under the ODS code for your HQ or Head Office organisation.
When you come to publish your assessment, the list of sites related to the HQ will be displayed, allowing you to select which ones you want to include in the submission.  You can check your list of sites before you publish.  The list of related sites is taken from ODS data.  If this list is incorrect, please contact the Exeter Helpdesk at the earliest opportunity.
You may wish to publish for selected sites initially and then publish a further assessment later (including additional sites, when the list is corrected).
Detailed guidance on registering and publishing assessments (including those with complex legal structures) is also available.  This guidance was initially written for Social Care but will also be helpful for other types of organisations.


14.2 HQ assessment for other sectors

Other sectors with a HQ / site structure should firstly publish their assessment, then raise a call with the Exeter Helpdesk.  In the request, provide the list of organisation names and their ODS codes (in either table or spreadsheet format) and confirm that all sites follow the same processes as the organisation which has published.

The DSPT support team will then apply the published assessment to the list of sites you have provided.
Detailed guidance on registering and publishing assessments (including those with complex legal structures) is also available.  This guidance was initially written for Social Care but will also be helpful for other types of organisations.


15. Providing evidence for multiple separate organisations

For users who complete a separate toolkit for multiple organisations, there is a function which allows you to see how each organisation you support has responded to specific evidence items.  It also allows you to provide a new response to text, date and checkbox questions in bulk for multiple separate organisations in one go.
When you log in, you will see an option to ‘Provide evidence for multiple organisations in one go’.
For evidence items that require a document response, it is only possible to REVIEW responses in bulk.  Expansion of this functionality will be kept under consideration as we monitor usage of the new tool.


16. Incident reporting

It is the duty of all health and care organisations that process personal data to report any data breaches to the Information Commissioner’s Office (ICO) via the DSPT within 72 hours of discovering an incident.  See further guidance on Incident Reporting.


17. Completing the DSPT using the incorrect ODS code

Where an organisation has registered and completed their assessment under the wrong ODS code, their user accounts and assessments can be transferred to the correct code.  In this instance please contact the Helpdesk.


18. Cyber Essentials PLUS and ISO 27001 Certifications

If your organisation has a Cyber Essentials PLUS certification covering all of your health and care data processing, you can record this in the Organisation Profile (available from the Admin menu).  If your organisation has an ISO 27001 certification but does not have an option to record this in the Organisation Profile, please contact the Helpdesk.


19. Further help

If you require any further help, please see our responses to Frequently Asked Questions (FAQs).