Data Security and Protection Toolkit Submission Deadline 2019/20 – COVID-19 (updated 16:35 16 March)

Update on the 2019/20 deadline

It is critically important that the NHS and Social Care remains resilient to cyber attacks during this period of COVID-19 response.  The Data Security & Protection Toolkit helps organisations check that they are in a good position to do that. Most organisations will already have completed, or be near completion of, their DSPT return for 2019/20.     

However, in light of events NHSX recognises that it will be difficult for many organisations to fully complete the toolkit without impacting on their COVID-19 response.  NHSX has therefore taken the decision to push back the final deadline for DSPT submissions to 30 September 2020.  Organisations can choose to complete DSPT before that date. If they do so, and if they fully meet the standard, those organisations will be awarded 'Standards Met' status, as in previous years. 

Where organisations have separate agreements with commissioners or information sharing partners, the existing deadline remains unchanged unless agreed between relevant parties.

Whilst the DSPT submission deadline is being relaxed to account for COVID-19, the cyber security risk remains high.  All organisations must continue to maintain their patching regimes. Trusts, CSUs and CCGs must continue to comply with the strict 48hr and 14 day requirements in relation to acknowledgment of, and mitigation for, any High Severity Alerts issued by NHS Digital (allowing for frontline service continuity).

Further advice for organisations completing their Data Security and Protection Toolkit assessment is available from

This message will be emailed to users.