Reminder to submit a Baseline (Interim) Publication for your 23-24 Data Security Protection Toolkit (24 February 2024)

For NHS Trusts, Integrated Care Boards, DHSC Arms Length Bodies and Commissioning Support Units

NHS Trusts, Integrated Care Boards, DHSC Arms Length Bodies and Commissioning Support Units are required to publish a ‘baseline’ (interim) Data Security Protection Toolkit assessment by 29 February 2024.

We know many of you have already submitted but can you check that you have included the requirement for an update on multi-factor authentication in evidence item 4.5.3.

This is part of the Data Security Protection Toolkit Data Co-ordination Board (DCB) 0086 information standard.

Why is a baseline assessment required?

A baseline is not a full assessment of your toolkit submission. It is an interim assessment to indicate that your self-assessment is under way. It may also highlight to your organisation, areas which need particular focus ahead of the full assessment deadline of 30 June 2024.

The baseline assessment is not formally assessed by NHS England, but it allows NHS England Cyber Operations Team to review interim responses to evidence items and determine whether further guidance is required.

There is an additional requirement for this year’s baseline submission, in the Multifactor Authentication Policy. Phil Huggins National CISO will separately be writing to CEOs highlighting the importance of MFA and its upcoming compliance check.

For the baseline DSPT submission organisations are required to provide:

  • confirmation of full compliance with the policy; or
  • confirmation that plans are in place to achieve full compliance by 30 June 2024, and a copy of the plans.

This should be included in the comments box on evidence item 4.5.3, in the format of either:

“Central England NHS Trust can confirm it has achieved compliance with the MFA policy.”


“Central England NHS Trust has not currently achieved compliance with MFA Policy but has a plan in place to achieve compliance by 30th June 2024.

The key milestones of the plan are:

XXX to be completed by 1st February 2024;

XXX to be completed by 1st April 2024;

XXX to be completed by 1st June 2024;

Confirmation of full compliance to be signed off by the June 2024 Cyber Group

How to publish a baseline assessment

You can publish a ‘baseline’ assessment by following the ‘publish baseline assessment’ link on the assessment page. You will receive an email confirmation once you have published your baseline assessment.

There are no minimum number of evidence items required to be completed before you can publish your baseline assessment as it is a snapshot of current progress.

Be aware, if all mandatory evidence items are answered and all sections in your assessment are confirmed, the Data Security and Protection Toolkit will assume this is your full assessment.

Please publish your baseline assessment by 29 February 2024.

Log into the portal here:

Further information

A reminder email is also being sent out to SIROs, IG Leads and last logged in DSPT administrator users.

If you have any queries about the baseline publication, please contact us.

We will cover the baseline publication in the February DSP Toolkit large organisation webinars, further details at:

Kind Regards,

DSP Toolkit Team