What is the NHS Data Security and Protection Toolkit?

It’s no secret that harmful cyber activity is growing, and healthcare organisations are often viewed as high-value targets due to the sensitive data they hold.

The Data Security and Protection Toolkit (DSPT) is intended to help raise standards and provide confidence that health and care organisations are protecting the data they hold. In this blog post, we provide a short overview of the DSPT, answer some frequently asked questions and share our top tips alongside some useful resources.

What is the Data Security and Protection Toolkit (DSPT)?

The Data Security and Protection Toolkit is an online self-assessment tool that must be completed annually by all organisations that process health and care data. It measures their performance against the National Data Guardian’s ten data security standards. The DSPT came into force in April 2018, and it is the successor framework to the IG Toolkit.

A number of updates have been made ahead of the 2020/21 submission, including updating most of the mandatory evidence item wording. The deadline for submitting the DSPT is the 30th June 2021.

Who is the DSPT for?

The DSPT must be completed by NHS bodies as well as other organisations that process health and care data. This includes many private organisations such as online pharmacies and private dentists. The results are shared with commissioners and partners like NHS England and CCGs. Consumers can also check the status of organisations, but won’t be able to access the contents of an organisation’s DSPT.

What does the DSP Toolkit involve?

The DSPT consists of a number of mandatory and non-mandatory evidence items, which broadly attempt to understand an organisation approach to staffing and roles, data security, policies and procedures and IT systems and devices.

The number of evidence items an organisation must complete will vary based on the type of organisation:

Category 3 organisations include AQP Clinical Services AQP Non Clinical Services, Charity/Hospice, Company, Dentist (NHS), Dentist (Private), Local Authority, NHS Business Partner, Optician, Pharmacy, Prison, Researcher / Department, Secondary Use Organisation, Social Care, University.

Do you need ISO 27001 and Cyber Essentials Plus to pass?

This is one of the most common questions we’re asked, and in short, the answer is no. Neither ISO 27001 or Cyber Essentials Plus are mandatory, but having these in place does reduce the number of mandatory evidence items.

For example, having these certifications in place would reduce the mandatory evidence items, for a category 3 organisation, to 32 (ISO 27001) or 40 (Cyber Essentials Plus). Holding both certifications reduces the mandatory evidence items to 30.

So while you do not need to have ISO 27001 (an information security management system certification) or Cyber Essentials Plus (a cyber security certification), your organisation should still think about what it’s doing to safeguard its data and improve its resilience to a cyber security attack.

What’s the difference between ‘expectations met’ and ‘expectations exceeded’?

The DSPT includes a publicly accessible organisation search function, and the majority of organisations display an ‘expectations met’ status. If an organisation achieves ‘standards met’ and has a current Cyber Essentials Plus certification recorded in its Organisation Profile then it’s DSPT status will be displayed as ‘standards exceeded’.

Top tips

  1. Start by conducting a GAP analysis around 2-3 months before the DSPT deadline
  2. Most organisations will identify gaps, so plan to remediate these gaps, with a focus on understanding any key dependencies, e.g. information required from suppliers
  3. Don’t think about compliance items such as the DSPT as a tick-box exercise. By thinking strategically, you can reduce the cost of compliance over the medium term and improve your organisation’s resilience. For example, think about how you embed DSPT aspects like data security training and awareness into your business-as-usual activities. This will make completing your DSPT easier going forward, while also making your organisation more resilient to both harmful cyber activity and staff errors that may result in a data breach


Useful resources

If you’re new to completing a DSPT, then it may seem daunting. However, a range of high quality and free resources are available to help you understand the requirements and fill any gaps identified:

  1. Start by accessing the 2020/21 requirements. The excel version can be found here. The guidance provided for each evidence item is typically very clear and is therefore a really great starting point
  2. A series of videos that expand on the requirements have been created. These bitesize clips may help if you need further guidance with specific evidence items
  3. If any policy documents are missing or if you’d like to sense check your existing documentation, a number of editable templates are available here

Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing, Cyber Essentials/Cyber Essentials Plus assessments, as well as DSPT support. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.

Latest Posts