Skip to main content
Beta version A NHS service powered by standards. Feedbackopens in a new window will help us improve.

Data Security and Protection Toolkit

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care.

Contents

Documentation
View documentation for this standard

About this standard

Publisher
NHS England
Reference code
DAPB0086 Amd 21/2023
Publication date
30 September 2024
Publication version
7.0.0
Status
Active
Show definitions of statuses

Active. Active standards are stable, maintained and have been approved, assured or endorsed for use by qualified bodies.

Deprecated Deprecated standards are available for use and are maintained, but are being phased out, so new functionality will not be added.

Retired standards Retired standards are not being maintained or supported and should not be used.

Standard type
  • Collections
  • Information standards
Show definitions of standard types

Collections. A Collection is a systematic gathering of a specified selection of data or information for a particular stated purpose from existing records held within health and care systems and electronic devices.

Extractions. An extraction is a type of collection that is pulled from an operational system by the data controller and transmitted to the receiver without additional processing or transcription by the sender.

Information standards. Information standards are agreed ways of doing something, written down as a set of precise criteria so they can be used as rules, guidelines, or definitions.

Technical Standards and specifications. Technical standards and specifications specify how to make information available technically including how the data is structured and transported.

Contact point

https://www.dsptoolkit.nhs.uk/Home/Contact

Using this standard

Applies to
  • All organisations have access to NHS patients and/or to their information
  • All organisations which provide support services directly to an NHS organisation
  • All organisations which have either direct or indirect access to national informatics services.
  • Social care providers that provide care through the NHS Standard Contract
  • Any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS England
Associated medias
Conformance date
30 June 2025
Effective from
1 July 2024

Topics and care settings

Topic
  • Information codes of practice
  • Information governance
  • Security
Care setting
  • Community health
  • Dentistry
  • GP / Primary care
  • Hospital
  • Maternity
  • Mental health
  • Pharmacy
  • Social care
  • Urgent and Emergency Care

Dependencies and related standards

Dependencies

Full details and help information is available on NHS England's Data Security and Protection Toolkit website.

Review Information

Scope
Health Services, NHS Services, Adult Social Care
Sponsor

Phil Huggins, National Chief Information Security Officer for Health and Care, Department of Health and Social Care

Senior Responsible Officer

Michael Owen, Deputy Director, Cyber Operations, NHS England

Business Lead
John Hodson
Contributor
Department of Health and Social Care
Approval date
20 August 2024
Post Implementation review Date
30 June 2026
Technical Committee

Data Alliance Partnership Board (DAPB)

Legal basis and endorsements

Legal authority

  • Section 250 of the Health and Social Care Act 2012

    This information standard is published under section 250 of the Health and Social Care Act 2012

  • NHS standard contract

    This collection is published under the NHS Standard Contract.

More information

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian and the National Cyber Security Centre Cyber Assessment Framework. All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit. While some elements are mandatory, the DSP Toolkit also provides a mechanism for organisations to continually monitor their own performance and so be able to evidence improvement over time against recommended elements. The DSP Toolkit standard is reviewed annually. The changes for 2024-25 version 7 standard sees a reduction in the total number of responses required for NHS organisations, Key IT suppliers and Independent providers who are designated operators of essential services under Network and Information Systems directive (NIS)2 and is unchanged for all other sectors. Changes made have been: • NHS organisations (NHS Trusts, Integrated Care Boards, Commissioning Support Units and Arm’s length Bodies utilise the NCSC Cyber Assessment framework introduced into the DSPT in line with the Cyber Strategy for health and care 3 • Rationalise evidence items where there is overlap between evidence items. • Reflect feedback from stakeholders particularly: • Update the requirements for Key IT Suppliers and Independent Providers who have been designated Operators of Essential Services to ensure they are fully applicable to them. • Update requirements for smaller organisations to align with Information Commissioners Office (ICO) and NCSC guidance from small businesses. Most significantly adding a requirement for multifactor authentication for remote access as a key lesson from recent cyber security incidents. A full list of changes can be found in the Change Specification.

Page last updated: 12 May 2025