DAPB0086: Data Security and Protection Toolkit

The Data Security and Protection Toolkit (DSPT) is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian.

The DSPT is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian and the National Cyber Security Centre Cyber Assessment Framework.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSPT.

This information standard is published under section 250 of the updated Health and Social Care Act 2012.

Publication information

Updates	Version 8 released. A summary of changes include: independent providers who are designated operators of essential services under Network and Information Systems directive (NIS) and Genomics organisations utilise the NCSC Cyber Assessment framework introduced into the DSPT in line with the Cyber Strategy for health and care rationalise evidence items where they are not applicable to the sector Reflect feedback from stakeholders, particularly: update requirements for primary care and social care in response to the threat landscape update requirements to respond to difficulties in interpretation experienced by organisations undertaking the DSPT in 2024-25 update the requirements for IT suppliers to include the Department of Science Innovation and Technology code of practice for software vendors to improve the security of software provided to health and care organisations
Scope	Health Services, NHS Services, Social Care
Type	Standard
Schedule of submission	Annually
Responsible authority	Data Assurance Board
Date of approval	8 August 2025
Publication date	12 August 2025
Release name	Amd 21/2025
Release number	Version 8
Stage/Status	Implementation
Implementation date	1 August 2025
Full conformance date	30 June 2026
End date of assurance	30 June 2027
Legislation	This information standard is published under Section 250 of the Health and Social Care Act 2012, as amended by the Health and Care Act 2022, and persons subject to this information standard must comply with the information standard where it is relevant and may be subject to enforcement action if they fail to do so within the required timeframes.
Failure to comply	Bodies that fail to submit a DSPT return may be subject to enforcement action under the powers in the Health and Social Care Act 2012, which may include fines.
Key documents	Change specification (Amd 21/2025) Implementation Guide (Amd 21/2025) Requirements Specification (Amd 21/2025) The information standards notice used to be an attachment. We have incorporated it into this web page. Please contact [email protected] if you require a PDF copy.
Supporting information	Appendix 1 Appendix 2
Further information	Data Security and Protection Toolkit
Contact details	Contact us - Data Security and Protection Toolkit

Earlier updates

25 September 2024

Version 7.0 released.

Summary of changes include:

NHS organisations (NHS trusts, integrated care boards, commissioning support units and arm’s-length bodies utilise the NCSC Cyber Assessment Framework introduced into the DSPT in line with the cyber strategy for health and care
updates to the requirements for key IT suppliers and independent providers who have been designated operators of essential services to ensure they are fully applicable to them
update to requirements for smaller organisations to align with Information Commissioners Office (ICO) and NCSC guidance from small businesses
addition of a requirement for multifactor authentication for remote access

2023

19 September 2023

A minor editorial change has been made to Requirements Specification: Appendix 1 (uplifted to version 1.5). Headers in rows F-H have been updated to reflect all organisation types in Category 1.

2022

6 September 2022

Publication of Corrigendum in respect of Version 5.0 (Amd 23/2022), supported by changes to the Requirements Specification: Appendix 1 (uplifted to document version 1.2). See Corrigendum in the table 'Release for 2022-23 (3 August 2022 to 30 June 2023)' above, for full details.

11 August 2022

Following publication of Version 5.0 (Amd 23/2022) on the 3 August 2022, an error was identified in the Requirements Specification - Appendix 1, in relation to mandatory nature of three requirements: 10.2.4, 8.1.3 and 10.2.3. The Requirements Specification - Appendix 1 document has now been updated with the corrections.

In addition, the 'Total number of mandatory evidence items 2022-23 v5' for Category 1 organisations has been adjusted in the Change Specification (figure 2, page 7) from 112 to 113.

Both updated documents are available in the 2022-23 release table above (as 'Version 1.1').

19 May 2022

Publication of Corrigendum in respect of Version 4.0 (Amd 36/2021), supported by changes to the Change Specification, Change Specification: Appendix A and Requirements Specification: Appendix 1 (all uplifted to document version 1.1). See Corrigendum in the table 'Release for 2021-22 (20 July 2021 to 30 June 2022)' above, for full details.

2020 and 2021

12 February 2021

Following publication of Version 3.1 in December 2020, an error was identified in the the Change Specification and Information Standards Notice (ISN), in relation to the description of the changes. This has now been corrected, and the correction has been signposted with a footnote in the updated documents, which are are available above (as 'Version 2.0').

10 December 2020

Note that Version 3.0 of the DSP Toolkit (Amd 89/2019) was released in April 2020 but, due to the extension to the conformance date of Version 2.0 of the DSP Toolkit, Version 3.0 was not implemented. Version 3.0 is now withdrawn as it is wholly superseded by Version 3.1 (above). Documents for Version 3.0 have been removed from this page but are available on request from [email protected].

Earlier releases

Read the earlier releases.

Release for 2024-25 (30 September 2024 to 30 June 2025)

Release date	25 September
Release number	Amd 33/2024
Release title	Version 7.0
Stage	Implementation
Key documents	Change specification (Amd 33/2024) Implementation Guide (Amd 33/2024) Requirements Specification (Amd 33/2024) Information Standards Notice (Amd 33/2024)
Further information	Full details and help information is on the NHS England's Data Security and Protection toolkit.

Release for 2023-24 (18 August 2023 to 30 June 2024)

Release date	18 August 2023
Release number	Amd 21/2023
Release title	Version 6.0
Stage	Implementation
Key documents	Information Standards Notice (Amd 21/2023) Requirements Specification (Amd 21/2023) Appendix 1 - Assertions and Evidence Statements v1.5 (Amd 21/2023) Change Specification (Amd 21/2023) Implementation Guide (Amd 21/2023)
Further information	Full details and help information is available on the NHS England's Data Security and Protection Toolkit website.

Release for 2022-23 (3 August 2022 to 30 June 2023)

Release date	3 August 2022
Release number	Amd 23/2022
Release title	Version 5.0
Stage	Superseded by Amd 21/2023
Key documents	Information Standards Notice (Amd 23/2022) Requirements Specification (Amd 23/2022) Appendix 1 - Assertions and Evidence Statements v1.2 (Amd 23/2022) Change Specification v1.1 (Amd 23/2022) Implementation Guide (Amd 23/2022) Corrigendum (Amd 23/2022) (September 2022)
Further information	Full details and help information is available on the NHS England's Data Security and Protection Toolkit website.

Release for 2021-22 (20 July 2021 to 30 June 2022)

Release date	20 July 2021
Release number	Amd 36/2021
Release title	Version 4.0
Stage	Superseded by Amd 23/2022
Key documents	Information Standards Notice (Amd 36/2021) Requirements Specification (Amd 36/2021) Appendix 1 - Assertions and Evidence Statements v1.1 (Amd 36/2021) (May 2022) Change Specification v1.1 (Amd 36/2021) (May 2022) Appendix A - DSP Toolkit 2020-21 (version 3.1) to 2021-22 (version 4.0) mapping v1.1 (Amd 36/2021) (May 2022) Implementation Guide (Amd 36/2021) Corrigendum (Amd 36/2021) (May 2022)

Release for 2020-21 (10 December 2020 to 30 June 2021)

Release date	10 December 2020
Release number	Amd 71/2020
Release title	Version 3.1
Stage	Superseded by Amd 36/2021
Key documents	Information Standards Notice (Amd 71/2020) (Version 2.0) Requirements Specification (Amd 71/2020) Appendix 1 - Assertions and Evidence Statements (Amd 71/2020) Change Specification (Amd 71/2020) Version 2.0) Appendix A - DSP Toolkit 2019-20 (version 2) to 2020-21 (version 3.1) mapping (Amd 71/2020) Implementation Guide (Amd 71/2020)

Release for 2019-20 (1 April 2019 to 30 September 2020)

Release date	29 May 2019
Release number	Amd 9/2019
Release title	Version 2.0
Stage	Superseded by Amd 71/2020
Key documents	Information Standards Notice (Amd 9/2019) Requirements Specification (Amd 9/2019) Appendix 1 - Assertions and Evidence Statements (Amd 9/2019) Change Specification (Amd 9/2019) Appendix A - DSP Toolkit 2018-19 (version 1) to 2019-20 (version 2) mapping (Amd 9/2019) Implementation Guide (Amd 9/2019)

Release for 2018-19 (1 April 2018 to 31 March 2019)

Release date	8 March 2018
Release number	Amd 58/2017
Release title	Version 1.0
Stage	Superseded by Amd 9/2019
Key documents	Requirements Specification (Amd 58/2017) Appendix 1 - Assertions and Evidence Statements (Amd 58/2017) Change Specification (Amd 58/2017) Appendix A - IG Toolkit to DSP Toolkit Mapping (Amd 58/2017) Implementation Guide (Amd 58/2017) Information Standards Notice (Amd 58/2017)

Last edited: 28 August 2025 3:47 pm