NHS DSP Toolkit

Overview

The NHS DSP Toolkit (formerly the NHS Data Security and Protection Toolkit) is the primary self-assessment and assurance framework used in England to demonstrate that organisations handle health and social care data securely and in compliance with UK law and NHS standards.

It is mandatory for any organisation that accesses or processes NHS patient data.

The NHS DSP Toolkit is:

  • An online self-assessment tool
  • Managed by NHS England
  • Used to assess compliance with:
    • UK GDPR
    • Data Protection Act 2018
    • National Data Guardian’s Data Security Standards

It is a prerequisite for:

  • Accessing NHS systems
  • Receiving NHS patient data
  • Contracting with NHS organisations

It is not optional and not a certification in the traditional sense.

Who Must Complete It

Completion is required for:

  • NHS Trusts and Integrated Care Boards (ICBs)
  • GP practices and pharmacies
  • Social care providers
  • Private suppliers, software vendors, and SaaS providers
  • Voluntary and third-sector organisations handling NHS data

If your organisation touches NHS patient data in any way, the DSP Toolkit applies.

What the Toolkit Covers

The DSP Toolkit is structured around five assurance areas:

1. Data Protection and Confidentiality

  • Lawful processing
  • Privacy notices
  • Data sharing agreements
  • Handling of special category data

2. Staff Responsibilities

  • Mandatory data security training
  • Confidentiality agreements
  • Clear accountability (e.g. Caldicott Guardian, DPO)

3. Information Risk Management

  • Risk assessments
  • Incident management
  • Business continuity
  • Asset registers

4. Cyber Security

  • Access control
  • Encryption
  • Patch management
  • Secure configuration
  • Network security

5. Data Quality

  • Accuracy and integrity
  • Data standards
  • Records management

Assertion Levels

Organisations must submit one of the following:

  • Standards Met
  • Standards Exceeded
  • Approaching Standards (limited cases)

Supporting evidence must be retained and may be audited.

Relationship to Other Frameworks

  Framework                   Relationship to DSP Toolkit
  UK GDPR                     Legal foundation
  Data Protection Act 2018    Legal enforcement
  NDG Standards               Core security principles
  ISO 27001                   Strong supporting evidence
  Cyber Essentials            Often required alongside

DSP Toolkit acts as the operational bridge between law and practice.

Why It Matters (Practically)

  • Required for IGSoC / data sharing agreements
  • Blocking issue for:
    • System integrations
    • Go-live approvals
    • Procurement processes
  • Demonstrates due diligence to the ICO
  • Reduces contractual and reputational risk

Failure to comply can result in:

  • Loss of access to NHS systems
  • Contract termination
  • Regulatory enforcement

Common Misunderstandings

  • “It’s just a tick-box exercise” → Incorrect; evidence must exist and withstand scrutiny.
  • “Only NHS organisations need it” → False; suppliers are equally in scope.
  • “It replaces GDPR” → No; it demonstrates GDPR compliance in a healthcare context.

One-Sentence Summary

The NHS DSP Toolkit is a mandatory self-assessment framework used in England to demonstrate that organisations securely and lawfully handle NHS patient data in line with UK GDPR, the Data Protection Act 2018, and NHS data security standards.