Version: 7.0.0 | Published: 1 Dec 2025 | Updated: 3 days ago
Data Security and Protection Toolkit
Dataset
Summary
Type:
- Collections
- Information standards
Effective From:
01 July 2024
Applies To:
- All organisations have access to NHS patients and/or to their information
- All organisations which provide support services directly to an NHS organisation
- All organisations which have either direct or indirect access to national informatics services.
- Social care providers that provide care through the NHS Standard Contract
- Any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS England
Conformance Date:
30 June 2025
Topics:
- Information codes of practice
- Information governance
- Security, Safety and Privacy
Care Settings:
- Community health
- Dentistry
- GP / Primary care
- Hospital
- Maternity
- Mental health
- Pharmacy
- Social care
- Urgent and Emergency Care
Documentation
Associated Media:
Description:
The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by
the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian and the National Cyber Security Centre Cyber Assessment Framework.
All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such
organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit.
While some elements are mandatory, the DSP Toolkit also provides a mechanism for organisations to continually monitor their own performance and so be able to evidence improvement over time against recommended elements.
The DSP Toolkit standard is reviewed annually. The changes for 2024-25 version 7 standard sees a reduction in the total number of responses required for NHS organisations, Key IT suppliers and Independent
providers who are designated operators of essential services under Network and Information Systems directive (NIS)2 and is unchanged for all other sectors.
Changes made have been:
• NHS organisations (NHS Trusts, Integrated Care Boards, Commissioning Support Units and Arm’s length Bodies utilise the NCSC Cyber Assessment framework introduced into the DSPT in line with the
Cyber Strategy for health and care 3
• Rationalise evidence items where there is overlap between evidence items.
• Reflect feedback from stakeholders particularly:
• Update the requirements for Key IT Suppliers and Independent Providers who have been designated Operators of Essential Services to ensure they are fully applicable to them.
• Update requirements for smaller organisations to align with Information Commissioners Office (ICO) and NCSC guidance from small businesses. Most significantly adding a requirement for multifactor
authentication for remote access as a key lesson from recent cyber security incidents.
A full list of changes can be found in the Change Specification.
Documentation Link:
Dependencies:
[object Object]
Origin
Name:
NHSE-SD Data Catalogue