DSPT submissions

All organisations that require access to NHS patient data and systems must use the Data Security and Protection Toolkit (DSPT) to prove good data security and personal information handling practices.

What is the Data Security and Protection Toolkit?

The Data Security and Protection Toolkit (or DSPT) is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security

All organisations that are required to comply with the DSPT must resubmit annually by 31 March with a self-assessed grade—which is then reviewed and confirmed by the NHS:

  • ‘Standards not met’ – the organisation has not completed all mandatory assertions
  • ‘Standards met’ – the organisation has completed all mandatory assertions
  • ‘Standards exceeded’ – the organisation has completed all mandatory assertions and at least one of the non-mandatory assertions

A status of ‘standards not met’ is undesirable because it could lead to an organisation being denied access to information sharing tools, such as NHSmail.

We're here to make your DSPT submission easier

Your DSPT submission is in good hands with our Information Assurance Consultants. Contact us today to get a quote.

How PGI can help you reduce the burden on your team

With the day-to-day requirements of an organisation’s information governance and security, there is never a ‘right’ time to prepare for a DSPT submission or audit. PGI’s Information Assurance Consultants can take the burden off your internal team, to enable them to focus on the important ongoing activities that keep your organisation’s information secure.

We can undertake all or part of your DSPT submission depending on your requirements, from identifying the correct scope to undertaking a gap analysis and then implementing the controls. Once the ‘Standards met’ status has been achieved, we can help your organisation remain compliant, which facilitates submission in future years.

Our team can also take responsibility for your mandatory audit depending on your organisation profile.

  • Establishing your organisation profile

    Determining the correct organisation profile can prevent over‐resourcing, saving time and reducing costs.

    Providing evidence of any Cyber Essentials+ or ISO 27001 certifications held by your organisation may also reduce the number of mandatory assertions.

    PGI can help review the suitability of your organisation’s categorisation and of any certifications held.

  • Gap analysis

    Gap analysis involves comparing what you are currently doing against what you must do within the DSPT to achieve a ‘Standards Met’ status. It informs where there are shortfalls in compliance and where efforts must be concentrated to meet all mandatory requirements.

    PGI consultants’ expertise in the DSPT allows them to accurately assess your organisation’s current levels of compliance and provide pragmatic recommendations.

    With the help of PGI, a gap analysis can be performed more efficiently and effectively than by internal staff, who are likely to hold other responsibilities and may not be as familiar with the mandatory assertions.

  • Implementation

    Completing the DSPT is a contractual requirement for those organisations who provide care through the NHS Standard Contract.

    Failure to implement the necessary controls means the organisation is not compliant and will not achieve a ‘Standards Met’ status. This can increase the risk of data breaches and may impact your ability to use NHS data and systems, such as NHSmail.

    With PGI’s support, your organisation can be assured that control measures implemented are pragmatic and provide the appropriate levels of assurance.

    As an example, PGI consultants can apply their expertise to develop best practice security policies and procedures, allowing your workforce to focus efforts on other implementation activities.

    PGI can also perform penetration tests and vulnerability assessments against your systems. Our consultants will guide you through the DSPT and help you complete the assessment.

  • Independent audit

    Category 1 and 2 organisations (incl. Acute Hospital Trusts, Mental Health Trusts, Ambulance Trusts, Community Support Trusts and Clinical Commissioning Groups) are required to demonstrate that an independent audit of their DSPT submission has been completed.

    Category 3 and 4 organisations may also find benefit in having an independent audit of their submission, offering reassurance that it has been completed to a suitable standard.

    PGI can conduct an independent audit of your DSPT submission and provide a full report in line with NHS Digital best practice to enable you to evidence this assertion.

  • Continuous improvement

    Organisations must maintain their compliance with the DSPT and must re‐submit an assessment of their compliance annually.

    PGI can provide ongoing compliance support, including offering expertise on how to improve security controls and reviewing any business changes and their impact on your DSPT submission. PGI can also provide:

    • Annual data security training, as per assertions 3.2, 3.3, 3.4 and 3.5
    • Support to achieve Cyber Essentials+ or ISO 27001, which can reduce your organisation’s mandatory assertions
    • Penetration Testing
    • Vulnerability Assessments

  • Further simplify your DSPT submission

    There are also steps you can take to further reduce the burden of the submission on your team, such as additional accreditation that will add real value to the information governance and security of your organisation at the same time. We can work with you to help identify what additional accreditations can aid your DSP Toolkit submission.


    In some cases, a Cyber Essentials Plus or ISO 27001 accreditation may be an appropriate means to reduce the overall burden of compliance to your organisation and PGI can provide a plan to implement these. We will take into account your existing policies, processes and procedures, allowing you to maximise the impact of compliance best practice which, in many cases, your organisation may already achieve.

Why choose PGI to help you with your DSPT submission

Since 2013, PGI has been helping organisations of all sizes achieve compliance with a range of frameworks, including DSPT, ISO 27001, PCI DSS and GDPR.

We also offer a wide range of cyber security services, including vulnerability assessments and penetration tests, which may be required to achieve the DSPT ‘Standards met’ status.

Understanding the threats that your organisation and industry are up against will help you defend your data, infrastructure and reputation. Talk to our team to discuss your cyber and information security needs and how we can help.

Want to find out more?

Contact Us:

t: +44 20 4566 6600

e: info@pgitl.com