Digital Threat Digest Insights Careers Let's talk

Changes to the Data Security and Protection Toolkit (DSPT) for 2019/2020


Keeping data safe is an ongoing process—once a regulation or process is in place, the body responsible for monitoring compliance will always be looking into ways to improve the measures. This ongoing development process ensures that customer and patient data remains secure.

The NHS Data Security and Protection Toolkit is an online self-assessment tool for all organisations that have access to NHS patient data and systems. It allows these organisations to measure their performance against the National Data Guardian’s 10 data security standards. They are required to use this toolkit to provide assurance that they are practicing good data security and that personal information is handled correctly.

All organisations that are required to comply with the DSPT must resubmit annually by 31 March with a self-assessed grade—which is then reviewed and confirmed by the NHS:

  • ‘Standards not met’ – the organisation has not completed all mandatory assertions
  • ‘Standards met’ – the organisation has completed all mandatory assertions
  • ‘Standards exceeded’ – the organisation has completed all mandatory assertions and at least one of the non-mandatory assertions

A status of ‘standards not met’ is undesirable as it could lead to an organisation being denied access to information sharing tools, such as NHSmail.

While each organisation may not be required to comply with all 179 assertions, there are 116 mandatory assertions—which of the non-mandatory assertions don’t apply will depend on the type of organisation. To make things easier, some assertions will be satisfied if an organisation has a Cyber Essentials Plus or ISO 27001 certification in place.

The change for 2020

The Data Security and Protection Toolkit Standard (DSPT) has been reviewed by NHS Digital for 2019-20. The new standard builds on the work and learning from 2018-19.

One of the new requirements within the 2019/2020 (v2) submission introduces the need for an independent audit of an organisation’s DSPT submission:

Clause 9.4.6, ‘What level of assurance did the independent audit of your Data Security and Protection Toolkit provide to your organisation?’

This requires Category 1 (Acute Hospital/Trust; Ambulance Trust; Community Services Provider; Mental Health Trust) and Category 2 (Arm’s Length Body; Client Commissioning Group; Commissioning Support Unit) organisations to provide details of the audit and include a copy of the report with their submission. Other organisations may wish to complete this assertion if they want to achieve ‘Standards Exceeded’.

How PGI can help

Our Information Assurance team are experienced in undertaking and auditing a wide range of regulatory compliance frameworks, including ISO 27001, PCI DSS and GDPR. In particular, the team can assist you in reviewing your DSPT submission acting as your independent auditor.

We can offer a comprehensive service that includes a gap analysis, penetration testing, a GDPR framework, Cyber Essentials Plus certification and/or ISO 27001 implementation. We will work with you to determine what you need, so you’re only spending what you must.

If you would like to discuss how we can help you meet your requirements, please contact us for a chat.