DSPT

Medical Data Guard provides independent compliance support to ensure your organisation meets the NHS Data Security and Protection Toolkit (DSPT) standards.

Fulfilling the DSPT’s assertions and evidence requirements can be complex and time-consuming. That’s why it’s crucial to evaluate your current compliance status early in the process. This allows you to identify the support you need and make informed decisions about the expertise required to achieve and maintain compliance.

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that organisations use to measure their performance against either the National Cyber Security Centre’s Cyber Assessment Framework (CAF) or the National Data Guardian’s 10 data security standards.
Any organisation accessing NHS patient data and systems is mandated to complete the DSPT annually and continually demonstrate ongoing compliance throughout the year.

How Our DSPT Services Help You Achieve Compliance


Benefits of Our DSPT Audit and Services:

  • Assess and identify gaps in your current data security and protection practices.
  • Receive practical advice and assistance to meet your obligations.
  • Obtain relevant documentation to ensure compliance with all required standards.
  • Gain an independent audit of your Toolkit aligned with the NHS England framework.

2025-2026 DSPT Assessment Updates

For the 2025-2026 assessment period, NHS England has introduced some important changes:

The Cyber Assessment Framework (CAF) now applies to:

  • Category 1 NHS organisations
  • Category 2 Operators of Essential Services (OES) Independent Providers
  • Genomics organisations (as nominated by the Department of Health and Social Care)

The non-CAF DSPT will continue to apply to:

  • Category 2 Key IT Suppliers
  • Category 3 organisations
  • Category 4 organisations

An independent audit remains mandatory for all Category 1 and Category 2 organisations.

Frequently Asked Questions

Does my organisation have to complete the DSPT?
If your organisation is a public or private entity accessing NHS patient data or systems in England, you are required to complete the DSPT self-assessment. This helps measure your performance against either the National Cyber Security Centre’s Cyber Assessment Framework or the National Data Guardian’s 10 data security standards, depending on your organisation’s category.
You should complete and submit the DSPT annually before the designated deadline. For Category 1 and Category 2 organisations, an independent audit is also required once per year. It’s important to stay up-to-date with your DSPT requirements, as changes to systems, services, and staff can occur throughout the year.
Yes. A key component of the DSPT is to evaluate your current cybersecurity measures, data protection policies, and processes. The questions help you review and update your security framework where necessary, covering areas such as staff training, backups, password management, storage, and more. Completing the DSPT demonstrates your commitment to best practices and builds trust and confidence in your data management.
If you need support, Medical Data Guard can assist by reviewing your current data security procedures, helping you implement necessary policies, and guiding you through the submission process. Our support can be tailored to cover all your data protection needs or focus specifically on your DSPT requirements.
The DSPT is specifically for organisations operating in England. Wales and Scotland have their own individual data security and protection frameworks governed by their respective national health authorities.