The NHS Data Security and Protection Toolkit (DSPT) is a crucial framework for businesses working in the UK health and care market. It’s a mandatory requirement for a wide range of organisations, from NHS Trusts to innovative tech companies, ensuring that patient data is kept safe and secure.
Version 8 of the Data Security Protection Toolkit (DSPT) has recently been published and it can always feel daunting whether you’re facing it for the first or 8th time. That’s what we’re here for.
In this blog, we’ll guide you through the key changes in Version 8 of the DSPT for organisations submitting the version aligned to the National Data Guardian’s 10 Data Security Standards, so you can navigate this transition with confidence.
The NHS Data Security and Protection Toolkit (DSPT) is an assessment tool developed by NHS England, designed to allow organisations handling patient data within health or social care settings to have the proper measures in place to ensure this information is kept safe and secure. It is a mandatory requirement for Integrated Care Boards, NHS Trusts, innovative technology companies, and CQC-registered service providers alike, forming a requirement of the NHS standard contract.
Introduced in April 2018, the DSPT replaced the Information Governance Toolkit, serving as a comprehensive framework for data security within the healthcare sector. It plays a crucial role in safeguarding sensitive information and maintaining high standards of data protection across the NHS and its partners.
The DSPT breaks down organisations into four groups, each with its own set of requirements. Depending on your category, you’ll need to complete a DSPT based on one of two frameworks:
- The National Cyber Security Centre’s Cyber Assessment Framework (CAF) or
- The National Data Guardian’s 10 data security standards.
As such, it’s important to know which category your organisation falls into prior to starting the DSPT, as updates have been made to both types.
Before you begin, it’s important to know which category your organisation falls into, as updates have been made to both. In this blog, we’re focusing on the changes relevant to these categories, which assess themselves against the National Data Guardian’s 10 data security standards:
Category 2: IT Suppliers
Category 3: Organisations like charities, local authorities, social care providers, and dentists
Category 4: Organisations like GPs
The DSPT is updated every year to keep pace with evolving cyber threats, regulatory requirements, and feedback from organisations. The latest version, DSPT Version 8, was released on September 1st, 2025.
You’ll need to complete your assessment against these new requirements by June 30th, 2026.
If you fall into one of the three categories described above that need to comply with the older National Data Guardian-aligned framework, these updates will impact the ‘Assertions and Evidence items’ section of your DSPT. You’ll need to make sure your policies and procedures are aligned with the new criteria.
New mandatory requirements
Here’s a quick run-down of the changes.
Another register: Yes, you read that correctly.
Version 8 requires Category 3 organisations to maintain a ‘digital asset register’ which records all the organisation’s hardware and software. If you have completed the DSPT in the past, you may be able to utilise your information asset register to help meet this requirement.
With great power comes great responsibility
Version 8 of the DSPT requires Category 3 organisations to formalise the accountability of their system administrators. These individuals, who have access to more sensitive information, now have to sign a formal agreement that holds them to a higher standard of confidentiality. This is a vital step because these individuals are often targeted by cyberattacks.
Securing software
Category 2 organisations that develop software for health and care are advised, as part of Version 8 of the DSPT, to follow the government’s Software Security Code of Practice, released in May 2025.
What’s in a name?
It’s no longer enough for Category 3 organisations to simply formally assign someone to be responsible for data security. Version 8 of the DSPT requires a senior officer to actively “own and direct” your security approach. This means they should be regularly leading discussions about security across the whole organisation.
Business continuity plan boosts
Version 8 of the DSPT offers more guidance on what to include in your business continuity plans. They should now outline how you’ll communicate with others—like IT suppliers and patients—if your systems go down. Your plan should also include a prioritised list of systems to recover first, so you can restore critical functions like patient care.
Back ups
Both Category 2 and 3 organisations have stronger requirements for backups in Version 8 of the DSPT. You shouldn’t rely solely on cloud services like OneDrive, SharePoint or Google Drive for your backups. This practice, recommended by the National Cyber Security Centre, prevents a single incident from affecting all your backups at once, allowing for a more reliable recovery of essential services.
Overall, Version 8 of the DSPT is a welcome move towards increased security and privacy protections for health and social care data; however, it will require organisations to think more deeply about their privacy and security practices to ensure they meet the slightly strengthened evidential requirements of Version 8.
When debating whether it is beneficial to obtain your CE+ moving forward, remember that what sets this certification apart is its external audit. Where it intertwines so frequently with other compliance regulations, such as DTAC and DSPT, it elevates your compliance in the direction of NHS compatibility and makes it a much simpler process to approach.
Your DSPT Checklist
Organisations will be required to submit the DSPT by 30th June 2026. To ensure that your organisation can submit a well-prepared toolkit on time and continue to access NHS systems and patient data without disruption, we recommend starting your preparations as soon as possible.
Each year, organisations should take the following steps:
- Gap analysis: Look at your previous DSPT to find areas where your practices fall short. This helps you focus on what needs the most attention.
- Business Continuity Plan (BCP): Review and practice your BCP to make sure you can maintain patient data access and operations during an incident. Be sure it aligns with the Version 8 requirements.
- Business Continuity Plan (BCP): Review and practice your BCP to make sure you can maintain patient data access and operations during an incident. Be sure it aligns with the Version 8 requirements.
- Records of Processing Activities (RoPA) workshop: Host RoPA workshop to ensure your data mapping is accurate and up to date with all personal data flows. Do you have new business processes or suppliers that need to be added?
- Information Asset Register: Update your register to get a clear overview of all your information assets, their owners, and associated risks. This will help with the new Version 8 Digital Asset Register requirement.
- Review policies and procedures: Review and update all relevant policies and procedures to reflect the new Version 8 requirements. Make sure your team knows their responsibilities.
Conclusion
Version 8 of the DSPT is a welcome step toward stronger security for health and social care data, but it requires organisations to think more deeply about their privacy and security practices. Remember, “Good Governance is great business”. Businesses that invest in their governance structures reap the benefits.
We’re here to help you find a route from where you are to where you need to go—with candour, commitment, and quality. Don’t wait until the last minute to begin your preparations. By taking these proactive steps, organisations not only ensure compliance but also build a more robust and resilient data security posture for the future, allowing you to continue providing value to the health system without disruption.
We’re the experts that have your back.
Need support navigating the changes? We’ll guide you through the entire process. Get in touch to schedule a discovery call today.