Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

DSPT Version 8: Preparing for the latest version

  • Published: November 6, 2025
  • Category: DSPT

Share this post

Avatar photo
Simon Santos

Share this post

The NHS Data Security and Protection Toolkit (DSPT) is a crucial framework for businesses working in the UK health and care market. It’s a mandatory requirement for a wide range of organisations, from NHS Trusts to innovative tech companies, ensuring that patient data is kept safe and secure.

Version 8 of the Data Security Protection Toolkit (DSPT) has recently been published and it can always feel daunting whether you’re facing it for the first or 8th time. That’s what we’re here for. 

In this blog, we’ll guide you through the key changes in Version 8 of the DSPT for organisations submitting the version aligned to the National Data Guardian’s 10 Data Security Standards, so you can navigate this transition with confidence. 

Need help with NHS DSPT? Book a Call with our Expert Team

What is the DSPT

DSPT Version 8 DSPT Version 8: Preparing for the latest version DSPT Version 8,DSPT v8,NHS DSPT V*

The NHS Data Security and Protection Toolkit (DSPT) is an assessment tool developed by NHS England, designed to allow organisations handling patient data within health or social care settings to have the proper measures in place to ensure this information is kept safe and secure. It is a mandatory requirement for Integrated Care Boards, NHS Trusts, innovative technology companies, and CQC-registered service providers alike, forming a requirement of the NHS standard contract.

Introduced in April 2018, the DSPT replaced the Information Governance Toolkit, serving as a comprehensive framework for data security within the healthcare sector. It plays a crucial role in safeguarding sensitive information and maintaining high standards of data protection across the NHS and its partners.

The DSPT breaks down organisations into four groups, each with its own set of requirements. Depending on your category, you’ll need to complete a DSPT based on one of two frameworks:

  1. The National Cyber Security Centre’s Cyber Assessment Framework (CAF) or
  2. The National Data Guardian’s 10 data security standards. 

As such, it’s important to know which category your organisation falls into prior to starting the DSPT, as updates have been made to both types. 

DSPT Categories

Before you begin, it’s important to know which category your organisation falls into, as updates have been made to both. In this blog, we’re focusing on the changes relevant to these categories, which assess themselves against the National Data Guardian’s 10 data security standards:

DSPT Version 8 DSPT Version 8: Preparing for the latest version DSPT Version 8,DSPT v8,NHS DSPT V*

Category 2: IT Suppliers

DSPT Version 8 DSPT Version 8: Preparing for the latest version DSPT Version 8,DSPT v8,NHS DSPT V*

Category 3: Organisations like charities, local authorities, social care providers, and dentists

DSPT Version 8 DSPT Version 8: Preparing for the latest version DSPT Version 8,DSPT v8,NHS DSPT V*

Category 4: Organisations like GPs

Why is DSPT different this year?

The DSPT is updated every year to keep pace with evolving cyber threats, regulatory requirements, and feedback from organisations. The latest version, DSPT Version 8, was released on September 1st, 2025. 

You’ll need to complete your assessment against these new requirements by June 30th, 2026.

 If you fall into one of the three categories described above that need to comply with the older National Data Guardian-aligned framework, these updates will impact the ‘Assertions and Evidence items’ section of your DSPT. You’ll need to make sure your policies and procedures are aligned with the new criteria.

New mandatory requirements

Here’s a quick run-down of the changes.

Another register: Yes, you read that correctly.

Version 8 requires Category 3 organisations to maintain a ‘digital asset register’ which records all the organisation’s hardware and software. If you have completed the DSPT in the past, you may be able to utilise your information asset register to help meet this requirement.

With great power comes great responsibility

Version 8 of the DSPT requires Category 3 organisations to formalise the accountability of their system administrators. These individuals, who have access to more sensitive information, now have to sign a formal agreement that holds them to a higher standard of confidentiality. This is a vital step because these individuals are often targeted by cyberattacks.

Securing software

Category 2 organisations that develop software for health and care are advised, as part of Version 8 of the DSPT, to follow the government’s Software Security Code of Practice, released in May 2025. 

What’s in a name?

It’s no longer enough for Category 3 organisations to simply formally assign someone to be responsible for data security. Version 8 of the DSPT requires a senior officer to actively “own and direct” your security approach. This means they should be regularly leading discussions about security across the whole organisation.

Business continuity plan boosts

Version 8 of the DSPT offers more guidance on what to include in your business continuity plans. They should now outline how you’ll communicate with others—like IT suppliers and patients—if your systems go down. Your plan should also include a prioritised list of systems to recover first, so you can restore critical functions like patient care.

Back ups

Both Category 2 and 3 organisations have stronger requirements for backups in Version 8 of the DSPT. You shouldn’t rely solely on cloud services like OneDrive, SharePoint or Google Drive for your backups. This practice, recommended by the National Cyber Security Centre, prevents a single incident from affecting all your backups at once, allowing for a more reliable recovery of essential services.

Overall, Version 8 of the DSPT is a welcome move towards increased security and privacy protections for health and social care data; however, it will require organisations to think more deeply about their privacy and security practices to ensure they meet the slightly strengthened evidential requirements of Version 8. 

When debating whether it is beneficial to obtain your CE+ moving forward, remember that what sets this certification apart is its external audit. Where it intertwines so frequently with other compliance regulations, such as DTAC and DSPT, it elevates your compliance in the direction of NHS compatibility and makes it a much simpler process to approach.

Your DSPT Checklist

Organisations will be required to submit the DSPT by 30th June 2026. To ensure that your organisation can submit a well-prepared toolkit on time and continue to access NHS systems and patient data without disruption, we recommend starting your preparations as soon as possible. 

Each year, organisations should take the following steps:

  • Gap analysis: Look at your previous DSPT to find areas where your practices fall short. This helps you focus on what needs the most attention.
  • Business Continuity Plan (BCP): Review and practice your BCP to make sure you can maintain patient data access and operations during an incident. Be sure it aligns with the Version 8 requirements.
  • Business Continuity Plan (BCP): Review and practice your BCP to make sure you can maintain patient data access and operations during an incident. Be sure it aligns with the Version 8 requirements.
  • Records of Processing Activities (RoPA) workshop: Host RoPA workshop to ensure your data mapping is accurate and up to date with all personal data flows. Do you have new business processes or suppliers that need to be added? 
  • Information Asset Register: Update your register to get a clear overview of all your information assets, their owners, and associated risks. This will help with the new Version 8 Digital Asset Register requirement.
  • Review policies and procedures: Review and update all relevant policies and procedures to reflect the new Version 8 requirements. Make sure your team knows their responsibilities.

Conclusion

Version 8 of the DSPT is a welcome step toward stronger security for health and social care data, but it requires organisations to think more deeply about their privacy and security practices. Remember, “Good Governance is great business”. Businesses that invest in their governance structures reap the benefits.

We’re here to help you find a route from where you are to where you need to go—with candour, commitment, and quality. Don’t wait until the last minute to begin your preparations. By taking these proactive steps, organisations not only ensure compliance but also build a more robust and resilient data security posture for the future, allowing you to continue providing value to the health system without disruption.

We’re the experts that have your back.

Need support navigating the changes? We’ll guide you through the entire process. Get in touch to schedule a discovery call today.

Book a Call with our Expert Team

Other Articles​

Loading...
DSPT Audit

Preparing for the Category 2 DSPT Audit: What you need to know.

Read More →

March 23, 2026
NHS DSPT Auditor

8foldGovernance approved as DSPT Auditor for IT Suppliers to the NHS

Read More →

March 6, 2026
DSPT for Category 2 Organisations

DSPT for Category 2 Organisations

Read More →

December 13, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept