Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

5 common mistakes made on the NHS Data Security Protection Toolkit (DSPT)

  • Published: May 29, 2024
  • Category: DSPT

Share this post

Avatar photo
Simon Santos

Share this post

What is the NHS Data Security Protection Toolkit (DSPT)

The NHS Data Security Protection Toolkit (DSPT) is a self-assessment framework required for all suppliers that handle identifiable data as part of their engagements with health or social care. It is mandatory for Integrated Care Boards (ICB’s), NHS Trusts, innovative technology companies and CQC registered service providers working with the NHS. Its intention is to illustrate compliance and alignment with the National Data Guardians 10 Data Security Standards as well as UK GDPR.  But it’s not easy..  After over 10-years of supporting organisations to address the requirements of the NHS DSPT, we have summarised 5 common mistakes made when submitting for the 1st or 10th time, especially with recent changes made to Version 6 of the toolkit.   

DSPT Category 1 or Category 3: Choosing the right category 

Until Version 6 of the DSPT, the majority of external companies working with the NHS were expected to submit a DSPT in line with Category 3 guidance, but this has now changed based on new guidance and expectations. This has caused some confusion in the submission process and led organisations to address enhanced requirements.  For the most part, innovative technology companies would make their submission under the   ‘Other’ sector definition of the DSPT following the Category 3 guidance. Now, if a technology or IT supplier meets the conditions of having over 50 staff and £10 million of revenue, they must complete a Category 1 submission. This is a much more detailed and comprehensive submission, focusing on both the expectations of the National Data Guardian and enhancing the technical and procedural controls in place.  Ensuring you choose the right category is essential for success in completing your submission, so if in doubt, get in touch.   

Registration with the Information Commissioner’s Office (ICO) 

The ICO is the data protection regulator in the UK and exists to ensure businesses handling personal and identifiable information take measures to protect its integrity. As a standard expectation for any business working in healthcare, whether through technology or services, they must be registered with the ICO.  This is a common gap in the knowledge base of businesses that are just starting out on their journey to complete DSPT for the first time and is an easy task that can be completed here. It’s essential that businesses have their ICO registration number in order to complete and submit the DSPT.   

Appointing a UK Representative

For International companies looking to begin operations in the UK, as an often forgotten principle of UK GDPR, they must appoint a UK Representative based in the UK if they are not registered as a private limited company (Ltd).  The UK Representative role is often aligned with the Data Protection Officer (DPO) and is responsible for ensuring your organisation upholds its obligations to meet UK GDPR. This role can be fulfilled by an individual or company for those without a registered entity (Ltd company) in the UK.  This role is an important tenet of DSPT and is often missed by businesses who are completing the submission for the first time. It’s also required as part of registration with the ICO ensuring the UK regulator can interact with an appointed representative incase of enforcement or investigation.   

Not Performing Internal Audits 

For organisations that have completed DSPT previously, it’s important to understand the importance of performing internal audits. The DSPT encompasses many essential business functions and processes and without stress testing policies and procedures, it can prove difficult to evidence their effectiveness which is important for subsequent submissions.  Successfully performing an internal audit does require a multi-stakeholder engagement ranging from the HR to Technology teams. Whilst perhaps considered a burden to busy teams, it lays the foundation for best practice in Information Security Management and instils a culture of Test, Evaluate, Adjust, Repeat which is the groundwork for international standards. By making this part of usual business practices, complying with standards like ISO 27001 will be less of a shock to internal teams going forward.   

Limited time to complete submission  

Compliance is often identified early and delivered hastily and this is a common mistake made with frameworks like the DSPT. As already summarised, completing the DSPT takes involvement from multiple stakeholders in your business and can often be held back by a failure to establish a clear project plan and controls to ensure the business practises what it preaches.  Each component requires a plan and evidence of its implementation. For instance, the Training Needs Analysis expects a clear set of principles applied to staff that may come into contact with identifiable or personal data and 95% of those staff having completed adequate training for their role. Without prior planning, this is often unattainable.   

DSPT as a ‘tick box’ exercise 

Following and adhering to the principles of the DSPT enables businesses working with the NHS to evidence their commitment to information security and safety. It can be considered the groundwork for many compliance initiatives in healthcare from HIPAA, to GDPR, to ISO 27001 and is worth investing time and energy in completing to a suitably high standard. It should not be considered a ‘tick box’ exercise, but rather a means of ensuring the business is following best practice and that policies and procedures still resonate in the organisation.  By following some of the recommendations for action made here, businesses can effectively complete DSPT year after year. If you’ve lost your way with DSPT and need help addressing the requirements – we’ve got your back. We offer a fully integrated Information Governance function that can help address and embed the DSPT year after year and support preparation and compliance with International Standards such as ISO 27001

Other Articles​

Loading...
DSPT Audit

Preparing for the Category 2 DSPT Audit: What you need to know.

Read More →

March 23, 2026
NHS DSPT Auditor

8foldGovernance approved as DSPT Auditor for IT Suppliers to the NHS

Read More →

March 6, 2026
DSPT for Category 2 Organisations

DSPT for Category 2 Organisations

Read More →

December 13, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept