The NHS Data Security and Protection Toolkit (DSPT), replacing the previous NHS IG Toolkit, is an online self-assessment that allows Digital Health, MedTech or IT suppliers to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to assure NHS partners that they are following information governance best practices.
If you’re a Digital Health, MedTech or IT Supplier, our in-house team of Information Governance and Data Protection experts can help.
Our in-house team work with Startups, SME’s and Enterprises to curate, manage and audit their DSPT submissions, ensuring robust governance and effective management of sensitive and special category data.
DSPT is an essential standard required of suppliers and can be integrated with other standards such as ISO 27001 and HIPAA.
Whether you’re submitting for the first or tenth time, we can provide an impartial audit of your submission to ensure effectiveness and compliance.
Our team are here to help.
With recent changes to the DSPT framework, it’s important for Digital Health, MedTech, and IT suppliers to understand which submission category they must complete.
Learn more about how we supported RTN Mental Health to meet the requirements of the DSPT and establish a robust, scalable Information Governance framework—building on the same approach we’ve used to help other healthcare and digital health teams strengthen compliance, reduce risk, and move faster with confidence.
8foldGovernance was the experienced partner we needed. They didn’t just ensure compliance; they built a dynamic governance model that reduces administrative burden and supports our sustainable growth with the NHS.
Matthew Jolly, CEO at RTN Mental Health
IT suppliers and technology providers currently operate under the standard DSPT framework.
While NHS organisations are transitioning toward a CAF-aligned model, suppliers continue to be assessed against the established criteria tailored to their specific role in the ecosystem.
While CAF alignment is not yet a formal requirement for the supply chain, the introduction of the Cyber Security Charter for suppliers suggests that assurance standards will continue to rise.
Our services are built to bridge the gap between today’s compliance needs and tomorrow’s maturity expectations. This is how we build Good Governance into the fabric of every organisation we work with.
The DSPT is an online self-assessment designed to help NHS suppliers and health and care organisations measure their data security and protection practices against national standards.
Organisations must complete a DSPT if they are processing NHS healthcare data or accessing NHS system.
Yes – Digital Health companies must complete the DSPT each year under the relevant category for their organisation.
Yes – every organisation must submit their DSPT even if they have certification to ISO 27001 with a UKAS certification body. Many of the controls in ISO 27001 align with DSPT so there are opportunities to consolidate evidence.
If you are submitting as a Category 2 organisation, you will still need to provide all of your evidence via the portal; however, you will also be asked for an Audit Report. You will need to undertake an impartial third-party audit to validate your controls. This is something we can help you with.
Yes, it is a mandatory requirement essential for organisations to achieve a ‘Standards Met’ status on the DSPT portal.
The Cyber Assurance Framework (CAF) is a security and risk management framework developed by the UK National Cybersecurity Centre (NCSC). It outlines key objectives for organisations to enhance their security posture, focusing on four main areas: managing security risk, protecting against cyber attacks, detecting cybersecurity events, and minimising the impact of cybersecurity incidents.
Explore how our tailored support can help you build strong governance foundations and compliance to do business with the NHS.
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |