Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

NHS Data Security and Protection Toolkit (DSPT) Support

The Mandatory Security Requirement for Suppliers to the NHS

dspt toolkit icon, data security and protection icon

Achieve DSPT Compliance with Confidence

The NHS Data Security and Protection Toolkit (DSPT), replacing the previous NHS IG Toolkit, is an online self-assessment that allows Digital Health, MedTech or IT suppliers to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to assure NHS partners that they are following information governance best practices. 

If you’re a Digital Health, MedTech or IT Supplier, our in-house team of Information Governance and Data Protection experts can help.

Get Support Now

How we help with the DSPT

Our in-house team work with Startups, SME’s and Enterprises to curate, manage and audit their DSPT submissions, ensuring robust governance and effective management of sensitive and special category data.

DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

Submitting DSPT
for the first time?

We offer custom IG Framework development or integrations, ensuring you meet all DSPT assertions.
Get Started
DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

Need help managing
DSPT?

DSPT is an essential standard required of suppliers and can be integrated with other standards such as ISO 27001 and HIPAA.

Learn More
DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

Require an Audit of your
DSPT?

Whether you’re submitting for the first or tenth time, we can provide an impartial audit of your submission to ensure effectiveness and compliance.

Learn More

Need to find a specialist Auditor capable of reviewing your DSPT submission as a Category 2 organisation?

  Our team are here to help.

Learn More
8foldGovernance team — UK healthcare compliance experts
Category 2 DSPT Audit

Defining your Category

With recent changes to the DSPT framework, it’s important for Digital Health, MedTech, and IT suppliers to understand which submission category they must complete.

Which DSPT category am I?

DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

Category 2 Requirements

IT Suppliers, Operators of Essential Services

  • 50 or more Staff
  • £10 million or more Revenue
  • Enhanced Information Security and CyberSecurity Requirements
  • Independent Audit required to validate controls.
DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

Category 3 Requirements

Other suppliers, local authorities

  • Less than 50 staff
  • Less than £10 million Revenue
  • Alignment with National Data Guardians 10 Data Security Standards and GDPR.
  • Does not require an independent Audit.

Case Study

Learn more about how we supported RTN Mental Health to meet the requirements of the DSPT and establish a robust, scalable Information Governance framework—building on the same approach we’ve used to help other healthcare and digital health teams strengthen compliance, reduce risk, and move faster with confidence.

DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt

8foldGovernance was the experienced partner we needed. They didn’t just ensure compliance; they built a dynamic governance model that reduces administrative burden and supports our sustainable growth with the NHS.

Matthew Jolly, CEO at RTN Mental Health

DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt
Loading...
DSPT Data Security & Protection (DSPT) DSPT,DSP Toolkit,Do I need a named Data Protection Officer ?,Do I need a DPO ?,data security and protection toolkit,Data Security & Protection,What is a DSP toolkit?,What is the deadline for completing the DSP Toolkit?,dspt consultants,dspt submission help,dspt standards,dspt audit,complete the dspt
Avatar photo
Lily Stevens

Case Study: RTN Mental Health Solutions

Posted In: Case Studies
Read article

Cyber Assessment Framework (CAF) aligned DSPT

IT suppliers and technology providers currently operate under the standard DSPT framework. 

While NHS organisations are transitioning toward a CAF-aligned model, suppliers continue to be assessed against the established criteria tailored to their specific role in the ecosystem. 

While CAF alignment is not yet a formal requirement for the supply chain, the introduction of the Cyber Security Charter for suppliers suggests that assurance standards will continue to rise.

Our services are built to bridge the gap between today’s compliance needs and tomorrow’s maturity expectations. This is how we build Good Governance into the fabric of every organisation we work with. 

Start your Governance Journey

Frequently Asked Questions About DSPT.

What is the Data Security and Protection Toolkit (DSPT)?

The DSPT is an online self-assessment designed to help NHS suppliers and health and care organisations measure their data security and protection practices against national standards.

Who is required to complete a DSPT?

Organisations must complete a DSPT if they are processing NHS healthcare data or accessing NHS system.

Do Digital Health companies need to complete the DSPT?

Yes – Digital Health companies must complete the DSPT each year under the relevant category for their organisation.

I have ISO 27001 certification - do I still need to submit a DSPT?

Yes – every organisation must submit their DSPT even if they have certification to ISO 27001 with a UKAS certification body. Many of the controls in ISO 27001 align with DSPT so there are opportunities to consolidate evidence.

When do I need to complete a Category 2 DSPT submission?

If you are submitting as a Category 2 organisation, you will still need to provide all of your evidence via the portal; however, you will also be asked for an Audit Report. You will need to undertake an impartial third-party audit to validate your controls. This is something we can help you with.

Is an Audit of my submission mandatory for a Category 2 DSPT submission?

Yes, it is a mandatory requirement essential for organisations to achieve a ‘Standards Met’ status on the DSPT portal.

What is CAF?

The Cyber Assurance Framework (CAF) is a security and risk management framework developed by the UK National Cybersecurity Centre (NCSC). It outlines key objectives for organisations to enhance their security posture, focusing on four main areas: managing security risk, protecting against cyber attacks, detecting cybersecurity events, and minimising the impact of cybersecurity incidents.

Meet your DSPT requirements with our Expert Team

Explore how our tailored support can help you build strong governance foundations and compliance to do business with the NHS. 

Get Started
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept