Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

What’s New in NHS DSPT Version 7? A Guide to the Latest Updates

  • Published: March 13, 2025
  • Category: DSPT

Share this post

Headshot of an 8fold team member
Lily Stevens

Share this post

nhs dspt v7, NHS DSPT Version 7

The NHS Data Security and Protection Toolkit (DSPT) is a vital compliance requirement for organisations managing identifiable data within the health and social care sectors. With data security and compliance requirements constantly evolving, staying on top of the latest DSPT updates is essential for ensuring both regulatory compliance and the protection of patient and service user information. 

This blog explores the latest updates, including those introduced in NHS DSPT Version 7, and highlights what organisations need to know to stay aligned with new requirements. It also provides an overview of future changes to help organisations prepare for what’s ahead.

Need Help with DSPT? Get Expert Guidance Now

What is the NHS DSPT?

The NHS Data Security and Protection Toolkit (DSPT) is an assessment tool developed by NHS England, designed to allow organisations handling patient data within health or social care settings to have the proper measures in place to ensure this information is kept safe and secure. It is a mandatory requirement for Integrated Care Boards, NHS Trusts, innovative technology companies, and CQC-registered service providers alike, forming a requirement of the NHS standard contract.

The DSPT allows organisations to evaluate their data security practices against the National Data Guardian’s ten data security standards and ensure compliance with UK GDPR. By completing the DSPT, organisations can demonstrate legal compliance, build trust with service users and staff, and contribute to broader health and care initiatives, such as e-Referrals.

Introduced in April 2018, the DSPT replaced the Information Governance Toolkit, serving as a comprehensive framework for data security within the healthcare sector. It plays a crucial role in safeguarding sensitive information and maintaining high standards of data protection across the NHS and its partners.

NHS DSPT Categories

The DSPT categorises organisations into four distinct groups, each with tailored requirements mapping an organisation’s type and size to a pre-defined set of data security measures. Understanding these categories is crucial for organisations to accurately comply with the DSPT standards accordingly and is a common pitfall we see with those who have not submitted the DSPT before or who have grown since their last submission.

Category 1

Category 1 encompasses key NHS bodies responsible for delivering and overseeing essential health services.

  • NHS Trusts: Including Acute Trusts, Ambulance Trusts, Community Services Providers, and Mental Health Trusts.
  • Integrated Care Boards (ICBs): Organisations responsible for planning and commissioning health services in their local areas.
  • Commissioning Support Units (CSUs): NHS organisations that provide support services to ICBs and other commissioners.
  • Arm’s Length Bodies (ALBs): Such as NHS England and the Medicines and Healthcare Products Regulatory Agency (MHRA).

These organisations handle critical functions and are integral to the NHS infrastructure, necessitating comprehensive data protection measures.

Category 2

  • IT Suppliers: External organisations that provide digital goods and services to the NHS and/or care sectors. To fall under Category 2, these suppliers must meet specific criteria:  Employ 50 or more staff, Have an annual turnover of £10 million or more.
  • Operators of Essential Services (OES) Independent Providers: Independent health and care providers designated as operators of essential services under the Network and Information Systems (NIS) Regulations.

Category 3

  • Other In-Scope Organisations: This includes charities, some companies, and NHS business partners involved in health and care services. Those that provide digital goods and services to the NHS and/or care sectors but do not have over 50 members of staff and a turnover of £10 million or over fall into this category. This is the category many digital health Startups and SMEs need to utilise in their submission. 
  • Dentists: Practices providing NHS clinical and educational dental services or private dental services.
  • Local Authorities: County, shire, district, borough, or city councils responsible for public services within a defined geographical area.
  • Opticians: Providers offering NHS primary eye health services, such as sight testing.
  • Pharmacies: Community pharmacies that have agreements to provide NHS pharmaceutical services.
  • Social Care Providers: Organisations delivering adult social care services, including domiciliary care, care homes, and day services.
  • Universities: Institutions processing patient information for secondary purposes, such as research.

Category 4

Category 4 is designated for General Practices (GPs). GPs provide a range of medical services, including comprehensive and continuing medical care to patients. They are required to complete the DSPT with evidence items specific to their operations, ensuring that data security measures are appropriately implemented within primary care settings.

By identifying their appropriate category, organisations can effectively align their data protection practices with the DSPT requirements, ensuring compliance and safeguarding sensitive information.

Why does the DSPT change every year?

The NHS Data Security and Protection Toolkit (DSPT) is regularly updated to reflect evolving cyber threats, regulatory requirements, and best practices in data security. As technology advances and new risks emerge, the DSPT ensures that organisations handling NHS data stay aligned with the latest legal, ethical, and security standards. The NHS, when publishing this year’s updates, stated that they feel the changes will support:

  • An emphasis on good decision-making around compliance which puts more emphasis on ownership of information risk at the local level. 
  • Support a culture of improvement, which will encourage organisations to evaluate their practices and focus on what works rather than just complying with standards. 
  • Encourage better practices to enable organisations to stay updated on new security measures and emerging threats.

Staying informed about these changes is crucial for organisations that process identifiable health or social care data. Regular updates to the DSPT may introduce new compliance requirements, enhanced security measures, or revised best practices, all of which can impact how organisations manage and protect sensitive information.

Failing to meet updated DSPT requirements could lead to compliance risks, operational disruptions, or even loss of NHS contracts. By keeping up to date with changes, organisations can not only maintain compliance but also strengthen their data security posture, ensuring continued trust from patients, service users, and healthcare partners

What's new in NHS DSPT Version 7?

In September 2024, the Data Security and Protection Toolkit (DSPT) introduced significant updates in its Version 7 release for the 2024/25 period. The largest change is the adoption of the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as the foundation for cybersecurity and information governance assurance. This shift aims to promote better decision-making and a culture of continuous improvement in managing information risks.

The CAF is structured around four primary security objectives:
  • Managing Security Risk: Focuses on governance, risk management, asset management, and supply chain security at the organisational level.
  • Protecting Against Cyber Attacks: Emphasises policies, processes, access control, data security, system security, and resilient networks to ensure robust defences.
  • Detecting Cyber Security Events: Highlights the necessity for security monitoring and proactive event discovery.
  • Minimising the Impact of Cyber Security Incidents: Addresses incident response, recovery planning, and lessons learned to enhance organisational resilience.

Organisations such as NHS Trusts, Commissioning Support Units (CSUs), Arm’s Length Bodies (ALBs), and Integrated Care Boards (ICBs) will encounter a revised DSPT interface aligned with CAF principles. This new approach encourages organisations to assess their compliance levels as “Not Achieved,” “Partially Achieved,” or “Achieved” for each outcome, fostering a focus on continuous improvement rather than mere compliance.  

Although not as substantial, other changes could significantly impact NHS suppliers and partners. These include the mandatory requirement for multi-factor authentication on all remotely accessible user accounts across all organisations and the obligation to audit returns of larger Category 2 organisations.

These updates underscore the DSPT’s commitment to evolving with the cybersecurity landscape, ensuring that organisations handling NHS data maintain robust and up-to-date security practices. This pattern will continue through the next 2 years, with the CAF-aligned DSPT rolled out to Category 2 organisations in September 2025 and then extended across all other categories of the DSPT by September 2026.

What is the impact of these changes on healthcare organisations?

Category 1 organisations will experience a significant shift to the new CAF-aligned model, requiring careful planning and adaptation. However the changes for other organisations and the potential resource demands they make should not be overlooked. 

The new mandatory assertion for Multi-Factor Authentication (MFA) in the Category 3 submission will see the digital health Startups and SMEs need to review whether they conform to this currently and if not how they may do so.

Additionally, this may then feed into the ongoing maintenance, adjustments, and continuous improvement organisations should be making between DSPT submissions year on year.

The annual requirements such as GDPR training, business continuity exercises, and updating the Record of Processing Activities (RoPA) can be time-consuming and may need to be adjusted on account of this change. These tasks should be strategically planned well in advance of the DSPT submission deadline in June to ensure compliance and avoid last-minute challenges.

What to expect from Version 8 of the DSPT?

While the exact details of DSPT Version 8 have not been officially confirmed, healthcare organisations should prepare for significant enhancements, particularly in the realm of cybersecurity. Following the introduction of mandatory Multi-Factor Authentication (MFA) in Version 7, future updates are expected to include additional security protocols to further safeguard sensitive data.

Moreover, the introduction of the Cyber Assessment Framework aligned DSPT for Category 2 organisations will fundamentally alter the way compliance information is submitted. This shift promises to bring more rigorous standards and greater alignment with national cybersecurity strategies, reinforcing the ongoing commitment to robust digital security across the healthcare sector.

NHS DSPT Version 7 What’s New in NHS DSPT Version 7? A Guide to the Latest Updates NHS DSPT Version 7

Ready to meet the new DSPT requirements with ease?

With years of experience supporting organisations through the submission process, we’re here to guide you every step of the way. Let us help you navigate the complexities, ensuring a smooth and stress-free experience.

Book a Call with our Expert Team

Other Articles​

Loading...
DSPT Audit

Preparing for the Category 2 DSPT Audit: What you need to know.

Read More →

March 23, 2026
NHS DSPT Auditor

8foldGovernance approved as DSPT Auditor for IT Suppliers to the NHS

Read More →

March 6, 2026
DSPT for Category 2 Organisations

DSPT for Category 2 Organisations

Read More →

December 13, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept