
Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s (NDG) 10 data security standards.  The Toolkit was developed in response to the NDG Review (Review of Data Security, Consent and Opt-Outs) published in July 2016 and the government response published in July 2017 (see section 3).

What is the purpose of the assessment? 

The DSPT provides a mechanism for organisations to demonstrate that they can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that ‘the NHS’ and its partners can be trusted with personal data.  This will minimise the number of individuals who 'opt out' of the sharing of their personal identifiable data.

Who needs to complete an annual DSPT Assessment? 

All organisations that have access to NHS patient data and systems must provide assurance that they are practising good data security and that personal information is handled correctly.  Using the Data Security and Protection Toolkit to evidence and publish an annual assessment provides this assurance.

Checking an Organisation's Compliance

The current DSPT status of participating organisations is publicly available.

The NDG Data Security Standards

The Data Security and Protection Toolkit was introduced in April 2018 and is the successor framework to the IG Toolkit.  The IG Toolkit assessed performance against three levels (1, 2 and 3); organisations were required to provide evidence of compliance with (at least) level 2 for all elements of their assessment.  The DSPT does not include levels; instead it requires compliance with assertions and (mandatory) evidence items within the 10 NDG Data Security Standards (listed below).  The classification of Toolkit that an organisation is required to complete is determined by its organisational type, i.e. 'Large', 'Small' or 'General Practice'.

  1. Personal Confidential Data
  2. Staff Responsibilities
  3. Training
  4. Managing Data Access
  5. Process Reviews
  6. Responding to Incidents
  7. Continuity Planning
  8. Unsupported Systems
  9. IT Protection
  10. Accountable Suppliers

Individual 'Big Picture' Guides for the 10 Data Security Standards.

The Overall Guide to the Data Security Standards.

09/09/2020