NHS DSPT Compliance: What Every NHS Organisation Must Have in Place

In May 2017 the WannaCry ransomware worm brought parts of the NHS to a halt: around 80 trusts were affected, some 19,000 appointments were cancelled, and the Department of Health and Social Care later put the cost at £92 million. The root cause was straightforward. WannaCry spread through an SMBv1 flaw that Microsoft had fixed in the MS17-010 update two months earlier; the trusts that were hit were running Windows machines (mostly Windows 7, not only the out-of-support Windows XP estate) that had never received the patch, on networks where unsupported software and basic hygiene gaps had been tolerated. The NHS Data Security and Protection Toolkit (DSPT) exists precisely to prevent a repeat. For any organisation that handles NHS patient data or connects to NHS systems, DSPT compliance is not optional.

What the NHS DSPT Requires

The Data Security and Protection Toolkit is an online self-assessment through which an organisation measures itself against the National Data Guardian's ten data security standards and declares how well it protects NHS patient data. NHS trusts, GP practices, dental practices, pharmacies, social care providers and any other organisation with access to NHS patient data or NHS systems must publish an annual DSPT assessment (the deadline is normally the end of June). The ten standards cover:

  • Personal confidential data — staff handle, store and transmit personal confidential data securely, on paper or electronically, and share it only for lawful and appropriate purposes
  • Staff responsibilities — all staff understand their obligations under the standards and their personal accountability for deliberate or avoidable breaches
  • Training — all staff complete appropriate annual data security and protection training and pass a mandatory test; the DSPT evidence threshold is 95% of staff
  • Managing data access — personal confidential data is accessible only to staff who need it for their current role, access is removed as soon as it is no longer required, and every access on IT systems can be attributed to an individual
  • Process reviews — processes are reviewed at least annually to identify and fix those that have caused breaches or near misses, or that force staff into workarounds that weaken data security
  • Responding to incidents — cyber attacks are identified and resisted, CareCERT security advice is acted on, and action is taken immediately after a breach or near miss, with a report to senior management within 12 hours of detection
  • Continuity planning — a continuity plan is in place to respond to threats to data security, including significant breaches or near misses, and is tested at least once a year
  • Unsupported systems — no unsupported operating systems, software or internet browsers are used within the IT estate
  • IT protection — a strategy is in place for protecting IT systems from cyber threats, based on a proven framework such as Cyber Essentials, with firewalls, patch management and malware protection in place
  • Accountable suppliers — IT suppliers are held accountable through contracts for protecting the personal confidential data they process and for meeting the standards
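Standards 8 and 9 are the two an auditor can check mechanically against an asset register, and they are exactly the two WannaCry exposed. The script below is an added example written for this article; it is not part of the DSPT or of any NHS tooling. It reads an asset-register export, flags hosts whose operating system is past vendor end of support or whose support status is simply unknown (an unknown is not evidence of compliance), flags hosts whose last patch run is older than a patch window, and lists hosts holding personal confidential data first so remediation starts where a breach would hurt most. The inventory rows are constructed, the end-of-support dates are assumptions to verify against the vendors' lifecycle pages before being cited as evidence, and the 14-day window is an assumed threshold.

```python
"""Inventory check for DSPT standards 8 (no unsupported systems) and 9
(patch management).  Added example for this article, not NHS or DSPT
tooling: the inventory rows are constructed, the end-of-support table
must be verified against vendor lifecycle pages, and the 14-day patch
window is an assumed threshold."""
import csv
import io
from datetime import date, timedelta

# Vendor end-of-support dates (assumed here; check vendor lifecycle pages
# before citing them as DSPT evidence).  Anything not in this table is
# reported as "support status unknown" rather than silently passed.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Maximum acceptable age of the last successful patch run (assumed window).
PATCH_WINDOW = timedelta(days=14)

# Constructed sample export from an asset register: hostname, operating
# system, last successful patch run, and whether the host processes
# personal confidential data (PCD).
SAMPLE_INVENTORY = """\
hostname,os,last_patched,holds_pcd
mri-console-01,Windows 7,2017-02-01,yes
ward-pc-12,Windows 10,2025-05-20,yes
finance-ws-03,Windows 8.1,2022-12-01,no
pacs-srv-02,Windows Server 2019,2025-05-25,yes
reception-pc-4,Windows 10,2025-02-10,yes
legacy-lab-07,Custom Linux build,2025-05-30,no
"""


def assess_inventory(csv_text, today):
    """Return one finding per host that breaches standard 8 or 9.

    Each finding is a dict with hostname, holds_pcd and a list of issue
    strings.  Hosts that process PCD sort first, then hosts with more
    issues, then by name, so the list doubles as a remediation order.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        os_name = row["os"].strip()
        eol = END_OF_SUPPORT.get(os_name)
        if eol is None:
            # Unknown lifecycle is a finding: the register must be completed.
            issues.append(f"standard 8: support status unknown for {os_name}")
        elif eol <= today:
            issues.append(f"standard 8: {os_name} unsupported since {eol.isoformat()}")
        age = today - date.fromisoformat(row["last_patched"])
        if age > PATCH_WINDOW:
            issues.append(f"standard 9: last patched {age.days} days ago")
        if issues:
            findings.append({
                "hostname": row["hostname"],
                "holds_pcd": row["holds_pcd"].strip().lower() == "yes",
                "issues": issues,
            })
    findings.sort(key=lambda f: (not f["holds_pcd"], -len(f["issues"]), f["hostname"]))
    return findings


def run_sample(today=date(2025, 6, 1)):
    """Assess the constructed inventory as of a fixed date so the result
    is reproducible."""
    return assess_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for finding in run_sample():
        tag = "PCD" if finding["holds_pcd"] else "   "
        print(f"{tag} {finding['hostname']}")
        for issue in finding["issues"]:
            print(f"      {issue}")
```

Run as of 1 June 2025 the sample flags the Windows 7 MRI console and the reception PC (patient-data hosts) before the finance workstation and the unidentified lab machine, while the two hosts patched within the window pass. In practice the CSV would come from the organisation's configuration management or endpoint management export, and the lifecycle table should be maintained from the vendor sources rather than hard-coded.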

DSPT Status Levels and NHS Consequences

DSPT submissions are rated Standards Not Met, Approaching Standards, Standards Met or Standards Exceeded. Standards Met is the baseline NHS England expects: it is a condition of access to NHSmail and to the NHS network (HSCN), and DSPT completion is written into the NHS Standard Contract, so commissioners, including Integrated Care Boards, can treat persistent failure as a contractual breach. For GP practices, DSPT status is among the evidence the CQC examines when it assesses how a practice protects patient information. Beyond compliance, the ICO treats DSPT evidence as relevant to whether an organisation had the "appropriate technical and organisational measures" that Article 32 of the UK GDPR requires, a question that arises in every data breach investigation.
