NHS DSPT FAQ: Common Questions Answered for NHS and Social Care Providers
The NHS Data Security and Protection Toolkit is a mandatory annual self-assessment for all organisations that access NHS patient data or connect to NHS systems. Yet it generates consistent confusion about who exactly needs to complete it, what counts as adequate evidence, what happens if you fall short, and how it relates to GDPR. This FAQ addresses the most common questions from NHS and social care providers.
The DSPT deadline is 30 June each year — organisations that miss it or achieve only Approaching Standards risk losing NHS system access.
DSPT Frequently Asked Questions
Who must complete the NHS DSPT?
All NHS organisations (trusts, foundation trusts, CCGs/ICBs, arm's length bodies), GP practices, dental practices, pharmacies, optometrists, and any social care provider with access to NHS systems or patient data. Independent healthcare providers who hold NHS contracts are also required to complete it. Private providers without NHS contracts are not required to complete DSPT but are still subject to UK GDPR.
What is the DSPT submission deadline?
The annual DSPT submission deadline is 30 June. NHS organisations must achieve at least Approaching Standards by the deadline to maintain NHS system access. Standards Met is required for full compliance and is expected for contract renewal purposes.
What is the difference between Approaching Standards and Standards Met?
Approaching Standards means you have assessed all requirements and have plans in place to meet any outstanding items, but have not yet completed all evidence. Standards Met means all mandatory assertions are completed and all required evidence has been uploaded. NHS England uses Standards Met as the benchmark for full compliance — Approaching Standards is a temporary state that indicates work in progress.
What happens if our organisation doesn't achieve Standards Met?
Consequences of failing to achieve Standards Met include: loss of access to NHS network services and NHSmail; ICB/CCG contract conditions not being met; CQC Well-led inspection findings citing information governance failures; and ICO consideration of whether the failure represents inadequate technical and organisational measures under GDPR. For GP practices, NHS England can refer persistent failures to NHS Resolution.
Does the DSPT replace GDPR compliance?
No. DSPT compliance demonstrates you are meeting NHS information security standards, but it does not replace your obligations under UK GDPR and the DPA 2018. DSPT evidence does contribute to demonstrating "appropriate technical and organisational measures" under GDPR Article 5(1)(f) and Article 32, which can be relevant in an ICO investigation.