Data Security and Protection Toolkit (DSPT)

Legally Trained Consultants

Do you process NHS data?

If you are an organisation which has access to or processes NHS patient information, you must provide assurances to the NHS that you are practicing good information governance. This is assurance is undertaken by submitting a Data Security and Protection Toolkit (DSPT), an annual submission your organisation needs to submit by 30 June every year.

If you deliver services under an NHS contract, use a shared health and care records system or apply for NHS mail, you must complete one. You are contractually required (under the NHS standard conditions and Department of Health and Social Care policy) to provide these assurances if you process NHS patient information. Similarly, all CQC-registered organisations are strongly encouraged to complete a DSPT submission even if they do not necessarily process NHS patient information to demonstrate their compliance.

Depending on what type of organisation you are, you are required to give differing levels of assurance to the NHS, split across 4 categories. This means that everyone’s DSPT is different, and often requires different assertions on the level of your compliance.

We are experts at completing DSPTs, and have built a reputation for helping organisations meet the standards where their previous providers have failed. Not only will we help make sure you achieve ‘Standards Met’, we will help you stand up to audit from the NHS, and we will speak to the auditors on your behalf if you are ever audited.

When you procure us to help complete your DSPT, we will work diligently to collect all the relevant information from you, draft responses and collate documentation into evidence folders which stand up to audit. We will send the toolkit off on your behalf, only consulting you with appropriate risks you need to be aware of. We provide a full post-DSPT report, detailing areas to improve of in next year’s submission as well as our honest assessment of how your organisation handles data security and protection.


This toolkit assesses 10 security standards as set out by the National Data Guardian:

  1. Personal Confidential Data;
  2. Staff Responsibilities;
  3. Training;
  4. Managing Data Access;
  5. Process Reviews;
  6. Responding to Incidents;
  7. Continuity Planning;
  8. Unsupported Systems;
  9. IT Protection;
  10. Accountable Suppliers.

We go every extra mile to complete the toolkit to the very best of our ability, and using us to complete your DSPT gives you the peace of mind that you are in safe hands and that you will meet the standards of the DSPT. Where you don’t have a practice in place which is required, we will draft any necessary documentation and work with you to get that practice in place before the submission is due.

DSPT submissions cannot be completed overnight, so the earlier you get in contact with us, the better your submission and overall practices is going to be.

When it comes to DSPTs, we offer two main styles of services:

  1. Full DSPT Service Package: We will take a proactive approach to work with you to ensure that we have all of the evidence required to submit the DSPT and we will complete the toolkit on your behalf.
  2. DSPT Support Package: If you are comfortable taking the lead in providing the evidences, we will assist you in checking the evidences against the requirements and reviewing the documentation and evidences you present. We will advise any recommendations and changes to be made for the submission.

Organisations hugely vary, so please get in touch with us to arrange a 30 minute free consultation or to get a quote on how we can help you.

Legally Trained Consultants

Giving Peace of Mind You Will Meet The Standards of the DSPT

We are here to assist:

Our Services

We provide a full data protection and information governance consultancy service to all our clients who engage with us. We provide flexible packages and services to make sure that you only pay for what you need, so you aren’t paying for unnecessary services. Whatever you and your organisation need, we are here to help.

Data Protection Advice and Consultancy

Data Protection Impact Assessment (DPIA)

External Independent Reviews


Data Protection Officer Services

Fair Processing Materials

Data Protection Health Check

Assistance with Policy Development

Data Security and Protection Toolkit (DSPT)

Record of Processing Activities (ROPA) & Information Asset Registers (IAR)

Packaged Services

Other Services

Send Us A Message