Data Security and Protection Toolkit

01 May 2024

Data security and protection are essential for the NHS and its partners, who handle sensitive and personal information for millions of patients. The Data Security and Protection Toolkit (DSPT) helps organisations demonstrate their compliance with best practices for safeguarding and managing data.

DSPT requirements vary according to which category your organisation falls into. For NHS Trusts, Integrated Care Boards (ICBs), Commissioning Support Units, and Arm’s Length Bodies (Category 1 organisations), the DSPT has been changed for the 2025 submission to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), supplemented with a health and care overlay to cover some of the additional information governance areas required by NHS England but not covered by the standard CAF.

All other organisations, including IT suppliers, will remain on the legacy DSPT until at least the 2026 submission. For these organisations, the DSPT is based on the 10 National Data Guardian’s Data Security Standards, which cover various aspects relating to people, processes and technology as essential components in data security.

The deadline for organisations to submit their 2024-25 DSPT is 30 June 2025.

If you have more than 50 staff, a turnover of over £10m and you supply digital goods and services to the NHS or care, you meet the definition of an IT supplier. IT suppliers fall into Category 2 and need to comply with the relevant requirements in their DSPT assessment.

Healthcare organisations and other NHS partners, including IT suppliers, must undergo an annual independent assessment of their DSPT submission, which evaluates the overall risk rating associated with the organisation’s data security and the accuracy of their self-assessment. This provides external validation and assurance that the organisation is meeting the required standards and expectations for data security and protection.

How we can help

RSM UK is a leading provider of independent DSPT assessments to healthcare organisations and NHS partners, including NHS trusts, ICBs, companies and IT suppliers.

Our assessment is undertaken in line with the DSPT Strengthening Assurance – Independent Assessment and Audit Framework, published by NHS England. Our methodology is fully in line with the NHS England DSPT assessment criteria for DSPT sign-off purposes and we can effectively support you in meeting your annual DSPT submission.

To find out more about how RSM can assist you, please contact Steven Snaith.  





Anna O’Keeffe
Director
AUTHOR