The NHS Data Security and Protection Toolkit (DSPT) is an annual self-assessment that organisations handling NHS patient data must complete to demonstrate they meet the National Data Guardian's 10 data security standards. Submission is mandatory for any organisation that uses NHS systems or data, including GP practices, hospitals, software suppliers, and care homes.
The Data Security and Protection Toolkit is run by NHS England and based on the National Data Guardian's 10 data security standards, published in 2016. It is the standard mechanism by which any organisation handling NHS patient data demonstrates that it is meeting the legal, regulatory, and contractual requirements for data security and privacy.
Completion is annual. Organisations work through a structured set of assertions covering personal confidential data, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountable suppliers. Each assertion has supporting evidence requirements and is scored as Standards Met, Approaching Standards, or Standards Not Met.
For software suppliers like Medflow Dynamics, the DSPT is one of the foundational compliance requirements for working with NHS organisations. It sits alongside Cyber Essentials Plus, ISO 27001, and the NHS Digital Technology Assessment Criteria (DTAC) as the standard set of assurance evidence that NHS commissioners look for.
Yes. All NHS organisations and any organisations that have access to NHS patient data must complete and submit the Data Security and Protection Toolkit annually.
The DSPT submission deadline is 30 June each year, covering the preceding financial year. Organisations should aim to complete the toolkit several months in advance to allow time for evidence gathering and remediation.
The DSPT is the NHS-specific data protection self-assessment based on the 10 National Data Guardian standards. Cyber Essentials is a broader UK government scheme covering basic technical security controls. NHS organisations and suppliers typically need both.
Medflow Assure is built around the standards on this page. Book a walkthrough to see how it works in practice.