What it is, who it applies to, and how Tickbox helps.
What is the DSPT?
The Data Security and Protection Toolkit (DSPT) is the NHS’s online self-assessment used by organisations to measure and publish how well they meet the National Data Guardian’s (NDG) 10 data security standards. It’s an annual assessment: you review, evidence, and publish each year. The DSPT also includes functionality to report security incidents and data breaches via the toolkit.
Why it matters for organisations
Completing DSPT is a formal way to show that you have appropriate controls in place to protect health and care information and manage cyber/data risk. From an official standpoint, DSPT is positioned as:
- A requirement for organisations with access to NHS patient data and systems
- A mechanism to provide assurance aligned to the NDG’s 10 data security standards
- A route for incident and breach reporting, reflecting GDPR requirements (and where relevant, NIS Regulations)
Key point: You must ensure you have published at least one assessment by the annual deadline of 30 June.
Who is in scope?
At a high level, any organisation that has access to NHS patient data and/or NHS systems must use the DSPT. The DSPT help guidance also explains that completion is:
- A contractual requirement (referencing the NHS Standard Contract conditions), and
- DHSC policy that bodies processing NHS patient information provide assurances via DSPT, and
- Necessary for organisations using national systems such as NHSmail and the e-referral service.
Organisation types and categories
The DSPT “Organisation types” guidance includes examples of organisation types and the category view they map to, such as:
- NHS Trust → Category 1 (CAF-aligned view)
- Integrated Care Board (ICB) / Arm’s Length Body (ALB) / Commissioning Support Unit (CSU) → Category 1
- Large IT Supplier → Category 2 (with scope focused on the health and care data you process)
- Many other sectors (e.g., Local Authority, Social Care, Pharmacy, Opticians, Universities, “Other”) → typically Category 3 (again, often scoped to the health/adult social care data you process)
- General Practice (GP) → Category 4
Key point: The toolkit is tailored: the number of mandatory questions depends on your organisation type, and your “Organisation Profile” answers further tailor what you’re asked to evidence.
The status system: Approaching Standards, Standards Met, Standards Exceeded
The DSPT status levels are as follows.
| Standards Met | Approaching Standards | Standards Exceeded |
| --- | --- | --- |
| The DSPT guidance describes aiming to complete a ‘Standards Met’ assessment by answering all MANDATORY evidence items and confirming the assertions. Once complete, you can publish. | The DSPT overview explains that Social Care organisations are eligible to complete a one-off ‘Approaching Standards’ assessment to indicate progress where ‘Standards Met’ has not yet been reached. | The DSPT overview explains: for certain organisations (e.g., NHS Trusts, ICBs, ALBs, CSUs, Genomics, and Independent Providers designated as OES), Standards Exceeded indicates going beyond ‘Standards Met’ and links to expected achievement levels; for all other organisations, if you achieve Standards Met and have a current Cyber Essentials Plus certification recorded in your Organisation Profile, your status will display as Standards Exceeded. |
The DSPT FAQ also confirms Cyber Essentials Plus is not mandatory to complete a toolkit assessment.
What the process of “doing DSPT” actually involves
Most organisations experience DSPT as a structured set of requirements organised around the 10 NDG standards, where you:
- Register (needs an email and your ODS code)
- Complete your Organisation Profile (this tailors your question set)
- Work through standards → assertions → evidence items (upload documents, complete confirmations, and provide responses)
- Publish once mandatory items are complete (and keep it current if you update evidence during the year)
How Tickbox helps
Tickbox supports organisations through DSPT and is geared to reducing effort year-on-year.
What you’ll get from a Tickbox DSPT engagement
- Fast, calm onboarding
- Gap assessment against your DSPT requirements
- Evidence pack + “audit-ready” structure
- Submission support
Note: If you’re aiming for Standards Exceeded, we’ll help you understand what that means for your organisation type (including how Cyber Essentials Plus interacts with status for many organisations).
Get in touch to discuss how we can support your DSPT audit needs.


