Regulatory compliance
Jun 28, 2022

The Data Security and Protection Toolkit explained

Need help with completing the Data Security and Protection Toolkit (DSPT)? We've collected some of the great resources that offer help from all over the web.

Every year social care providers are asked to publish their Data Security and Protection Toolkit (DSPT). For a non-techie like me that can seem like quite the daunting task. Luckily, there’s lots of help out there. Digital Social Care and Better Security, Better Care have done a great job of creating really useful resources to guide you through the process of publishing your DSPT. To save you some time we’ve curated some of the great support offers we’ve found out there on the web.

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is a free, online self-assessment for health and social care providers that helps you evaluate your organisation’s data security and protection policies, procedures and processes. It was developed by the NHS and has been updated based on feedback from care providers to make it more social-care friendly.

It’s important to highlight that the DSPT is not just about digital security; it’s about demonstrating that the information you hold about any person – staff, clients, funders, partners or visitors – is handled correctly and safely, be it in digital or paper form.

By answering a set of questions, you can demonstrate that your organisation is compliant with data protection legislation and the data security standards set out for social care.

Why does it matter?

The DSPT is considered the official tool to evaluate a care service’s compliance with legal requirements and data security standards. Central and local government bodies, local authorities, CCG commissioners, the Care Quality Commission (CQC) and the National Data Guardian all recognise the DSPT as official evidence for good security processes, policies and procedures. And a ‘Standards Met’ score is seen as a requirement for access to key services such as NHSmail or shared care records.

In England, all CQC-registered providers are required to complete the DSPT once a year. So are providers that are under NHS contract.

There are also additional benefits to completing the DSPT:

  • It’s a great way to evaluate and improve your data and cyber security arrangements – and it doesn’t cost you anything.
  • It can help you reduce the risk of a breach and the associated consequences such as loss of reputation or potential fines.
  • It reassures your service users, their families and your staff that you're managing their data safely.
  • It helps you answer the CQC’s Key Line of Enquiry questions about how you manage your data securely.
  • It allows you to evidence that you’re meeting the legal requirements.

What scores are there?

When completing the DSPT there are three levels you can achieve:

  • Approaching Standards aka you’re meeting the minimum legal standards. When completing for this level, you’ll need to attach an action plan detailing how you plan to achieve the remaining mandatory standards. This will allow you to apply for NHSmail.
  • Standards Met aka you’re meeting more than just the basic legal requirements. You can reassure people using your service that you’re keeping their data safe. This is also the level most authorities expect and which you will need if you want to access NHS data or have an NHS contract.
  • Standards Exceeded aka you’re doing really well with your cyber security and data protection efforts. You probably have additional measures such as the Cyber Essentials Plus certification in place.

What categories are being evaluated?

Broadly speaking the data security standards evaluated in the DSPT can be grouped into three categories: people, processes and technology.


People

  • Handling, transmission and storage of confidential data.
  • Staff accountability and responsibilities.
  • Staff training in data protection and security.

Processes

  • Managing data access.
  • Annual process reviews.
  • Responding to cyber security incidents.
  • Continuity and incident response planning.

Technology

  • Unsupported operating systems, applications or browsers.
  • Implementation of a suitable strategy or framework to protect IT systems.
  • Contractual accountability for IT suppliers.

Resources helping with the DSPT

Digital Social Care, Better Security Better Care and the NHS have put together some great resources for you to use when completing the DSPT.

When using the DSPT for the first time

When completing at ‘Approaching Standards’

  • How-To-Guide (Digital Social Care) - guides you through the tool and explains each standard necessary for ‘Approaching Standards’

When completing at ‘Standards Met’

Better Security, Better Care

Free support programme to help care providers understand their responsibilities and to complete the DSPT.

Additional resources

  • Big picture guides (NHS Digital) – explain definitions used in the standards, what the standards are asking you, suggestions and examples, other useful resources
  • Video guides (Digital Social Care) – explain how to complete the DSPT
  • Templates (Digital Social Care) – variety of templates for policies and procedures
  • FAQs (Digital Social Care) – answers to the most frequently asked questions