Each year, certain healthcare organisations must complete a self-assessment via the DSP (Data Security and Protection) Toolkit to demonstrate their data security and information governance compliance.

The deadline is normally 31 March, but in light of the COVID-19 pandemic, the cut-off for 2020 submissions was pushed back to 30 September 2020 and the conformance date to 31 March 2021.

Why you need to comply

If your organisation is within scope, you are legally required to comply with the DSP Toolkit. This will be the case if you:

  • Have access to NHS patients’ personal data;
  • Provide support services to an NHS organisation; or
  • Have access to national informatics services.

The compliance requirements differ depending on which of four categories your organisation falls into.

Category 1 covers NHS trusts; Category 2 covers arms-length bodies, clinical commissioning groups and commissioning support units; Category 3 covers an assortment of other organisations, including care homes, pharmacies, NHS business partners and secondary-use organisations; and Category 4 covers GP practices.

The compliance requirements become less rigorous as you move down through categories, reflecting the lower level of risk those organisations face.

Although the requirements might seem like a burden, there are benefits. For example, you can be sure that your services – as well as those of third parties – are more reliable, making life as easy as possible for patients and staff.

Confirming your compliance

DSP Toolkit compliance is externally validated during Care Quality Commission inspections, which rate the organisation’s activities based on certain KLOEs (key lines of enquiry).


The ratings are based on evidence from the organisation’s submissions. If rated ‘good’ or ‘outstanding’, the requirements have been met; a ‘requires improvement’ or ‘inadequate’ rating means they have not.

It’s worth emphasising that the DSP Toolkit standard was updated for 2019–20 and the previous version withdrawn.

Among its changes, version 2 incorporates the requirements of the Cyber Essentials scheme, the MCSS (Minimum Cyber Security Standard) and the NIS Regulations 2018, and rationalises some of the evidence items related to the GDPR (General Data Protection Regulation).

How to achieve DSP Toolkit compliance

Depending on which compliance category you fall into, your route to meeting the DSP Toolkit’s requirements may be more or less burdensome.

You can find out what you need to do by downloading DSP Toolkit – A compliance guide.

This free guide explains the applicability and scope of the Toolkit, as well as the steps you should take to plan and coordinate your compliance project.

Find out more

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: