NHS DSP Toolkit (Data Security and Protection Toolkit)
One-sentence definition: The NHS Data Security and Protection (DSP) Toolkit is a mandatory annual self-assessment that all organizations handling NHS patient data must complete and submit to demonstrate compliance with the National Data Guardian’s 10 Data Security Standards and UK data protection law.
Full Definition
The NHS DSP Toolkit is an online self-assessment platform operated by NHS England (formerly NHS Digital). It provides a structured framework of evidence requirements, assertions, and mandatory standards that organizations must assess themselves against and submit annually, with submissions published publicly.
The Toolkit replaced the previous Information Governance (IG) Toolkit in 2018, aligning compliance requirements with the National Data Guardian (NDG) framework and GDPR (now UK GDPR following the UK’s exit from the EU). It is the primary governance mechanism through which NHS England ensures that organizations with access to NHS patient data — whether NHS trusts, GP practices, private healthcare providers with NHS contracts, or third-party technology suppliers — are managing that data securely and lawfully.
DSP Toolkit compliance is not optional for organizations contracted with the NHS. Data Security and Protection Requirements are a contractual condition of NHS contracts. Organizations that fail to complete their submission or demonstrate non-compliance may have their access to NHS systems and data suspended or their contracts terminated.
For the UK’s broader regulatory framework for health data — UK GDPR, Caldicott Principles, NHS data standards, and API security requirements — see the canonical reference: NHS and UK Data Standards.
Context and Usage
Where This Term Appears
The DSP Toolkit appears in:
- NHS contract requirements — Data Security and Protection Requirements (DSPR) in NHS Standard Contracts reference Toolkit completion as a contractual obligation
- NHS procurement and supplier assurance — suppliers of technology to NHS organizations must complete a DSP Toolkit assessment relevant to the data they handle
- NHS Digital/NHS England audit and monitoring — compliance status is tracked; non-completion triggers follow-up from NHS England
- Data protection impact assessments (DPIAs) — Toolkit evidence items often reference or inform DPIAs conducted under UK GDPR Article 35
- Information governance teams and CCIOs — the Toolkit is the primary compliance document those functions manage
Common Usage Examples
In conversation: “We can’t go live until the trust has completed their DSP Toolkit submission and their information governance lead signs off on the DPIA.”
In documentation: “Third-party suppliers handling NHS patient data must achieve Standards Met status on the DSP Toolkit before accessing live data environments.”
In procurement contexts: An NHS trust’s supplier assurance team will ask a health IT vendor for evidence of DSP Toolkit completion or equivalent accreditation before approving access to clinical systems.
Why NHS DSP Toolkit Exists
NHS patient data is among the most sensitive personal information processed in the UK. Before the DSP Toolkit, organizations handling NHS data were assessed against the IG Toolkit — a tool that critics found inconsistent, insufficiently rigorous, and difficult to audit. Repeated high-profile data breaches and cyber incidents in the NHS (including the WannaCry ransomware attack in 2017) demonstrated that baseline data security practices were inadequate across large parts of the NHS supply chain.
The NDG’s review (2016) established 10 mandatory data security standards grounded in three leadership obligations: people, processes, and technology. The DSP Toolkit was designed to operationalize these standards as a structured, annual, evidence-based self-assessment with public accountability — replacing a check-the-box approach with demonstrated compliance requirements.
Key Components
Mandatory Evidence Items
The DSP Toolkit is organized into evidence items across the 10 NDG Data Security Standards. Each standard has associated mandatory evidence items — specific actions, policies, or technical controls that must be in place and documented. Evidence items must be completed and supported by documentary evidence that can be reviewed during an audit.
Standards cover areas including: data security leadership and governance, staff awareness training, data handling policies, access controls and user management, asset and system management, incident response, business continuity, data flows and personal data mapping.
Assertion Requirements
Beyond evidence items, the Toolkit requires named responsible individuals (typically the Senior Information Risk Owner / SIRO and Caldicott Guardian) to make formal assertions that the organization has completed the assessment honestly and that evidence is available to support each claim. These named assertions create personal accountability for compliance claims.
Standards Met Status
Completing a DSP Toolkit submission results in one of three outcomes:
- Standards Met: all mandatory evidence items are completed and the organization’s assertions confirm compliance. This is the required status for most NHS contracted organizations.
- Standards Not Yet Met: incomplete items or identified gaps; the organization must produce an action plan and timeline for achieving compliance.
- Approach Not Applicable: for a small number of organization types with genuinely different circumstances.
Published submissions are visible to NHS England, commissioning bodies, and prospective NHS partners.
Compliance Process
Annual Submission
The DSP Toolkit operates on an annual assessment cycle, typically opening in April, with submissions due by June 30. Organizations must reassess and resubmit each year — prior-year completion does not roll over. This ensures that compliance is maintained continuously rather than demonstrated once and forgotten.
Evidence Collection
Completing the Toolkit requires gathering evidence across the organization: IT system audit logs, staff training completion records, data flow registers, business continuity plans, GDPR-compliant data processing records, and incident logs. For technology suppliers, this often involves demonstrating specific security controls (penetration testing results, ISO 27001 certification, Cyber Essentials Plus status) as evidence for relevant items.
NHS DSP Toolkit and FHIR
API-based health data exchange — including FHIR APIs deployed in NHS environments — operates within the DSP Toolkit compliance framework. Organizations building or deploying FHIR APIs that access NHS patient data must ensure:
- Access control policies meet NDG standards (appropriate authentication, role-based access, audit logging)
- Data flows involving the API are documented in the organization’s data flow register
- Any third-party service receiving NHS patient data via FHIR API has its own DSP Toolkit submission or equivalent assurance
- NHS login (the national patient-facing identity service) and NHS API authentication mechanisms align with Toolkit-compliant security controls
The NHS API Platform and NHS Digital developer portal have their own assurance processes that reference DSP Toolkit compliance as a prerequisite for production access to NHS data.
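As an added illustration of the first bullet above (not code from NHS England, the Toolkit, or the NHS API Platform), the Python sketch below shows a deny-by-default check in front of a FHIR REST API that enforces role-based access per resource type and records every decision, allowed or refused, as a FHIR R4 AuditEvent, which is the kind of audit evidence a Toolkit reviewer would expect to see. The role table, user ids and the gateway name are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed role model for illustration; an NHS organisation would derive this
# from its own access-control policy and local RBAC roles, not from this table.
ROLE_PERMISSIONS = {
    "clinician": {"read": {"Patient", "Observation", "Condition"}, "write": {"Observation"}},
    "admin_staff": {"read": {"Patient"}, "write": set()},
}
# HTTP method -> (permission required, FHIR AuditEvent.action code)
METHOD_MAP = {"GET": ("read", "R"), "POST": ("write", "C"), "PUT": ("write", "U"), "DELETE": ("write", "D")}
# FHIR REST path shape: /<ResourceType>[/<id>]; FHIR ids are [A-Za-z0-9.-]{1,64}
FHIR_PATH = re.compile(r"^/(?P<rtype>[A-Z][A-Za-z]+)(?:/(?P<rid>[A-Za-z0-9.-]{1,64}))?$")

def authorize(user_id, role, method, path):
    """Deny-by-default decision: returns (allowed, action_code, entity_reference)."""
    m = FHIR_PATH.match(path)
    if not user_id or method not in METHOD_MAP or m is None:
        # Unauthenticated or malformed request: refused before any resource is resolved.
        return False, "E", path
    perm, action = METHOD_MAP[method]
    rtype, rid = m.group("rtype"), m.group("rid")
    allowed = rtype in ROLE_PERMISSIONS.get(role, {}).get(perm, set())
    return allowed, action, f"{rtype}/{rid}" if rid else rtype

def audit_event(user_id, role, action, entity_ref, allowed, recorded=None):
    """Build a minimal FHIR R4 AuditEvent so refusals are logged as well as successes."""
    when = recorded or datetime.now(timezone.utc)
    return {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
        "action": action,
        "recorded": when.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "outcome": "0" if allowed else "4",  # 0 = success, 4 = minor failure (request refused)
        "agent": [{"who": {"identifier": {"value": user_id or "anonymous"}},
                   "role": [{"text": role or "none"}], "requestor": True}],
        "source": {"observer": {"display": "example-fhir-gateway"}},  # constructed name
        "entity": [{"what": {"reference": entity_ref}}],
    }

def handle_request(user_id, role, method, path, audit_log):
    """Gateway step: decide, append the AuditEvent to audit_log, return the decision."""
    allowed, action, ref = authorize(user_id, role, method, path)
    audit_log.append(audit_event(user_id, role, action, ref, allowed))
    return allowed

if __name__ == "__main__":
    log = []
    print(handle_request("u123", "admin_staff", "GET", "/Observation/42", log), log[-1]["outcome"])
```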
Relationship to Other Terms
Related Terms
- FHIR — the technical standard used for NHS API-based data exchange; DSP Toolkit compliance is required for organizations accessing NHS patient data via FHIR APIs
Common Misconceptions
Misconception 1: DSP Toolkit is Optional
- Incorrect belief: Completing the DSP Toolkit is a voluntary good practice rather than a contractual requirement, and organizations can defer it without consequence.
- Reality: For any organization under an NHS Standard Contract or with a Data Sharing Agreement for NHS patient data, DSP Toolkit completion is mandatory. Non-completion can result in contract suspension, loss of access to NHS systems, or referral to NHS England for action. For NHS trusts, it is a regulatory expectation monitored by NHS England.
- Why it matters: Technology suppliers that treat DSP Toolkit completion as optional will encounter procurement blocks and delayed go-live timelines. Information governance teams at NHS organizations must treat annual completion as a hard deadline, not a best-efforts target.
Misconception 2: DSP Toolkit is Just a Form
- Incorrect belief: The DSP Toolkit is a paper exercise — fill out the online form, check the boxes, and compliance is demonstrated without requiring meaningful security controls.
- Reality: While DSP Toolkit is a self-assessment, the evidence items require genuine documentation: policies that exist and are followed, training completion rates above minimum thresholds, active data flow registers, documented incident response plans, and technical security controls in production. NHS England and commissioning bodies can and do audit organizations’ evidence packs. Inaccurate self-assessment creates legal exposure under UK GDPR and NHS contractual terms.
- Why it matters: Organizations that approach the Toolkit as a documentation exercise without underlying security controls face real audit risk and, in the event of a data breach, potential ICO enforcement action compounded by failure to meet declared compliance standards.
Why NHS DSP Toolkit Matters
The DSP Toolkit is the primary accountability mechanism for NHS patient data security and information governance in England. It translates the National Data Guardian’s standards, UK GDPR obligations, and NHS contractual requirements into a structured annual compliance process accessible to the full range of NHS-contracted organizations — from large acute trusts to small GP practices to third-party technology suppliers.
For health IT teams building systems for the NHS market, DSP Toolkit compliance is a go-live prerequisite — not a compliance activity that follows deployment. Understanding the evidence requirements, particularly for data flows, access controls, and third-party assurance, early in a project prevents delays at the point of NHS contract signing or API production access approval.
Cross-References
Related Glossary Terms
- FHIR — the API standard for NHS data exchange; DSP Toolkit compliance applies to organizations deploying FHIR APIs with NHS patient data
Last reviewed: January 31, 2026
Definition authority: NHS England
Content status: Canonical reference