Version: 7.0.0 | Published: 1 Dec 2025 | Updated: 45 days ago
Data Security and Protection Toolkit
Dataset
Summary
Reference Code:
DAPB0086 Amd 21/2023
Publication Version:
7.0.0
Type:
- Collections
- Information standards
Effective From:
01 July 2024
Applies To:
- All organisations that have access to NHS patients and/or to their information
- All organisations which provide support services directly to an NHS organisation
- All organisations which have either direct or indirect access to national informatics services.
- Social care providers that provide care through the NHS Standard Contract
- Any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS England
Conformance Date:
30 June 2025
Topics:
- Information codes of practice
- Information governance
- Security, Safety and Privacy
Care Settings:
- Community health
- Dentistry
- GP / Primary care
- Hospital
- Maternity
- Mental health
- Pharmacy
- Social care
- Urgent and Emergency Care
Publication Date:
30 September 2024
Contact Point
Contact Point:
Documentation
Associated Media:
Description:
The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care, notably the 10 data security standards set by the National Data Guardian and the National Cyber Security Centre Cyber Assessment Framework.
All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit.
While some elements are mandatory, the DSP Toolkit also provides a mechanism for organisations to continually monitor their own performance and so be able to evidence improvement over time against recommended elements.
The DSP Toolkit standard is reviewed annually. The 2024-25 version 7 standard sees a reduction in the total number of responses required for NHS organisations, Key IT Suppliers and Independent Providers who are designated operators of essential services under the Network and Information Systems directive (NIS), and is unchanged for all other sectors.
Changes made have been:
• NHS organisations (NHS Trusts, Integrated Care Boards, Commissioning Support Units and Arm’s Length Bodies) utilise the NCSC Cyber Assessment Framework introduced into the DSPT in line with the Cyber Strategy for health and care.
• Rationalise evidence items where there is overlap between evidence items.
• Reflect feedback from stakeholders, particularly:
  • Update the requirements for Key IT Suppliers and Independent Providers who have been designated Operators of Essential Services to ensure they are fully applicable to them.
  • Update requirements for smaller organisations to align with Information Commissioner’s Office (ICO) and NCSC guidance for small businesses. Most significantly, adding a requirement for multifactor authentication for remote access as a key lesson from recent cyber security incidents.
A full list of changes can be found in the Change Specification.
Documentation Link:
Dependencies:
Review & Status
Contributor:
Department of Health and Social Care
Sponsor:
Phil Huggins, National Chief Information Security Officer for Health and Care, Department of Health and Social Care
Approval Date:
20 August 2024
Business Lead:
John Hodson
Post Implementation Review Date:
30 June 2026
Scope:
Health Services, NHS Services, Adult Social Care
SRO:
Michael Owen, Deputy Director, Cyber Operations, NHS England
Technical Committee:
Data Alliance Partnership Board (DAPB)
Dataset Identifier:
1b0dbe9f-6ffc-4c06-bf81-4d52681b1f24
Mandated:
Yes
Status:
active
Legal Authority 1
Legal Authority:
Section 250 of the Health and Social Care Act 2012
Legal Authority Description:
This information standard is published under section 250 of the Health and Social Care Act 2012.
Legal Authority 2
Legal Authority:
NHS standard contract
Legal Authority Description:
This collection is published under the NHS Standard Contract.
Origin
Name:
NHSE-SD Data Catalogue