We have set up a helpline for the duration of the Covid-19 crisis. Call us on 0208 133 3430 (Mon-Fri 9-5) or email [email protected] for free support.

NHS Digital’s Data Security and Protection Toolkit (DSPT) is a free, online self-assessment of your compliance with:

It is not just about your technology. It is about any information you hold about any person – staff, residents or visitors.

The toolkit was updated in November 2020 to ensure it is relevant and easy for care providers to use. And it provides practical tips and directs you to relevant guidance, templates and legislation to make completing the self-assessment even easier.

What is the DSPT?

The DSPT is a really helpful annual self-assessment for health and care organisations. It shows you what you need to do to keep people’s information safe, and to protect your business from the risk of a data breach or a cyber attack. Once you’ve completed the DSPT, it will help you demonstrate, to the people you support, your commissioners, GPs and other NHS services, that you are handling information securely.

Who needs to complete the DSPT?

  • All adult social care services in England, including residential and nursing homes, supported living, homecare, extra care, shared lives and day services, are strongly recommended to complete the DSPT. It’s increasingly what local authorities and CCGs will expect to see.
  • If you use NHSmail, there is a requirement for you to register with the DSPT now. If you don’t register with the DSPT, then at some point in the future, you may no longer be able to use NHSmail.
  • You’ll need to complete the DSPT before your service can be part of any of the projects and initiatives that allow care services to directly access NHS patient information systems, for example, GP records and shared care records.
  • If you have services funded by the NHS, for example under continuing healthcare, there is a legal requirement to complete the DSPT every year.
  • You don’t need to have completed or to register with the DSPT just to have video appointments with NHS services, but it is strongly recommended.

How to register on the Data Security and Protection Toolkit

You can register online at https://www.dsptoolkit.nhs.uk/Account/Register

If you need support registering for the Toolkit, we have produced guidance on how to do this: Registering for the Data Security and Protection Toolkit

This includes

  • What ODS codes are and how to find yours.
  • Guidance on what to do if your organisation has more than one site.

This guidance is particularly useful for large multisite providers, domiciliary care organisations and providers offering multiple services as the process does vary depending on how your own organisation manages its data.

Guidance for Completing Entry Level

We have produced a how-to guide and a range of templates to help you complete Entry Level.

If you are a commissioner who is supporting care providers to complete the toolkit in your region, we also have materials for you to use.

Guidance for Completing Standards Met

We have produced a how-to guide and a range of templates to help you to complete Standards Met.

DSPT – Frequently Asked Questions

My service is already registered with the DSPT. Do I need to re-register for the new version of the DSPT?

No – your current registration will continue.

When should I complete the DSPT?

The DSPT should be completed every year, usually by 31st March. However, due to COVID-19, the deadline for 2019/20 was extended to 30th September 2020, and the deadline for 2020/21 has been extended to 30th June 2021. This means that, if you have a continuing healthcare contract or you already use systems that access NHS patient data, to remain compliant you will need to complete the 2020/21 DSPT by 30th June 2021. Other services should aim to complete it by June 2021 for residential and nursing homes, and by October 2021 for other services.

I completed and published the DSPT at standards met between April 2020 and September 2020. Do I now need to do it again?

Yes – the toolkit you published between April and September 2020 will count as your submission for the year 2019/20. Because it is an annual process, to remain compliant you will need to complete the 2020/21 toolkit between now and the new deadline of 30th June 2021.

I’ve been working on the DSPT over the last few months but not yet published it. Will the answers and evidence I have put in be transferred into the new toolkit, or will I need to start again?

For most questions, your answers and evidence will be transferred across automatically.  There are just a few questions that are new or have changed too much for that to be possible.

Will Entry Level be continuing?

Reflecting the need for adult social care services to operate in a way which meets the national data security standards, the option of publishing at entry level will come to an end on 31st December 2020. However, from April 2021, if you have done most of the DSPT but have a bit more work left to do, you’ll be able to get credit for the progress you have made by publishing at “Approaching Standards.” To do this, you’ll need to submit an action plan saying how and when you will complete the remaining items.

When you talk about “publishing” the DSPT, what do you mean?

The only information that is published is that fact that you have completed the DSPT on a particular date, and the level at which you completed it. The answers you give when you complete the DSPT and the documents you upload are completely confidential.

How can people check whether my service has completed the DSPT?

They can search on the website https://www.dsptoolkit.nhs.uk/OrganisationSearch. Please note however that, if your organisation has only completed the DSPT at HQ level, and not for your individual service, your service won’t show as having completed the DSPT, and you won’t get the benefits of having done so. Luckily, if an organisation is confident that its individual services are compliant, it is usually a quick process to get each service showing on the website individually. Please see the guidance at Registering for the Data Security and Protection Toolkit and call the Digital Social Care helpline if you are not sure what to do.

Does the DSPT apply to services that are run directly by local councils?

Yes, it applies equally. Every council which operates adult social care services is already registered with the DSPT. While some councils have already completed the DSPT, most of their individual services are not yet showing on the website https://www.dsptoolkit.nhs.uk/OrganisationSearch as having done so. Provided that a council is confident that its individual services are compliant, it can use the same process as independent sector organisations to transfer HQ completion across to individual site completion. The Local Government Association is currently developing guidance that will ask councils to do this and which will guide them through the process.

How will completing the DSPT help me with my CQC inspection?

Completing the DSPT will help you demonstrate that you meet CQC expectations.  In particular, question C3.3 from the Key Lines of Enquiry (KLOE) asks: “How are people assured that information about them is treated confidentially…?” Question W2.8 asks: “How does the service satisfy itself that it has robust arrangements… in line with data security standards?”

Will organisations applying for NHSmail after 30th September 2020 have to have completed the DSPT first?

No, but organisations are asked to register with the DSPT straightaway and to complete it as soon as they can do.

How can I get help and advice with the DSPT?

A national and local support programme has been established to help care providers to use the DSPT and improve their cyber security.

For details, see information on the Better Security, Better Care programme.

Further support will be announced in January 2021. If you are registered on the toolkit, you will be automatically told about the new support. Otherwise, register for updates via the Digital Social Care newsletter.

If you don’t have a local contact for help and advice, please contact the Digital Social Care helpline.

Our helpline will be open between 9am and 5pm Monday to Friday by calling 0208 133 3430 or by email on [email protected]