We have set up a helpline for the duration of the Covid-19 crisis. Call us on 0208 133 3430 (Mon-Fri 9-5) or email [email protected] for free support.

When should I complete the DSPT?

The DSPT should be completed every year, usually by 31st March. However, due to COVID-19, the deadline for 2020/21 has been extended to 30th June 2021.

This means that, if you have a continuing healthcare contract or you already use systems that access NHS patient data, to remain compliant you will need to complete the 2020/21 DSPT by 30th June 2021.

Other services should aim to complete it by June 2021 for residential and nursing homes, and by October 2021 for other services.

I completed and published the DSPT Standard that I reached before September 2020. Do I now need to do it again?

Yes – the toolkit you published between April and September 2020 will count as your submission for the year 2019/20. Because it is an annual process, to remain compliant you will need to complete the 2020/21 toolkit between now and the new deadline of 30th June 2021.

I’ve been working on the DSPT over the last few months but not yet published it. Will the answers and evidence I have put in be transferred into the new toolkit in March 2021, or will I need to start again?

For most questions, your answers and evidence will be transferred across automatically.  There are just a few questions that are new or have changed too much for that to be possible.

Why has Entry Level been removed?

Reflecting the need for adult social care services to operate in a way which meets the national data security standards, the option of publishing at Entry Level was always a temporary arrangement.

A new Approaching Standards level has been introduced on 5 March 2021 as a new stepping stone towards Standards Met. If you have done most of the DSPT but have a bit more work left to do, you’ll be able to get credit for the progress you have made by publishing at “Approaching Standards.” To do this, you’ll need to submit an improvement plan saying how and when you will complete the remaining items.

If you have already published at Entry Level for 2020/21, you should review and republish at Approaching Standards as a minimum by 30 June 2021.

See guidance on Approaching Standards and Standards Met.

When you talk about “publishing” the DSPT, what do you mean?

The only information that is published is that fact that you have completed the DSPT on a particular date, and the level at which you completed it. The answers you give when you complete the DSPT and the documents you upload won’t be published.

The information will be published on the DSPT toolkit website, where you can search for organisations that have completed it.

How can people check whether my service has completed the DSPT?

They can search on the website https://www.dsptoolkit.nhs.uk/OrganisationSearch. Please note however that, if your organisation has only completed the DSPT at HQ level, and not for your individual service, your service may not show as having completed the DSPT, and you won’t get the benefits of having done so.

Luckily, if an organisation is confident that its individual services are compliant, it is a quick process to get each service showing on the website individually.

Please see the guidance at Registering for the Data Security and Protection Toolkit and call the Digital Social Care helpline if you are not sure what to do.

Does the DSPT apply to services that are run directly by local councils?

Yes, it applies equally. Every council which operates adult social care services is already registered with the DSPT. While some councils have already completed the DSPT, most of their individual services are not yet showing on the website https://www.dsptoolkit.nhs.uk/OrganisationSearch as having done so.

Provided that a council is confident that its individual services are compliant, it can use the same process as independent sector organisations to transfer HQ completion across to individual site completion.

How will completing the DSPT help me with my CQC inspection?

Completing the DSPT will help you demonstrate that you meet CQC expectations.  In particular, question C3.3 from the Key Lines of Enquiry (KLOE) asks: “How are people assured that information about them is treated confidentially…?” Question W2.8 asks: “How does the service satisfy itself that it has robust arrangements… in line with data security standards?”

Will organisations applying for NHSmail have to have completed the DSPT first?

Any organisation seeking to register for NHSmail for the first time after 30 June 2021 will need to be published at Approaching Standards. Therefore, if a care provider has already published at Entry Level but does not have NHSmail, and they want to register for it they will need to republish at Approaching Standards.

Where organisations have already published at Entry Level for this year and they currently have access to NHSmail, there are no current plans to remove access to NHSmail. Any changes to this will be clearly flagged well in advance.

How can I get help and advice with the DSPT?

A national and local support programme has been established to help care providers to use the DSPT and improve their cyber security. This includes support at a national level, plus a network of local support partners.

For details, see information on the Better Security, Better Care programme.

Please register for updates via the Digital Social Care newsletter.

The Digital Social Care helpline is open between 9am and 5pm Monday to Friday by calling 0208 133 3430 or by email on [email protected]

Does the DSPT cover all of Great Britain or the UK?

The DSPT is for care services based in England only.

Wales has the Welsh Information Governance Toolkit

Scotland has the Scottish Information Sharing (IS) Toolkit

Northern Ireland  has the General Data Protection Toolkit for charities. The Northern Ireland Department of Health also points to other resources to support improvement for Good Management Good records.