Call us on 0208 133 3430 (Mon-Fri 9-5) or email [email protected] for free support.

Who should complete the Data Security and  Protection Toolkit (DSPT)?

All adult social care providers in England should complete the Data Security and Protection Toolkit on an annual basis – including inhouse services run by local authorities.

If a care provider has an NHS contract to deliver services (e.g. a continuing healthcare contract) or if they use systems that access NHS patient data, to remain compliant they need to complete the DSPT on an annual basis.

The NHS Standard Contract – paragraph 21.2 states:

“The Provider must complete and publish an annual information governance assessment in accordance with, and comply with the mandatory requirements of, the NHS Data Security and Protection Toolkit, as applicable to the Services and the Provider’s organisation type.”

Reaching Standards Met on the DSPT also opens up access to take part in local shared records projects where these projects are available. The current DSPT information standard says:

“All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.”

CQC inspectors do encourage care providers to use the officially recognised DSPT and LGA guidance for commissioners recommends councils require annual DSPT completion within their contracts with care providers going forward.

When should I complete the DSPT?

The DSPT should be completed every year, usually by 31st March. However, due to COVID-19, the deadline for 2020/21 has been extended to 30th June 2021.

This means that, if you have a continuing healthcare contract or you already use systems that access NHS patient data, to remain compliant you will need to complete the 2020/21 DSPT by 30th June 2021.

Other services should aim to complete it by June 2021 for residential and nursing homes, and by October 2021 for other services.

I completed and published the DSPT Standard that I reached before September 2020. Do I now need to do it again?

Yes – the toolkit you published between April and September 2020 will count as your submission for the year 2019/20. Because it is an annual process, to remain compliant you will need to complete the 2020/21 toolkit between now and the new deadline of 30th June 2021.

I was working on the DSPT  before the new version was introduced in March 2021. Will the answers and evidence I have put in be transferred into the new version, or will I need to start again?

For most questions, your answers and evidence will be transferred across automatically.  There are just a few questions that are new or have changed too much for that to be possible.

Why has Entry Level been removed?

Reflecting the need for adult social care services to operate in a way which meets the national data security standards, the option of publishing at Entry Level was always a temporary arrangement.

A new Approaching Standards level has been introduced on 5 March 2021 as a new stepping stone towards Standards Met. If you have done most of the DSPT but have a bit more work left to do, you’ll be able to get credit for the progress you have made by publishing at “Approaching Standards.” To do this, you’ll need to submit an improvement plan saying how and when you will complete the remaining items.

If you have already published at Entry Level for 2020/21, you should review and republish at Approaching Standards as a minimum by 30 June 2021.

See guidance on Approaching Standards and Standards Met.

When you talk about “publishing” the DSPT, what do you mean?

The only information that is published is that fact that you have completed the DSPT on a particular date, and the level at which you completed it. The answers you give when you complete the DSPT and the documents you upload won’t be published.

The information will be published on the DSPT toolkit website, where you can search for organisations that have completed it.

How can people check whether my service has completed the DSPT?

They can search on the website Please note however that, if your organisation has only completed the DSPT at HQ level, and not for your individual service, your service may not show as having completed the DSPT, and you won’t get the benefits of having done so.

Luckily, if an organisation is confident that its individual services are compliant, it is a quick process to get each service showing on the website individually.

Please see the guidance at Registering for the Data Security and Protection Toolkit and call the Digital Social Care helpline if you are not sure what to do.

Does the DSPT apply to services that are run directly by local councils?

Yes, it applies equally. Every council which operates adult social care services is already registered with the DSPT. While some councils have already completed the DSPT, most of their individual services are not yet showing on the website as having done so.

Provided that a council is confident that its individual services are compliant, it can use the same process as independent sector organisations to transfer HQ completion across to individual site completion.

How will completing the DSPT help me with my CQC inspection?

Completing the DSPT will help you demonstrate that you meet CQC expectations.  In particular, question C3.3 from the Key Lines of Enquiry (KLOE) asks: “How are people assured that information about them is treated confidentially…?” Question W2.8 asks: “How does the service satisfy itself that it has robust arrangements… in line with data security standards?”  CQC has said that “Our inspectors do encourage care providers to use the officially recognised Data Security and Protection Toolkit (DSPT) to assess their own data and cyber security arrangements – and provide evidence that they are complying with legal and regulatory requirements.” Find out more in the CQC blog, published June 2021.

Will organisations applying for NHSmail have to complete the DSPT first?

Any organisation seeking to register for NHSmail for the first time after 30 June 2021 will need to be published at Approaching Standards.

Where organisations currently use NHSmail and have not published a Toolkit submission there are no current plans to remove access to NHSmail. Any changes to this will be clearly flagged well in advance. The best way to ensure ongoing access to NHSmail is to complete the DSPT to at least approaching standards.

How can I get help and advice with the DSPT?

A national and local support programme has been established to help care providers to use the DSPT and improve their cyber security. This includes support at a national level, plus a network of local support partners.

For details, see information on the Better Security, Better Care programme.

Please register for updates via the Digital Social Care newsletter.

The Digital Social Care helpline is open between 9am and 5pm Monday to Friday by calling 0208 133 3430 or by email on [email protected]

Does the DSPT cover all of Great Britain or the UK?

The DSPT is for care services based in England only.

Wales has the Welsh Information Governance Toolkit

Scotland has the Scottish Information Sharing (IS) Toolkit

Northern Ireland has the General Data Protection Toolkit for charities. The Northern Ireland Department of Health also points to other resources to support improvement for Good Management Good records.


Last updated 16 June 2021