Who should complete the Data Security and Protection Toolkit (DSPT)?

All adult social care providers in England should complete the Data Security and Protection Toolkit on an annual basis – including inhouse services run by local authorities.

If a care provider has an NHS contract to deliver services (e.g. a continuing healthcare contract) or if they use systems that access NHS patient data, they need to complete the DSPT on an annual basis.

The NHS Standard Contract – paragraph 21.2 states:

“The Provider must complete and publish an annual information governance assessment in accordance with, and comply with the mandatory requirements of, the NHS Data Security and Protection Toolkit, as applicable to the Services and the Provider’s organisation type.”

Reaching Standards Met on the DSPT also allows providers to take part in local shared records projects where these projects are available. The current DSPT information standard says:

“All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.”

CQC inspectors do encourage care providers to use the officially recognised DSPT and LGA guidance for commissioners recommends councils require annual DSPT completion within their contracts with care providers going forward.

Back to FAQs