NHS Data Security and Protection Toolkit (DSPT)
The NHS Data Security and Protection Toolkit (DSPT) is the online self-assessment that organisations must complete to demonstrate they meet the National Data Guardian's standards for handling health and care information. Any organisation that accesses NHS patient data or systems — including the software suppliers and AI vendors that serve NHS trusts, GP practices, and care providers — is expected to complete the DSPT annually. For a healthcare engineering company selling into the NHS, DSPT compliance is effectively a licence to operate.
What the DSPT covers
The DSPT is structured around the National Data Guardian's data security standards, spanning people, processes, and technology. It assesses how an organisation manages personal confidential data, trains its staff, controls access, secures its systems, responds to incidents, and works with its own suppliers. Organisations complete an annual self-assessment against mandatory evidence items and publish a status — for example 'Standards Met' — that NHS bodies can check before sharing data or contracting. It is both a compliance exercise and a structured way to mature an organisation's security posture.
Why it matters for suppliers
NHS organisations are accountable for the data they share, so they scrutinise the security of anyone they connect to — and the DSPT is the common yardstick. A software vendor that cannot show a satisfactory DSPT status will struggle to win NHS work, integrate with NHS systems, or pass procurement. Conversely, achieving 'Standards Met' signals to NHS buyers that the supplier takes information governance seriously. For AI products in particular, where data sensitivity and novelty raise extra questions, a clean DSPT is a powerful trust signal.
DSPT alongside UK GDPR and other frameworks
The DSPT does not stand alone. It sits within the UK's wider regulatory landscape — UK GDPR and the Data Protection Act 2018 set the legal baseline for personal data, while standards like Cyber Essentials and ISO 27001 provide complementary security assurance. The DSPT references and aligns with these. A mature NHS supplier typically holds several of these credentials together, presenting a coherent compliance story rather than a single checkbox. Building to these standards from the start is far cheaper than retrofitting them under procurement pressure.
Engineering for DSPT compliance
Meeting DSPT standards shapes how you build and operate. It pushes toward strong access controls and authentication, encryption of data in transit and at rest, comprehensive audit logging, documented incident response, staff training, and careful management of your own subprocessors and cloud providers. For NHS-connected AI systems, it also means being able to explain and evidence how patient data flows through your models and infrastructure. Designing systems with these controls baked in makes the annual self-assessment a documentation exercise rather than a scramble.
Frequently asked questions
Who needs to complete the NHS DSP Toolkit?
Any organisation that has access to NHS patient data or systems — NHS trusts, GP practices, care providers, and the suppliers and technology vendors that serve them. For most NHS-facing software companies, completing the DSPT annually is expected.
Is the DSPT the same as Cyber Essentials or ISO 27001?
No, but they are complementary. The DSPT is the NHS-specific assessment aligned to the National Data Guardian's standards, while Cyber Essentials and ISO 27001 are broader security certifications. Many NHS suppliers hold several together for a stronger assurance story.
How often is the DSPT completed?
It is an annual self-assessment. Organisations reassess each year against the current standards and publish their status, which NHS bodies can verify before sharing data or awarding contracts.
Selling AI or software into the NHS? We build systems that meet NHS DSP Toolkit and UK GDPR expectations from day one. Book a discovery call.