NHS DSP Toolkit: What It Is & How to Ensure Compliance
Learn what the NHS DSP Toolkit is, who needs to complete it, and how to meet compliance standards. Get expert guidance for a hassle-free submission.

The NHS Data Protection and Security (DSP) Toolkit – What do you need to know?
The NHS Data Protection and Security (DSP) Toolkit may sound relevant only to the NHS, but for a very large number of organisations providing services in England it is a crucial topic that, if ignored, may have lasting implications for business operations.
What is the NHS DSP Toolkit?
The NHS DSP Toolkit is an annual self-assessment questionnaire which captures the compliance and resilience status of individual organisations against the National Data Guardian’s 10 standards. It covers everything from appointment of key personnel to policies, to training, to firewall settings. The depth of questions depends on your organisation’s profile and the security certifications you hold.
NHS DSP Toolkit deadline: When is it due?
Baseline submissions for those who were obligated to complete them were due in February (Trusts, Integrated Care Boards, Arm’s Length Bodies and Commissioning Support Units). The full submission deadline is 30th June 2025.
Crucially, who must complete the NHS DSP Toolkit?
The toolkit is specific to England as opposed to the rest of the UK. However, organisations outside England that receive English NHS data are also required to comply. As you may expect, anyone operating within the health and care ecosystem must complete the assessment: all providers of health and social care in England, all companies and other organisations (such as charities) that receive any NHS data, and any company or organisation that connects to the Health and Social Care Network (HSCN). This can also include pharmacies, dentists, private ambulance services, IT providers, counselling services, and more.
However, it is important to be aware that the scope extends beyond what might be thought of as the ‘obvious’ entities. Firms including rights advocacies, housing providers, IT companies, auditors, social care providers, payment processors, and facilities/maintenance providers are in scope, and so, further, are those who provide services to them.

You’re in scope… how to prepare for NHS DSP Toolkit compliance
To ensure that your organisation is in the best place to complete the assessment, we suggest the following steps:
- Plan ahead – There are many individual activities, and these are best planned over many months rather than tackled over a few short weeks.
- Information Asset Register/RoPA review – You will need to check that your current records are complete and accurate, that risks are current, and provide updates such as whether there has been a breach involving the data for each item.
- Policy and procedure review – Make sure that none of your policies have expired, that they reflect current legislation, risks, and your activities.
- Update registers – All of your records such as registers of data breaches/near misses, suppliers, disposal, and data subject requests will need to be current.
- Risk reviews – You will be required to review the data risks in your organisation and document the risk reduction strategy. As part of this, you are asked for evidence of the meeting where these were discussed, the top risks were identified, and your official plan for reducing these.
- Security updates – Review and update security standards and settings across the business to reflect the latest standards (e.g., separation of activities from IT system administration accounts, 2FA/MFA, live data auditing, password standards, patch management).
- Mitigate or eliminate out-of-support systems – The use of out-of-support systems such as older versions of Windows is normally prohibited within NHS operations, but there is some allowance in specific cases so long as there is a robust plan for handling the added risk. You will need to declare that you have no out-of-support systems or provide this plan.
- Training – 95% of all personnel working for you need to complete their training every year (this includes those on long term leave etc.). You need to provide evidence of your training needs analysis and training compliance. Additional roles with greater risks, responsibility, or sensitivity such as IT or senior leadership will require additional training.
- National Data Opt-out compliance – You will be asked to demonstrate compliance with the National Data Opt-out policy. This can be through policy prohibiting in-scope re-use of data for research or utilisation of the centralised whitelist.
NHS DSP Toolkit assessment outcomes explained
- Standards not met – As it implies, you haven’t met the requirements. This can result in the termination of contracts or exclusion from securing work. It can have the effect of terminating access to NHS data and networks.
- Approaching standards – Nearly but not quite there; there is evidence that you will get there soon, and you are permitted to proceed so long as you rectify the shortfall promptly. This outcome is only available to eligible social care providers.
- Standards met – You’ve met the requirements and can undertake work for another year. This is the highest rating you can achieve if you don’t have Cyber Essentials Plus in place.
- Standard exceeded – You met the requirements above and have CE+ in place. Some commissioners may rate suppliers with this more highly than others when scoring bids.
Important considerations for NHS DSP Toolkit compliance
The assessment is not a ‘one-size fits all’, and there are variables that you need to be aware of when planning to complete.
- Your assessment may have from around two dozen to nearly two hundred questions and evidence items depending on organisation type and certifications held.
- If you have a head office and other multiple sites/subsidiaries, but exist as a single entity and they all follow the same standards, then combined submissions can be made. However, if your sites/subsidiaries differ, then you will be asked to complete one for every one. For example, a care provider with multiple sites all doing the same thing for a single entity will have the option of making one submission that covers it all, but if those operations differ, have different policies and procedures, or are not covered by a single legal entity, then they will need to make a submission for each.
- Requirements range from simple declarations that the correct personnel are in place to evidence of policies, procedures, information asset registers, to technical information around security settings, tabletop continuity exercises, penetration testing, and training records.
- Some organisations are required to procure an independent assessment of their responses prior to or immediately after submission. This usually takes the form of a review of the declarations and a check of the evidence (e.g., because there is a requirement that 95% of all staff have had data protection and security training in the past year, the auditor may seek records of personnel and their training to confirm that this is accurate).
- The DSP Toolkit must also be used by certain in-scope providers and optionally by others to submit data breach reports to the ICO, and where necessary, others such as DHSC.
Confused? Need help? Bulletproof Consultants are here!
Bulletproof has worked with a variety of NHS and healthcare organisations, including care homes, biometric technology partners, medical research labs, frontline NHS and large Trusts. This means our consultants have the skills and experience to make your NHS DSP Toolkit submission as quick and easy as possible.
No matter the state of your current security and data protection, we’ll make sure that your business is in the perfect position to complete the NHS DSP Toolkit submission, at all levels.

Simplify NHS DSP Toolkit Compliance with Expert Support
Avoid the stress of compliance—our expert consultants ensure your NHS DSP Toolkit submission is accurate, efficient, and hassle-free.