Understanding the NHS Data Security and Protection Toolkit

Last reviewed: 10 March 2026

You've been told your organisation needs to complete the NHS Data Security and Protection Toolkit. But what is it, exactly? And what happens when you log in for the first time?

This guide explains the toolkit itself — what it is as a system, who's behind it, how it's structured, and what you'll actually see on screen. For a detailed walkthrough of what evidence to gather and how to prepare your submission, see our complete DSPT guide.

What the toolkit is

The Data Security and Protection Toolkit (DSPT) is a web-based self-assessment hosted at dsptoolkit.nhs.uk. It's run by NHS England and measures how well your organisation protects the personal data it handles — specifically patient data connected to NHS systems.

It replaced the old Information Governance Toolkit (IGT) in 2018. If you remember the IGT, the DSPT covers similar ground but is structured around the 10 National Data Guardian (NDG) data security standards rather than the old IG requirements.

The toolkit isn't an audit or a certification — at least not for small providers. It's a self-assessment. You answer questions, upload evidence that your security practices work, and publish your results. Your submission status is then visible to commissioners, ICBs, and other NHS organisations you share data with.

Who runs it

The DSPT was originally managed by NHS Digital. In February 2023, NHS Digital merged into NHS England, which now maintains the toolkit. You may still see references to "NHS Digital" in older guidance documents — they point to the same organisation.

The NHS England Digital services page provides an overview, but the toolkit itself lives at dsptoolkit.nhs.uk.

Who needs to complete it

Any organisation that accesses NHS patient data or connects to NHS systems:

  • Care homes — residential, nursing, and domiciliary care providers receiving NHS-funded residents or accessing NHSmail
  • Community pharmacies — all pharmacies dispensing NHS prescriptions
  • GP practices — all practices connected to NHS Spine
  • Dental practices and opticians — if accessing NHS patient data
  • IT suppliers — companies providing software or services to NHS organisations

The simple test: do you access NHS patient data, NHSmail, or NHS Spine services? If yes, you need to complete the DSPT annually.

How the toolkit categorises you

When you register on the portal using your Organisation Data Service (ODS) code, the toolkit assigns you to one of four categories:

| Category | Typical organisations | What's required |
|---|---|---|
| 1 | Large NHS trusts, ALBs | Full CAF assessment + independent audit |
| 2 | IT suppliers, larger NHS bodies | Extended assessment + independent audit |
| 3 | Care homes, pharmacies, dentists, opticians | Core assessment — no audit required |
| 4 | GP practices | Tailored GP-specific assessment |

Most readers of this guide are Category 3 or Category 4. The key difference: Category 3 has a general set of assertions covering all 10 NDG standards, while Category 4 includes GP-specific items around clinical system access and NHS Spine usage.

Neither Category 3 nor Category 4 requires an independent audit. You self-assess, upload evidence, and publish.

What you see when you log in

When you first log in to the portal, you'll see a dashboard showing:

  • Your category and the specific assertions that apply to your organisation
  • Progress tracker — which evidence items you've completed, started, or not yet addressed
  • Evidence upload areas — where you attach documents, screenshots, or confirmation statements for each item
  • Publication status — whether your submission is draft, published, or overdue

The assessment is divided into the 10 NDG standards: personal confidential data, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountable suppliers.

Each standard contains specific assertions — statements about what your organisation should be doing. Each assertion requires one or more evidence items to prove you're actually doing it. For Category 3, there are approximately 42 mandatory evidence items across all 10 standards.

The current version: DSPT v8 (2025/26)

DSPT v8 opened for submissions on 18 September 2025. This version is fully aligned with the NCSC Cyber Assessment Framework (CAF), which is a significant structural change from earlier versions.

Three things to know about v8:

Evidence doesn't carry forward from v7. You'll need to re-upload or re-confirm evidence items. Even if your policies haven't changed, you need to confirm them in the new structure.

The format has changed. v8 uses Outcomes, Assertions, and Evidence items rather than the old question format. The workload for Category 3 is broadly similar to previous years, but the layout is different — expect to spend time finding where things are.

Evidence must be outcome-based. "We have a data security policy" isn't sufficient. You need to show the policy exists AND that staff have read and acknowledged it. The shift is from "do you have this?" to "does this actually work?"

The official v8 announcement has downloadable spreadsheets showing the exact assertions and evidence items for each category.

Two compliance levels

Your published submission is assessed at one of two levels:

  • Approaching Standards — you've completed the mandatory assertions and uploaded the minimum required evidence. This is the baseline.
  • Standards Met — you've completed all assertions, including non-mandatory ones, with full evidence.

If this is your first time with v8, aim for "Approaching Standards" by the 30 June 2026 deadline. You can work toward "Standards Met" afterward — the toolkit stays open for updates throughout the year.

What happens if you miss the deadline

The annual submission deadline is 30 June 2026. Missing it has operational consequences — non-compliant organisations can lose access to NHSmail, NHS Spine, the Electronic Prescription Service, and data sharing agreements with ICBs.

For a pharmacy, losing EPS access halts NHS dispensing. For a care home, it disrupts medication management and hospital discharge communications.

If you're at risk of missing the deadline, contact NHS England before 30 June to discuss your options. Check the DSPT help pages for current support routes available to your organisation category.

Next steps

  1. Register or log in at dsptoolkit.nhs.uk — confirm your category
  2. Check your readiness — take the DSPT readiness quiz to see where you stand
  3. Get your evidence list — use the evidence checklist generator to see exactly what you need for your category
  4. Plan your timeline — the deadline calculator shows how many working days remain
  5. Start the process — follow our step-by-step DSPT completion guide

This guide is based on DSPT v8 (2025/26) requirements. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.
