
The Data Security and Protection Toolkit (DSPT): A Simple Guide for Care Providers

For many care providers in England, the annual Data Security and Protection Toolkit (DSPT) assessment can feel daunting. Without dedicated IT staff, the technical jargon and the volume of evidence required are often overwhelming. The result is uncertainty about where to start, too little time to manage compliance, and a genuine fear of failing to meet the mandatory standards required to operate.

This guide simplifies the entire process. We provide a clear, step-by-step plan to help you complete the DSPT with confidence and clarity. Use our practical checklist to prepare your evidence and understand your obligations. Learn precisely what is needed to submit your toolkit correctly, achieve 'Standards Met', and demonstrate your commitment to protecting sensitive information. Master the DSPT and ensure your care service meets national data security standards efficiently.

What is the DSPT and Why Does It Matter for Care Providers?

The Data Security and Protection Toolkit (DSPT) is a mandatory online self-assessment for any organisation that has access to NHS patient data or systems. Its purpose is to ensure you practise good data security and handle personal information correctly. It measures your organisation's performance against the ten data security standards set by the National Data Guardian, aligning your practices with core information governance principles.


Completing the DSPT is not just a box-ticking exercise. It is a requirement for accessing key NHS services, including NHSmail and shared care records. Furthermore, the Care Quality Commission (CQC) uses your DSPT status as evidence under the 'Well-led' key question during inspections (historically framed as the Key Line of Enquiry, or KLOE, W1). Demonstrating compliance shows the CQC that you have robust systems in place to protect sensitive information.

Understanding the Core Requirement

All care providers in England who process, store, or share NHS patient information must complete the data security and protection toolkit annually. This includes residential homes, domiciliary care agencies, and supported living services. Failure to comply can result in restricted access to vital NHS systems and may negatively impact your CQC rating. The DSPT replaces the previous Information Governance (IG) Toolkit with a more streamlined and relevant framework for the adult social care sector.

The Different DSPT Compliance Levels

The DSPT has three main levels of compliance to reflect the different stages of an organisation's data security journey.

  • Approaching Standards: This entry-level status shows you have published a submission but have not yet met every mandatory requirement. It is a temporary status, granted on the basis of an agreed improvement plan, while you work towards full compliance.
  • Standards Met: This is the level all care providers should aim for. It demonstrates that your organisation has met every mandatory assertion, implemented the necessary data security measures, and follows good practice.
  • Standards Exceeded: This level shows you have met all the mandatory assertions and the additional, non-mandatory ones as well. It is usually reached by organisations with more mature data security arrangements that have gone beyond the minimum requirements.

Getting Started: Your Pre-Assessment Checklist

Before you begin your submission, gather all essential information and documents. Proper preparation is crucial for a smooth and efficient process. This checklist outlines the practical steps to take before you start working on the data security and protection toolkit. Assign clear roles within your team to manage the assessment effectively.

Registering Your Organisation on the Toolkit

Your first step is to register your service on the official portal. Visit the Official Data Security and Protection Toolkit website and use your Organisation Data Service (ODS) code to find your organisation. If your care service is not listed, you must first request an ODS code from the NHS. Once your profile is active, you can set up user accounts for other team members who will help complete the assessment.

Gathering Your Essential Policies and Procedures

Having your key documents ready will save significant time. Before you start, locate and review the following policies. Ensure they are up-to-date and reflect your current practices.

  • Data protection and confidentiality policies.
  • Information governance policies for staff, including acceptable use of IT.
  • An up-to-date Data Protection Impact Assessment (DPIA) for any new systems or processes.
  • Evidence of staff training on data security and protection.

If you do not have these policies in place, the Digital Care Hub (formerly Digital Social Care) and other sector bodies provide templates to help you create them.

Identifying Your Key Personnel

Assign clear responsibilities for the DSPT submission. Designate one person, typically the Registered Manager or an Information Governance (IG) Lead, to oversee the process. You must also identify your Data Protection Officer (DPO) if you have one. If not, state who holds responsibility for data protection matters. Finally, confirm who has overall accountability for data security in your service, as this person will need to approve the final submission.

Navigating the DSPT Assessment: Key Sections Explained

The data security and protection toolkit assessment is structured into logical categories. It focuses on three core areas of your organisation: your people, your policies, and your technology. Understanding what is required in each section simplifies the process of completing your self-assessment. This breakdown clarifies the type of evidence you need to provide for each key area.

Category 1: People and Staffing

This section confirms that your staff understand their data protection duties. You must demonstrate that data security is part of your organisation's culture, from induction to daily practice. The evidence required is often straightforward and involves documents you may already have.

  • Staff Training: Provide a training register or spreadsheet showing which staff members have completed data protection training and the date of completion.
  • Roles and Responsibilities: Show that roles are clearly defined. This can be a simple document naming your Data Security and Protection Lead and outlining their duties.
  • Confidentiality Clauses: Upload a template of your staff contract, highlighting the clause that legally requires them to maintain confidentiality.

Category 2: Policies and Procedures

Here, you must show that you have formal, written rules for handling personal and sensitive data. These documents prove you have a clear plan for managing information securely and responding to incidents. Many organisations use templates to develop these policies; the Digital Care Hub offers excellent DSPT guidance for care providers with resources to help you create them. You will typically need to upload:

  • Data Security Policy: Your main information governance policy document that outlines your organisation's overall approach.
  • Data Breach Process: A procedure explaining the steps you take if a data breach occurs, alongside a log for recording any incidents.
  • Subject Access Request (SAR) Policy: A document showing how you handle requests from individuals wanting to see their personal data.

Category 3: Data and IT Systems

This category assesses the technical and physical measures you use to protect information. It covers everything from your computers to your filing cabinets. The goal is to show you have basic, effective security controls in place to prevent unauthorised access to sensitive data.

  • Secure Data Storage: Provide evidence of locked filing cabinets for paper records and confirmation that computers and devices are password-protected. Laptops and phones that leave the premises with personal data on them should also be encrypted, so that a lost or stolen device does not become a reportable breach.
  • Secure Email: Document your use of a secure email service, such as NHSmail, for sharing confidential care information.
  • IT Security: Show evidence of active anti-virus software with up-to-date signatures, a strong password policy, a process for keeping software and apps updated, and confirmation that your operating systems are still supported by their vendor.
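Assessors accept screenshots of settings, but a dated text report is easier to file and repeat each year. The script below is an added example written for this guide (it is not part of the DSPT or any NHS tool) and gathers the evidence for the three IT Security points above from a single Windows 10 or 11 device. It assumes Microsoft Defender is the antivirus in use, that it is run from an elevated (Administrator) PowerShell window, and that the folder C:\DSPT-Evidence can be created; the folder name and the seven-day signature-age threshold are arbitrary choices, not DSPT requirements. If you use a third-party antivirus, replace the Defender checks with that product's own status command.

```powershell
# Added example for this guide, not NHS or DSPT code.
# Collects endpoint evidence for the 'Data and IT Systems' assertions on one Windows device.
# Assumptions: Microsoft Defender is the antivirus, the shell is elevated, and
# C:\DSPT-Evidence is writable. Run it on each computer that holds care records.

$EvidenceDir = 'C:\DSPT-Evidence'                      # assumed folder; change to suit
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Stamp  = Get-Date -Format 'yyyy-MM-dd'
$Report = Join-Path $EvidenceDir "endpoint-evidence-$env:COMPUTERNAME-$Stamp.txt"

$Lines = @()
$Lines += "DSPT endpoint evidence for $env:COMPUTERNAME collected $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# 1. Operating system version, so you can confirm it is a vendor-supported release.
$Os = Get-CimInstance Win32_OperatingSystem
$Lines += "OS: $($Os.Caption) build $($Os.BuildNumber), last boot $($Os.LastBootUpTime)"

# 2. Antivirus status from Microsoft Defender.
$Mp = Get-MpComputerStatus
$Lines += "Defender antivirus enabled: $($Mp.AntivirusEnabled)"
$Lines += "Real-time protection enabled: $($Mp.RealTimeProtectionEnabled)"
$Lines += "Signatures last updated: $($Mp.AntivirusSignatureLastUpdated)"

# 3. Password policy as enforced on this device (length, age, lockout).
$Lines += 'Password policy (net accounts):'
$Lines += (net accounts | Where-Object { $_ -match 'password|lockout' })

# 4. Patching: the five most recently installed Windows updates.
$Lines += 'Most recent installed updates:'
$Lines += (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 |
           ForEach-Object { "  $($_.HotFixID) installed $($_.InstalledOn)" })

# 5. Disk encryption (BitLocker) for devices that leave the building.
#    Get-BitLockerVolume is absent on Windows Home editions, hence the try/catch.
try {
    $Bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop
    $Lines += "BitLocker on C: drive: $($Bl.ProtectionStatus) ($($Bl.VolumeStatus))"
} catch {
    $Lines += 'BitLocker: not available on this edition or not enabled'
}

# 6. Simple flags so the person completing the toolkit knows what needs fixing first.
$Flags = @()
if (-not $Mp.RealTimeProtectionEnabled) { $Flags += 'Real-time protection is OFF' }
if ($Mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) { $Flags += 'Signatures older than 7 days' }
$Summary = if ($Flags.Count -eq 0) { 'Checks: no issues found' } else { "Checks needing attention: $($Flags -join '; ')" }
$Lines += $Summary

$Lines | Set-Content -Path $Report -Encoding UTF8
Write-Host "Evidence written to $Report"
```

Keep the generated file with the rest of your submission evidence and re-run the script before each annual review; a fresh date on the report answers the 'outdated evidence' objection described later in this guide.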

Achieving 'Standards Met': Common Pitfalls and Best Practices

Completing your data security and protection toolkit submission is more than just filling in boxes. To achieve 'Standards Met', your evidence must be clear, relevant, and current. This section provides practical guidance to help you submit with confidence and avoid common pitfalls that lead to an 'Approaching Standards' result.

Avoiding Common Submission Errors

A frequent mistake is providing vague answers or simply attaching a document without context. Assessors need to see how your policies are applied in practice. Avoid these common errors:

  • Vague References: Instead of writing 'Policy attached', explain which part of the policy answers the question and how it is implemented day-to-day.
  • Outdated Evidence: Ensure all policies and procedures have a recent review date. Submitting a policy from three years ago suggests it is no longer in active use.
  • Irrelevant Answers: Read each question carefully and answer it directly. Do not copy and paste generic text that does not address the specific assertion.

To structure a clear response, use the STAR method: describe the Situation, the Task required, the Action you took, and the Result. This provides a concise, evidence-based answer.

What 'Good' Evidence Looks Like

Strong evidence is specific and directly supports your statements. Aim for clarity and precision in every answer. Good evidence is:

  • Specific: State the date of your last staff training session or the annual policy review date (e.g., "Reviewed on 15th October 2023").
  • Referenced: Refer to specific clauses in your documents (e.g., "As stated in Section 4.2 of our Data Breach Policy...").
  • Visual: Include screenshots where helpful, such as antivirus software settings or a log of completed software updates.
  • Concise: Keep your answers focused. Provide only the information required to meet the assertion.

Using an Improvement Plan

Receiving an 'Approaching Standards' outcome is not a failure. It identifies areas for development and is a key part of the improvement process. Use the feedback to create a realistic, time-bound improvement plan that details the specific actions you will take, who is responsible, and a target completion date.

Once you have actioned the items in your plan, you can update the relevant sections of the data security and protection toolkit and resubmit for review. Need guidance on creating your plan or strengthening your submission? Explore our resources for care providers.

Beyond Compliance: Annual Reviews and Leveraging Your DSPT Status

Completing the Data Security and Protection Toolkit is a significant achievement. However, it is not a one-time task. Maintaining your 'Standards Met' status requires an ongoing commitment to good data security practices, demonstrated through an annual review and submission. This final step transforms compliance from a requirement into a valuable asset for your care service.

The Annual Review Process

You must review and republish your DSPT assessment at least once a year. The deadline for this is typically 30th June. While the core principles remain the same, the toolkit questions may be updated annually to reflect new regulations or emerging cybersecurity threats. This ensures your practices stay current.

To make your annual review more efficient:

  • Organise Your Evidence: Keep all documents, policies, and training records from your first submission in a dedicated folder for easy access.
  • Review Policies Regularly: Do not wait until the deadline. Review and update your data security policies throughout the year as part of your normal operations.
  • Document Changes: Note any significant changes when they happen, such as introducing new software, a data breach, or new staff training procedures.

Using Your DSPT Status in Marketing

Achieving 'Standards Met' on the data security and protection toolkit is a powerful mark of quality and trust. It demonstrates a professional commitment to protecting sensitive information, which is a primary concern for clients and their families. Use this status to differentiate your service.

Actively promote your compliance on your website, in brochures, and on social media. Explain to prospective clients what it means in simple terms: that your service meets the NHS's high standards for data security. This provides reassurance and builds confidence before they even make an enquiry. It shows you are a professional, trustworthy provider. Showcase your quality commitment on your Guide2Care profile.

Secure Your Data, Build Trust: Final Steps

Completing the data security and protection toolkit is a crucial requirement for all care providers in England that handle NHS patient information. As this guide has shown, achieving 'Standards Met' is a manageable process built on clear preparation and an understanding of the key assessment areas. This is not just about compliance; it is a fundamental part of protecting client information and demonstrating your commitment to high-quality, professional care.

Your DSPT status is a powerful signal to potential clients and their families. Showcase this commitment to a wider audience. Guide2Care is a comprehensive directory trusted by UK families, offering resources designed to support providers like you. Increase your visibility to those actively seeking care and reinforce your reputation for excellence.

Demonstrate your commitment to quality and security. List your care service on Guide2Care.

Frequently Asked Questions

How long does it take to complete the Data Security and Protection Toolkit?

The time required varies based on your service's size and existing data protection measures. A small care provider with good policies may complete it in a few hours. Larger organisations might take several days. Preparation is key. Once you achieve the 'Standards Met' level, you must review and republish your assessment at least once a year to maintain compliance. Plan for this annual commitment.

What happens if our care service fails to meet the standards?

Failing to meet DSPT standards can have significant consequences. You may be unable to access key services like NHSmail or shared care records. It can also negatively impact your CQC inspection, as data security is part of the 'Well-led' assessment. Furthermore, local authorities and NHS partners often require DSPT compliance as a condition of their contracts, potentially limiting your business opportunities and funding access.

Do very small care providers or sole traders also need to complete the DSPT?

Yes. Any organisation that has access to NHS patient data or systems must complete the DSPT, regardless of its size. This includes sole traders, small residential homes, and local charities. The toolkit is designed to scale, with different requirements based on your organisation's category. The goal is to ensure that all handlers of sensitive health information meet a consistent, secure standard across the sector.

Is there a cost associated with using the DSPT or getting certified?

No, there is no cost to use the official Data Security and Protection Toolkit. The online self-assessment tool provided by NHS England is free. There are also no fees for publishing your assessment or achieving a 'Standards Met' status. While you may choose to pay for external support or training to help you complete it, the tool itself and the publication process are free of charge.

Where can I get official help and support for completing the DSPT?

Official support is available from several sources. The NHS England DSPT helpdesk (previously run by NHS Digital) provides direct assistance with technical queries about the toolkit itself. For broader guidance, the 'Better Security, Better Care' programme is a publicly funded initiative designed specifically to help adult social care providers complete the toolkit. It offers free resources, webinars, and a network of local support organisations to guide you through the entire process.

Does completing the DSPT make my care service GDPR compliant?

Completing the DSPT is a useful step towards demonstrating compliance, but it does not automatically make you GDPR compliant. The toolkit measures your data security practices against the National Data Guardian's ten data security standards, which incorporate key requirements of UK GDPR and the Data Protection Act 2018. A 'Standards Met' submission is therefore strong evidence that you are managing information correctly, but your legal obligations under data protection law go wider than the toolkit's questions.

How does the DSPT relate to our CQC inspection?

The CQC considers good data security a key component of a well-led care service. During an inspection, they will assess how you manage and protect people's information. Having an up-to-date 'Standards Met' DSPT assessment is strong evidence that you are meeting your legal obligations. The CQC's Key Line of Enquiry (KLOE) W1 specifically examines how governance and management systems ensure the delivery of high-quality, person-centred care.