top of page

What is The Data Security and Protection Toolkit?

The Data Security and Protection Toolkit (DSPT), previously known as the IG Toolkit, is an online tool developed by the NHS. Its primary purpose is to allow vendors that process patient data in NHS or social care organisations to measure their performance against data security standards

The DSP toolkit is a core part of the NHS Digital Technology Assessment Criteria (DTAC) officially launched in 2021, that guides health IT procurement for NHS organisations across England. This assessment not only ensures that digital systems and technology used within the NHS is suitable for use, but also works to protect sensitive patient data, and has a DSPT incident reporting tool to manage any breaches of personal data.


Meeting and, ideally exceeding, the DSP Toolkit's requirements involves:

  • 25 Assertions – There are approximately 25 'assertions' that vendors must fulfil through a range of evidence based requirements 

  • 40 Requirements – Each assertion can have one or multiple requirements associated with it against which evidence must be provided

  • >20 Evidence Items – There are over 20 different types of evidence that need to be developed, structured and updated as submittable documents corresponding to each DSP Toolkit Requirement. 

  • Regular Audits – Many of the evidence items require associated annual process audits and version updates in order to be submittable each year

  • Training – Cybersecurity awareness and compliance training for all staff from the most junior to the boardroom is an essential part of fulfilling the requirements of the DSP Toolkit

  • Accountability – There must be clear evidence of board level engagement and accountable stakeholders responsible for cybersecurity

Young Programmer

Who Needs to Submit the Data Security and Protection Toolkit?

Any relevant organisations in England that process health and/or social care data, and have access to NHS patient data and systems, must use the Data Security and Protection Toolkit and may be subject to an external audit (depending on the type of organisation and its size).

Examples of organisations that would need to complete the Data Protection Toolkit and may be subject to an external audit include:


  • IT Suppliers

  • Medical Device Manufacturers

  • General Practices (GPs)

  • NHS Trusts

  • Pharmacies

  • Dental Practices

  • Opticians

  • Biomedical organisations

  • NHS charities

Contact our team today to learn about our DSPT Support Service.

People Working in Open Office

Why Seek Help To Complete Your DSPT? 

DSP Toolkit requirements are increasingly either being audited or being reviewed as a core part of NHS procurements as seen with DTAC. The issue is that the DSP Toolkit is one of the most document and process-intensive requirements that NHS digital technology suppliers face.

Successfully fulfilling the DSP Toolkit's requirements necessitates effective project management to gather evidence, complete annual audits and communicate effectively across departments including HR, legal, IT and at the executive level. This complexity means there's a high risk of missing submission deadlines, not having the appropriate evidence impacting your ability to fulfil the assertions and significant costs to complete the DSP Toolkit at the last minute.

DSPT Independent Assurance and Audit Service 

From 2023–24 onwards, NHS organisations and IT suppliers with revenue at or exceeding £10m per year or 50 employees or greater are being asked to subject their organisation to an external audit, by an auditor of their choice, to demonstrate evidence of compliance with the mandatory DSPT requirements. 

Completing an annual DSPT return and independent assessment audit is mediated through the NHS Standard Contract and aligns with the National Data Guardian's 10 Data Security Standards upon which the audit methodology is based.

As a leading provider of NHS cybersecurity and compliance services including a track record of advising NHS England (and previously NHS Digital and NHSX), our consultants at The AbedGraham Group are the best choice to complete a rapid External DSPT Audit in time for your annual DSPT return.

Our audit methodology aligns with NHS England's required risk assessment framework and covers all the key audit items:

  • The organisation has a framework in place to support Lawfulness, Fairness and Transparency

  • Staff contracts set out responsibilities for data security

  • Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness

  • Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents

  • You closely manage privileged user access to networks and information systems supporting the essential service

  • Process reviews are held at least once per year where data security is put at risk and following DS incidents

  • All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway

  • Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services

  • You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service

  • A penetration test has been scoped and undertaken

  • You securely configure the network and information systems that support the delivery of essential services

  • The organisation is protected by a well-managed firewall

  • Basic due diligence has been undertaken against each supplier that handles personal information 

Contact our team today to organise your External DSPT Audit.

Our solutioN: Full NHS DSPT Support

At the AbedGraham Group, we specialise in assisting vendors of any size to navigate the complexities of the Data Security and Protection Toolkit. Through our team of NHS compliance consultants, project managers and cybersecurity experts, your organisation can fully outsource its DSP Toolkit completion processes to The AbedGraham Group. By partnering with us, you get the reassurance that we will assist you in completing your submissions to NHS Digital ahead of time with a focus on exceeding NHS expectations whenever possible. Our support service is:

  • Efficient – We use specialised sets of 'in-house' evidence templates to accelerate document creation

  • Engaging – We communicate effectively with all key stakeholders in your organisation to ensure necessary processes, audits and evidence are generated in a timely manner every year

  • Granular – Our cybersecurity consultants have worked extensively with local and central NHS organisations and understand how to structure cybersecurity best practice standards so they are right sized to your organisation and your NHS customers' environments 

  • Cost-effective – Retaining our support service for a fixed annual fee will be more cost effective than in-house processes or ad-hoc engagements with 3rd party consultants

Doctor in Hospital Corridor

Ready To Speak to One of the team?

If you need help with your DSPT compliance, or any other healthcare legislation, partnering with The AbedGraham Group will ensure your applications run smoothly and that you are able to operate in the healthcare sector.

​Contact The AbedGraham Group
Contact us today to leverage the power of clinically led consulting.
  • LinkedIn Social Icon

Success! Message received.

Copyright © 2024-25  AbedGraham Healthcare Strategies Ltd.

bottom of page