DSPT Support
DSPT without the annual panic.
DDG helps NHS and care-sector organisations understand and complete the Data Security and Protection Toolkit in plain English, without tick-box overload.
Built around NHS and care-sector pressure
Clear guidance for teams dealing with evidence, systems, access, and deadlines.
Plain-English explanation of what DSPT expects.
Evidence mapping across policies, IT controls, training, and governance.
What DSPT is
A structured way to evidence data security and protection.
DSPT is an online self-assessment for organisations that access NHS patient data or NHS systems. It asks you to show how you keep information secure, both digitally and on paper, and how you plan to improve over time.
Plain-English explanation of what DSPT expects.
Evidence mapping across policies, IT controls, training, and governance.
Support for NHS, primary care, social care, charities, and suppliers.
A calmer route through renewals, lapsed submissions, and deadlines.
Who it applies to
If you access NHS data or services, DSPT probably matters.
Letting DSPT lapse can affect contracts, commissioning decisions, and access to NHS systems. DDG helps you confirm what applies and what needs to happen next.
NHS organisations
NHS trusts, ICBs, and other NHS organisations handling patient data or using national NHS digital services.
Primary care
GP practices, dentists, community pharmacies, and providers using NHS systems or handling patient records.
Social care providers
Adult social care providers, home-care agencies, supported living services, and care-sector teams connected to NHS or local authority systems.
Suppliers and partners
Technology, data, and service suppliers that connect into NHS digital services or process NHS patient data.
What DSPT covers
Governance, people, processes, technology, and evidence.
You do not need to memorise every assertion. At a practical level, DSPT checks whether your organisation manages sensitive information and technology in a safe, organised way.
Governance, leadership, and responsibility for data security.
Data protection, confidentiality, and patient or service-user information.
Staff awareness, training, and routes for reporting concerns.
IT security controls such as access management, patching, backups, devices, and remote access.
Incident response, breach reporting, third parties, and supplier assurance.
Common blockers
Most teams know security matters. The hard part is proving it clearly.
DSPT often becomes difficult because evidence is scattered, responsibilities are shared, and toolkit wording does not always map neatly to day-to-day operations.
Understanding what each assertion is really asking in practical terms.
Finding, organising, and updating evidence across different teams and systems.
Closing policy, procedure, training, or technical gaps without derailing daily work.
Translating IT controls into the language and structure DSPT expects.
Keeping the annual cycle moving before deadlines turn into panic.
How DDG helps
A calmer route from uncertainty to submission.
Our role is to support your team, not replace it. We help connect DSPT to your wider security work so evidence and improvements count in more than one place.
Step 1
Understand where you are
Review whether DSPT is new, a renewal, or lapsed, then identify the main pressure points.
Step 2
Translate the requirements
Explain toolkit language in plain English so leaders, IT, and operational teams know what matters.
Step 3
Reuse existing evidence
Map policies, Cyber Essentials work, testing, monitoring, and training to DSPT wherever possible.
Step 4
Prioritise improvements
Set out practical actions that support the submission and strengthen day-to-day security.
Step 5
Support the submission
Help keep the online toolkit work structured, evidence-led, and moving towards publication.
Joined-up evidence
DSPT should not become a separate pile of work.
Cyber Essentials, IASME Cyber Baseline, penetration testing, vulnerability scanning, awareness work, and managed security support can all feed evidence into DSPT when they are organised properly.
DDG helps you reuse policy work, technical testing, monitoring, and training evidence so your organisation builds one joined-up security story rather than a collection of disconnected projects.
We help turn scattered evidence into a clear plan for the toolkit, leadership, and day-to-day improvement.
FAQ
DSPT questions we hear often.
Short, practical answers for NHS and care-sector teams.
Who has to complete DSPT?v
Any organisation that accesses NHS patient data or NHS digital services is normally expected to complete DSPT, including NHS bodies, primary care, social care providers, and many suppliers.
How often do we need to submit?v
DSPT runs on an annual cycle. Most organisations update and publish their assessment once a year, with evidence of changes and planned improvements.
Do we need Cyber Essentials to pass DSPT?v
Cyber Essentials is not a formal requirement for every DSPT submission, but it can provide useful evidence for technical controls such as patching, access management, and boundary security.
What happens if DSPT lapses?v
A lapsed or missing DSPT can affect access to NHS systems, contracts, commissioning decisions, and partner confidence.
Can you work with our existing IT provider?v
Yes. DDG can work alongside internal IT, managed service providers, and existing consultants to make sure technical work is reflected clearly in DSPT.
Need help with DSPT?
Tell us where you are with the toolkit and what is creating pressure.
We will review your situation and come back with clear next steps, realistic options, and no pressure.
Include your organisation type, whether DSPT is new, renewing or lapsed, any deadline, and the systems or contracts you are worried about.