What Does DSPT Stand For?

DSPT stands for Data Security and Protection Toolkit.

It is an online self-assessment used by organisations to show how well they manage data security and information protection. NHS England describes it as a toolkit that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. It must be used by organisations that have access to NHS patient data and systems.

In simple terms, DSPT helps answer one important question:

Can your organisation be trusted to handle NHS data securely and responsibly?

For digital health companies, this can include:

  • SaaS platforms used by NHS teams
  • Healthcare apps processing patient information
  • Software suppliers integrating with NHS systems
  • Cloud hosting providers supporting healthcare workloads
  • Managed IT providers supporting health and care organisations
  • Medical technology companies collecting or processing personal data
  • Private healthcare providers working with NHS organisations

Why DSPT Matters for Digital Health Companies

DSPT matters because NHS buyers, commissioners and partners need assurance before they allow suppliers to handle sensitive information or connect into healthcare environments.

If your DSPT position is unclear, incomplete or expired, it can create delays in procurement, onboarding, contract approval and supplier assurance. It may also raise wider questions about your data protection, cyber security and operational maturity.

For growing healthtech businesses, DSPT can support:

  • NHS supplier onboarding
  • Procurement due diligence
  • Digital health product assurance
  • Patient data protection
  • Cyber security governance
  • UK GDPR alignment
  • Trust with NHS stakeholders
  • Readiness for DTAC assessments

The NHS Digital Technology Assessment Criteria, known as DTAC, is used by care commissioners and providers to assess digital health technology products. DTAC covers clinical safety, data protection, technical security, interoperability, usability and accessibility, and is used alongside checks such as DSPT.

This means DSPT should not be treated as a stand-alone admin exercise. It should sit within your wider compliance, cyber security and product assurance programme.

Is DSPT Only for NHS Trusts?

No.

This is one of the biggest misunderstandings around DSPT. It is not only for NHS trusts, GP practices or large healthcare organisations.

If your organisation has access to NHS patient data or NHS systems, DSPT may apply to you. NHS guidance states that all organisations with access to NHS patient data and systems must use the toolkit to provide assurance that they practise good data security and handle personal information correctly.

That means DSPT can apply to third-party suppliers, technology providers and service partners, not just direct care providers.

You may need DSPT if you:

  • Process patient identifiable information
  • Host NHS-related data
  • Provide software used in clinical or care settings
  • Support infrastructure connected to NHS services
  • Provide managed IT or cyber security support to healthcare organisations
  • Work as a processor, sub-processor or supplier in the NHS supply chain

Even if your business does not directly deliver clinical care, your role in the supply chain may still bring DSPT into scope.

What Does DSPT Assess?

DSPT looks at whether your organisation has suitable controls, policies, processes and evidence in place to protect sensitive data.

The NHS assessment guidance is based around the 10 National Data Guardian standards, which cover personal confidential data, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection and accountable suppliers.

For a digital health company, this usually means being able to evidence areas such as:

  • Information governance policies
  • Staff data protection and cyber security training
  • Asset registers
  • Access control reviews
  • Multi-factor authentication
  • Device and endpoint security
  • Patch management
  • Antivirus or endpoint protection
  • Supplier and sub-processor management
  • Incident response processes
  • Business continuity plans
  • Backup and recovery arrangements
  • Data Protection Impact Assessments
  • Records of Processing Activities
  • Privacy notices
  • Secure software and cloud configuration

The key word is evidence.

A policy on its own is not enough. NHS partners may expect to see proof that the control exists, is current and is being followed in practice.

DSPT Is a Self-Assessment, But It Is Not a Tick-Box Exercise

DSPT is completed as a self-assessment, but that does not mean it should be rushed or treated casually.

When you submit DSPT, you are making a formal statement about your organisation’s data security and protection position. If your submission is questioned during procurement, audit, contract review or incident investigation, your evidence needs to stand up.

A weak submission can create issues such as:

  • Delayed NHS onboarding
  • Lost procurement opportunities
  • Extra due diligence from NHS partners
  • Increased contract risk
  • Poor confidence from commissioners
  • Gaps in cyber insurance or assurance reviews
  • Increased exposure during data incidents

The safest approach is to complete DSPT as part of a wider security improvement process, not as a last-minute form-filling task.

Common DSPT Mistakes Digital Health Companies Make

Many suppliers underestimate DSPT because they assume it is mainly a paperwork exercise. In reality, it often exposes gaps across IT, operations, legal, HR, software development and supplier management.

Here are the most common mistakes.

1. Starting Too Late

DSPT requires evidence. If you start too close to the submission deadline or procurement review, you may not have time to fix technical issues, update policies, train staff or collect the right records.

2. Confusing Policies with Evidence

A document saying “we review user access” is not the same as evidence that access reviews are actually happening. You may need logs, review records, meeting notes, training records or screenshots to prove control activity.

3. Forgetting Supplier Risk

Healthcare suppliers often rely on cloud platforms, development partners, hosting providers, outsourced support and third-party tools. NHS guidance on accountable suppliers highlights the importance of understanding supplier responsibilities, contractual obligations and where your responsibilities end and your providers’ begin.

4. Ignoring Technical Controls

DSPT is not only about data protection. Cyber security matters. Unsupported systems, weak access controls, missing MFA, poor patching and unclear backup arrangements can all create problems.

5. Not Assigning Ownership

DSPT needs a named owner, but that person cannot complete it in isolation. Input may be needed from IT, cyber security, legal, HR, operations, product teams and senior leadership.

6. Treating DSPT as a One-Off

DSPT should be maintained throughout the year. If you only look at it once a year, you are more likely to face gaps, outdated documents and missing evidence.

How DSPT Connects with Cyber Essentials and Cyber Security

DSPT and Cyber Essentials are different frameworks, but they complement each other.

Cyber Essentials is described by the National Cyber Security Centre as the minimum standard of cyber security recommended by the Government for organisations of all sizes. It focuses on five technical controls designed to protect against common internet-based cyber threats.

For digital health companies, Cyber Essentials can help strengthen the technical foundation that supports DSPT, including:

  • Firewalls and boundary protection
  • Secure configuration
  • Access control
  • Malware protection
  • Security updates and patching

Cyber Essentials Plus goes further by adding independent technical verification. For suppliers working in healthcare, this can provide stronger assurance to NHS partners, commissioners and procurement teams.

DSPT may be the NHS-specific requirement, but Cyber Essentials, Cyber Essentials Plus, penetration testing and Microsoft 365 hardening can all help build a stronger compliance position.

How to Prepare for DSPT: A Practical Roadmap

The best way to approach DSPT is to treat it like a structured readiness project.

Step 1: Confirm Whether DSPT Applies to You

Start by checking whether your organisation has access to NHS patient data, NHS systems or healthcare data through a contract or supplier relationship.

If you are part of the NHS supply chain, check your contractual requirements and ask the NHS buyer or partner what level of assurance they expect.

Step 2: Identify Your Data Flows

Map what data you collect, process, store, transfer and delete.

This should include:

  • Patient data
  • Staff data
  • Clinical data
  • Usage data
  • Support tickets
  • Backups
  • Logs
  • Integrations
  • Third-party platforms
  • Cloud-hosted systems

If you cannot explain where data goes, you cannot properly secure it.

Step 3: Build Your Evidence Library

Create a central evidence folder for DSPT. This should include current documents, screenshots, reports and records.

Useful evidence may include:

  • Information security policy
  • Data protection policy
  • Incident response plan
  • Business continuity plan
  • Asset register
  • Access review records
  • Training completion reports
  • Penetration test reports
  • Vulnerability scan summaries
  • Backup test results
  • Supplier register
  • DPIAs
  • ROPA
  • Cyber Essentials certificate
  • Microsoft 365 security configuration evidence

Step 4: Review Your Microsoft 365 and Cloud Security

Many digital health companies rely heavily on Microsoft 365, Azure, AWS or other cloud platforms. Your security configuration should be reviewed before submission.

Focus on:

  • MFA enforcement
  • Conditional Access
  • Admin role control
  • Secure email configuration
  • Endpoint management
  • Device compliance
  • Logging and monitoring
  • Data loss prevention
  • Backup and retention
  • Guest access controls
  • Shared mailbox and Teams governance
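The first three items above (MFA enforcement, Conditional Access and admin role control) are the ones most often answered with "yes" when the tenant does not actually enforce them, typically because a policy was left in report-only mode or disabled during a rollout. The script below is an added example for this article, not code from NHS England, Microsoft or the original author: it reads an exported list of Entra ID Conditional Access policies and reports PASS or FAIL for each control, plus the break-glass exclusions you will need to document as evidence. The sample export is constructed; the field names follow the Microsoft Graph conditionalAccessPolicy resource, while the policy names and the excluded account are invented. One way to produce a real export is `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10` in Microsoft Graph PowerShell.

```python
"""Audit exported Entra ID Conditional Access policies against the Step 4
controls: MFA for all users, privileged roles covered, legacy authentication
blocked, and nothing left in report-only or disabled state.

Added example for this article; not NHS England or Microsoft code."""
import json

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
# Well-known Entra ID role template id for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export. Field names follow the Graph
# conditionalAccessPolicy resource; displayNames and the break-glass
# account are invented for this example.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-01"],
                      "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: not enforced
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for Global Administrators",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeRoles": [GLOBAL_ADMIN_TEMPLATE_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
])


def enforced(policy):
    """Only 'enabled' enforces; report-only and 'disabled' leave the gap open."""
    return policy.get("state") == "enabled"


def grants(policy, control):
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return control in controls


def users(policy):
    return policy.get("conditions", {}).get("users", {})


def targets_all_users_and_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return ("All" in users(policy).get("includeUsers", [])
            and "All" in apps.get("includeApplications", []))


def blocks_legacy_auth(policy):
    """A 'block' grant that covers the exchangeActiveSync and other client types."""
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return grants(policy, "block") and LEGACY_CLIENT_APP_TYPES <= types


def names(policies):
    return ", ".join(p["displayName"] for p in policies) or "none"


def audit_export(json_text):
    """Return {check: (status, detail)} with status PASS or FAIL."""
    policies = json.loads(json_text)
    live = [p for p in policies if enforced(p)]
    results = {}

    mfa_all = [p for p in live if grants(p, "mfa") and targets_all_users_and_apps(p)]
    # Break-glass exclusions are normal, but each one needs a documented owner.
    excluded = sorted({u for p in mfa_all for u in users(p).get("excludeUsers", [])})
    results["mfa_all_users"] = ("PASS" if mfa_all else "FAIL",
                                f"enforced by: {names(mfa_all)}; excluded accounts to justify: {excluded}")

    legacy = [p for p in live if blocks_legacy_auth(p)]
    results["legacy_auth_blocked"] = ("PASS" if legacy else "FAIL", f"enforced by: {names(legacy)}")

    admins = [p for p in live if grants(p, "mfa")
              and GLOBAL_ADMIN_TEMPLATE_ID in users(p).get("includeRoles", [])]
    results["privileged_roles_mfa"] = ("PASS" if admins else "FAIL", f"role-scoped policies: {names(admins)}")

    idle = [p for p in policies if not enforced(p)]
    results["report_only_or_disabled"] = (
        "PASS" if not idle else "FAIL",
        "; ".join(f"{p['displayName']} ({p['state']})" for p in idle) or "all policies enabled")
    return results


if __name__ == "__main__":
    for check, (status, detail) in audit_export(SAMPLE_EXPORT).items():
        print(f"{status:4} {check}: {detail}")
```

Against the constructed sample only the all-users MFA check passes: the legacy authentication block is in report-only mode and the administrator policy is disabled, so neither counts as enforced, which is exactly the distinction an assessor will draw if they ask for the policy export rather than a screenshot. Keep the output alongside the export in your evidence library and record why each excluded account exists.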

Step 5: Check Your Endpoint and Patch Management

Make sure all laptops, desktops, servers and cloud systems are supported, patched and protected.

Unsupported operating systems, unmanaged devices and missing security updates can weaken your DSPT position and increase real-world cyber risk.

Step 6: Test Your Incident Response Plan

DSPT looks at whether organisations can identify, resist and respond to cyber incidents. NHS guidance also confirms that reportable data security and protection incidents must be notified through the DSPT incident reporting tool, and that notifiable breaches must be reported to the ICO without undue delay, with reasons required if notification takes longer than 72 hours.

You should know:

  • Who handles incidents
  • Who contacts clients
  • Who contacts regulators
  • Who investigates technical evidence
  • How incidents are logged
  • How lessons learned are recorded
  • How suppliers are involved
  • How recovery is tested

Step 7: Run a Gap Assessment Before Submission

Before completing the toolkit, carry out a DSPT gap review. This will show what is already in place, what needs improvement and what evidence is missing.

A good gap review should produce a clear action plan with owners, priorities and deadlines.

DSPT Readiness Checklist

Use this quick checklist before starting your submission.

Area | What to check
Scope | Do you know whether your organisation is in scope for DSPT?
Ownership | Is there a named DSPT lead?
Data mapping | Do you know what NHS or patient data you process?
Policies | Are your security and data protection policies current?
Training | Can you evidence staff cyber security and data protection training?
Access control | Are user accounts reviewed and removed when no longer needed?
MFA | Is multi-factor authentication enforced for key systems?
Assets | Do you have an up-to-date hardware, software and cloud asset register?
Patching | Are supported systems updated within defined timescales?
Backups | Are backups tested and recoverable?
Incident response | Is your incident plan documented and tested?
Suppliers | Do you understand your processors, sub-processors and cloud responsibilities?
Evidence | Is all evidence organised, current and easy to review?

How Creative Networks Can Help

Creative Networks supports organisations with practical cyber security, compliance readiness and managed IT services that help strengthen DSPT submissions.

We can help you prepare by reviewing the technical controls that sit behind your DSPT answers, including Microsoft 365 security, endpoint protection, network security, access control, patching, backup readiness and supplier risk.

Our support can include:

  • DSPT readiness review
  • Cyber Essentials and Cyber Essentials Plus preparation
  • Microsoft 365 security hardening
  • Network and endpoint security checks
  • Penetration testing support
  • Vulnerability management
  • Backup and disaster recovery review
  • IT asset register support
  • Policy and evidence review
  • Ongoing managed IT and cyber security support

If you are preparing for an NHS contract, supplier review or digital health product assessment, getting your security foundations in place early can save time, reduce risk and give your NHS partners more confidence.

Final Thoughts

DSPT is more than an NHS compliance requirement. It is a practical way to prove that your organisation takes patient data, cyber security and supplier responsibility seriously.

For digital health companies, a strong DSPT position can support NHS procurement, improve internal security and reduce the risk of delays during due diligence.

The most successful organisations do not wait until the deadline. They build DSPT into their operating model, keep evidence updated throughout the year and treat compliance as part of everyday business resilience.

If your organisation needs support with DSPT readiness, Cyber Essentials, penetration testing or managed cyber security, Creative Networks can help you understand the gaps, strengthen your controls and prepare with confidence.

FAQs

What is DSPT in healthcare?

DSPT stands for Data Security and Protection Toolkit. It is an NHS online self-assessment used by organisations to show how they protect personal information and meet data security expectations.

Who needs to complete DSPT?

Organisations that access NHS patient data or NHS systems may need to complete DSPT. This can include healthcare providers, digital health companies, software suppliers, cloud providers and managed IT partners.

Is DSPT the same as Cyber Essentials?

No. DSPT is an NHS data security and protection self-assessment. Cyber Essentials is a UK Government-backed cyber security certification focused on five technical control areas. They are different, but they support each other.

Can DSPT apply to a digital health startup?

Yes, it can. If a digital health startup processes NHS patient data, connects to NHS systems or supports NHS services through its technology, DSPT may be required.

How often does DSPT need to be completed?

DSPT is an annual requirement for organisations in scope. It should be maintained throughout the year rather than treated as a one-off submission exercise.