NHS DSPT Requirement 9.4.5: Independent Data Protection Audit Explained
The NHS DSP Toolkit and the June 30th Deadline
If your company handles NHS patient data or provides services to NHS organisations, you're likely familiar with the Data Security and Protection Toolkit (DSPT). The DSPT is an online self-assessment tool that allows organisations to demonstrate they are practising good data security and protection. Each year, organisations must complete and publish their DSPT assessment. For the 2024/25 cycle, the deadline is 30th June 2025.
Missing the NHS DSPT deadline can have serious consequences—non-compliance with NHS contractual requirements, loss of NHS data access, and reputational damage. For those who must comply, the DSPT is not optional; it’s an annual requirement.
However, meeting the DSPT standards isn’t just about ticking boxes. One particular requirement—Evidence Item 9.4.5—is gaining attention because it goes beyond self-assessment and introduces a mandatory independent audit.
Let’s break down what 9.4.5 means, why it matters, and how your company can comply confidently if you are an NHS IT supplier.
What is DSPT Evidence Item 9.4.5?
Within the DSP Toolkit, Evidence Item 9.4.5 requires an independent audit of your DSPT submission. In simple terms, this means that after completing the self-assessment, your organisation must undergo a third-party review to validate your data protection practices.
The DSPT portal specifically asks:
“What level of assurance (overall risk rating and confidence level rating) did the independent audit of your Data Security and Protection Toolkit provide to your organisation?”
You’re also required to upload a full audit report as supporting evidence.
This audit must be conducted by an impartial expert and should include:
- Findings and Ratings – How well your organisation meets each of the DSPT's ten data security standards, typically with individual risk ratings.
- Overall Assurance Level – A summary risk rating (e.g., low, moderate, high).
- Confidence Level – The auditor’s confidence in your controls and evidence.
This process ensures that self-declared compliance is independently verified—adding credibility and trust to your DSPT return.
Note: Evidence Item 9.4.5 falls under Data Security Standard 9 (IT Protection), which includes controls such as penetration testing, vulnerability management, and broader IT risk mitigation.
Who Needs to Comply—and Who We Audit
Periculo provides independent DSPT audits specifically for NHS IT Suppliers. While Requirement 9.4.5 applies to a broader range of organisations (e.g. NHS Trusts, ICSs, OES healthcare providers), our audit service is tailored exclusively for IT suppliers working with the NHS.
This specialism allows us to focus deeply on the specific needs, risks, and expectations of NHS-facing tech organisations.
Our Focus: Mandatory Assertions + Meaningful Security Recommendations
We focus our audit on the mandatory assertions required by NHS England under the DSPT. These are the core elements that determine whether your DSPT submission is accepted.
However, our approach goes beyond just checking the minimum. We assess additional areas where relevant to provide value-added recommendations—practical, actionable steps to improve your overall security posture. In other words, we help you meet the requirement and make measurable improvements in how you manage data security.
Why Does Requirement 9.4.5 Matter?
Enhanced Trust and Assurance
An independent audit gives NHS partners, commissioners, and clients confidence in your commitment to data protection. It proves your self-assessment is more than lip service.
Standardisation and Risk Insight
NHS England mandates these audits to ensure all relevant organisations are assessed consistently, helping surface sector-wide risks and weaknesses.
Continuous Improvement
The audit isn’t about passing or failing—it’s about improvement. The insights can help identify blind spots, tighten up gaps, and prevent incidents before they happen.
Mandatory for NHS IT Suppliers
If you’re supplying software, hosting, integration, or technical support to NHS organisations, this audit is mandatory. Missing it risks an incomplete submission, jeopardising your NHS contracts and data access.
How to Meet DSPT 9.4.5 – Book Your Independent Audit with Periculo
At Periculo, we help NHS IT suppliers complete their independent DSPT audit with clarity, speed, and accuracy.
What to Expect – Our 4-Step Audit Process
1. Pre-Audit Planning and Evidence Checklist
We provide a clear, itemised checklist so you know exactly what evidence to prepare.
2. Document Review
Our auditors review your key documents offline—policies, incident logs, risk registers, DPIAs, and ISO certifications, where relevant.
3. Stakeholder Interviews
In structured interviews with your team, we verify that policies are not only written but also followed in practice.
4. Audit Report + Risk & Confidence Ratings
You’ll receive a report that includes:
- Your official risk and confidence levels (as required by DSPT)
- A breakdown of strengths and gaps
- Targeted recommendations to enhance your data security posture
We tailor findings so they’re meaningful and relevant to your environment, not generic templates.
Why Work With Periculo?
- NHS-compliant audits for IT suppliers
- Focused on mandatory assertions—but with real improvement insights
- Efficient, fast turnaround
- Real people, clear communication—no checkbox bureaucracy
Book Your DSPT Audit Today
The NHS 30th June DSPT deadline is fast approaching. If 9.4.5 applies to your organisation, now is the time to act.
We’ll help you meet the requirement confidently and efficiently—and demonstrate to your NHS partners that you take data protection seriously.