What Is an NHS DSPT Audit? An Audit Guide
If your organisation handles NHS patient data or connects to NHS systems, for example as an IT supplier providing software or services to the health service, you will be familiar with the Data Security and Protection Toolkit (DSPT). The DSPT is an online self-assessment that all such organisations must complete annually to demonstrate NHS data protection compliance. Many organisations, particularly IT suppliers, are now also required to undergo an NHS DSPT audit: an independent review of the data security practices they have claimed in their submission. In this guide, we at Periculo explain what the DSPT is, what a DSPT audit involves, who needs one, and how to prepare effectively.
What is the NHS DSPT?
The NHS DSPT is an online self-assessment tool used to measure an organisation's data security practices against the National Data Guardian's 10 data security standards. The DSPT requires organisations to evidence that they have policies and controls in place to safeguard NHS patient data. These include staff training, secure system access, incident management, and compliance with the Data Protection Act 2018 and UK GDPR.
All organisations in England with access to NHS patient data or systems must complete the DSPT each year. This includes NHS trusts, GP practices, social care providers, and IT suppliers.
What is an NHS DSPT Audit?
A DSPT audit is an independent assessment of an organisation's DSPT submission and the evidence behind it. While the self-assessment relies on the organisation's own verification, an audit is conducted by a qualified independent auditor who checks that the claimed measures are actually in place and operating as described.
Key differences between self-assessment and audit:
- Objectivity: Auditors provide impartial assurance that controls exist and function as described.
- Detail: An audit involves detailed documentation review, staff interviews, and inspection of processes.
- Outcome: A formal audit report is produced, which may be required to maintain NHS contracts.
NHS England has mandated DSPT audits for IT suppliers and large NHS bodies to ensure the highest standards of assurance.
Who Needs a DSPT Audit?
You must undertake an NHS DSPT audit if you are:
- An NHS Trust, Integrated Care Board (ICB), Commissioning Support Unit (CSU), or Arm's Length Body.
- An IT supplier to the NHS providing digital goods or services.
- An independent healthcare provider classed as an Operator of Essential Services (OES).
Smaller providers such as GP practices, pharmacies, or care homes currently do not require independent audits but must still complete the DSPT self-assessment.
DSPT Audit Process
At Periculo, we guide clients through every step of the audit process:
Our Four-Step DSPT Audit Process
1. Discovery and gap analysis: We work with your organisation to understand your current data security posture and identify any gaps against the NHS DSPT requirements.
2. Audit preparation: We help you compile the necessary evidence, update policies, and address any areas for improvement prior to the audit.
3. Independent audit: Our experienced auditors conduct a thorough review of your documentation and practices to provide a clear, objective assessment of compliance.
4. Report and recommendations: We provide a detailed audit report with findings, risk ratings, and actionable recommendations to support your compliance journey and prepare you for submission.
Common Pitfalls to Avoid
Typical mistakes include:
- Incomplete or outdated documentation
- Overstating compliance
- Poor evidence management
- Lack of senior leadership engagement
- Failure to act on changes to NHS DSPT requirements
Periculo’s consultants can help your organisation avoid these pitfalls and stay fully compliant.
How to Prepare for Success
- Map each DSPT requirement to the policies and evidence that satisfy it.
- Conduct an internal mock audit.
- Leverage existing certifications such as ISO 27001 or Cyber Essentials Plus.
- Ensure management involvement and accountability.
- Maintain a comprehensive evidence library.
Need support with your NHS DSPT submission or audit?
Periculo specialises in helping IT suppliers with their DSPT external audit. Our consultants offer tailored gap analysis, audit readiness support, and independent auditing services to help you meet NHS expectations.
Book a Meeting with Periculo for guidance and to get DSPT compliant with confidence.
Please note: At Periculo, we only provide DSPT audit services for IT suppliers.