What is DSPT? A Guide for Digital Health Companies

If you are building or scaling a digital health product in the UK, the NHS Data Security and Protection Toolkit — universally known as DSPT — is almost certainly on your compliance roadmap. It is one of the most common requirements for any organisation looking to access NHS systems, handle patient data, or work within the NHS supply chain.

But DSPT is also one of the most misunderstood frameworks in digital health compliance. What exactly does it assess? Who has to complete it? When is it due? And what does "Standards Met" actually mean?

This guide answers all of those questions. Whether you are approaching DSPT for the first time or looking to sharpen your understanding ahead of a submission, this is everything you need to know.

What is DSPT?

DSPT stands for the Data Security and Protection Toolkit. It is an online self-assessment tool developed by NHS England that allows organisations to measure and demonstrate their performance against data security and protection standards.

Launched in 2018 as a replacement for the older Information Governance Toolkit (IG Toolkit), DSPT provides a consistent framework for ensuring that all organisations handling NHS patient data meet an agreed baseline of security and data protection controls.

The NHS describes DSPT as an online self-assessment tool or assurance mechanism for data security and protection. For digital health companies, it is typically one of the first formal compliance hurdles you will encounter before securing NHS contracts, being onboarded by an NHS trust, or participating in pilots.

What is the Difference Between DSPT and the IG Toolkit?

You may come across references to the "IG Toolkit" in older guidance documents or conversations with NHS contacts. The IG Toolkit was the predecessor to DSPT, used prior to 2018. It was not a separate standard — it was simply the earlier version of the same framework.

If you see "IG Toolkit" mentioned today, it usually refers to historical documentation. All current NHS compliance requirements use DSPT. Always refer to DSPT for your submissions.

Why Does DSPT Matter for Healthtech Companies?

DSPT matters because without it, the doors to the NHS stay closed. NHS organisations are required to check DSPT compliance as part of their procurement and due diligence processes. Even if you are not directly contracted with an NHS trust, you may still be required to hold a valid DSPT submission if you are processing NHS patient data or providing technology that supports NHS systems.

Beyond the procurement gateway, DSPT matters for four key reasons:

  • It gives NHS partners and patients confidence that you are handling their data responsibly.
  • It aligns closely with UK GDPR, so completing DSPT also advances your broader data protection compliance.
  • It reduces the risk of data breaches and the reputational and financial damage they cause.
  • It is a core component of NHS DTAC (Digital Technology Assessment Criteria), the wider assurance framework used to evaluate digital health technologies.

Who Needs to Complete a DSPT Submission?

Any organisation that has access to NHS patient data or NHS systems is expected to complete a DSPT submission. This is broader than it might initially appear. You do not have to be an NHS trust or a large IT supplier to be in scope. Examples of organisations typically required to complete DSPT include:

  • Digital health startups and SaaS companies processing or accessing patient data
  • Software providers integrating with NHS systems such as clinical systems or electronic patient records
  • Cloud infrastructure providers hosting NHS data
  • IT consultancies and managed service providers working with NHS organisations
  • Medical device companies collecting patient information
  • Private healthcare providers delivering services on behalf of the NHS

Do I Need DSPT if I Do Not Handle Patient Data Directly?

This is one of the most common questions we hear from digital health companies. The answer is: possibly yes. Even organisations that do not directly process patient data may still be required to complete DSPT if they:

  • Provide IT or cloud services that support NHS systems
  • Connect to NHS networks or infrastructure
  • Are part of the supply chain for organisations that do handle patient data

If you are unsure whether DSPT applies to you, the NHS Digital guidance is the starting point — or get in touch with the Periculo team for a free consultation to clarify your position.

DSPT Submission Deadlines

DSPT is an annual requirement, not a one-off task. This is a critical point that many early-stage healthtech companies overlook: your submission must be renewed every year, and there is a fixed annual deadline.

Deadline: 30 June each year.
Reporting period: the previous financial year (1 April to 31 March).
Example: data from April 2025 to March 2026 must be submitted by 30 June 2026.

Missing the deadline can have real consequences. NHS procurement teams check DSPT status during due diligence, and an expired or missing submission can delay contracts, block pilots, or undermine trust with NHS partners. Building DSPT renewal into your compliance calendar — well ahead of June — is essential.

What Does DSPT Assess?

DSPT has historically been structured around the 10 data security standards set by the National Data Guardian (NDG). These standards define how organisations should manage and protect health and care data. Since 2024, NHS England has been progressively aligning DSPT with the National Cyber Security Centre's Cyber Assessment Framework (CAF), meaning the assessment increasingly reflects both data governance and broader cybersecurity requirements.

In practice, this means organisations should demonstrate strong, evidenced controls across two broad areas:

1. Data Protection and Information Governance

You must demonstrate that personal and patient data is handled lawfully and securely at all times. Key requirements include:

  • Registration with the Information Commissioner's Office (ICO)
  • Documented compliance with UK GDPR, including a Record of Processing Activities (ROPA)
  • A published Privacy Notice that clearly explains how data is used
  • A documented Data Protection Impact Assessment (DPIA) for high-risk processing
  • Appointment of a Data Protection Officer or Data Protection Lead where required

2. Cyber Security

The cyber security elements of DSPT assess whether your organisation has the technical and operational controls to protect NHS data from threats. Key areas include:

  • Access control — restricting data access to those who genuinely need it, with regular reviews
  • Staff training — ensuring all staff understand their data security responsibilities
  • Incident management — having a clear, tested plan for responding to security incidents and reporting breaches
  • System and software security — keeping systems patched, avoiding unsupported software, and maintaining antivirus and firewall protection
  • Asset management — maintaining an up-to-date register of devices, systems, and software handling NHS data
  • Secure configuration — ensuring systems and networks are configured to minimise vulnerabilities

What Does "Self-Assessment" Mean in Practice?

DSPT is a self-assessment, which means your organisation declares its own compliance status. There is no external auditor or certifying body for standard DSPT submissions. Instead, you complete the toolkit and declare whether you have met the standards or not.

However, this does not mean DSPT is just a tick-box exercise. NHS organisations can and do review your evidence during procurement, and inaccurate or unsubstantiated submissions can create significant problems if queried. Your submission must be supported by real policies, processes, and evidence.

DSPT Submission Categories

Every organisation completing DSPT is assigned to one of four categories. Your category determines the scope and depth of your submission. Understanding which category applies to you is one of the first steps in your DSPT journey.

Category   | Who It Covers
Category 1 | Large healthcare organisations such as NHS Trusts, ICBs, and GP practices. Most extensive requirements.
Category 2 | Large IT suppliers to the NHS: 50+ staff, annual turnover above £10 million, and established NHS contracts. Full submission with comprehensive evidence.
Category 3 | Other IT suppliers who do not meet all three Category 2 criteria. Includes the majority of healthtech startups and scale-ups. Fewer requirements but still needs clear policies and evidence.
Category 4 | GP practices and smaller healthcare providers. Lighter-touch submission.

DSPT 2025–2026: What Has Changed?

For the 2025–2026 submission cycle, DSPT version 8 introduced incremental but important updates. The core message from NHS England is that evidence quality matters more than ever — organisations must demonstrate that their controls are actually working in practice, not simply documented on paper.

Key themes for DSPT v8 include:

  • Evidence must be current, clear, and consistent with actual organisational practice
  • Continued alignment with the NCSC's Cyber Assessment Framework (CAF)
  • Increased focus on the effectiveness of controls, not just their existence

For most Category 3 healthtech suppliers — the majority of startups and scale-ups — the structure of the submission remains broadly similar to previous years. The primary change is the expectation of stronger, more substantiated evidence.

How to Achieve DSPT Compliance: A Step-by-Step Overview

Approaching DSPT for the first time can feel daunting. Here is a practical framework for how to structure your compliance effort:

  1. Confirm your category. Use the DSPT toolkit guidance to identify whether you are Category 2, 3, or 4. Most healthtech startups and SaaS companies fall into Category 3.
  2. Conduct a gap analysis. Work through the DSPT requirements and identify where your current policies, processes, and technical controls fall short.
  3. Build your policy framework. This includes data protection policies, information security policies, an acceptable use policy, an incident response plan, and a business continuity plan.
  4. Document your data flows. Create a Record of Processing Activities (ROPA) and complete any required Data Protection Impact Assessments (DPIAs).
  5. Implement technical controls. Address access management, system patching, asset management, staff training, and multi-factor authentication.
  6. Gather and organise evidence. For each requirement, compile evidence that your controls are in place and working — policies, training records, audit logs, penetration test results, and so on.
  7. Complete the self-assessment. Log in to the DSPT portal, work through the requirements, upload your evidence, and submit before 30 June.
  8. Plan for renewal. DSPT is annual. Build a schedule to keep your policies, evidence, and submission up to date throughout the year.

Common DSPT Mistakes to Avoid

Based on our experience working with digital health companies across the UK, these are the mistakes that most often delay or derail DSPT submissions:

  • Leaving it too late. DSPT is a significant body of work. Starting in May for a June deadline rarely ends well. Build in at least three to four months for a first submission.
  • Confusing documentation with evidence. Having a policy written down is not enough — you need to demonstrate that the policy is actually followed. Evidence might include training records, access review logs, or incident reports.
  • Underestimating the technical controls. Many companies focus on the data protection side and overlook the cyber security requirements. Both carry equal weight.
  • Not assigning ownership. DSPT spans IT, legal, HR, and operations. Without clear ownership across the organisation, requirements fall through the gaps.
  • Treating it as a one-off task. DSPT renewal happens every year. Companies that build it into their ongoing compliance processes fare much better than those who treat it as a one-time project.

How Periculo Helps with DSPT

Periculo can help companies navigate the DSPT toolkit from initial gap analysis through to a confident Standards Met submission and beyond, with ongoing support for annual renewal.

Our approach combines deep NHS compliance expertise with practical, hands-on support tailored to the stage and scale of your business. Whether you are approaching DSPT for the first time or looking to strengthen your existing submission, we can help.

  • DSPT gap analysis and readiness assessments
  • Policy and procedure development tailored to your product and data flows
  • Evidence compilation and submission support
  • Annual DSPT renewal and ongoing compliance management
  • Integration with wider NHS compliance, including DTAC, DCB0129, and Cyber Essentials
  • Support with DSPT requirement 9.4.5 — the mandatory independent external cyber assessment for organisations required to obtain third-party assurance of their cyber security posture

Ready to get started? Get in touch to arrange a free consultation.