What is DSPT? A Guide for Digital Health Companies

A practical guide to the NHS Data Security and Protection Toolkit (DSPT) for healthtech companies, covering what it is, who needs to complete it, key deadlines, and how to prepare for a successful submission.

If you are building or scaling a digital health product in the UK, understanding the Data Security and Protection Toolkit (DSPT) is crucial. DSPT is commonly required where a supplier has access to NHS patient data or systems, and some DSPT requirements also apply to organisations that don't handle patient data directly but provide IT or cloud services supporting NHS systems. DSPT is often reviewed during NHS procurement, onboarding, and due diligence, and is also a key part of the NHS DTAC (Digital Technology Assessment Criteria).

The NHS describes DSPT as "an online self-assessment tool or assurance mechanism for data security and protection". For healthtechs, it is often one of the first compliance hurdles you will face before securing NHS contracts or partnerships.

This guide explains everything you need to know about DSPT, including what it is, who must complete it, key deadlines, and how to prepare for submission.

What is DSPT and Why Does It Matter for Healthtechs

DSPT is an online self-assessment tool developed by the NHS. It allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

DSPT was introduced in 2018, replacing the old Information Governance Toolkit. Its purpose is to ensure that all organisations handling NHS patient data meet a consistent level of security and data protection.

For healthtech companies, DSPT is important because:

  • It is required to access NHS systems or data
  • It builds trust with NHS partners and patients
  • It supports broader data protection and security compliance efforts, with overlap between DSPT and UK GDPR
  • It reduces the risk of data breaches and cyber incidents

Without DSPT compliance, many NHS organisations may be reluctant to engage with your product, so it's important to get it done on time!

What's the Difference Between DSPT & the IG Toolkit?

You may come across resources or conversations referring to the “IG Toolkit.” This is simply the older name for what is now called the Data Security and Protection Toolkit (DSPT).

  • IG Toolkit: the pre-2018 framework
  • DSPT: the current, updated framework

It’s important to note that these are not separate requirements. If you see “IG Toolkit” mentioned, it’s usually referencing guidance or materials from before 2018. For NHS compliance today, you should always refer to DSPT.

Who is Required to complete a DSPT Submission?

In simple terms, organisations that have access to NHS patient data or systems must complete a DSPT submission.

Here are some examples of organisations that should make a DSPT submission:

  • A digital health startup processing patient data
  • A software provider integrating with NHS systems
  • An IT consultancy working with NHS organisations
  • A medical device company collecting patient information
  • A data processor or cloud provider handling NHS data
  • A private healthcare provider delivering NHS services

Even if you are not directly contracted with the NHS, you may still need DSPT if you are part of the supply chain.

Should I do DSPT if I Don't Handle Patient Data?

Even organisations that do not directly handle patient data may still be required to complete DSPT, particularly if they support or connect to NHS systems.

You should confirm your requirement and expected submission level using the Data Security and Protection Toolkit guidance, or get in touch with the Assuric team for a free consultation.

DSPT Submission Deadlines You Must Know

Importantly, DSPT is not a one-off task: it is an annual requirement, and unlike many other frameworks there is a fixed annual deadline for DSPT submission.

Key DSPT Deadline

  • Submission deadline: 30th June every year
  • Reporting period: Previous financial year (ending 31 March)

For example:

  • Data from April 2025 to March 2026 must be submitted by 30 June 2026

Missing the deadline can delay procurement, potentially impact contracts, and reduce trust with NHS partners.

What Does DSPT Assess?

DSPT has historically been based on the 10 standards set by the National Data Guardian, covering how organisations handle data securely.

However, this is undergoing some changes. Since 2024, NHS England has begun aligning DSPT with the National Cyber Security Centre’s Cyber Assessment Framework (CAF), meaning assessments are increasingly shaped by both data governance and wider cybersecurity requirements.

In practice, organisations should be prepared to demonstrate strong controls across both data protection and cyber security.

Below are the key areas your digital health product must address.

1. Data Protection and Confidentiality

You must ensure that:

  • Personal data is handled securely at all times
  • Privacy notices are in place
  • You are registered with the ICO
  • You comply with UK GDPR

2. Staff Responsibilities and Training

All staff must:

  • Understand their data security responsibilities
  • Complete regular training
  • Know how to handle sensitive information

Security awareness must be part of your company culture.

3. Access Control and Least Privilege

Access to data must be:

  • Restricted to those who need it
  • Regularly reviewed
  • Removed when no longer required

This is known as the principle of least privilege.

4. Incident Management

You must have:

  • A clear incident response plan
  • Processes for reporting breaches
  • Regular reviews of incidents and near misses

Staff must know how to respond quickly to security issues.

5. System Security and Updates

Your organisation must:

  • Avoid unsupported software
  • Apply security patches regularly
  • Maintain antivirus and firewall protection

Outdated systems are a major risk factor.

6. Asset and Device Management

You need a clear record of:

  • Devices
  • Software
  • Systems handling data

This ensures you always know where sensitive data is stored.

What does DSPT Submission Look Like in Practice?

DSPT is a self-assessment, meaning you complete the toolkit AND you declare your own compliance status: either "Standards Met" or "Standards Not Met".

Your submission can then be reviewed or audited by NHS organisations during procurement and due diligence processes.

What are the DSPT Categories?

Every organisation completing DSPT is assigned to a category. This determines the level of detail required in your submission.

There are four categories in total.

The Four DSPT Categories
  • Category 1: Large healthcare organisations (e.g., NHS trusts)
  • Category 2: Large IT suppliers to the NHS
    • 50+ staff
    • Annual turnover > £10 million
    • Established NHS contracts
  • Category 3: Other IT suppliers
  • Category 4: GP practices and small healthcare providers

DSPT Changes for 2025-2026 Submission

For the 2025–26 submission, DSPT version 8 introduces incremental updates, focusing on the quality of evidence rather than a major overhaul of the framework:

  • Organisations must demonstrate that controls are operating in practice, not just documented
  • Evidence must be clear, consistent, and up to date
  • Submission structure largely remains the same for small and medium-sized healthtech suppliers

Read our full blog on the key changes for DSPT v8 and exactly what it means for healthtechs.

As mentioned earlier, DSPT is continuing to align with the National Cyber Security Centre framework, but for most healthtech companies the core structure remains largely the same this year.

How Assuric Streamlines & Automates DSPT for Healthtechs

Assuric removes the complexity from DSPT by turning a fragmented, manual process into a structured, end-to-end workflow, helping healthtech teams move faster and submit with confidence.

🔧 Structured, Actionable Workflows

  • The platform breaks DSPT requirements into clear, trackable tasks
  • Assigns ownership across your team, ensuring continuous progress, with no last-minute scrambling

📄 Built-in DSPT Submission Form

  • The platform pre-populates responses using your compliance data
  • Evidence automatically links to the key requirements, streamlining the entire submission process in one place

🔁 Reduce Duplication Across Frameworks

  • Assuric maps requirements and controls across DSPT, UK GDPR, Cyber Essentials, and ISO 27001
  • Complete tasks once and reuse them, seamlessly maintaining up-to-date policies and evidence

👀 Real-Time Visibility and Audit Readiness

  • Live view of compliance status and gaps
  • Always audit-ready with organised evidence

🚀 From Setup to Submission, All in One Place

  • Manage, track, and submit DSPT in a single platform
  • Reduce manual effort and risk of errors, reaching “Standards Met” faster and with confidence

Make your life easier and talk to us to simplify compliance.

Goodbye manual processes, hello automation. Let Assuric manage compliance and security, so you can focus on growth.