Data Security and Protection (DSP) Toolkit launched for health and social care

For more than a decade, the Information Governance (IG) Toolkit has been the all too familiar – although not always welcome – annual obligation for healthcare organisations to demonstrate their accord compliance with the Department of Health (DoH) standards for data security. 31 March 2018 marked the final submission date for the IG Toolkit v.14.1, which has now been replaced with the new, more comprehensive Data Security and Protection (DSP) Toolkit.

Much like the IG Toolkit, organisations have until 31 March 2019 to comply with the DSP Toolkit, which incorporates both the data security standards outlined by the National Data Guardian (NDG) and NHS Digital guidance for General Data Protection Regulation (GDPR) compliance. Some organisations will also have to prepare a baseline toolkit submission for an October 2018 deadline.

Key changes

The DSP Toolkit portal is now available to most organisations that completed their IG Toolkit v.14.1 submission, although the phased rollout does mean that some organisations will need to wait to access the online submission site. The assertions that must be completed to achieve compliance have been published by NHS Digital so organisations can plan how they will achieve compliance by the deadline.

Some key changes will be evident in the Toolkit:

  • Level 1, 2 and 3 submissions have been replaced with mandatory and non-mandatory assertions. The Toolkit will only be available to submit once the mandatory assertions are completed, although best practice suggests that non-mandatory assertions are also met.
  • Organisations that need to complete the Toolkit have been split into three ‘types’: Large, Small and GP. On registration you are asked to detail your organisation’s function, which will assign you to one of these categories. Your organisation ‘type’ will affect the assertions visible to you in the online submission portal.
  • Leaders and board members must receive suitable data security and protection training in order to comply. Additionally, staff must be aware of their responsibility to data security and protection. See our staff awareness training for more information.
  • Penetration testing must be undertaken annually for all ‘Large’ organisations. The minimum requirement is a network vulnerability scan in the 12 months preceding the submission of your DSP Toolkit. Best practice recommends that web applications are tested and it is confirmed that they are not vulnerable to the Open Web Application Security Project (OWASP) Top 10 vulnerabilities.
  • ‘Large’ organisations must also notify NHS Digital of any suppliers that fall significantly short on the NDG standards.


The GDPR comes into effect on 25 May 2018. The DSP Toolkit requires organisations to demonstrate that they are complying with the Regulation and enacting the GDPR guidance outlined by NHS Digital. Organisations will also need to coordinate their DSP Toolkit and GDPR compliance programmes to address where these overlap.

IT Governance’s health and social care experts are available to discuss how your organisation can achieve and demonstrate compliance in the most cost-effective manner. Our solutions allow you to use your internal resources where possible and embed compliance practices in organisational practices to maintain standards after your initial implementation phase.

Speak to a healthcare expert >>

More information is available on our website >>