This website uses cookies. View our cookie policy
United Kingdom
Select regional store:

The Data Security and Protection (DSP) Toolkit

From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.

Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian Review as well as complying with the requirements of the General Data Protection Regulation (GDPR).

The DSP Toolkit will apply to all healthcare organisations: both NHS and industry partners. The Department of Health (DoH) and NHS England have released guidance on the new toolkit, identifying the steps that NHS providers and GPs should take in 2017/18 to prepare for the new regulatory framework.

Key dates for implementation:

  • November 2017: The DSP Toolkit will be piloted in 500 health and care organisations.
  • January 2018: During January all organisations will have access to the new toolkit and can begin to consider their approach to implementation and compliance.
  • April 2018: Organisations will be required to comply with the DSP Toolkit. Further guidance will be published to support this.
  • May 2018: The GDPR and the Directive on Security of Network and Information Systems (NIS Directive) come into force, increasing the legislative requirements of healthcare organisations to their cyber and data security.

DSP toolkit guidance

The DSP Toolkit is arranged into three categories of leadership obligations: people, process and technology.


The human element of cyber security is often underplayed when organisations are planning for change. The DSP Toolkit highlights the need to improve the 'people' element to reduce organisational vulnerabilities:

  • Senior level responsibility: One senior executive, preferably a member of the organisation's board, should be responsible for data and cyber security. Ideally, this person will also be the senior information risk owner.
  • IG Toolkit v14.1: In 2017/18 organisations will still be required to comply with the IG Toolkit v14.1, to a minimum of level two. The DSP Toolkit will be released in April 2018, replacing the IG Toolkit.
  • Complete the GDPR checklist: The GDPR comes into force in May 2018, replacing the Data Protection Act 1998 (DPA) as the regulatory standard for any organisation that processes the personal data of EU residents. NHS Digital will publish a checklist of requirements for GDPR compliance. To achieve DSP Toolkit compliance, all organisations will need to complete that checklist to demonstrate adherence to the Regulation.
    For more information on GDPR compliance, including staff training, appointing a Data Protection Officer (DPO) and conducting a gap analysis, please visit our information page.
  • Training staff: All staff will be required to complete appropriate data security and protection training in line with the remit of their role. From 2018, NHS Health Education England training courses will include cyber security training modules and the requirements of the DSP Toolkit.


The DSP Toolkit identifies steps that need to be taken to prevent and mitigate the effects of a data breach:

  • Acting on CareCERT advisories: CareCERT advisories notify healthcare organisations of immediate and upcoming cyber security threats. Under the DSP Toolkit, organisations will be required to act on these notifications and, for the more severe threats, confirm within 48 hours that plans are in place to act on them.
  • Business continuity planning: The DSP Toolkit requires organisations to have a comprehensive plan to ensure business continuity while recovering from an event, such as a data breach or cyber attack.
    For information on the international framework for effective business continuity management (ISO 22301), please visit our information page.
  • Reporting incidents: All data security incidents will need to be reported to CareCERT in line with reporting guidelines.


Technology is a key element in achieving effective cyber security. The DSP Toolkit identifies the technology controls that need to be in place to support data security and protection:

  • Unsupported systems: Organisations will be required to identify unsupported systems and have a plan in place for these to be removed or replaced, or the risk actively managed.
  • On-site assessments: NHS organisations will be required to conduct an on-site assessment of cyber and data security, if invited to by NHS Digital. The outcomes of this assessment will need to be acted upon and shared with the appropriate commissioner.
  • Supplier certification: Supplier certification will need to be checked for any supplier of IT systems. Both the provider and the services will require the appropriate certification, which might include:

Adjustments have been made to the implementation of this guidance for GPs. This identifies the role of the CCG and the commissioned GP IT & Information Governance services to support practices in their Leadership Obligation One.

For more information on the implementation of this guidance in General Practices:

Talk to an expert

Safe data, safe care – CQC review

In July 2016 the Care Quality Commission (CQC) released its findings on safe data management in the NHS. It took three elements of data security into account: availability, integrity and confidentiality.

The CQC discovered that, although there was widespread commitment to data security, staff training and the infrastructure were not in place to manage this in line with day-to-day needs.

The CQC recommended six areas of improvement. The first four of these – leadership; information, tools and training; IT systems; and unsupported technology – have been addressed in the assurance guidance and will be requirements of the DSP Toolkit. The final two recommendations are:

  • “Audit and validation
    Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
  • CQC assessment
    We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors are appropriately trained.”

This suggests that NHS organisations will be audited against the standards set out in the new toolkit. It is likely that, if the CQC assessment framework includes data security as a parameter, this will be reflected in an organisation’s CQC rating. More information will be available once guidance is released in January 2018.

ISMS as a solution

A number of solutions are available to address the upcoming changes and challenges affecting information and cyber security in healthcare organisations.

The most effective approach to reducing cyber risk and ensuring regulatory compliance is to implement an ISO 27001-accredited information security management system (ISMS). This demonstrates that your organisation is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.

For more information on the benefits of an ISMS, please visit our information page or download our free guide.

For further information on the DSP Toolkit and tailored advice for implementation:

Talk to an expert