Yes — completing the Data Security and Protection Toolkit (DSPT) is mandatory for all organisations that access or process NHS patient data and systems.
This requirement applies to NHS bodies, local authorities, care providers, independent contractors, and any third parties with access to NHS data. The DSPT must be completed annually to demonstrate compliance with national data protection and cybersecurity standards.
Failure to submit a DSPT assessment can result in:
- Loss of access to NHS systems and data
- Contractual restrictions or delays
- Increased regulatory scrutiny from NHS England and partner agencies
Maintaining DSPT compliance is not only a contractual requirement but also a key element of demonstrating responsible data stewardship and protecting patient trust.
