DSP Toolkit Audit & Support​

Data Security and Protection Toolkit  (DSP) Audits and pre-submission assessments

Note : The deadline for completing the DSP Toolkit has been announced as 30 June 2024 .

All organisations that have access to NHS patient data, deliver services under an NHS contract, use a shared health and care records system or are applying for NHSmail must complete the Data Security and Protection Toolkit to provide assurance that they are practicing good data security and that personal information is handled correctly. 

All CQC registered care providers should complete the DSPT at least once a year.

The DSP Toolkit is a free online self-assessment tool that allows organisations to measure their
performance against the National Data Guardian’s 10 data security standards. It is not just about technology and digital records, it is about any and all information you hold about any person ,staff , clients , patients ,partners or visitors and this incudes paper records.

The organisations in scope for mandatory annual audits of their DSPT self-assessments are:

·       NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

·       Clinical Commissioning Groups

·       Commissioning Support Units

·       Arm’s Length Bodies.

We provide an objective independent examination to assess the organisation against the requirements of the DSP Toolkit.

This increases the value and credibility of the assessment and collation of evidence produced by your own internal review which in turn increases user confidence and reduces your data protection risk.

Our independent review, carried out by experienced and practical Information Governance experts, also provides greater transparency to the Board and Trustees, highlighting areas of concern or risks.

As external auditors appointed by the organisation, we are able to act independently to ensure an objective approach to the audit process.

We follow the NHS Digital Data Security and Protection Toolkit (DSP Toolkit) Independent Assessment Framework and produce written reports and action plans as required to determine the organisations compliance with the National Data Guardian’s 10 data security standards.

As experienced independent assessors of Health and Social Care organisations we are able to provide comfort over the accuracy of your data protection compliance, for example, we can reveal any systematic errors occurring throughout the organisation or within individual departments – and often our report is critical to decision making for an organisation placing reliance on patient information.

We can challenge the robustness of the internal controls and processes an organisation has in place, giving an external perspective and valuable feedback leading to organsiational change where required.

And as we have previous experience in those areas, we know which on-site tests and documents that need to be carried out and reviewed as part of the audit, such as whether or not the evidence text is mandatory for each category of health and social care organisation.

We use our highly regarded professional judgement and expertise in further investigating and analysing the specific control environment, and associated risk, of each health and social care organisation.

For further information contact us: