3.1. Entry Level Evidence items (2019-20) required for NHSmail

Small organisations which have not previously published a full DSPT assessment are able to publish an ‘Entry Level’ assessment indicating that, while the DSPT Standard is not being met, critical Data Security Measures have been implemented. 

The following organisation types are eligible to publish an entry level assessment: 

  • Care Home
  • Charity / Hospice
  • Dentist (NHS)
  • Dentist (Private)
  • Domiciliary Care Organisation
  • NHS Business Partner
  • Optician
  • Pharmacy

For providers, completing and publishing an ‘Entry Level’ toolkit assessment also supports access to NHSmail, a centrally funded email service that is free for social care providers to use. It enables fast and secure information sharing with other health and care professionals. Further information for social care providers is available here and an Entry level Step by step guide is available .


The Entry Level Data Security and Protection Toolkit evidence items required to enable access NHSmail are: 

1.2.1      Are there approved data security and protection policies in place that follow relevant guidance?

1.3.1      What is your ICO Registration Number?

1.3.3      How have Individuals been informed about their rights and how to exercise them?

1.4.1      Provide details of the record or register that details each use or sharing of personal information.

1.5.1      Is there approved staff guidance on confidentiality and data protection issues?

1.6.1      There is an approved procedure that sets out the organisation’s approach to data protection by design and by default, which includes pseudonymisation requirements.

1.6.5      There is a staff procedure, agreed by the person with responsibility for data security, on carrying out a Data Protection Impact Assessment that follows relevant ICO guidance.

1.6.6      Is a Data Protection Impact Assessment carried out before high risk processing commences?

1.7.1      There is a policy and staff guidance on data quality.

2.1.2      When did your organisation last review the list of all systems/information assets holding or sharing personal information?

2.2.2      Do all employment contracts contain data security requirements?

4.1.1      Your organisation maintains a record of staff and their roles.

6.1.1      A data security and protection breach reporting system is in place.

10.1.1    The organisation has a list of its suppliers that handle personal information, the products and services they deliver, their contact details and the contract duration.