8. Frequently asked questions

Responses to frequently asked questions regarding the Data Security and Protection Toolkit.

Q – (GENERAL) Why does my organisation have to complete a Data Security and Protection Toolkit assessment?

A – This is covered in the “About the Data Security and Protection Toolkit” help document.


Q – (GENERAL) I am using the "Provide evidence for multiple organisations in one go" feature and sometimes I am only able to view answers, not change them. Why?

A – The "Provide evidence for multiple organisations in one go" function enables individuals to respond to text, date and checkbox questions in bulk. For questions that require a document, it is only possible to review responses in bulk. Expansion of this functionality will be kept under consideration as we monitor usage of the new tool. We need to be satisfied that the feature is easy to use, popular and that performance and speed are acceptable.


Q – (INCIDENT REPORTING) How do I edit an incident?

A – It is not possible to edit an incident.

The scope of the DSPT incident reporting system is limited to the initial notification to regulators. Once notified, the incident is managed by the ICO using their case management system.

Where an incident has been reported to the ICO / DHSC, any further updates should be brought to the attention of the ICO directly. 

It is acknowledged that information held on the DSPT reflects the best understanding at the point the incident was initially notified. 


Q – (DATA QUALITY) Is Data Quality limited to clinical coding in the DSPT / Is Clinical Coding included in the DSPT?

A – Whilst clinical coding is a vital component of data quality and is included in the DSPT, it is not the only element. We have worked with our colleagues in Data Quality Assurance to produce guidance covering elements of data quality beyond clinical coding, for both large and smaller organisations. This guidance is now published.

Guidance on data quality and clinical coding audits is available in "Data Security Standard 01 - Personal confidential data big picture guide".


Q – (ORGANISATION PROFILE) We run a hospital but also some GP practices. Which sector should we choose?

A – You should pick the sector which reflects the bulk of the work you undertake as an organisation.

For more information, please see “organisation types” guidance.


Q – (ORGANISATION PROFILE) The organisation profile asks if I have NHSmail, I don’t, but I do use another secure email provider (e.g. Office 365). Please can this be added to the organisation profile?

A – Where an organisation confirms NHSmail is the only email system used, there are a small number of evidence items which the organisation no longer needs to provide.

We recognise that NHSmail is not the only secure email service, however, at this stage we do not intend to add further options.

We do not believe it is feasible for organisations to reliably and consistently self-certify that they have an alternate secure email service, in a way which avoids adding additional complexity and burden to the organisation profile process for all users.

This will be kept under review.


Q – (ORGANISATION PROFILE) Once I have completed my organisation profile, can my responses be changed?

A – Yes, an organisation profile can be changed at any time by an administrator, using the admin menu. For example, your organisation may gain Cyber Essentials Plus certification during the year, and you may wish to update your organisation profile accordingly.


Q – (ORGANISATION PROFILE) Do I need Cyber Essentials Plus to complete a toolkit self assessment?

A – No. If you do not hold Cyber Essentials Plus certification, simply choose "no" or "don't know" when prompted. Organisations which do hold Cyber Essentials Plus do not have to respond to some toolkit questions, but Cyber Essentials Plus certification is not mandatory.

The same principle applies to any questions you may be asked about ISO 27001, NHSmail and PSNIA certification.


Q – (THE STANDARD) Do requirements vary between sectors?

A – Yes, the assertions and evidence items are tailored depending on your organisation type. For example, a domiciliary care organisation will see a sub-set of those items which an NHS Trust (for example) would be expected to provide, and the language will be tailored to be appropriate for a smaller organisation.


Q – (GENERAL) Our company is made up of several divisions… should we complete one assessment or one for each division?

A – If you are a single legal entity and have a single ICO registration but have multiple sites, one toolkit could cover them all. Please contact the helpdesk and we will provide access to Headquarters ("HQ") functionality and/or help you publish for all your sites.

If you have multiple legal entities, with multiple ICO registrations, it is unlikely that a single toolkit will cover everything. We would be happy to discuss how atypical organisations can make best use of the toolkit.


Q – (GENERAL) What does “beta” mean?

A – The “beta” logo indicates that the service is still subject to further development. For more information, please see the “system changes and release notes” article on the news page.


Q – (TRAINING) Staff surveys and the e-learning for health data security training are frequently mentioned within the toolkit. Do we have to use this training? Will the e-learning for health system automatically feed the DSPT?

A – Organisations are encouraged to use the national e-learning for health training tool.

Use of local training is however acceptable where the SIRO (or equivalent) has formally confirmed that local training is of an equivalent or higher standard.

Where the Data Security and Protection Toolkit requests training KPIs, these should be entered on the system manually (our user research to date has indicated that users prefer no automation).

You can also view responses to e-learning frequently asked questions.


Q: What happens if I am submitting data to NHS Digital systems via an API and my DSPT self-assessment renewal results in a ‘standards not met’ status?

A: You should take the following steps:

1) Assess the risk

2) If necessary stop submitting data/stop using your API. 

3) Review the guidance documents on the DSPT website and implement them accordingly.

4) If you need NHS Digital advice, use the "contact us" function on the NHS Digital website or email enquiries@nhsdigital.nhs.uk.


Q: We are an Independent Sector Healthcare Provider (ISHP) / non-NHS organisation applying for NHSmail. Do we have to complete the DSP Toolkit at HQ/provider level or site by site?

A: You will be required to complete a DSP Toolkit at HQ/provider level. Further information on registering sites and HQs is available at https://www.digitalsocialcare.co.uk/latest-guidance/registering-for-the-data-security-and-protection-toolkit/. It was written for the social care sector, but the advice is the same for ISHPs.


Q: Should a Primary Care Network (PCN) complete a DSP Toolkit?

A: All organisations who process health and/or care data should complete the DSPT (https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections/dapb0086-data-security-and-protection-toolkit).

If a PCN is a separate organisation from the general practices in the network, is processing health data, and is taking legal responsibility for that data processing, then it should complete the DSPT.

If the PCN is not a separate organisation and another organisation, such as the lead general practice, takes legal responsibility for the PCN's health data processing, then that general practice should include the PCN's data processing in its DSPT submission.

Primary Care Networks should select "Other (including charities and NHS Business Partners)" as their primary sector.


Q: Do I have to complete a DSP Toolkit every year?

A: The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations that process health and care data to measure their performance against the National Data Guardian’s 10 data security standards.

Health and care organisations that have access to NHS Patient Data and Systems should complete a Data Security and Protection Toolkit self-assessment every year against the standard. 


Q: What are DSP Toolkit Certificates?

A: The DSPT certificate is a quick and visual way to demonstrate your DSPT compliance.

Organisations who reach Standards Met or Standards Exceeded can download the certificate which includes the standard they have reached, the year of their DSPT and the date they published. Certificates are available for the most recent year of publication, and only for 2021/22 or 2022/23.

Here are some tips on how to make the most of it:

- Print your certificate and display it on your premises.

- Upload it to your website.

- Share it with people seeking care.

- Use it as evidence where relevant for CQC, commissioners, NHS partners, bids, data suppliers etc.

Head offices (HQs) can access the certificate within the Previous Publications section of their DSPT account. If your DSPT covers multiple sites, you will need to download the certificate and share it with them.

A short guide is available on how to access and use your DSPT certificate.

Q – I am a pharmacy and cannot see the option to upload my GDPR Workbook. Why?

A – The GDPR Workbook is no longer included for upload into the DSPT.

It can still be a valuable source of evidence for you to draw on, but this year you will need to give positive confirmation for each evidence item, rather than having them all answered automatically on the basis of a completed GDPR Workbook.


Q – (SUPPORT) Who should I contact if I have any queries?

A – Please contact the helpdesk if you have any queries. Contact details are available from the contact us page.

We appreciate your feedback, but please note that we are unable to respond to specific queries raised through the ‘feedback’ function. Please use the helpdesk for this purpose.