Data Security and Protection Toolkit (version 4) 2021-22 (Updated 9 June)

Overview of the Data Security and Protection Toolkit (version 4) 2021-22 requirements, including downloadable spreadsheet. Updated to reflect national data opt-out changes.


The Data Security and Protection Toolkit is an annual self-assessment. The deadline for the 2021-22 publication is 30 June 2022.

A downloadable spreadsheet listing requirements is available

Version control

9th June 2022: v1.04 spreadsheet provided, updated to reflect that the national data opt-out requirement has been changed to be non-mandatory in the 2021-22 (v4) Data Security and Protection Toolkit.

 

Key features of the 2021-22 standard (compared to 2020-21)


NHS Trusts and CSUs - Category 1

Rationalise evidence items where they are now considered “business as usual” or where there is overlap between evidence items.

Update technical requirements to reflect the current threat landscape, including connected medical devices, with specific improvements on unsupported operating systems and asset criticality assessment.

Map requirements to the Information Commissioner’s Office Data Protection Self Assessment.

Commissioning Support Units (CSUs) have moved from Category 2 to Category 1.

Reflect feedback from stakeholders and organisations.

CE+ on-site assessment is a non-mandatory requirement for 21-22.

Organisations should complete and publish their baseline assessment by 28 February 2022 and final assessment by 30 June 2022.  

 

CCGs and DHSC ALBs - Category 2

Rationalise evidence items where they are now considered “business as usual” or where there is overlap between evidence items.

Update technical requirements to reflect the current threat landscape.

Map requirements to the Information Commissioner’s Office Data Protection Self Assessment.

Reflect feedback from stakeholders and organisations.

CE+ on-site assessment is a non-mandatory requirement for 21-22.

Subject to the passage of legislation, it is expected that Integrated Care Boards (ICBs) will be established on 1st April 2022. The ICB will be responsible for submitting a Data Security and Protection Toolkit (DSPT). 

In the event that ICBs are not yet established on 1 April 2022, the responsibility for submitting the DSPT will remain with existing CCGs.

CCGs or ICBs must publish a DSP Toolkit for 2021-22 by 30th June 2022.

ALBs should complete and publish their baseline assessment by 28 February 2022 and final assessment by 30 June 2022.  

 

Primary Care (excluding GPs), Social Care, Companies, Charity/Hospice, Researchers/Universities, Local Authorities, NHS Business Partners - Category 3

Evidence items updated to aid understanding with additional information provided to support completion.

Evidence items rationalised where there is overlap between evidence items.

 

GP - Category 4

Evidence items updated to aid understanding with additional information provided to support completion.

 

More information

Further information on the standard is published on the NHS Digital website