Data Security and Protection Toolkit Standard for 2019-20 (updated 4 May 2020)

The Data Security and Protection Toolkit Standard (DSPT) has been reviewed for 2019-20. The standard builds on the work and learning from 2018-19.


Changes have been made in order to:

-   respond to lessons learned and direct feedback from users following the first year of the DSPT

-   improve the targeting of requirements to different categories of organisations

-   rationalise some of the General Data Protection Regulation (GDPR) evidence items which are now considered “business as usual”

-   incorporate the requirements of Cyber Essentials and the Minimum Cyber Security Standard (MCSS) for relevant larger NHS organisations

-   incorporate key elements of the Network and Information Systems (NIS) Regulations 2018 Cyber Assessment Framework (CAF) for relevant larger NHS organisations, as advised by the National Cyber Security Centre


The updates to the DSPT 2019-20 standard have led to an increase from 100 to 116 mandatory evidence items for NHS trusts. This is due to additional evidence items being added to cover Cyber Essentials, MCSS and key NIS/CAF requirements. This has been partially balanced by a rationalisation of the GDPR requirements within the toolkit, which has led to a reduction in the number of evidence items for most smaller organisations.

The requirements of the updated standard following the deadline extension, the original standard, and a mapping document from the 2018-19 standard are provided here:

-   DSPT Requirements 19-20 V1.9.6.xlsx

-   DSPT Changes 2018-19 to 2019-20.xlsx

-   DSPT Requirements 19-20 V1.9.7.xlsx

Where evidence items have not materially changed, existing responses have been carried forward. Assertions must be re-confirmed prior to publishing an assessment against the new standard.


Further detail applicable to NHS Trusts, CCGs, CSUs and Arm’s Length Bodies:

To ensure high data security standards are in place for the organisations which process the highest risk information in the health and care system, the standards for the above organisations have been raised to match those required by Government departments.

The lessons learned review of the WannaCry ransomware cyber attack, published in February 2018, recommended that all NHS organisations (Trusts) move towards Cyber Essentials PLUS, as recommended by the National Cyber Security Centre (NCSC). The DSPT standard for NHS Trusts has been uplifted to assist these organisations in meeting this standard by March 2021. Note that not all Cyber Essentials requirements will be mandatory in 2019-20.

An updated audit regime is in development to validate DSPT submissions. This will help provide assurance of data security and identify common problem areas.


Version control:

4 June 2019: Requirements sheet updated (v1.9.6): evidence item 9.3.9 removed (duplicate); 8.2.2 tooltip updated.

7 June 2019: Additional notes attached (including sector mapping): DSPT 19-20 Notes v1.00.docx

21 June 2019: Minor updates to reflect that the changes are no longer planned but implemented.

4 May 2020: Minor updates to reflect the deadline extension to 30 September 2020.