Data Security and Protection Toolkit Standard for 2020-21 (1 June 2020)


The Data Security and Protection Toolkit (DSPT) Standard has been reviewed for 2020-21 and is now available on NHS Digital’s Information Standards site.


Due to the extension of the deadline for 2019-20 submission date (to 30 September 2020), the 2020-21 standard will be implemented into the DSPT, after 30 September 2020.


Please note that the 2020-21 standard will be kept under review based on the COVID19 response.


Changes have been made in order to:

- Respond to lessons learned and direct feedback from users following the second year of the DSPT.

- Make “Cyber Essentials” requirements mandatory for relevant organisations in 2020-21.

- Rationalise the evidence items which are now considered “business as usual” or where there is overlap between evidence items.


In response to feedback and analysis, wording of many evidence items has been improved to ensure requirements are clear and explicit.    


The updates to the DSPT 2020/21 standard have led to a reduction in the total number of evidence items for all organisations. A comparative breakdown is provided in the table below:


  Category 1 organisations Category 2 organisations Category 3 organisations Category 4 organisations
Total number of evidence  items 2019-20 179 157 115 61
Total number of evidence  items 2020-21 149 145 95 50


Organisation Categories:

Category 1: NHS Trusts (Foundation Trusts, Acute Trusts, Ambulance Trusts, Mental Health Trusts, Community Trusts, Care Trusts)

Category 2: Arm’s Length Bodies, CCGs and CSUs

Category 3: AQP Clinical Services, AQP Non-Clinical Services, Care Home, Charity/Hospice, Company, Dentist (NHS), Dentist (Private), Domiciliary Care Organisation, Local Authority, NHS Business Partner, Optician, Pharmacy, Prison, Researcher/Department, Secondary Use Organisation and University

Category 4: GP Practices


The requirements of the new standard is provided here:

- 2020-21 (version 3) Requirements

 Where evidence items are not materially changed – existing responses will be carried forward. Assertions must be re-confirmed prior to publishing an assessment against the 2020/21 standard. 


"Big picture" guidance documentation will be updated to reflect the 2020-21 standard.


Further detail applicable to NHS Trusts, CCGs, CSUs and Arm’s Length Bodies:

To ensure high data security standards are in place for the organisations which process the highest risk information in the health and care system, the standards for the above organisations have been raised.


Updated audit guidance has been made available for the 2019/20 standard to validate submissions. An updated version will also be released for the 2020/21 standard. This will help provide assurance of data security and identify common problem areas.

Change Control:

1) Updated the number of evidence items  on 160420. 

2) Added additional details on the changes and mappings.

Supporting Documents