Data Security and Protection Toolkit Standard for 2020-21 (16 September 2020)


The Data Security and Protection Toolkit (DSPT) Standard has been reviewed for 2020-21 and is now available on NHS Digital’s Information Standards site.


Due to the extension of the deadline for 2019-20 submission date (to 30 September 2020), the 2020-21 standard will be implemented into the DSPT, after 30 September 2020.


Please note that the 2020-21 standard will be kept under review based on the COVID19 response.


Changes have been made in order to:

Respond to lessons learned and direct feedback from users following the second year of the DSPT.

Make “Cyber Essentials” requirements mandatory for relevant organisations in 2020-21.

Rationalise the evidence items which are now considered “business as usual” or where there is overlap between evidence items.


In response to feedback and analysis, wording of many evidence items has been improved to ensure requirements are clear and explicit.    


The requirements of the new standard are provided here:

2020-21 DSPT Requirements.xlsx


Organisation Categories:

Category 1: NHS Trusts (Foundation Trusts, Acute Trusts, Ambulance Trusts, Mental Health Trusts, Community Trusts, Care Trusts)

Category 2: Arm’s Length Bodies, CCGs and CSUs

Category 3: AQP Clinical Services, AQP Non-Clinical Services, Care Home, Charity/Hospice, Company, Dentist (NHS), Dentist (Private), Domiciliary Care Organisation, Local Authority, NHS Business Partner, Optician, Pharmacy, Prison, Researcher/Department, Secondary Use Organisation and University

Category 4: GP Practices


Where evidence items are not materially changed – existing responses will be carried forward. Assertions must be re-confirmed prior to publishing an assessment against the 2020-21 standard. 


Further detail applicable to NHS Trusts, CCGs, CSUs and Arm’s Length Bodies:

To ensure high data security standards are in place for the organisations which process the highest risk information in the health and care system, the standards for the above organisations have been raised.

No baseline publication will be required for 2020-21.


DSPT Independent Assessment (audit) and Big Picture Guides

The DSPT Independent Assessment Guides and Big Picture Guides for the next release of the DSPT toolkit (2020 -21) are now available on this page. The current guidance (2019-20) is still valid for the current live version of the DSPT. The links within the DSPT will still point to 2019-20 guidance. 


DSPT Independent Assessment

DSPT Independent Assessment Guides are now available for the 2020-21 DSPT Standard. Updates have been made to align with changes to the 2020-21 DSPT assertions and to incorporate feedback from the independent assessment and audit Pilot, which was carried out last year.

In developing these guides, we have gratefully received feedback from several stakeholders and would like to thank The Internal Audit Network (TIAN), including: Audit 360, ASW Assurance, MIAA, TIAA and West Midlands Ambulance Service NHS Foundation Trust, for their time and effort in reviewing the guidance.

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across audits and assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system. 

The 2020-21 guidance includes the following documents:

DSPT Strengthening Assurance Framework 2020-21 (pre DSPT uplift).pdf

DSPT Strengthening Assurance Guide 2020-21 (pre DSPT uplift).pdf

DSPT Strengthening Assurance Summary of Guides 2020-21 (pre DSPT uplift).pdf

DSPT Strengthening Assurance Templates 2020-21 (pre DSPT uplift).pptx


Organisations in scope

The guidance is designed to be used by DSPT independent assessment providers, including internal auditors, when assessing DSPT submissions. The organisations in scope for mandatory annual audits of their DSPT self-assessments are:

- NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

- Clinical Commissioning Groups

- Commissioning Support Units

- Arm’s Length Bodies


Assessment and Audit Scope for 2020-21

The advised scope for 2020-21 is reduced in size for this year, following feedback from the Pilot and taking into account the shortened timescale for completing the 2020-21 DSPT. DSPT independent assessments and audits should follow the scope set out below (also detailed in the DSP Toolkit Independent Assessment Guide)

- Org Profile Check - Check sector, key roles (Mail system & CE plus scope - validity)

- 13 Selected Assertions (mandatory evidence items only) - 1.6, 1.8, 2.2, 3.1, 4.2, 5.1, 7.2, 6.2, 7.3, 8.4, 8.3, 9.2 and 10.2


Big Picture Guides

Big Picture Guides provide more information about the 10 National Data Guardian standards and take you through the definitions used in the Data Security and Protection Toolkit.  The guides include suggestions and examples of how the standards might be achieved, how this relates to common current practises, together with useful resources.  Updated guides for 2020-21 are provided below.

Data Security guide 01 Personal confidential data ver 20-21 (pre DSPT uplift).pdf

Data Security guide 02 Staff Responsibilities ver 20-21 (pre DSPT uplift).pdf

Data Security guide 03 Staff Training ver 20-21 (pre DSPT uplift).pdf

Data Security guide 04 Managing Data Access  ver 20-21 (pre DSPT uplift).pdf

Data Security guide 05 Processes ver 20-21 (pre DSPT uplift).pdf

Data Security guide 06 Responding to incidents ver 20-21 (pre DSPT uplift).pdf

Data Security guide 07 Continuity Planning ver 20-21 (pre DSPT uplift).pdf

Data Security guide 08  Unsupported systems ver 20-21 (pre DSPT uplift).pdf

Data Security guide 09  IT Protection ver 20-21 (pre DSPT uplift).pdf

Data Security guide 10 Accountable suppliers ver 20-21 (pre DSPT uplift).pdf




Please note that in these unprecedented times the guidance may be subject to change throughout the year, depending on updates to the DSPT standard such as the recent National Data Opt Out deadline extension to March 2021.


Change Control:

1) Updated the number of evidence items  on 16/04/20. 

2) Added additional details on the changes and mappings 01/06/20.

3) Added updated CE+ equivalence 25/08/20.

4) Removed table 27/08/20.

5) Updated to explain that no baseline would be required for 2020-21.

6) Added 2020-21 big picture guides and assurance guidance. 14/09/20

7) Minor ammendment to assurance guide 16/09/20