DSPT Independent Assurance and Audit 2022-23 (Updated 29 September 2022)

Guidance for all NHS Trusts, ICBs, CSUs and DHSC Arms Length Bodies to have a DSPT Audit to the required mandatory scope and framework methodology.


All DSPT independent assessment/audit providers must follow the guidance provided at: https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides.

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system. 

It is mandated via the NHS Standard Contract and the DSPT requirement that the following NHS organisations annually complete a DSPT audit/independent assessment following this guidance

- NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

- Integrated Care Boards

- Commissioning Support Units

- DHSC Arm’s Length Bodies

Organisational Requirements:

Organisations must ensure that their audit provider follows the mandated scope which for this year (mandatory evidence items only) is set out in the DSPT Independent Assessment Guide and detailed below:

1.3 Accountability and Governance in place for data protection and data security

2.1 Staff are supported in understanding their obligations under the NDGs Data Security Standards

3.4 Leaders and board members receive suitable data protection and security training

4.1 The organisation maintains a current record of staff and their roles

4.2 Org. assures good management and maintenance of identity and access control for NIS

4.5 You ensure your passwords are suitable for the information you are protecting

5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents

6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses

7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents

7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions

8.3 Supported systems are kept up-to-date with the latest security patches

9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities

10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations

Organisational Audit provider requirement

Organisations shall ensure that their chosen audit provider is aware of the mandated framework which needs to be followed. The hallmark of the methodology is an output which includes: a risk rating against each of the 10 data security standards; an overall risk rating (based on the 10 individual ratings); and an overall confidence rating.

The example in the link below is from a previous year’s report (i.e. a different scope applies this year)

DSPT Audit Table.png

The presentation of these items can vary but it is vital that they are present, and that the framework is utilised in full

To meet the requirement, the audit functionality must be used.


Supporting Documents