Data Security and Protection Toolkit: A Comprehensive Analysis of Its Role, Implementation Challenges, and Impact on Healthcare Organisations

The Data Security and Protection Toolkit (DSPT): A Comprehensive Analysis of its Role in UK Healthcare Data Security

Many thanks to our sponsor Esdebe who helped us prepare this research report.

Abstract

The Data Security and Protection Toolkit (DSPT) is an indispensable online self-assessment and assurance framework meticulously developed by the UK’s National Health Service (NHS). Its primary objective is to empower healthcare organisations and their partners to systematically measure and demonstrably improve their performance against stringent data security and information governance requirements. This extensive report provides a profound and in-depth analysis of the DSPT, meticulously tracing its historical evolution from its predecessor, the Information Governance (IG) Toolkit. It thoroughly dissects its complex structure, articulates the pervasive implementation challenges encountered by diverse organisational types – from large NHS Trusts to independent primary care providers – and critically evaluates its profound impact on healthcare data security posture.

Furthermore, this report rigorously examines the toolkit’s intricate alignment with broader national and international data protection regulations, notably the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and the Network and Information Systems (NIS) Regulations. By exploring these interconnections, the analysis offers critical insights into the DSPT’s multifaceted effectiveness in not only robustly enhancing patient data security but also in fostering a consistent, resilient, and proactive security culture across the entirety of the UK’s health and social care sector. It delves into the granular aspects of its annual review process, the implications for supply chain security, and provides forward-looking recommendations for continuous improvement and adaptation to an evolving threat landscape.

1. Introduction

In an increasingly digitised world, the healthcare sector stands at the nexus of technological advancement and profound ethical responsibility, entrusted with safeguarding some of the most sensitive and personal information imaginable: patient health data. The pervasive transition from paper-based records to intricate digital ecosystems, while offering unprecedented efficiencies and improvements in patient care, simultaneously introduces a myriad of complex data security challenges. The sheer volume and intrinsic value of patient data make healthcare organisations prime targets for cyber attackers, ranging from opportunistic criminals to sophisticated state-sponsored groups. The consequences of a data breach in healthcare extend far beyond financial penalties; they erode public trust, compromise patient privacy, disrupt critical care services, and can even endanger lives.

Recognising the escalating threats and the imperative to establish a uniform, high standard of data security across its vast and interconnected ecosystem, the NHS introduced the Data Security and Protection Toolkit (DSPT). Launched as a successor to the less comprehensive Information Governance (IG) Toolkit, the DSPT was conceptualised as a dynamic, living framework designed to provide a standardised, transparent, and auditable mechanism for organisations to assess, demonstrate, and continuously improve their data security and information governance practices. This report embarks on a critical evaluation of the DSPT’s pivotal role in elevating data security standards within healthcare organisations throughout the UK. It will delve into the nuanced intricacies of its structural design, illuminate the multifaceted implementation challenges that diverse entities encounter, and meticulously analyse its strategic alignment with the broader regulatory landscape, thereby offering a comprehensive understanding of its present efficacy and future potential.

2. Evolution and Structure of the DSPT

2.1 Historical Background: From IG Toolkit to DSPT

The genesis of the DSPT can be traced back to a pressing need to modernise and fortify data protection within the NHS, moving beyond the capabilities of its predecessor, the Information Governance (IG) Toolkit. The IG Toolkit, while foundational for its time, was increasingly perceived as insufficient to address the rapidly evolving cyber threat landscape and the growing complexity of digital health records. Its scope was primarily focused on traditional information governance principles, often lacking the granular detail and cyber security emphasis required for contemporary digital environments.

Several key factors spurred the transition to the DSPT. Firstly, the catastrophic WannaCry ransomware attack in May 2017 served as a stark, global wake-up call, profoundly exposing vulnerabilities within NHS IT systems and underscoring the critical need for a more robust, cyber-centric security framework. The incident highlighted the devastating potential of cyber-attacks to disrupt patient care and compromise sensitive data, prompting an urgent re-evaluation of national data security strategies. Secondly, the impending arrival of the General Data Protection Regulation (GDPR) in May 2018, along with the subsequent Data Protection Act 2018 (DPA 2018), mandated significantly higher standards for data protection, accountability, and breach reporting. Organisations were required to demonstrate ‘appropriate technical and organisational measures’ to protect personal data, a requirement that the IG Toolkit was ill-equipped to facilitate comprehensively.

In parallel, the National Data Guardian for Health and Social Care, Dame Fiona Caldicott, conducted a comprehensive review of data security in the NHS, culminating in her 2016 report, ‘Review of Data Security, Consent and Opt-Outs’. This seminal report outlined 10 crucial data security standards, establishing a definitive benchmark for all health and social care organisations. These standards were designed to instil a culture of proactive data protection, ranging from leadership accountability to incident response. The DSPT was explicitly engineered to provide a practical framework for organisations to assess and demonstrate their adherence to these 10 National Data Guardian (NDG) Data Security Standards. The 10 standards are:

  1. Personal Confidential Data (PCD) Handled Appropriately: All staff understand their responsibilities under the Data Security Standards, Data Protection Act, Caldicott Principles, and common law duty of confidentiality.
  2. Staff Training: All staff undertake mandatory annual data security awareness training.
  3. Reporting Incidents: All staff know how to report data security incidents and breaches, and incidents are acted upon appropriately.
  4. Security of IT Systems: IT systems and data are protected from cyber threats and unauthorised access, with regular patching and updates.
  5. Managing Access to Data: Access to confidential data is controlled, auditable, and based on job role and need.
  6. Data Quality: Data is accurate, complete, and reliable.
  7. Supplier Contracts: Contracts with third parties include explicit data security and confidentiality clauses.
  8. Business Continuity: Robust plans are in place to restore IT systems and access to data in the event of a breach or system failure.
  9. Risk Management: Organisations regularly assess and manage risks to data security, including physical security and human error.
  10. Leadership and Accountability: Senior leadership takes clear responsibility for data security, supported by a Senior Information Risk Owner (SIRO) and Caldicott Guardian.

Furthermore, the DSPT incorporated elements of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). The CAF provides a systematic approach to assessing an organisation’s cyber resilience, categorised into 14 principles across four objectives: organisational governance, risk management, security architecture, and operational security. For the health and social care sector, a specific CAF profile was developed to tailor these principles to the unique operational context and critical dependencies of healthcare, ensuring that the DSPT’s technical requirements are aligned with national cyber security best practices, particularly for Operators of Essential Services (OES) under the NIS Regulations.

2.2 Framework and Standards: Assertions, Evidence, and Assessment

The DSPT is fundamentally an online portal that presents organisations with a structured series of ‘assertions’ – statements describing a particular data security or information governance practice – against which they must provide ‘evidence items’. These evidence items are tangible proofs demonstrating that the organisation has met the requirements outlined in the assertion. The nature of these evidence items is diverse, encompassing:

  • Policy Documents: Formal written statements outlining the organisation’s stance and approach to data security, e.g., a Data Protection Policy, Information Security Policy, or Acceptable Use Policy.
  • Procedural Documents: Step-by-step guides for specific tasks, e.g., an Incident Response Procedure, Data Breach Protocol, or Staff Onboarding/Offboarding Procedure.
  • Training Records: Documentation proving staff have undergone mandatory data security awareness training, including attendance logs, completion certificates, and content outlines.
  • Technical Reports: Outputs from security assessments such as penetration tests, vulnerability scans, audit logs, or configuration reports for IT systems.
  • Contractual Agreements: Clauses within third-party contracts stipulating data security requirements and responsibilities.
  • Risk Registers: Documentation of identified risks, their assessment, and mitigation strategies.
  • Meeting Minutes: Records of governance meetings where data security is discussed, decisions made, and actions assigned.

The DSPT categorises organisations based on their nature and the volume/sensitivity of data they handle. This ensures that the requirements are proportionate and relevant. Categories include NHS organisations (e.g., Trusts, Integrated Care Boards), social care providers (e.g., care homes, domiciliary care agencies), general practitioners (GPs), community pharmacies, optical practices, dental practices, and commercial organisations that process NHS data. While the core NDG standards and CAF principles apply broadly, the specific assertions and evidence items are sometimes tailored to reflect the operational realities and scale of different provider types.

Organisations are assessed against these assertions and assigned a status, typically:

  • Approaching Standards: Indicates that the organisation is working towards compliance but has not yet met all required assertions.
  • Standards Met: The organisation has successfully met all mandatory assertions for its organisational type, demonstrating a good level of compliance.
  • Standards Exceeded: The organisation has not only met all mandatory requirements but has also implemented additional best practices, often going beyond the baseline to achieve a higher level of data security and resilience.

The toolkit is subject to rigorous annual reviews and updates. This annual cycle is crucial for several reasons: it ensures the DSPT remains aligned with the latest regulatory changes (e.g., updates to GDPR guidance, new NIS interpretations), incorporates emerging cyber threat intelligence, reflects advancements in technology, and integrates feedback from users. This iterative process guarantees that the DSPT remains a relevant and effective tool in the dynamic landscape of data security. For example, recent updates have seen an increased emphasis on aligning with the CAF for specific categories of organisations, reflecting the NCSC’s evolving guidance on cyber resilience for critical national infrastructure. Furthermore, compliance with the DSPT is often a mandatory contractual requirement for any organisation wishing to provide services to, or process data on behalf of, the NHS, making it a critical gateway for participation in the health and social care ecosystem.

3. Implementation Challenges

While the DSPT offers an invaluable framework for enhancing data security, its implementation can present substantial challenges, particularly for organisations with varying capacities and existing infrastructures. These challenges often intersect, creating complex hurdles that require strategic planning and dedicated effort to overcome.

3.1 Resource Constraints

Implementing the DSPT is far from a trivial undertaking; it is inherently resource-intensive, demanding significant investment across three critical dimensions: time, budget, and skilled personnel. The cumulative effort required to thoroughly review, update, and implement policies, procedures, technical controls, and provide comprehensive training across an entire organisation can consume hundreds, if not thousands, of person-hours annually. This includes time spent on:

  • Evidence Gathering: Locating, compiling, and preparing documentation, often requiring input from multiple departments.
  • Gap Analysis: Identifying areas where current practices fall short of DSPT requirements.
  • Remediation: Implementing new controls, upgrading systems, or developing new policies.
  • Training: Developing and delivering staff training on new policies and procedures.
  • Review and Approval: Internal sign-off processes, including engagement with senior leadership and governance bodies.

For larger NHS Trusts, which typically benefit from dedicated Information Governance (IG), IT, and cyber security teams, these resource demands, though significant, can often be absorbed. However, for Small and Medium-sized Enterprises (SMEs), such as independent general practices, community pharmacies, dental practices, or care homes, the allocation of sufficient resources becomes a formidable challenge. These organisations frequently operate with lean administrative teams, limited IT support, and constrained budgets. The opportunity cost of diverting staff from core clinical or operational duties to focus on DSPT compliance can be substantial, leading to delays, incomplete submissions, or reliance on external, often costly, consultancy services. Without adequate funding streams or tailored support mechanisms, smaller entities face a disproportionate burden, potentially compromising their ability to meet standards and, by extension, their capacity to securely participate in the wider health and social care landscape.

3.2 Complexity of Requirements

The DSPT’s requirements, while comprehensive and necessary, can be exceptionally complex and highly technical, posing a significant interpretational hurdle for many organisations. The toolkit covers a broad spectrum of domains, encompassing not only traditional information governance principles (e.g., data quality, confidentiality, consent) but also intricate cyber security measures (e.g., penetration testing, vulnerability management, secure configuration, incident response frameworks, supply chain assurance). This breadth means that a single assertion might touch upon legal, technical, and operational aspects simultaneously.

For organisations lacking specialised expertise, deciphering the precise intent behind certain assertions, understanding the technical jargon, or identifying the correct evidence can be daunting. For instance, an assertion related to ‘secure system configuration’ might require knowledge of operating system hardening guides (e.g., CIS benchmarks), network segmentation principles, and firewall rules, far exceeding the typical IT knowledge of a general practice manager. This complexity can lead to:

  • Misinterpretation: Organisations may believe they are compliant when their practices only superficially meet the requirements, leaving underlying vulnerabilities unaddressed.
  • Over-engineering: Unnecessary or overly complex solutions are implemented, wasting resources without genuinely enhancing security.
  • Under-compliance: Critical requirements are overlooked or misunderstood, leading to gaps in their security posture.
  • Frustration and Disengagement: The sheer difficulty can overwhelm staff, leading to a sense of futility and reduced engagement with the compliance process.

The need for clear, unambiguous guidance, supported by practical examples and accessible language, is paramount to mitigate this challenge. Without it, the risk of confusion, errors, and ultimately, compromised data security, remains high.

3.3 Skills Gap

Arguably one of the most significant and pervasive challenges is the critical scarcity of specialised expertise in data security, information governance, and cyber security across the UK healthcare sector. The demand for qualified professionals in these fields far outstrips supply, leading to intense competition for talent and inflated recruitment costs.

Organisations require a diverse skill set to effectively implement and maintain DSPT compliance, including:

  • Senior Information Risk Owners (SIROs): Individuals with strategic oversight of information risk.
  • Caldicott Guardians: Senior clinicians or managers responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.
  • Data Protection Officers (DPOs): Experts in data protection law (GDPR/DPA 2018).
  • Information Governance Officers: Specialists in policy development, auditing, and compliance.
  • Cyber Security Analysts: Technical experts capable of conducting risk assessments, managing security tools, and responding to incidents.
  • Trainers: Individuals skilled in developing and delivering effective data security awareness programs.

Smaller organisations, in particular, often lack the financial means or the organisational structure to attract and retain such high-calibre professionals. They frequently rely on individuals with dual roles (e.g., a practice manager doubling as an IG lead) or external consultants, which can be an expensive and fragmented approach. This skills gap manifests in several ways:

  • Inadequate Risk Assessment: Failure to accurately identify and assess data security risks due to a lack of technical or governance expertise.
  • Ineffective Incident Response: Delays or errors in responding to security incidents, exacerbating their impact.
  • Poor Policy Implementation: Policies developed without sufficient understanding of operational realities or technical capabilities.
  • Suboptimal Technology Utilisation: Inability to effectively configure and manage security tools.

Addressing this requires a multi-faceted approach, including strategic investment in workforce development, national training initiatives, and mechanisms for sharing expertise across the sector.

3.4 Legacy Systems and Processes

The NHS, like many long-established organisations, operates a vast and heterogeneous IT estate, often characterised by a complex mix of modern digital systems alongside deeply entrenched legacy systems and processes. Integrating the DSPT’s contemporary requirements with this existing infrastructure frequently exposes significant discrepancies where technology, operational processes, or organisational culture have failed to keep pace with evolving security standards.

Legacy Systems: These older systems, often developed decades ago, present inherent security vulnerabilities:

  • Outdated Software/Hardware: May no longer receive security updates or patches, making them susceptible to known exploits.
  • Interoperability Issues: Difficult to integrate securely with newer systems or modern security controls (e.g., multi-factor authentication).
  • Technical Debt: Accumulated complexity and dependencies make them costly and risky to upgrade or replace.
  • Limited Functionality: May lack modern security features such as robust auditing, encryption at rest, or granular access controls.

Legacy Processes and Culture: Beyond technology, deeply ingrained practices can impede effective DSPT implementation:

  • Paper-Based Records: Despite digitisation efforts, many organisations still retain significant paper records, requiring physical security controls and careful manual data handling, which are prone to human error.
  • Misaligned Policies: Disparate policies across different business units or acquired entities may not align with a unified data security strategy.
  • Lack of Digital Traceability: Processes that pre-date comprehensive digital record-keeping can make it challenging to track data access, modifications, or transfers, hindering auditability.
  • Cultural Resistance to Change: Staff accustomed to older ways of working may resist new, more stringent security protocols, viewing them as burdensome rather than beneficial.
  • Staff Unclear on Roles: Ambiguity regarding individual responsibilities for data protection, particularly in complex multi-disciplinary teams, can lead to gaps in accountability.

Addressing these issues demands a proactive and strategic approach: systematic process migration from manual to digital, robust policy harmonisation across all organisational units, comprehensive and continuous staff training tailored to specific roles, and, crucially, a long-term digital transformation roadmap that prioritises the secure retirement and replacement of legacy systems. Without this, organisations face significant challenges in achieving consistent DSPT compliance and maintaining a truly secure environment.

3.5 Stakeholder Engagement and Buy-in

Effective implementation of the DSPT hinges not just on technical and procedural changes, but critically on robust stakeholder engagement and achieving widespread buy-in across all levels of an organisation. Without the active support and understanding of key stakeholders, even the most well-designed security initiatives can falter.

  • Leadership Buy-in: Senior leadership, including the Board, SIRO, and Caldicott Guardian, must visibly champion the DSPT. Their commitment sets the tone for the entire organisation. Challenges arise when leaders view DSPT solely as a compliance burden rather than a strategic enabler of safe patient care. Their active participation in risk reviews, resource allocation, and communication of the DSPT’s importance is essential.
  • Frontline Staff and Clinical Teams: These individuals are at the coalface of data handling and often bear the direct impact of new security measures. Challenges include engaging them effectively, demonstrating the relevance of security protocols to their daily work, and overcoming resistance to perceived administrative overheads. Lack of awareness about why certain procedures are necessary, or how they protect patients, can lead to non-compliance. Communication strategies must be tailored to different roles, emphasising the patient safety and trust aspects of data security.
  • IT and Information Governance Teams: These teams are directly responsible for implementing and maintaining many of the DSPT’s technical and procedural requirements. Challenges can include managing conflicting priorities, securing adequate budget for necessary tools and training, and dealing with the complexity of integrating new security controls into existing IT infrastructure. Effective collaboration between these teams is paramount.

3.6 Interoperability and Supply Chain Complexity

The UK healthcare ecosystem is a complex web of interconnected organisations, ranging from NHS bodies to numerous independent providers and a vast network of third-party suppliers (e.g., IT service providers, cloud hosts, medical device manufacturers, pharmacies, pathology labs). The DSPT explicitly extends its reach to these external entities, recognising that the security of patient data is only as strong as its weakest link within the entire supply chain.

  • Supply Chain Assurance: The DSPT requires organisations to conduct due diligence on their suppliers and ensure that contractual agreements include explicit data security and confidentiality clauses, mandating DSPT compliance or an equivalent standard. The challenge lies in verifying and continuously monitoring the security posture of dozens, or even hundreds, of third-party providers, especially when these providers might themselves subcontract aspects of their services.
  • Interoperability Challenges: The secure exchange of patient data between disparate systems and organisations is fundamental to modern healthcare. However, ensuring secure interoperability – where data is shared appropriately, with consent, and protected in transit and at rest – adds significant complexity. Different systems may have varying security capabilities, encryption standards, or access control mechanisms, creating potential vulnerabilities at integration points.
  • Risk of ‘Weakest Link’: A data breach originating from a third-party supplier can have devastating consequences for the primary healthcare organisation, both in terms of reputational damage and regulatory fines. Managing this extended risk requires robust vendor risk management programs, regular audits, and clear incident reporting obligations within contracts.

These challenges highlight the systemic nature of data security in healthcare, where individual organisational compliance is necessary but insufficient without a holistic approach to securing the entire ecosystem.

4. Impact on Healthcare Organisations

Despite the inherent challenges, the DSPT has profoundly influenced the landscape of data security and information governance within UK healthcare. Its systematic application has yielded significant positive impacts, fostering a more secure, compliant, and trustworthy environment for patient data.

4.1 Enhancing Data Security Posture

The DSPT provides a structured, comprehensive framework that guides organisations through a systematic assessment and improvement of their data security practices. By meticulously addressing each of the toolkit’s assertions, organisations are compelled to:

  • Identify Vulnerabilities: The self-assessment process acts as an internal audit, uncovering previously unrecognised weaknesses in technical systems, administrative processes, or staff practices.
  • Implement Necessary Controls: The toolkit mandates the deployment of a wide array of security controls, moving organisations from reactive ad-hoc measures to a proactive, layered security architecture. This includes, but is not limited to:
    • Robust Access Controls: Implementing multi-factor authentication (MFA), role-based access control (RBAC), and regular access reviews to ensure only authorised personnel can access sensitive data.
    • Data Encryption: Mandating encryption for data at rest (on servers, databases, and devices) and in transit (during transmission between systems or organisations) to protect against unauthorised interception.
    • Vulnerability Management: Establishing regular vulnerability scanning, penetration testing, and timely patching regimes for all IT systems.
    • Security Monitoring and Incident Response: Deploying security information and event management (SIEM) systems, establishing clear incident response plans, and conducting regular drills to enhance preparedness.
    • Device and Asset Management: Implementing secure configuration baselines for all devices, maintaining an accurate inventory of assets, and ensuring secure disposal procedures.

By systematically addressing these areas, organisations elevate their overall security posture, significantly reducing the likelihood and potential impact of data breaches, cyber-attacks, and unauthorised access incidents. The DSPT encourages a shift from mere compliance to genuine resilience, transforming security from a checkbox exercise into an embedded operational priority.

4.2 Fostering a Consistent Security Culture

One of the most transformative impacts of the DSPT is its role in cultivating a consistent and robust security culture across the diverse and fragmented healthcare sector. By mandating annual completion and requiring senior leadership sign-off, the toolkit elevates data security from a purely technical concern to a strategic organisational imperative. This top-down emphasis permeates all levels of an organisation, fostering a collective responsibility for data protection.

Key aspects of this cultural shift include:

  • Universal Awareness: The requirement for mandatory annual data security awareness training for all staff ensures that everyone, from clinical staff to administrators and volunteers, understands their individual responsibilities in safeguarding patient information. This educates staff on common threats (e.g., phishing, social engineering), safe data handling practices, and incident reporting procedures.
  • Leadership Engagement: The involvement of the SIRO and Caldicott Guardian ensures that data security is regularly discussed at Board level, integrated into strategic planning, and resourced appropriately. This visible commitment from leadership reinforces the importance of security.
  • Standardised Practices: The DSPT promotes the adoption of standardised best practices, ensuring that data is handled consistently across different departments, organisations, and care settings. This reduces variations in security posture and strengthens the overall ecosystem.
  • Collaborative Environment: By setting a common baseline, the DSPT encourages organisations to share knowledge, experiences, and best practices. This can lead to the formation of peer networks, regional forums, and collaborative initiatives focused on improving collective security.

Ultimately, a strong security culture means that data protection becomes an intrinsic part of daily operations and decision-making, rather than an afterthought, significantly enhancing patient trust and safety.

4.3 Accountability and Compliance

The DSPT serves as a powerful mechanism for demonstrating accountability and ensuring compliance with a multitude of legal, regulatory, and ethical obligations. It transforms abstract requirements into concrete, auditable actions.

  • Demonstrable Accountability: The toolkit requires organisations to maintain comprehensive records of their data security measures, policies, and incident responses. This transparency demonstrates a proactive commitment to safeguarding sensitive information to patients, regulators (such as the Information Commissioner’s Office – ICO), and other stakeholders.
  • Legal and Regulatory Compliance: By addressing the NDG’s 10 Data Security Standards and aspects of the CAF, organisations are simultaneously working towards compliance with:
    • General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018): The DSPT helps organisations meet their obligations under these laws, particularly the principles of ‘integrity and confidentiality’ (Article 5(1)(f) GDPR) and the requirement to implement ‘appropriate technical and organisational measures’ (Article 32 GDPR).
    • Common Law Duty of Confidentiality: Upholding the ethical and legal obligation to keep patient information confidential.
    • Caldicott Principles: Adhering to the eight principles for the use and sharing of health and social care information.
    • NHS Terms and Conditions for the Provision of Services: For suppliers, DSPT compliance is often a contractual prerequisite.
  • Risk Mitigation: Non-compliance with data protection legislation can result in substantial fines (up to €20 million or 4% of global annual turnover under GDPR), severe reputational damage, loss of patient trust, and even withdrawal of contracts. The DSPT provides a structured pathway to mitigate these significant risks, enabling organisations to identify and address weaknesses proactively before they lead to costly breaches.

By providing a clear framework for demonstrating compliance, the DSPT bolsters an organisation’s credibility and reinforces public confidence in the secure handling of sensitive health data.

4.4 Alignment with Broader Data Protection Regulations

The strategic design of the DSPT ensures a robust alignment with key national and international data protection and cyber security regulations, making it a pivotal tool for achieving multi-faceted compliance.

  • General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018): The DSPT is intrinsically linked to the principles and requirements of GDPR. The 10 NDG Data Security Standards directly address GDPR’s core principles, particularly those relating to integrity, confidentiality, and accountability. For instance, DSPT assertions on access controls, encryption, incident response, and staff training directly contribute to an organisation’s ability to demonstrate ‘appropriate technical and organisational measures’ (Article 32 GDPR) and ensure the ‘security of personal data’ (Article 5(1)(f) GDPR). By successfully completing the DSPT, organisations are effectively building the necessary foundations to meet their GDPR obligations for securing health data, thereby reducing the risk of regulatory enforcement actions and fines from the ICO.

  • Network and Information Systems (NIS) Regulations 2018: The NIS Regulations aim to boost the overall level of security of network and information systems for providers of essential services and digital service providers. In the health sector, this primarily applies to ‘Operators of Essential Services’ (OES), which include NHS Trusts providing acute care, ambulance services, mental health services, and potentially some large independent providers that form part of the critical national infrastructure. The NIS Regulations mandate OES to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems. Crucially, the NCSC’s Cyber Assessment Framework (CAF) is the recognised standard for OES to demonstrate their compliance with NIS. The DSPT has increasingly integrated elements of the CAF, particularly for OES, requiring them to demonstrate adherence to specific CAF principles through their DSPT submission. This alignment ensures that healthcare OES can use the DSPT as a primary vehicle to evidence their NIS compliance, undergo necessary independent audits, and contribute to the resilience of critical health services.

  • Caldicott Principles and Common Law Duty of Confidentiality: Beyond formal regulations, the DSPT reinforces the long-standing ethical and legal duties of confidentiality specific to health and social care. The toolkit’s emphasis on appropriate handling of personal confidential data, controlled access, and secure information sharing directly supports adherence to the Caldicott Principles, which govern the sharing of patient information.

This comprehensive alignment means that organisations engaging with the DSPT are not merely ticking boxes for one framework but are simultaneously building robust foundations to meet multiple, interconnected legal and ethical obligations, creating a more cohesive and efficient approach to data protection.

5. Case Studies: Diverse Organisational Impacts

The impact and implementation experience of the DSPT vary significantly across the diverse spectrum of healthcare organisations in the UK. Examining these variations through case studies illuminates both the toolkit’s adaptability and the specific challenges faced by different types of providers.

5.1 Large NHS Trusts

Large NHS Trusts, such as acute hospitals, mental health trusts, and large community trusts, typically manage extensive IT infrastructures, process vast quantities of highly sensitive patient data, and serve large populations. They generally possess greater resources, enabling a more effective implementation of the DSPT.

  • Resource Advantages: These organisations often have dedicated, multi-disciplinary teams focused on Information Governance, Cyber Security, and IT. This allows for a structured approach to DSPT compliance, including:
    • Specialised Personnel: Employing dedicated SIROs, Caldicott Guardians, DPOs, and technical cyber security teams capable of addressing complex assertions related to vulnerability management, penetration testing, and incident response.
    • Budget Allocation: Access to larger budgets for security technologies (e.g., SIEM, endpoint detection and response, advanced firewalls), external consultancy, and comprehensive staff training programs.
    • Established Governance: Existing robust governance structures, risk committees, and internal audit functions that can integrate DSPT compliance into routine operations.
  • Best Practices: Large Trusts often achieve ‘Standards Met’ or even ‘Standards Exceeded’ ratings by implementing sophisticated controls such as:
    • ISO 27001 Certification: Many large Trusts seek independent ISO 27001 certification, which provides an internationally recognised framework for information security management, significantly overlapping with DSPT requirements and streamlining compliance efforts.
    • Advanced Threat Intelligence: Integrating national and international threat intelligence feeds to proactively defend against emerging cyber threats.
    • Mature Incident Response: Well-defined incident response plans, regularly tested through simulation exercises, ensuring rapid and effective handling of security breaches.
  • Persistent Challenges: Despite their advantages, large Trusts are not immune to implementation challenges. Their sheer scale and complexity present unique hurdles:
    • Legacy IT Estate: Managing a vast array of legacy systems alongside modern infrastructure, making universal patching, secure configuration, and data flow mapping a formidable task.
    • Distributed Data: Patient data residing in numerous departmental systems, often with varying levels of security controls, complicates unified data protection efforts.
    • Workforce Size: Ensuring consistent data security awareness and adherence across tens of thousands of staff, including temporary workers and contractors, requires continuous effort.

For large Trusts, the DSPT serves not just as a compliance tool but as a framework for continuous improvement, pushing them to maintain cutting-edge security practices amidst an evolving threat landscape and complex operational environments.

5.2 Small and Medium-Sized Enterprises (SMEs) / Primary Care

This category encompasses a vast array of independent healthcare providers crucial to the NHS, including General Practitioner (GP) practices, community pharmacies, dental surgeries, optical practices, and care homes. These SMEs face distinct and often more acute challenges in DSPT implementation compared to larger Trusts.

  • Resource Scarcity: Limited financial resources mean small organisations struggle to fund dedicated IT or IG staff, relying instead on practice managers, senior clinicians, or administrative staff to manage DSPT compliance alongside their core duties. Budgets for advanced security tools or external consultants are often extremely constrained.
  • Expertise Gap: A significant lack of in-house specialised expertise in cyber security and complex information governance is common. Understanding technical jargon and implementing advanced controls can be overwhelming.
  • Reliance on External Support: Many SMEs rely heavily on third-party IT support providers. Ensuring these providers are themselves DSPT compliant and adequately support the organisation’s security posture is a critical, yet sometimes challenging, dependency.
  • Strategies for Success: Despite these hurdles, many SMEs successfully navigate the DSPT by leveraging:
    • Centralised NHS Guidance: Utilising simplified guidance and templates provided by NHS Digital or local Integrated Care Boards (ICBs).
    • Accredited Suppliers: Partnering with IT and security service providers who are familiar with the DSPT and can offer tailored support.
    • Peer Networks: Collaborating with other local practices or care homes to share best practices, resources, and provide mutual support.
    • Local Support Organisations: Engaging with local ICBs or care associations (e.g., Hampshire Care Association, Community Pharmacy England) that offer DSPT workshops, helplines, and dedicated assistance.

For SMEs, the DSPT highlights the crucial role of external support and collaborative initiatives in bridging resource and expertise gaps, ensuring that even the smallest providers can meet essential data security standards.

5.3 Independent Providers and Third-Party Suppliers

Independent providers range from specialist clinics to laboratories and domiciliary care agencies. A critical sub-set of these, particularly those designated as Operators of Essential Services (OES) under the Network and Information Systems (NIS) Regulations, face heightened DSPT requirements.

  • NIS Regulations and CAF Alignment: For OES within healthcare (e.g., large independent hospitals, critical pathology services, national data infrastructure providers), the DSPT explicitly mandates alignment with the NCSC’s Cyber Assessment Framework (CAF). This means that their DSPT submission must demonstrate compliance against the CAF’s 14 principles, which are designed for critical national infrastructure and cover a broader and deeper scope of cyber resilience than baseline DSPT requirements.
  • Independent Audit Assessments: A distinguishing feature for OES within the 2024/2025 version of the DSPT and onwards is the requirement for independent audit assessments. Unlike other organisations that primarily self-assess, OES must undergo an external, independent audit to validate their DSPT submission and CAF compliance. These audits are typically conducted by accredited third-party assessors who provide an objective verification of the organisation’s security controls and evidence. This adds another layer of rigour and assurance, ensuring they meet the necessary high standards for data security and protection for their critical functions.
  • Contractual Mandates: For all independent providers, whether OES or not, DSPT compliance is increasingly a mandatory contractual requirement for any organisation processing NHS patient data or providing services to the NHS. This ensures a consistent security baseline across the entire NHS supply chain, placing a significant burden on these providers to maintain compliance to secure or retain contracts.
  • Supply Chain Risk Management: The DSPT also requires NHS organisations to ensure their own suppliers are compliant. This creates a cascading effect where third-party suppliers to NHS organisations (e.g., IT contractors, or cloud providers such as AWS, which explicitly addresses NHS DSPT compliance in its offerings) must also meet DSPT standards, even if they don’t directly handle patient data themselves but provide services that impact the security of NHS systems. This ensures a holistic approach to supply chain risk management.

The DSPT thus plays a vital role in integrating a diverse range of independent providers and suppliers into the NHS’s overarching data security strategy, ensuring that the protection of patient data is a shared responsibility across the entire ecosystem.

6. The DSPT Assessment Process and Governance

Understanding the mechanics of the DSPT assessment and its embedded governance mechanisms is crucial for appreciating its comprehensive impact. The toolkit is designed not as a static compliance hurdle but as a dynamic process that promotes continuous security improvement.

6.1 The Annual Submission Cycle

The DSPT operates on an annual submission cycle, typically with a deadline in the latter part of the financial year (e.g., June for the previous year’s assessment). This annual rhythm ensures that organisations regularly review and update their security posture in response to evolving threats, technological changes, and regulatory updates. The cycle typically involves:

  • Planning and Scoping: At the beginning of the cycle, organisations identify the scope of their submission, noting any significant changes in their services, systems, or data processing activities.
  • Information Gathering: Departments across the organisation (IT, IG, clinical, HR, finance) gather relevant evidence, update policies, and complete necessary training.
  • Self-Assessment: Key personnel, often led by an IG lead or DPO, systematically work through each assertion in the DSPT portal, uploading evidence and providing explanations.
  • Internal Review and Sign-off: The completed submission undergoes internal scrutiny, culminating in formal sign-off by the Senior Information Risk Owner (SIRO) and the Caldicott Guardian. This high-level endorsement signifies the organisation’s leadership commitment and accountability.
  • Submission and Publication: Once signed off, the submission is formally published on the DSPT portal, making the organisation’s compliance status publicly accessible (unless specific exemptions apply).

6.2 Evidence Gathering and Documentation

The robustness of a DSPT submission lies in the quality and completeness of its evidence. This isn’t just about ticking boxes; it’s about demonstrating that policies are not just written but actively implemented, that training is not just delivered but effectively absorbed, and that technical controls are not just installed but actively managed. Examples of crucial evidence include:

  • Policy and Procedure Documents: Up-to-date information security policies, data breach response plans, acceptable use policies, and business continuity plans.
  • Training Records: Proof of completion for mandatory data security awareness training for all staff, ideally with assessment results.
  • Technical Audit Logs and Reports: Evidence of access control reviews, vulnerability scans, penetration test reports, patch management reports, and system configuration documentation.
  • Risk Registers: Documented identification, assessment, and mitigation of information risks.
  • Third-Party Contracts: Agreements with suppliers explicitly detailing data processing and security requirements.
  • Incident Logs: Records of data security incidents, their investigation, and lessons learned.

Effective evidence gathering often requires a robust document management system and clear lines of responsibility across departments.

6.3 Internal Review and Governance Sign-off

Before submission, the DSPT undergoes a critical internal review process, involving key governance roles:

  • Senior Information Risk Owner (SIRO): The SIRO is a board-level executive or equivalent responsible for information risk across the organisation. They must be assured that all information risks are being managed appropriately and formally sign off the DSPT submission, taking accountability for its accuracy and completeness.
  • Caldicott Guardian: This senior person is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. They also review and sign off the DSPT, ensuring that the organisation’s practices align with the Caldicott Principles.
  • Data Protection Officer (DPO): The DPO provides independent advice and guidance on data protection compliance (GDPR/DPA 2018) and typically plays a central role in coordinating the DSPT submission, ensuring its legal conformity.

This multi-layered sign-off process ensures that data security is embedded within the organisation’s highest governance structures, fostering accountability and strategic oversight.

6.4 External Assurance for Operators of Essential Services (OES)

As previously mentioned, for healthcare organisations designated as OES under the NIS Regulations, the DSPT process includes a mandatory independent audit assessment. This adds a crucial layer of external validation to their self-assessment.

  • Audit Scope: The audit verifies the OES’s adherence to the NCSC’s Cyber Assessment Framework (CAF) principles as articulated within their DSPT submission.
  • Accredited Assessors: These audits are conducted by independent third-party firms accredited to perform CAF assessments, ensuring objectivity and expertise.
  • Verification of Evidence: Auditors rigorously examine the evidence provided in the DSPT, interview key personnel, and may conduct on-site inspections to confirm the implementation and effectiveness of security controls.
  • Benefits: The independent audit provides heightened assurance to regulators (e.g., Department of Health and Social Care, NCSC) and commissioners, demonstrating a robust and externally validated approach to cyber resilience for critical health services.

6.5 Continuous Improvement

The annual DSPT cycle is not merely a compliance exercise but a catalyst for continuous improvement. The toolkit’s structure encourages organisations to:

  • Review Performance: Analyse previous years’ submissions, identify areas for improvement, and track progress against identified gaps.
  • Respond to Feedback: Incorporate lessons learned from incident reviews, audit findings, and internal assessments into their security practices.
  • Adapt to Changes: Proactively adjust policies and controls in response to new threats, technological developments, or changes in service delivery.

By embedding this cycle of assessment, remediation, and review, the DSPT helps organisations evolve their security posture dynamically, ensuring ongoing protection of patient data.

7. Future Outlook and Evolving Landscape

The landscape of data security is in perpetual flux, driven by rapid technological advancements, evolving threat actor capabilities, and changing regulatory priorities. The DSPT, by design, must remain agile and responsive to these shifts to maintain its effectiveness. Looking ahead, several key areas will shape the future trajectory of the toolkit and its impact on healthcare security.

7.1 Emerging Threats

The sophistication and scale of cyber threats continue to escalate, posing new challenges for healthcare data protection:

  • Advanced Persistent Threats (APTs): Highly sophisticated, stealthy attacks often backed by nation-states, aiming for long-term data exfiltration or disruption, requiring advanced detection and response capabilities.
  • Ransomware Evolution: Ransomware attacks are becoming more targeted, involving double extortion (encrypting data and threatening to publish it) and ‘triple extortion’ (targeting patients, partners, and the organisation). This necessitates robust backup and recovery strategies, alongside proactive defence.
  • Artificial Intelligence (AI) and Machine Learning (ML) in Cyberattacks: Attackers are leveraging AI to automate social engineering, craft more convincing phishing attacks, and discover vulnerabilities faster. This requires healthcare organisations to embrace AI/ML for defence as well, such as anomaly detection and threat prediction.
  • Supply Chain Attacks: Exploiting vulnerabilities in third-party software or services to gain access to target organisations, underscoring the DSPT’s increasing emphasis on supply chain assurance.
  • Quantum Computing: While still in its nascent stages, the eventual advent of quantum computing poses a long-term threat to current encryption standards, requiring strategic planning for post-quantum cryptography adoption.

The DSPT will need to continually integrate new assertions and guidance to address these burgeoning threats, ensuring organisations are equipped with the knowledge and controls to defend against them.

7.2 Technological Advancements in Healthcare

Healthcare itself is undergoing a profound digital transformation, introducing new data protection considerations:

  • Cloud Adoption: The increasing migration of NHS data and systems to cloud environments (e.g., Azure, AWS, GCP) offers scalability and resilience but requires robust cloud security governance, data residency considerations, and ensuring cloud providers meet DSPT standards.
  • Internet of Medical Things (IoMT): The proliferation of connected medical devices (wearables, remote monitoring devices, smart hospital equipment) generates vast amounts of health data and introduces a new attack surface, requiring device security, secure data transmission, and vulnerability management for IoMT.
  • Digital Health Records (DHR) and Interoperability: While enhancing patient care, widespread DHR adoption and initiatives for seamless data sharing across integrated care systems amplify the need for stringent access controls, consent management, and secure data exchange protocols.
  • Genomic Data: The growing use of genomic sequencing for personalised medicine involves extremely sensitive and unique data, demanding exceptionally high levels of security and ethical considerations for its storage, processing, and sharing.

Future iterations of the DSPT will need to specifically address the security implications and best practices for these emerging healthcare technologies, providing tailored guidance for their secure implementation and management.

7.3 Regulatory Changes and Harmonisation

The regulatory landscape is not static, and the DSPT must evolve in lockstep:

  • Updates to UK GDPR/DPA 2018: Any future amendments or interpretations of these foundational data protection laws will necessitate corresponding adjustments within the DSPT.
  • NIS 2 Directive: The EU’s NIS 2 Directive (replacing the original NIS Directive) broadens the scope of essential entities and introduces more stringent requirements, including stronger enforcement measures. The UK is likely to mirror aspects of this, or develop its own equivalent, which will directly impact the DSPT’s requirements for OES and potentially expand to other critical digital service providers within healthcare.
  • International Alignment: As healthcare becomes more globally interconnected, there may be pressure to align DSPT requirements with international standards (e.g., ISO 27001, HIPAA for international collaborations) to facilitate secure cross-border data flows.
  • Digital Identity and Trust Frameworks: The development of national digital identity frameworks (e.g., NHS login) will require the DSPT to ensure organisations securely integrate and utilise these mechanisms for patient authentication and access.

Maintaining agility in response to these regulatory shifts is paramount for the DSPT to remain relevant and authoritative.

7.4 Integration with Broader Digital Transformation

The DSPT is not merely a standalone compliance tool but a fundamental enabler of secure digital transformation within the NHS. Its future role will be increasingly integrated into broader strategic initiatives:

  • Secure by Design: Promoting the ‘security by design’ principle, where data protection is baked into the very inception of new digital services, systems, and patient pathways, rather than being an afterthought.
  • Data-Driven Healthcare: Facilitating the safe and ethical use of health data for research, public health, and service improvement, ensuring that data utility is balanced with robust privacy and security.
  • Integrated Care Systems (ICSs): Supporting the secure sharing of information within and between ICSs, enabling seamless patient care delivery while maintaining confidentiality.

By continuously adapting to emerging threats, technological innovations, and regulatory shifts, the DSPT can reinforce its position as a cornerstone of secure, patient-centred digital healthcare, ensuring public trust remains at the heart of the NHS’s digital future.

8. Recommendations

To further enhance the effectiveness of the DSPT, address persistent implementation challenges, and ensure its continued relevance in a rapidly evolving digital landscape, the following comprehensive recommendations are proposed:

8.1 Enhanced Guidance and Tailored Support

The complexity of the DSPT can be a significant barrier, particularly for smaller organisations. To mitigate this:

  • Develop Contextualised Guides: Create sector-specific DSPT guidance, providing clear examples and explanations tailored to the unique operational realities of GPs, care homes, pharmacies, and specialist clinics. This would include simplified language, flowcharts, and FAQs.
  • Establish Mentorship Programs and Peer Networks: Facilitate the creation of regional or local peer-to-peer mentorship programs where experienced organisations can guide and support those new to or struggling with DSPT compliance. Encourage the formation of online forums and community groups for shared learning.
  • Provide Dedicated Helpdesk Support: Enhance the availability and expertise of the DSPT helpdesk, offering direct, jargon-free support for technical queries and interpretational challenges.
  • Offer Standardised Templates and Tools: Provide accessible templates for common evidence items (e.g., policy documents, risk registers, training logs) and potentially develop simplified tools to assist with tasks like asset inventories or data flow mapping.

8.2 Strategic Investment in Workforce Development

The persistent skills gap in data security and information governance needs a national, strategic response:

  • National Training and Certification Programs: Invest in nationally funded or subsidised training programs and certifications for staff across the health and social care sector, covering core DSPT competencies, cyber security fundamentals, and advanced IG principles.
  • Apprenticeships and Graduate Schemes: Establish dedicated apprenticeship and graduate schemes focused on information governance and cyber security within NHS organisations, creating a sustainable pipeline of skilled professionals.
  • Cross-Organisational Skill Sharing: Implement mechanisms for skilled professionals (e.g., DPOs, SIROs, cyber security analysts) to provide part-time support or consultancy to smaller, less resourced organisations within their Integrated Care System (ICS) footprint.
  • Leadership Development: Provide targeted training for senior leaders (SIROs, Caldicott Guardians) to deepen their understanding of contemporary data security risks and their strategic oversight responsibilities.

8.3 Streamlining and Harmonisation

Reducing redundancy and complexity can make the DSPT more efficient and less burdensome:

  • Align with International Standards: Actively map and harmonise DSPT assertions with other widely recognised security frameworks such as ISO 27001, Cyber Essentials Plus, or industry-specific standards. This would allow organisations already certified to these standards to more easily demonstrate DSPT compliance, potentially through automated cross-mapping.
  • Automate Compliance Checks: Explore technological solutions to automate aspects of compliance checking where feasible, such as integrating with IT asset management systems or security monitoring tools to pull evidence directly.
  • Tiered Requirements: Continuously review and refine the tiered nature of DSPT requirements, ensuring that the demands are always proportionate to the size, complexity, and data processing activities of different organisational types, without compromising baseline security.
  • Centralised Policy Libraries: Develop and maintain a national library of model policies and procedures that organisations can adapt, reducing the burden of creating documents from scratch.
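The evidence described in section 6.2 (patch management reports, training records, asset documentation) and the ‘Automate Compliance Checks’ recommendation above both come down to the same mechanical task: pull machine-readable records from the systems that already hold them and turn them into a finding an auditor can verify. The following Python script is an added example of that idea, written for this report; it is not code from NHS England, NHS Digital or the DSPT portal. It reads two constructed CSV exports (an asset inventory and a staff training log), evaluates three checks, and renders a plain-text summary. The check names, the 14-day patch window, the 365-day training validity and the 95% completion target are illustrative assumptions chosen for the example, not the toolkit’s published assertion wording or figures; an organisation would substitute its own policy values and the real assertion references.

```python
"""Automated evidence gathering for a DSPT-style self-assessment (added example).
Reads constructed exports from an asset inventory and a training-records system and
evaluates assumed policy checks; thresholds and layouts are illustrative, not the toolkit's."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed asset-inventory export; dates are ISO-8601 (YYYY-MM-DD).
ASSET_INVENTORY_CSV = """hostname,os,os_support_ends,last_patched,holds_patient_data
ward-pc-01,Windows 11,2027-10-14,2025-06-10,yes
ward-pc-02,Windows 7,2020-01-14,2024-11-02,yes
lab-srv-01,Ubuntu 22.04,2027-04-30,2025-06-01,yes
admin-pc-07,Windows 11,2027-10-14,2025-04-01,no
imaging-ws-03,Windows 10,2025-10-14,2025-06-05,yes
"""

# Constructed training export: one row per staff member.
TRAINING_CSV = """staff_id,role,training_completed,completed_on
s001,nurse,yes,2025-02-11
s002,gp,yes,2025-01-20
s003,receptionist,yes,2025-04-18
s004,pharmacist,yes,2025-05-02
s005,admin,yes,2025-05-30
s006,dentist,yes,2025-03-27
s007,admin,yes,2024-03-20
s008,locum,no,
"""

ASSESSMENT_DATE = date(2025, 6, 15)  # assumed snapshot date for the evidence
PATCH_WINDOW_DAYS = 14                # assumed policy: patches applied within 14 days
TRAINING_VALIDITY_DAYS = 365          # assumed policy: awareness training renewed annually
TRAINING_TARGET = 0.95                # assumed completion-rate target


@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    detail: str


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def unsupported_assets(assets: list[dict[str, str]], as_of: date) -> list[str]:
    """Hostnames whose operating system is already out of vendor support."""
    return [a["hostname"] for a in assets
            if date.fromisoformat(a["os_support_ends"]) < as_of]


def stale_assets(assets: list[dict[str, str]], as_of: date, window_days: int) -> list[str]:
    """Hostnames not patched within the window (a device exactly on the boundary passes)."""
    return [a["hostname"] for a in assets
            if (as_of - date.fromisoformat(a["last_patched"])).days > window_days]


def training_completion(records: list[dict[str, str]], as_of: date,
                        validity_days: int) -> tuple[int, int, float]:
    """Return (current, total, rate), counting only completed and still-valid training."""
    current = 0
    for r in records:
        if r["training_completed"] != "yes" or not r["completed_on"]:
            continue  # never completed, or no date recorded: not evidence of completion
        if (as_of - date.fromisoformat(r["completed_on"])).days <= validity_days:
            current += 1
    total = len(records)
    return current, total, (current / total if total else 0.0)


def run_checks(assets, training, as_of: date = ASSESSMENT_DATE) -> list[Finding]:
    """Evaluate each assumed check; every finding carries the detail an auditor would ask for."""
    unsupported = unsupported_assets(assets, as_of)
    stale = stale_assets(assets, as_of, PATCH_WINDOW_DAYS)
    done, total, rate = training_completion(training, as_of, TRAINING_VALIDITY_DAYS)
    return [
        Finding("unsupported-os", not unsupported,
                f"{len(unsupported)} device(s) out of vendor support: {unsupported}"),
        Finding("patch-window", not stale,
                f"{len(stale)} device(s) unpatched for more than {PATCH_WINDOW_DAYS} days: {stale}"),
        Finding("training-completion", rate >= TRAINING_TARGET,
                f"{done}/{total} staff current ({rate:.0%}); target {TRAINING_TARGET:.0%}"),
    ]


def evidence_summary(findings: list[Finding]) -> str:
    """Render findings as plain text that can be attached to the submission as evidence."""
    return "\n".join(f"{'PASS' if f.passed else 'FAIL'}  {f.check}: {f.detail}"
                     for f in findings)


if __name__ == "__main__":
    results = run_checks(parse_export(ASSET_INVENTORY_CSV), parse_export(TRAINING_CSV))
    print(evidence_summary(results))
```

On the constructed data all three checks fail, which is the useful output before a submission: the Windows 7 workstation is out of support, it and one admin PC are outside the patch window, and only six of eight staff have training that is both completed and still within its validity period (one record is over a year old, one has no completion at all). The design point is that each finding carries the hostnames or counts behind it, so the summary is evidence rather than a bare tick, and the thresholds live in named constants so they can be set from the organisation’s own policy rather than hard-coded into the checks.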

8.4 Fostering a Collaborative Ecosystem

Promoting collaboration can strengthen collective security and knowledge sharing:

  • Regional DSPT Hubs within ICBs: Establish dedicated DSPT support hubs within each Integrated Care Board (ICB) to coordinate local support, run workshops, and act as a central point of contact for providers in their area.
  • Information Sharing and Analysis Centres (ISACs): Further develop and promote participation in sector-specific ISACs for healthcare, enabling the rapid sharing of threat intelligence and best practices amongst organisations.
  • Incentivise Best Practice Sharing: Create awards or recognition programs for organisations demonstrating exemplary DSPT compliance and those actively contributing to the community through knowledge sharing.
  • Strengthen Supply Chain Oversight: Provide clearer guidance and tools for organisations to assess and monitor the DSPT compliance of their third-party suppliers, potentially through a centralised supplier assurance portal.

8.5 Proactive Engagement with Legacy Issues

Addressing the challenges posed by legacy systems and processes requires strategic, long-term investment:

  • Funding for Digital Modernisation: Allocate dedicated funding streams for NHS organisations and their partners to upgrade or replace critical legacy IT systems, ensuring security is a primary driver for these investments.
  • Strategic Retirement Plans: Develop national guidance and support for the secure decommissioning and migration of data from outdated systems, providing clear frameworks for managing technical debt.
  • Change Management Expertise: Provide resources and expertise in change management to help organisations navigate the cultural and procedural shifts required to move away from legacy practices and fully embrace digital, secure ways of working.

By implementing these recommendations, the DSPT can evolve into an even more effective, accessible, and integral component of the UK’s healthcare data security infrastructure, continuously safeguarding patient information in an increasingly digital world.

9. Conclusion

The Data Security and Protection Toolkit (DSPT) stands as a critical cornerstone in the UK’s ongoing endeavour to safeguard highly sensitive patient information within the vast and complex landscape of the health and social care sector. Its evolution from the foundational IG Toolkit, driven by the escalating cyber threat environment, the lessons learned from incidents like WannaCry, and the imperative of modern data protection legislation like GDPR and the NIS Regulations, underscores its strategic importance. The DSPT provides a meticulously structured framework, aligning with the National Data Guardian’s 10 Data Security Standards and the NCSC’s Cyber Assessment Framework, compelling organisations to adopt comprehensive and auditable security practices.

While its implementation presents formidable challenges—particularly for smaller entities grappling with resource constraints, the inherent complexity of requirements, a persistent skills gap, and the pervasive issue of legacy systems—the DSPT’s impact on enhancing data security across the NHS ecosystem is undeniable. It fosters a proactive, rather than reactive, approach to security, embeds a consistent security culture through universal training and leadership accountability, and robustly supports compliance with critical legal and ethical obligations. Its nuanced application, as evidenced by the varying experiences of large Trusts, SMEs, and independent providers (especially those with OES status and the requirement for independent CAF audits), demonstrates its adaptability while simultaneously highlighting the need for tailored support.

Looking to the future, the DSPT must continue its dynamic evolution, constantly adapting to emerging cyber threats, leveraging technological advancements, and responding to ongoing regulatory shifts. The persistent digitisation of healthcare, from cloud adoption to the proliferation of IoMT and genomic data, will demand continuous refinement of the toolkit’s assertions and guidance. The recommendations outlined in this report—focusing on enhanced guidance, strategic workforce development, streamlining, collaborative ecosystem building, and proactive engagement with legacy issues—offer a pathway to strengthen the DSPT’s efficacy and accessibility.

In essence, the DSPT is far more than a mere compliance exercise; it is an indispensable mechanism for instilling trust, ensuring accountability, and driving continuous improvement in data protection. By embracing its principles and addressing its challenges with sustained commitment and strategic investment, the UK healthcare system can reinforce its resilience, safeguard patient confidentiality, and confidently navigate the complexities of the digital age, ultimately upholding the public’s unwavering faith in the integrity of its most personal data.
