NHS Adoption & Procurement
What is the DSP Toolkit?
In short: The Data Security and Protection (DSP) Toolkit is an annual online self-assessment that NHS organisations — and the suppliers that handle NHS data or systems — use to evidence they meet the expected data-security and information-governance standards.
What it covers
The Toolkit maps to the National Data Guardian's data-security standards and covers areas such as data protection, staff training, access control, incident management and technical security. Organisations assess themselves against the assertions and publish a submission, typically annually.
Who needs it
Any organisation that processes NHS patient data or connects to NHS systems is generally expected to maintain a current DSP Toolkit submission. For suppliers, NHS buyers often ask for your DSP Toolkit status as part of procurement and onboarding.
How it fits the assurance picture
The DSP Toolkit sits alongside DTAC, clinical safety (DCB0129/0160) and a DPIA as part of the evidence NHS buyers expect. Preparing it early, rather than at tender time, speeds procurement.
Meds Global Health helps suppliers assemble and quality-assure data-security and procurement evidence. See Data Protection & Security and NHS Buyer Readiness.
The annual cycle
What a submission involves
The DSP Toolkit is not a one-off form — it is an annual cycle with a published deadline, and a current submission is what NHS buyers check. An organisation self-assesses against a set of assertions mapped to the National Data Guardian's data-security standards, gathers the supporting evidence, and publishes its status. A lapsed submission is read as a live risk during procurement, so the practical goal is to keep the underlying evidence current year-round rather than scrambling before the deadline.
Useful supporting evidence to maintain includes:
- Data-protection and information-security policies, kept under review
- A current DPIA where the processing warrants one
- Staff data-security training records
- Access control, role-based permissions and audit logging
- A documented incident-response and breach-management process
- Results of recent penetration or security testing
Holding these as living artefacts turns each annual submission into a confirmation rather than a project.
Common pitfalls
Where suppliers trip up
The recurring mistakes are organisational, not technical. Treating the Toolkit as a once-a-year box-tick lets evidence drift out of date, so the submission no longer reflects reality. Over-claiming a status the evidence cannot support is worse — it surfaces during buyer due diligence and erodes trust. And leaving the work until a tender is live means the submission sits on the critical path of a deal it should have de-risked.
The fix is to fold data security into business-as-usual: assign clear ownership, link the Toolkit assertions to evidence you already maintain, and review it on a calendar rather than under deadline pressure. Doing so reinforces the other assurance artefacts a buyer expects — the DTAC, the clinical safety case and the DPIA — and slots neatly into the wider picture of how the NHS buys digital health.
Answers
Frequently asked questions
What is the DSP Toolkit?
The Data Security and Protection (DSP) Toolkit is an online self-assessment that organisations complete annually to demonstrate they meet the data-security and information-governance standards expected of those handling NHS patient data and systems.
Who needs to complete it?
NHS organisations, and any supplier or partner that processes NHS patient data or connects to NHS systems, are generally expected to have a current, published DSP Toolkit submission.
How does it relate to DTAC?
Data security is one of the five areas in the NHS DTAC. A current DSP Toolkit submission is strong supporting evidence for the data-protection and security elements.
How often must the DSP Toolkit be completed?
It is an annual cycle with a published submission deadline each year. A lapsed or out-of-date submission is treated as a gap by NHS buyers, so it is best maintained continuously rather than rushed before the deadline.
What evidence supports a DSP Toolkit submission?
Typical evidence includes data-protection and security policies, a current DPIA where relevant, staff training records, access-control and audit logging, an incident-response process, and the results of penetration or security testing. Keeping this evidence current makes each annual submission straightforward.
How does it fit AI assurance?
For AI products, data-security evidence sits alongside clinical-safety and validation work. See AI Validation & Clinical Safety and Data Protection & Security.