NHS DSPT · Data Security & Protection Toolkit
Meet and exceed the NHS Data Security and Protection Toolkit
If your organisation handles NHS patient data or uses NHS systems, the DSPT is mandatory — and for 2025/26 it is tougher than ever. Our Cyber Resilience Programme gives you the controls, the evidence and the expert hand to reach ‘Standards Met’ and stay there.
Overview
What is the DSPT?
The Data Security and Protection Toolkit is NHS England’s annual self-assessment for data security and information governance. You must complete it if you handle health or care data, use NHS systems such as NHSmail or e-Referrals, or deliver services under an NHS contract. The 2025/26 edition is Version 8, with a submission deadline of 30 June 2026. For NHS trusts, ICBs, CSUs, arm’s-length bodies and now designated Operators of Essential Services and genomics organisations, the toolkit is aligned to the NCSC Cyber Assessment Framework (CAF) — an outcome-based, evidence-led model. Smaller organisations assess against the National Data Guardian’s 10 data security standards. Crucially, Cyber Essentials Plus and ISO 27001 no longer grant exemptions, and Category 1 and 2 suppliers must now pass an independent audit. Fall short and you risk losing access to NHS systems, including NHSmail.
The mapping
How our Cyber Resilience Programme meets the DSPT
The CAF is built around four objectives (A–D) plus an NHS-specific Objective E. Here is how our programme delivers each one.
| Requirement | How Foresight delivers it |
|---|---|
| Objective A — Managing security risk | We run your DSPT gap analysis, build and maintain asset and risk registers, set information-governance policies, and review supplier contracts and Technical & Organisational Measures. |
| Objective B — Protecting against cyber attack | Enforced MFA (a CAF national directive), managed Fortinet firewalls, endpoint EDR, email security, 14-day patching, Microsoft Intune device management, immutable Acronis backups and security-awareness training. |
| Objective C — Detecting cyber security events | 24/7 infrastructure monitoring with Microsoft Sentinel for centralised logging, alerting and threat detection. |
| Objective D — Minimising the impact of incidents | Documented incident-response plans, tested backups and disaster recovery, and rehearsed business-continuity exercises. |
| Objective E — Using and sharing patient data lawfully | Data-flow mapping, information-governance policies and DPIA support, delivered alongside your DPO. |
| The 10 NDG data security standards | For non-CAF organisations we cover all ten — from personal confidential data and staff training to access control, incident response, continuity and accountable suppliers. |
| Mandatory independent audit (Cat 1 & 2) | We prepare and organise your evidence pack mapped to each outcome, so your NCSC Cyber Resilience Audit (CRA) scheme assessor finds everything in order. |
Speed
How quickly can you be ready?
Week 1 · Gap analysis
We assess you against your DSPT category and required profile and produce a prioritised action list.
Weeks 2–4 · Quick wins
MFA, patching, backups, core policies and your asset register — the controls that move the most outcomes fastest.
Weeks 4–8 · Remediation & evidence
We close the remaining outcomes and assemble a clean, audit-ready evidence pack.
Before 30 June · Submit & audit
You submit with confidence — and, where required, your independent audit is booked and supported.
Most practices, suppliers and care providers reach ‘Standards Met’ in 4–8 weeks.
Larger CAF-aligned trusts take longer given their scope. Timings are indicative; the 2025/26 deadline is 30 June 2026 — the sooner we start, the smoother it is.
Why Foresight
Experts in NHS data security
Healthcare IT and cyber security is our home ground. We hold Cyber Essentials Plus ourselves, support healthcare providers and schools across Greater Manchester, and bring a dedicated Cyber Lead (Saad Gul) and IT & Safeguarding Lead (Amanda Nellist) to every engagement.
In practice
Typical engagements
GP & dental practices
These practices needed ‘Standards Met’ to keep NHSmail. We delivered MFA, policies and staff training, then completed the submission with weeks to spare.
Category 2 NHS supplier
The supplier faced a mandatory independent audit. We built the CAF-mapped evidence pack and supported the assessor from start to finish.
Care provider (10 NDG standards)
We turned a yearly scramble into a repeatable, low-stress annual submission with the evidence kept current year-round.
Ready to meet the DSPT — and exceed it?
Talk to our team for a free, no-obligation gap review. We will show you exactly where you stand and how quickly we can close the gaps.