A practical guide to the NHS Data Security and Protection Toolkit — what it covers, how to meet each assertion, and how Folelse makes submission faster and audit-ready.
The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool produced by NHS England that measures NHS organisations' compliance with the National Data Guardian's ten data security standards. It replaced the Information Governance Toolkit in 2018.
All organisations that have access to NHS patient data and systems must complete the DSPT annually. Achieving "Standards Met" status is typically a prerequisite for NHS data sharing agreements, commissioning contracts, and connection to NHS systems such as N3/HSCN.
The toolkit covers six key areas across data security, cyber security, and information governance — spanning leadership accountability, staff training, data management, data quality, cyber security, and business continuity.
Each area contains mandatory and advisory assertions. You must meet all mandatory assertions to achieve Standards Met.
New DSPT submission cycle opens — review previous year actions and improvement plans
Begin systematic evidence collection against all mandatory assertions
Complete cyber security evidence (Cyber Essentials, pen test reports)
Training completion drive — target 95%+ staff completion
Board review session; SIRO confirms evidence sufficiency
Internal audit of evidence quality; address any gaps
Final evidence review; prepare for submission
Submit — target Standards Met status by 30 June deadline
All DSPT assertions pre-mapped to Folelse features — no manual mapping required.
Attach documents, screenshots, and records directly to each assertion as evidence.
Real-time completion dashboard shows where you stand against the submission deadline.
Export a full evidence pack for your SIRO review or external IG audit.
The DSPT annual submission deadline is typically 30 June each year. NHS organisations are expected to achieve at least "Standards Met" status by this date. NHS England may adjust deadlines — always check the official DSPT website for the current cycle dates.
Standards Met means your organisation has provided satisfactory evidence for all mandatory assertions in the current DSPT toolkit. Organisations that cannot reach Standards Met may submit as "Standards Not Met" with an improvement plan, but this may affect commissioning and information sharing agreements.
The Senior Information Risk Owner (SIRO) is ultimately accountable for the submission. In practice, the Data Protection Officer or Information Governance Manager typically leads the evidence collection and submission process, with sign-off from the SIRO and board.
All NHS Trusts, GP Practices, CSUs, NHS England arm's-length bodies, and organisations processing NHS patient data under a Data Sharing Agreement must complete the DSPT. Many independent sector providers working for the NHS are also required to submit.
No — the DSPT submission is made directly on the NHS Digital portal by your SIRO or nominated submitter. Folelse helps you prepare the evidence, track completion, and link evidence to each assertion, making the submission process significantly faster and audit-ready.
Folelse pre-loads all current DSPT assertions and maps platform features to relevant evidence requirements. For example, your ROPA module evidence can be directly linked to Assertion 3 requirements, and your breach log links to Assertion 5 and 6 controls.