The Data Security and Protection Toolkit: How to Meet NHS Data Security Demands
The NHS is the UK’s largest employer and manages an annual budget of nearly £200 billion. As a result, countless suppliers interact with the health service at some point, each required to meet strict standards for safeguarding data.
These expectations are set out in the Data Security and Protection Toolkit (DSPT), a free online self-assessment that measures an organization’s performance against the National Data Guardian’s ten data security standards. It is designed to help organizations ensure they handle personal healthcare information responsibly, comply with legal obligations, and reduce the risk of data breaches.
Completion is mandatory for organizations that require access to NHS systems and all providers registered with the Care Quality Commission, the independent regulator of health and social care in England.
So, what exactly does the DSPT ask organizations to do? That becomes clearer once we understand the security standards behind it.
A breakdown of the ten data security standards
Developed by the National Data Guardian, the standards cover a wide range of areas that are organized under three leadership obligations: people, process, and technology. Below we break down what that entails.
People
This obligation covers standards one, two, and three. These standards are designed to ensure that staff are equipped to handle information respectfully and safely, in line with the Caldicott Principles. They cover areas such as ensuring confidential data is handled, stored, and transmitted securely, and that all staff complete appropriate annual data security training.
Process
Process covers standards four, five, six, and seven, which are designed to ensure the organization proactively prevents data security breaches and responds appropriately to incidents or near misses. This includes making sure personal confidential data is only accessible to staff who need it for their current role, with access removed as soon as it’s no longer required and all system activity attributable to individual users.
These standards also require organizations to regularly review and improve any processes that may contribute to breaches or insecure workarounds. Cyberattacks must also be identified and resisted, CareCERT guidance acted upon, and any breach or near miss reported to senior management within 12 hours.
Organizations must also have a continuity plan in place to address threats to data security, including significant breaches or near misses. This plan must be tested at least once a year with outcomes reported to senior leadership.
Technology
Technology covers standards eight, nine, and ten, which focus on ensuring technology across the organization is secure, modern, and resilient. This means eliminating unsupported operating systems, software, and browsers from the IT estate, and maintaining a cybersecurity strategy based on a recognized framework such as Cyber Essentials. That strategy has to be reviewed at least annually.
These standards also require organizations to hold their IT suppliers accountable through contracts, ensuring they protect any personal confidential data they process and meet the National Data Guardian’s security expectations.
Other standards to be aware of
In addition to the standards outlined above, organizations must also comply with a wider set of data protection regulations and legislation, most notably the UK General Data Protection Regulation (UK GDPR). Other important frameworks should also be considered, including the National Institute of Standards and Technology Special Publication 800 Series (NIST SP 800 Series), and the NCSC’s Cyber Assessment Framework (CAF).
How to prepare your organization for the Data Security and Protection Toolkit and support ongoing compliance
Here are three key steps to help get your organization DSPT ready:
- Assign ownership: The NHS advises that organizations assign owners for each outcome independently to ensure that responsibility is given to the most appropriate person. These outcomes can serve as benchmarks for evaluating the effectiveness of your cybersecurity and information governance practices.
- Gather evidence: The DSPT requires a supporting statement for every contributing outcome, accompanied by relevant documentation where necessary. This evidence demonstrates how your organization meets the expectations of the data security standards.
- Focus on continuous improvement: The toolkit’s emphasis on annual reviews and clearly assigned responsibilities highlights a central message: DSPT compliance is not a one-time task but an ongoing process of evaluation, refinement, and improvement.
Strengthen your DSPT readiness through better identity and access practices
Although the DSPT may appear extensive and a bit overwhelming, many of its requirements can be met by applying identity and authentication controls that are already standard in most modern enterprise environments.
Multi-factor authentication (MFA) is a foundational component of securing access across NHS infrastructure. It significantly reduces exposure to social engineering attacks and other techniques designed to deceive users into revealing sensitive information, while also reinforcing privileged access management and improving overall credential hygiene.
However, it’s important not to neglect the fundamentals of cybersecurity. Passwords continue to serve as a primary layer of defense, and adversaries routinely target weak or reused credentials as an initial point of compromise, even in environments protected by MFA.
For this reason, effective DSPT compliance relies heavily on strong password practices, particularly as brute force attacks and the misuse of lost or stolen credentials remain major contributors to data breaches.
How Specops supports stronger DSPT readiness for NHS partners
Meeting the requirements of the Data Security and Protection Toolkit is not simply about passing an assessment. As outlined in the standards, organizations working with the NHS must be able to demonstrate that their identity, access, and password controls are mature, resilient, and capable of protecting highly sensitive patient and operational data.
This is where Specops’ solutions add measurable value by helping you build and maintain a security posture that can stand up to scrutiny and strengthens your ability to work confidently with the NHS.
Multiple NHS trusts across the UK rely on Specops Password Policy, Specops uReset, and Specops Secure Service Desk to strengthen their password security, reduce service desk strain, and close gaps linked to weak, reused, or compromised credentials.
These capabilities align closely with DSPT expectations, giving organizations clearer visibility over their Active Directory environment, enforcing stronger password standards, and preventing the use of billions of known breached passwords.
If you want to see what this looks like in practice, you can read Specops’ NHS case study, which details how one NHS trust reduced password vulnerabilities, improved authentication controls, and supported compliance efforts using Specops solutions.
If your organization needs to meet DSPT requirements or wants to improve its password and authentication security, contact us here. For more insights and access to our research, please visit the Specops blog.
Last updated on January 28, 2026