Client Portal


The NHS Data Security & Protection Toolkit is an NHS-operated tool that allows organisations handling sensitive patient data to self-assess themselves against the 10 Data Security Standards issued by the National Data Guardian. The toolkit also requires organisations to declare their compliance and offer a transparent public statement to this effect.

It is imperative that all organisations handling sensitive patient information use the Data Security & Protection Toolkit to thoroughly assess their data security efforts & ensure effective data protection measurements are in place.


We can assist you with the requirements of the DSP toolkit and we’ll help ensure that your organisation is structured how it needs to be for the assessment.

We offer the following services:

Audit Service

Submission Service

Security Testing Service


The NHS Data Security & Protection Toolkit serves as an annual requirement for organisations wishing to access (or continue to access) sensitive NHS data. Whether you’re working directly under the NHS – or simply serving as a third party supplier to NHS organisations – it’s essential your organisation is fully-compliant with the Data Security & Protection Toolkit. 

Larger trusts or hospital groups may also be required to complete the toolkit bi-annually to ensure ongoing compliance.

Organisations that are required to comply with the NHS Data Security & Protection Toolkit are grouped into the following four categories:

Category 1 – NHS trusts

Category 2 – Arm’s length bodies, Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs)

Category 3 – All other sectors

Category 4 – GP practices


The NHS DSP (Data Security The National Data Guardian’s 10 Data Security Standards are grouped under three distinct leadership obligations to address people, process and obligations:


Handling, transmission and storage of confidential data

All sensitive data is stored, handled & distributed in a secure manner, with personally-identifiable information only being shared for lawful purposes.

Staff accountability and responsibilities

The organisation’s faculty understands their duties under the Nation Data Guardian’s Data Security Standards, including the responsible handling of sensitive data and active prevention of data breaches.

Staff data security training and testing

All faculty must take part in annual data protection training and pass a compulsory test provided through the revised Information Governance Toolkit.


Access controls

Sensitive data is only accessible to members of staff who require access to it, with access being removed as soon as it’s no longer required.

Annual process reviews

Data protection processes are reviewed at least once a year to identify – and remediate – any shortcomings in the organisation’s data protection process. Standard procedures are continuously improved year on year in line with evolving cyber security threats and data protection regulation.

Cyber attack, identification, resistance and response

Cyber attacks against the organisation’s infrastructure are rapidly identified and deflected, with immediate action taken following an attempted (or successful) data breach. Cyber threats are reported to senior management within twelve hours of detection.

Continuity and incident response planning

A suitable continuity plan is established to respond to data protection threats. The plan is tested annually, with a performance report issued to senior management.


Unsupported operating systems, applications or browsers

No unsupported or unsafe infrastructure – including browsers, operating systems and software – are utilised within the organisation’s IT suite.

Implementation of a suitable strategy or framework to protect IT systems

A cohesive strategy is in place to protect IT infrastructure from cyber security threats. The strategy must be based upon a proven framework – such as Cyber Essentials – and reviewed annually.

Contractual accountability for IT suppliers

IT suppliers are held contractually accountable to protect the sensitive NHS data they handle in adherence to the National Data Guardian’s Data Security Standards.


The deadline for completing the DSP toolkit is 31st March, although it can be submitted at any point in the year. (If you are an organisation that is required to complete it twice a year, deadlines will be 31st March and 31st October). It is recommended that you get the DSP toolkit submitted as soon as you have the information ready rather than wait for the deadline to avoid unnecessary rush and potential shortcomings.

Why Choose Bruce & Butler As Your NHS DSP Toolkit Specialists?

Bruce & Butler are committed to providing unmatched assistance in ensuring your organisation achieves full compliance with the NHS Data Security & Protection Toolkit. Our specialist team of data protection experts hold industry-recognised certifications, including CREST and OSCP. This is combined with decades of cyber security experience across a wide range of sectors. 

We’ll work closely with you to identify the unique requirements and facets of your organisation, before ensuring full compliance with the NHS DSP toolkit in a comprehensive and cost-effective manner.

Get in touch with us today to learn more about how our NHS Data Security & Protection Toolkit services can safeguard your organisation.

Our Services

Contact Us

Drop Us a line

Contact Us

  • This field is for validation purposes and should be left unchanged.