Data Protection

The Data Security and Protection Toolkit (DSPT) – a free self-assessment toolkit for Care Providers

You care for your clients and your staff …but are you taking care of their personal information?

Are you sure you are legally compliant?

We can help (and our help is free)

As a part of the National Better Security Better Care programme, HCPA is now supporting registered care providers to meet required legal requirements for Data Protection standards.

The Data Security Protection Toolkit (DSPT) is an online data protection assessment. Completing the DSPT ensures you are compliant with Data Protection laws, mitigates risks from any nasty data breach fines and is required by Local Authorities, CQC, other contracting bodies.

This service is provided at no cost to the Provider. HCPA will provide virtual/face-to-face information workshops and follow these up with one-on-one support surgeries, where we will work with Providers to complete and publish DSPT.


  • Ensures you are operating within the law – This may prevent any nasty GDPR fines
  • Meeting CQC regulations, as toolkit linked with KLOEs
  • Key to access NHS systems and data– Requirement for NHS/ Secure Mail, Online Proxy medications ordering, System One, iPad, hospital discharge information
  • READ this case study showing the benefits of Online Proxy medications ordering
UPDATE – September 2021
  • Read the recent case study: “The DSPT is not a theoretical model, the principles of the DSPT need to be applied daily to ensure data is secure.”
  • As a response to Covid and Cyber Security risks, the DSPT now part of Government’s Digital Transformation Plan : Click here
  • Publishing the Toolkit is now to be included as a requirement for commissioned services, written into contracts.
  • Publishing the Toolkit is a CQC expectation, and provides some answers to KLOEs – See the latest statement here: Click here

What others have said about our free, friendly and helpful support:

“You explained everything… I enjoyed your friendly approach. I was dreading the registration and had no idea where to start. You made it so nice & easy and helped me enormously… I regret not calling you earlier as that would have saved me lots of worries.” 

“Knowledgeable, professional and ever so efficient. We appreciate all the help and support. You have helped us complete our DSPT.”

“The sessions we had on the Data Security and Protection Toolkit were very informative and have helped in answering the questions, also given us the tools we need to have in place. Presentation was very good and easy to understand (love the examples given).Thank you once again and if I need any support will definitely be contacting you.”

“I completed the Data Security Protection Toolkit today!  We have used all the templates to create and update our policies. I wanted to thank you for your assistance at the beginning of this task… knowing you were there at the end of the phone helped.”

Get in touch with the team: / 01707 70 80 18


This support programme is part of the Better Security, Better Care programme, funded by NHSX to support data and cyber security across the adult social care provider sector. This support is aligned to Digital Social Care. 

Digital Social Care has produced a really useful reference guide to help small and medium sized Care Providers to understand, register and publish the Data Security and Protection Toolkit (DSPT) – Click here

Registering your DSPT

Setting up your organisation profile on DSPT

Ensuring you can complete your DSPT


  • Template Information Asset Register (IAR): Click here
  • Template Record of Processing Activities (RoPA): Click here
  • Guidance on documenting data in Information Asset Register and Record of Processing Activities: Click here
  • Template Privacy Notice: Click here
  • Template Data Protection Policy: Click here
  • Template Data Privacy Policy: Click here
  • Template Data Protection Impact Assessment (DPIA): Click here
  • Template Spot-checks audit checklist: Click here
  • Template Unsupported Software register: Click here


  • Once you have registered for a DSPT account, this short video will tell you what you need to set up your organisational profile: Click here (Thanks to WMCA for the use of their video)
  • More videos supporting DSPT: CLICK HERE


  • Digital Social Care offer free online events focussing on the data protection lead role in social care, adopting digital scoial care records, using iPads in social care organisations, and many more subjects: click here to see DSC’s latest events

Important – Protecting against scam / phishing emails:

Worried about scam emails? Know how to spot a scam email? Know what to do if a staff member has already clicked on a scam email?

  • Her Majesty’s National Cyber Security Centre has produced this helpful poster, which you may want to show your staff, or put on your office wall: Click here



Here is a recording of our Hertfordshire awareness-raising webinar 21st April 2021 – click here.   A copy of the slides used can also be downloaded here.

Webinar TitleDateTutorLocationStart timeRegister in advance for this meeting
HCPA DSPT Support - Staffing & Roles, Policies & ProceduresThu, 6 Oct Jo WilliamsZoom10:30Book now
HCPA DSPT Support - Introduction & RegistrationTue, 11 Oct Jo WilliamsZoom11:00Book now
HCPA DSPT Support - Data Security, IT Systems & DevicesThu, 27 Oct Jo WilliamsZoom10:30Book now


Here is a recording of our Essex awareness-raising webinar 26th April 2021 – click here

Webinar TitleDateTutorLocationStart timeRegister in advance for this meeting
DSPT - Policies & ProceduresWed, 12 Oct Sharon HayeZoom 10:30Book now
DSPT - Introduction to the ToolkitWed, 19 Oct Sharon HayeZoom 10:30Book now

General Overview of Data Security and Protection Toolkit

Plus accessing proxy online medications and NHS secure email: 1 Hour overview webinar and Q&A (suitable for either Hertfordshire or Essex Care providers)

Webinar TitleDateLocationStart timeRegister in advance for this meeting
HCPA NHSmail/Online Meds Ordering/DSPT General OverviewTue, 25 Oct Zoom11:00Book now

Never Completed DSPT

If you have never completed the Data Security Protection Toolkit (DSPT) here is some useful information

The DSPT provides you with a method of checking you are working within the law. Publishing the DSPT (44 simple questions) allows you to assert compliance with GDPR and NHS Data Standards: let’s you know you are doing what is expected of you.

  • You are required to publish DSPT if you have access to any NHS data systems (including NHS Mail).  As we increasingly work in a digital world the NHS intends to further open its systems to Adult Social Care providers. Access to NHS digital systems will transform the way you deliver care, but in order to access these services, providers must be able to demonstrate that they have adequate Data Protection policies in place.  This is where the Toolkit comes in.

Why do I need to do this?

  • Adult Social Care and the Health Services are inextricably linked and this is being demonstrated by the increasing importance and use of digital care and health systems.
  • During the COVID 19 pandemic the NHS encouraged care providers to sign up to NHS Mail and this has resulted in much more streamlined sharing of records and data.
  • The NHS does not want to lose what we have gained and it wants to further expand the data and systems that it can share with Adult Social Care.
  • The DSPT underpins all this as it shows that you have good data protection and security protections in place.
  • The DSPT is an extremely useful tool because it covers all areas of GDPR compliance that you as a Care Provider are required to implement, such as having up to date policies and ICO registration, ensuring you are operating within the law.
  • It is also a contractual requirement set by CCG’s and Local Authorities.
  • It is looked upon favourably by CQC (KLOE 2.8 Well Led).

What are the benefits?

  • Once you have completed the DSPT you can create free NHS secure email accounts, meaning you can securely pass data to the NHS and back again. For example, it allows GPs to send prescriptions to you securely.
  • It also includes Microsoft Teams video conferencing which is being used by doctors to carry out virtual consultations and meetings
  • DSPT compliance can also give you access to NHS records

What if I do need more help?

  • The DSPT has been rewritten to make it simple to understand and complete
  • Completing the DSPT is not a 5 minute job and requires some preparation beforehand, so a program of free support is available to help you successfully complete the Toolkit, both at a national level and locally.
  • Digital Social Care website has lots of online resources and templates you can access, and they are also delivering a series of webinars to give you more information about the DSPT.
  • HCPA has information on what you need to complete the Toolkit (please see the section titled “Resources”) and we’ve also put together a program of information webinars you can attend, where we can talk you through the Toolkit, allowing you to complete it – with our help – while you are on the webinar.
  • A getting started guide has been created by Digital Social Care: Click here

Registering for DSPT:

  1. Visit here and find your NHS ODS code / see if your organisation or site has already registered or published DSPT NOTE: For individual sites / services, this code should start with letter V, groups completing one DSPT on behalf of multiple sites will have a code which starts with letter A
  2. Visit: here – You will be asked to enter your email address and ODS code
  3. A registration email will be sent, which is good for 24 hours only
  4. Find this email (may go to your Spam folder) and click into the link to set up your password
  5. To book onto an Information webinar, please email us at (stating that you have no experience of the DSPT) or call us on 01707 70 80 18,
  6. After attending an information webinar, we can ensure you receive any further support required to publish your DSPT.

HCPA are here to support you 100% and all support is provided for free

Previously Completed to Entry Level

If you have completed the DSPT to ENTRY LEVEL in the last 12 months you are required to take the following action

  • The Bad News:  The Entry Level DSPT standard has now been withdrawn and all Care Providers at this level are required to work towards completing the DSPT to Standards Met, particularly if you have an NHS Mail account.
  • The Good News: The DSPT Toolkit was updated on the 1 December and many questions have either been removed, rewritten or simplified.  We are here to support you with this.
  • Digital Social Care have created a guidance document showing how the questions have changed: Click here

What do I need to do next?

  • Get in touch with the team and we will support you with everything you could need: / 01707 70 80 18



Previously Completed to Standards Met

If you have completed the DSPT to STANDARDS MET in the last 12 months you are required to take the following action

The questions within the DSPT were updated on the 1st December 2020, so even if you published your DSPT in November 2020 (or before) you will need to sign in again to make sure that your submission is up to date for the 2020/2021 DSPT Year.

Why do I need to do this?

  • As you have published the DSPT before at Standards Met, this should not take you too long to do.  You will need to sign into your DSPT account and answer the new questions.. Any questions that have not been changed from the previous version will have your answers carried over.

What if I need more help?

  • The new version of the Toolkit is written in much plainer language and each question has comprehensive guidance as to what is required, so we think most providers should find it very straightforward.
  • Digital Social Care have created a guidance document to show the changes in the new Toolkit:  Click here
  • The HCPA Team are here to help and support you – Get in touch with the team today: / 01707 70 80 18


The Law / CQC / Contracts

Why it is now essential to complete DSPT?

  • The Data Security and Protection Toolkit is official and well-recognised. Completing this toolkit shows that you care about the personal data of your clients, their families and your staff.
  • Central and local government bodies, local authority and CCG commissioners, the Care Quality Commission and the National Data Guardian recognise this as the official tool to evaluate your compliance with legal requirements, Data Security Standards and good practice.

By completing and publishing the toolkit on an annual basis (reaching Standards Met) you will be able to:

  • reassure people who use services, their families and your staff that you are managing their information safely. Most people expect you to share information with others who support them – but you must do this securely and legally.
  • answer the Care Quality Commission’s Key Line of Enquiry questions about how you manage data securely (see below)
  • demonstrate that you meet legal requirements including Data Protection Legislation and the Data Security Standards
  • access key services such as free NHS mail, shared care records, etc.

Social care providers who provide care through the NHS Standard contract or through Local Authority commissioning need to complete and publish the new DSP Toolkit as a part of any new contracts (Mandatory).

CQC guidance to Care Providers:

  • Publishing the Toolkit is a CQC expectation, and provides some answers to KLOEs – See the latest statement here: Click here

CQC assess digital records systems and paper records against the relevant key lines of enquiry and the characteristics of ratings. All records must comply with:

  • Regulation 17 Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.
  • Accessible Information Standard.
  • Data protection legislation (including GDPR) requirements.
  • Data Security and Protection Toolkit (where providers have access to NHS patient data and systems).

Click here

All health and care organisations must assure themselves they are implementing the data security standards and meeting their statutory obligations on data protection and data security. This comes under well-led, key line of enquiry W6 “Is appropriate and accurate information being effectively processed, challenged and acted on?”


Skip to content