Recent studies show many care providers are not meeting their legal duties with regard to data protection law / GDPR. They are also not taking steps to reduce the risk to their business of a cyber-attack or data breach. To use digital services such as NHSmail, Online Ordering of Medications (also known as Proxy Medication Ordering) and GP Connect, providers MUST ensure they are compliant with the law and have good practice in place with their cyber security.

The most effective and efficient way to check if you are complaint is by completing and publishing the DSPT. It is a a prerequisite for all these digital services.


The Data Security and Protection Toolkit (DSPT) is an annual self-assessment for health and care organisations. The questions cover Roles and Staff Training, Policies and Procedures, Data Security and IT Systems and Devices.

Answering just 27 questions initially take a provider to “Approaching Standards” which enables access to NHSmail.  Answering a further 15 questions provides a nationally recognised status of “Standards Met” and allows access to other NHS digital initiatives such as Online Ordering of Medications.

Publishing the toolkit is a requirement for NHS contracts and is increasingly becoming a requirement for local authority contracts.  CQC would expect you to have published the assessment annually to be able to demonstrate you are meeting their quality statements.

If you already have good GDPR and cyber security practices in place, the toolkit takes around 40 minutes to publish.  If your data protection and cyber security measures are not up to scratch, HCPA can help (for FREE).

Since March 2021 HCPA has been commissioned to support all registered providers in Hertfordshire and Essex to complete the DSPT.

Click here to go to the DSPT assessment website.  You will need to register an account to view your assessment.  We can help you with that as well as guide you through all of the questions.

To express an interest in obtaining support to complete your toolkit, please email the DSPT team at: or call us via: 01707 70 80 18.

We can signpost you to really helpful tools and templates to help you keep your personal data safe such as resources for staff training to help with cyber-awareness, example data protection policies, guidance on how to keep the information on your systems and mobile devices safe, etc

Click here to access lots of useful information on the HCPA DSPT support webpages.


NHSmail – Secure email

Most email systems are not secure and using these to share personal data might mean a prosecution or a fine. NHS Mail is a free, fast and secure method of communication between GP Practices and Care Homes, hospitals and other clinical and community services. It allows the secure sharing of information, complying with the GDPR as well as regulations for CQC and other statutory bodies.

Click here to view our NHSmail support page which includes FAQs and a directory of NHSmail addresses for Hertfordshire’s Care Sector

For sustained access to NHSmail, providers must publish an annual Data Security and Protection Toolkit