- What is the NHS Data Security and Protection Toolkit (DSPT)?
- Challenges NHS trusts face with DSPT implementation
- How AD360 addresses NHS DSPT requirements
- Cyber Assessment Framework vs NHS Data Security and Protection Toolkit
- FAQs
- Final thoughts: Strengthen data governance, earn patient trust with AD360
The NHS handles some of the most sensitive data in the UK—medical histories, patient records, and care pathways—making it a prime target for cyberattacks. A single breach can compromise patient safety, erode public trust, and result in severe regulatory penalties.
To address these risks, NHS England (which absorbed NHS Digital in 2023) mandates the use of the NHS Data Security and Protection Toolkit (DSPT) for all organisations that handle NHS patient data. Whether you are an NHS trust, a GP surgery, a care provider, or a technology supplier, DSPT compliance is a non-negotiable requirement for doing business with the NHS.
This blog explores how ManageEngine AD360—a unified identity and access management solution—enables NHS trusts to simplify and sustain DSPT compliance. From access control to incident management, discover how AD360 aligns with the DSPT’s 10 standards to fortify NHS data governance and enhance overall healthcare identity management.
What is the NHS Data Security and Protection Toolkit (DSPT)?
The DSPT is a mandatory annual self-assessment framework that lets healthcare organisations demonstrate their commitment to patient data security. Originally developed by NHS Digital and now maintained by NHS England, the DSPT ensures that organisations align with the National Data Guardian's 10 Data Security Standards and meet their legal obligations under UK GDPR and NHS information governance policies.
DSPT compliance is required for all organisations that process or have access to NHS patient information, including NHS trusts, GP practices, care homes, IT system suppliers, and cloud service vendors. The toolkit helps these organisations:
- Assess their current data security posture.
- Identify and close security and compliance gaps.
- Demonstrate responsible data handling and governance practices.
In addition to legal compliance, DSPT supports alignment with other frameworks like Cyber Essentials, enhancing overall NHS cybersecurity maturity.
Who must comply with the NHS DSPT?
- NHS trusts and hospitals
- GP practices and clinics
- Social care providers
- NHS suppliers, digital health companies, and IT consultancies
- Any organisation handling NHS patient data, whether based in the UK or abroad
Why is the NHS DSPT essential for cybersecurity?
- Protects patient data: Ensures confidential health records are collected, processed, and stored securely.
- Builds trust: Demonstrates your organisation’s commitment to NHS data protection standards and UK GDPR.
- Enables business: DSPT compliance is required to win and retain NHS contracts.
- Reduces risk: Minimises the likelihood and impact of data breaches, regulatory penalties, and reputational harm.
Key components of the NHS DSPT
What makes DSPT significant is its focus on continuous security improvement across three core areas:
- Information governance: Ensuring proper data handling and protection.
- Risk management: Identifying and mitigating security threats.
- Access accountability: Tracking who accesses what data and when.
Challenges NHS trusts face with DSPT implementation
Achieving and maintaining compliance with the NHS DSPT is a complex, ongoing process—especially for trusts operating within fragmented or legacy IT environments. Below are some of the most significant challenges NHS organisations encounter:
- Manual identity provisioning across multiple systems: Many NHS trusts rely on a patchwork of clinical, administrative, and legacy systems. Without automated identity management, onboarding or offboarding staff becomes a labour-intensive process prone to delays and human error. This increases the risk of inappropriate access, particularly when temporary or agency staff require swift provisioning and deprovisioning.
- Lack of unified access visibility: Siloed IT systems make it difficult for security teams to gain a single, consolidated view of who has access to which data and applications. Without that view, privilege creep, where staff accumulate excessive permissions over time, goes undetected, and inappropriate or risky access patterns are harder to spot.
- Difficulty in revoking outdated or excessive permissions: As roles evolve and staff move between departments, permissions are often granted but rarely reviewed or revoked. Without automated processes and regular access reviews, outdated or unnecessary privileges can persist, increasing the risk of insider threats or accidental data exposure.
- Insufficient audit trails for accountability and reporting: Comprehensive audit logging is a core DSPT requirement, but many trusts struggle to maintain detailed, tamper-proof records of access and administrative actions across all systems. This makes it challenging to investigate incidents, demonstrate compliance during DSPT audits, and hold staff accountable for their actions. This is where advanced audit tools for NHS environments become critical.
- Legacy systems and limited cybersecurity resources: Many NHS trusts still depend on legacy applications that lack modern security features or integration capabilities. Coupled with stretched IT teams and limited cybersecurity expertise, this makes it difficult to implement consistent controls, keep up with evolving threats, or respond quickly to incidents.
These challenges not only complicate DSPT compliance but also expose NHS trusts to greater risk of data breaches, regulatory penalties, and operational disruption. Addressing them requires a unified, automated approach to identity and access management—one that delivers visibility, control, and auditability across the entire healthcare IT environment.
How AD360 addresses NHS DSPT requirements
AD360 simplifies DSPT implementation by delivering identity and access controls that map directly to the National Data Guardian's 10 Data Security Standards. It supports centralised access control, automates identity governance, and provides real-time auditing and compliance reporting, all of which are central to meeting the DSPT's expectations.
AD360 support for each of the 10 DSPT Standards
Below is a standard-by-standard breakdown of how AD360 supports DSPT compliance.
1. Personal confidential data
DSPT Requirement (Standard 1)
All staff must ensure that personal confidential data (PCD)—including patient records, medical histories, and other sensitive information—is handled, stored, and transmitted securely, whether in electronic or paper form. Data must only be shared for lawful and appropriate purposes, and organisations must demonstrate compliance with UK GDPR. Typical responsible departments: Legal, Information Governance, Data Security & Protection, and Risk Management.
How AD360 helps
- Policy-based access control: Enforces granular, role-based access and conditional policies, ensuring only authorised NHS staff can access or share sensitive patient data.
- Comprehensive auditing and reporting: Logs access to and modification of confidential data held on audited systems, attributing each event to a user, and so provides the audit trail needed for compliance evidence and rapid incident response. This simplifies DSPT and UK GDPR reporting requirements.
2. Staff responsibilities
DSPT Requirement (Standard 2)
All staff must be aware of their responsibilities under the National Data Guardian’s Data Security Standards. This includes being accountable for how they handle information, understanding the consequences of breaches, and knowing that their IT usage is logged. Staff should feel empowered to report insecure behaviours or system flaws without fear of reprisal. Responsible departments: Information Governance, Data Security, and HR.
How AD360 helps
- End-to-end activity tracking: Logs every user and administrator action, attributing all activity to specific individuals.
- Automated alerts and accountability: Fosters a culture of accountability and enables swift corrective action with real-time notifications for policy violations or unusual activity.
3. Training
DSPT Requirement (Standard 3)
All staff must receive information governance and cybersecurity training appropriate to their role. Organisations must set training requirements, monitor completion, and adapt content and delivery methods to suit their size and type. Evidence of ongoing training and awareness is required.
4. Managing data access
DSPT Requirement (Standard 4)
Access to personal confidential data must be limited to staff who need it for their current role. Access must be removed promptly when no longer required. The principle of least privilege is enforced, and all access is linked to individual users. Privileges must be actively managed to prevent privilege creep, and a forensic trail must be maintained.
How AD360 helps
- Automated provisioning and deprovisioning: Ensures users only have access relevant to their current role, with prompt removal when roles change or staff leave. This is central to effective identity access management in healthcare.
- Delegated administration: Allows department heads to manage access securely within their teams without over-provisioning.
- Behavioural analytics: Detects anomalies such as privilege escalations, suspicious logins, or access outside normal patterns, supporting proactive risk management.
5. Process reviews
DSPT Requirement (Standard 5)
Security processes and access rights must be reviewed at least annually. Lessons learned from breaches or near-misses should be used to improve security. User input is encouraged to identify high-risk behaviours and find solutions that do not impede workflows. Reviews must be documented and improvements implemented.
How AD360 helps
- Access certification and review: Schedules automated access reviews to identify and revoke unnecessary privileges, critical for DSPT audits.
- Forensic reporting: Generates detailed reports and analytics for governance meetings, ensuring ongoing compliance and continuous improvement.
6. Responding to incidents
DSPT Requirement (Standard 6)
Organisations must be able to detect, resist, and respond to cyberattacks, following CareCERT guidance. Breaches or near-misses must be acted upon immediately, with senior management informed within 12 hours and significant incidents reported to CareCERT without delay.
How AD360 helps
- Automated incident response: Triggers immediate actions (e.g., account disablement, session termination) with policy-based workflows when threats are detected, reducing response times.
- Forensic audit trails: Maintains detailed logs to support incident investigation, root cause analysis, and regulatory reporting.
7. Continuity planning
DSPT Requirement (Standard 7)
A tested continuity plan must be in place to handle data security threats, including major breaches or near misses. Annual business continuity exercises are required, and results must be reported to senior management. Plans should be practical, with key personnel trained to respond effectively.
How AD360 helps
- Rapid recovery: Backs up and restores access configurations, ensuring minimal disruption to clinical operations during incidents.
- Compliance reporting: Provides predefined audit reports to demonstrate readiness and support annual continuity exercises.
8. Unsupported systems
DSPT Requirement (Standard 8)
No unsupported or end-of-life operating systems, software, or browsers are permitted within the NHS IT estate, including those used by key IT suppliers and by operators of essential services in scope of the Network and Information Systems (NIS) Regulations. Regular asset reviews are required to identify and remediate legacy risks.
9. IT protection
DSPT Requirement (Standard 9)
IT infrastructure must be secured, with privileged accounts monitored and protected. Organisations must implement strong authentication, password policies, and continuous monitoring for risky changes.
How AD360 helps
- Privileged account monitoring: Tracks and audits all privileged user activity, detecting risky changes or misuse of elevated permissions.
- Strong authentication: Enforces multi-factor authentication and robust password policies across all accounts, which is foundational to robust healthcare identity management.
10. Accountable suppliers
DSPT Requirement (Standard 10)
IT suppliers must protect personal confidential data and follow the National Data Guardian's Data Security Standards, as set out in their contracts. They must understand their UK GDPR obligations and help customers balance security and usability. Because suppliers serve many organisations, they play a key role in reducing cyber risk, so strong risk management requirements belong in contracts. Suppliers must also ensure their software runs on supported operating systems, browsers, and plugins.
Cyber Assessment Framework vs NHS Data Security and Protection Toolkit
Note that the two are converging: from the 2024-25 assessment year, the DSPT for NHS trusts, integrated care boards, commissioning support units and arm's-length bodies is aligned with the NCSC's Cyber Assessment Framework (CAF). The table below contrasts the NCSC CAF with the traditional standards-based DSPT that still applies to other organisations.
| Aspect | Cyber Assessment Framework (CAF) | Data Security and Protection Toolkit (DSPT) |
|---|---|---|
| Purpose | To assess and improve the cybersecurity posture of organisations that run essential services, including NHS organisations. | To assess the level of data security and protection practice in organisations that handle NHS patient data. |
| Focus | Cybersecurity across the organisation, covering governance, risk management, and system and network security. | Data security and privacy, with a focus on UK GDPR compliance and data governance. |
| Primary audience | Operators of essential services in scope of the NIS Regulations; within the NHS, larger bodies such as trusts and arm's-length bodies. | All organisations that handle NHS patient data, from trusts to GP practices, care providers and suppliers. |
| Assessment method | Outcome-based assessment against the CAF's objectives and contributing outcomes, using indicators of good practice (achieved, partially achieved, not achieved). | Self-assessment against assertions and evidence items, followed by an annual submission for compliance verification. |
| Governance | Clear leadership with roles and responsibilities for cybersecurity; necessary involvement of senior management. | Requires a Data Protection Officer (DPO) role and clear accountability for data security governance. |
| Data protection | Secures patient and sensitive data from unauthorised access or loss. | Focuses on protecting patient data in line with UK GDPR, ensuring confidentiality and integrity. |
| Incident response | Provides a structured approach for detecting, responding to, and recovering from incidents. | Includes detailed requirements for reporting breaches and managing data-related incidents. |
| Risk management | Involves identifying, managing, and mitigating cybersecurity risks. | Assesses the organisation's approach to managing data security risks and impact assessment. |
| System and network security | Focuses on securing IT infrastructure and systems, including vulnerability management. | Less focused on system and network security; more on data management practices. |
| Training and awareness | Staff must be educated and trained on cybersecurity threats and best practices. | Focuses heavily on staff training regarding UK GDPR compliance and data handling procedures. |
FAQs: Using AD360 for streamlined DSPT compliance
What is the NHS DSPT?
The DSPT is an annual self-assessment tool mandated by NHS England that helps healthcare organisations, including local authorities and suppliers, measure their compliance with data security and personal information governance standards. It ensures that patient data is handled securely and in line with UK GDPR and NHS requirements.
Can AD360 help with DSPT audit reporting?
Yes. It provides structured access reports, logs, and alerts aligned with DSPT evidence requirements, reducing manual collation. Its audit tools for NHS reporting streamline the submission process.
Is AD360 suitable for smaller NHS organisations?
Yes. AD360 scales to organisations of all sizes, simplifying complex compliance requirements through automation and unified identity management, which reduces the burden on limited IT resources.
How does AD360 respond when an account is compromised or a threat is detected?
Automated workflows trigger immediate account suspension and log all related activity to aid reporting and analysis.
Does AD360 support other frameworks beyond the DSPT?
Yes. While this post focuses on the DSPT, AD360's identity governance and access management capabilities also support compliance with frameworks such as the CAF, Cyber Essentials, and UK GDPR by centralising security controls.
Final thoughts: Strengthen data governance, earn patient trust with AD360
The DSPT framework is more than a regulatory obligation—it’s a way for NHS trusts to operationalise trust, safety, and security across their services. But checklists don’t protect patients—actionable controls do.
ManageEngine AD360 empowers NHS IT teams to implement those controls with confidence. By automating access governance, monitoring identity risk, and aligning operations with NHS standards, AD360 transforms compliance from a reactive chore into a proactive safeguard.