NHS DSPT: 3 Common Struggles for Support Organisations

Struggling with the NHS DSPT? Learn the 3 reasons support organisations fail to meet the standard and discover practical steps to achieve compliance.

· DSP Toolkit

For any organisation providing software, IT support, or consultancy services to the NHS, the Data Security and Protection Toolkit (DSPT) is a mandatory requirement. Achieving a 'Standards Met' status is not merely a compliance exercise; it is fundamental to maintaining trust and securing access to NHS systems and data. Without it, contracts can be jeopardised and access revoked.

Yet, many support organisations, from technology start-ups to established service providers, find the toolkit challenging. Its language and structure are rooted in the clinical environment of NHS Trusts and GP practices, creating a significant barrier for those in the technology sector. This is a common and understandable difficulty.

The purpose of the DSPT is to ensure that patient data is handled safely and securely, in line with the principles of the UK GDPR. It is a framework for demonstrating good practice. For suppliers, it shows the NHS that you are a responsible partner in protecting sensitive information.

This article will explain the three most common reasons why support organisations struggle with their NHS DSPT submission. More importantly, it provides practical, actionable steps to overcome these challenges, helping you build a sustainable and proportionate approach to compliance. For a detailed overview, new suppliers should review our essential guide for non-NHS suppliers and start-ups.

1. The Challenge of Clinical Terminology

A primary hurdle for technology companies is the clinical language used throughout the DSPT. Assertions that reference 'Patient Safety', 'Clinical Risk Management', or 'Caldicott Guardians' can seem irrelevant to an organisation that manages servers or develops software. The immediate response is often to mark these as 'not applicable'.

This approach is a significant mistake. The NHS expects suppliers to translate these clinical concepts into their own operational context. Failure to do so demonstrates a misunderstanding of the risks your services can pose to patient care, even indirectly. The DSPT is built upon the ten NHS Data Security Standards, which apply to everyone.

How to Translate Clinical Requirements into Technical Controls

The solution is to reframe the questions. You must map the clinical requirement to an equivalent operational security principle within your own organisation. This is a critical exercise in accountability and risk assessment.

Consider these practical translations:

  • When the DSPT asks about 'Patient Safety': Think 'Data Integrity and Availability'. If your system fails or data is corrupted, could this delay a diagnosis or lead to an incorrect clinical decision? Your business continuity and disaster recovery plans are your evidence here.

  • When the DSPT asks about 'Caldicott Guardian' principles: Think 'Data Access Controls and Confidentiality'. This relates to ensuring that only authorised individuals can access patient data and that there is a senior person in your organisation responsible for its protection.

  • When the DSPT asks about 'Clinical Risk': Think 'Information Risk Management'. This involves identifying, assessing, and mitigating risks to the confidentiality, integrity, and availability of the data you process.

Practical Steps for Translation

  1. Do not skip assertions: Address every assertion, even if it sounds purely medical. Document your reasoning clearly.

  2. Create a mapping document: For each clinical-sounding requirement, write down what it means for your specific service or product.

  3. Focus on impact: Analyse how a failure in your service could ultimately impact patient care. This is the core of the risk assessment process.

2. Treating the DSPT as a Once-a-Year Administrative Task

Another common pitfall is viewing the annual 30th June submission deadline as a singular event, similar to filing a tax return. This leads to a last-minute scramble to gather information, write policies, and generate evidence. This approach is fundamentally at odds with the toolkit's purpose.

The DSPT requires contemporaneous evidence. This means records, logs, and documentation that were created at the time an activity took place. If the toolkit asks for staff training records or system audit logs from six months ago, you cannot create them retrospectively in June. The submission is a reflection of ongoing activity, not a standalone project.

Moving from a 'Project' to a 'System' Mindset

Effective compliance means embedding information governance into your organisation's daily operations. It should be a continuous process of management and review, not a yearly burden. This is the essence of the accountability principle within UK GDPR, which requires organisations to take responsibility for their data processing activities and be able to demonstrate it.

Adopting a 'system' mindset ensures that when the submission window opens, you are simply collating existing, up-to-date evidence. This approach reduces stress, improves the quality of your submission, and builds a more resilient security posture. Truly demonstrating UK GDPR accountability is about having these processes in place year-round.

Checklist for Continuous DSPT Management

  • Quarterly Reviews: Schedule regular reviews of key documents like your Information Asset Register, risk register, and data flow maps.

  • Ongoing Training: Implement an annual refresher for data protection training and maintain a log of completion dates for all staff.

  • Incident Logging: Ensure you have a clear process for logging all security incidents, no matter how small, as they occur.

  • Document Control: Use version control for all policies and procedures to show a history of review and updates.

3. Over-Engineering Evidence and Ignoring Proportionality

Faced with the formal language of the DSPT, many organisations overcompensate. They write excessively long, complex policies and evidence documents, believing that volume equates to compliance. This often leads to 'compliance fatigue', where the task becomes so overwhelming that progress stalls and leadership disengages.

The NHS does not expect a ten-person software company to have the same information governance infrastructure as a 5,000-employee hospital trust. The key principle is proportionality. Your controls and evidence should be proportionate to the size of your organisation and the specific risks associated with the data you process. This aligns with the risk-based approach advocated by the Information Commissioner's Office (ICO).

Applying a Risk-Based, Proportionate Approach

Instead of aiming for perfection, focus on demonstrating effective risk management. Your evidence should be clear, concise, and directly address the assertion's requirement. A simple, well-written paragraph that explains your control is often more valuable than a 50-page generic policy document.

Risk-Based Decision Prompts

Before creating evidence, ask yourself these questions:

  • What is the specific risk to patient data that this assertion addresses?

  • What practical control do we have in place to mitigate this specific risk?

  • How can we document this control in the clearest and most direct way?

  • Is this control reasonable and proportionate for an organisation of our size and function?

This focus helps you build resilient information governance frameworks that are practical to maintain, rather than just ticking boxes for an annual audit.

Myth vs. Fact: Common NHS DSPT Misconceptions

Addressing common myths can help clarify the process and reduce anxiety.

Myth: The DSPT only applies to large NHS organisations.

Fact: The DSPT is mandatory for any organisation that processes data shared by the NHS or provides IT systems and services that handle NHS data. This includes small software developers, IT support companies, and consultants.

Myth: We can mark most technical assertions as 'Not Applicable' if we use a third-party cloud provider like AWS or Azure.

Fact: While you can rely on your provider's certifications for physical security, you remain responsible for configuring the services securely, managing access controls, and overseeing data processing. You must provide evidence of your own governance and configuration, not just your provider's.

Myth: Achieving 'Standards Met' once is sufficient.

Fact: The DSPT is an annual assessment. You must review and republish your submission every year to demonstrate ongoing compliance and reflect any changes in your organisation or the services you provide.

Frequently Asked Questions (FAQ)

What happens if we do not achieve 'Standards Met'?

A 'Standards Not Met' status can have serious commercial consequences. NHS organisations are contractually obliged to ensure their suppliers meet the standard. Failure to do so can lead to suspension of access to data, termination of existing contracts, and exclusion from future procurement opportunities.

How does the NHS DSPT relate to UK GDPR and ISO 27001?

The DSPT is the official framework for demonstrating compliance with the data protection and security requirements of the UK GDPR within the health and care sector. If you hold a valid ISO 27001 certification, it can be used as evidence for many of the DSPT assertions, but it does not replace the need to complete the toolkit.

Do we need to appoint a Data Protection Officer (DPO)?

Under UK GDPR, you must appoint a DPO if you are a public authority or if your core activities involve large-scale, regular, and systematic monitoring of individuals or processing of special category data. Many suppliers to the NHS will meet this threshold. Even if not mandatory, appointing a person with formal responsibility for data protection is a requirement of the DSPT. For many small to medium-sized enterprises, using an external Data Protection Officer service is a proportionate and effective solution.

Navigating the NHS DSPT can feel like a significant challenge, but it is an achievable one. By translating clinical language into operational controls, embedding compliance into your daily processes, and applying a proportionate, risk-based approach, you can meet the required standard effectively.

Completing the DSPT is more than a regulatory hurdle; it is a positive differentiator. It demonstrates to your NHS partners that you are a trustworthy custodian of sensitive patient data, strengthening your position in the marketplace and enabling you to continue your vital work supporting the health and care system.

If your organisation is struggling to interpret the requirements or gather the necessary evidence, seeking specialist guidance can provide the clarity and structure needed to progress your submission with confidence.