What is DSPT?
The DSPT — Data Security and Protection Toolkit — is an annual online self-assessment against the National Data Guardian's security standards. Any organisation with access to NHS patient data or systems must complete it each year. For private clinics, a vendor's current DSPT status is a quick, checkable signal of data-security maturity.
The toolkit covers staff training, access controls, incident response, technical security and data-protection governance, and the completed assessment is published: you can look up any organisation's status on the DSPT website. The standards are reviewed annually, so "DSPT compliant" only means anything with a year attached; the question to ask of any vendor is whether their current-year assessment shows "Standards Met" (or exceeded).
Private-only clinics aren't required to complete the DSPT unless they access NHS data or systems (for example through NHS contracts, or systems like NHSmail). Where it earns its place in a private clinic's due diligence is on the vendor side: a clinic AI supplier that processes patient data and maintains a published 'Standards Met' DSPT has accepted external, annual, NHS-grade scrutiny — which is more than a privacy policy proves.