The NHS Digital Security and Protection Toolkit is an online self-assessment tool that NHS organisations and their suppliers must complete annually. Failure to achieve "Standards Met" status can result in suspension from NHS systems access — a commercially significant outcome for technology suppliers. Despite the stakes, DSPT failures are common, and they follow a consistent pattern: the engineering team delivered a system, and then someone tried to make it DSPT-compliant.
The DSPT has ten data security standards. Seven of them are engineering standards dressed in policy language. Understanding which assertions map to which engineering implementations is the difference between a genuine assessment and a documentation exercise that fails the next spot check.
The Mandatory Evidence Items That Fail Engineering Teams
Data Security Standard 1 (Personal Confidential Data) requires that all staff with access to personal data have undertaken annual data security training and that access to personal data is limited to what is required for their role. Standard 1's Mandatory Evidence Item 1.3 requires that the organisation can demonstrate where its personal and sensitive data is held and processed — the "data flow mapping" requirement. Most suppliers can produce a DPIA narrative. Few can produce a live data flow map that accurately reflects their current architecture.
Standards 2 (Staff Responsibilities) and 3 (Training) are mainly HR and training matters. Standard 4 (Managing Data Access) is where engineering failures concentrate. Its Mandatory Evidence Items include: demonstration that system access is reviewed regularly, evidence of role-based access control implementation, evidence that leaver accounts are deactivated within X days, and evidence of MFA implementation.
The Standard 4 access review requirement catches a pattern we see frequently in NHS supplier systems: access control was implemented at go-live and never revisited. The initial user population was provisioned correctly, but over 18 to 24 months role changes, staff departures and new joiners produce a state in which access rights no longer match current roles. The assessment asks whether access is reviewed regularly, and whether you can show it; a manual review is rarely done on schedule and rarely leaves the dated evidence an assessor will ask for.
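One way to make the quarterly review automatic, shown here as an added example rather than code from the article or from any NHS tooling: reconcile the application's user export against the HR roster and emit a dated list of findings that becomes the review's evidence. The roster, user list, leaver grace period and dormancy threshold below are constructed assumptions; the DSPT evidence item sets its own deactivation window.

```python
"""Automated access review: reconcile application accounts against the HR roster.

Added example, not code from the article. The HR export, the application user
export, the leaver grace period and the dormancy threshold are all constructed
assumptions; a real run would pull the two exports from the HR system and the
product's user store and keep the output as the review's evidence.
"""
from datetime import date

# Constructed HR export: one record per person HR knows about.
HR_ROSTER = [
    {"employee_id": "E100", "email": "a.khan@example.org", "role": "clinician", "status": "active"},
    {"employee_id": "E101", "email": "b.lee@example.org", "role": "admin", "status": "active"},
    {"employee_id": "E102", "email": "c.ng@example.org", "role": "clinician", "status": "leaver",
     "leave_date": "2024-01-15"},
    {"employee_id": "E103", "email": "d.osei@example.org", "role": "support", "status": "active"},
]

# Constructed export from the application's user store.
APP_USERS = [
    {"username": "a.khan@example.org", "role": "clinician", "enabled": True, "last_login": "2024-03-01"},
    {"username": "b.lee@example.org", "role": "admin", "enabled": True, "last_login": "2024-03-02"},
    {"username": "c.ng@example.org", "role": "clinician", "enabled": True, "last_login": "2024-01-10"},
    {"username": "d.osei@example.org", "role": "admin", "enabled": True, "last_login": "2023-09-20"},
    {"username": "svc-legacy@example.org", "role": "admin", "enabled": True, "last_login": None},
]

REVIEW_DATE = date(2024, 3, 31)  # the day the quarterly review is run
LEAVER_GRACE_DAYS = 5            # assumed deactivation SLA; substitute the figure in your DSPT evidence item
DORMANT_DAYS = 90                # assumed: an enabled account unused this long is a finding


def review_access(hr_roster, app_users, today, leaver_grace_days=LEAVER_GRACE_DAYS, dormant_days=DORMANT_DAYS):
    """Return (username, finding_code, detail) for every enabled account that needs action."""
    hr_by_email = {r["email"].lower(): r for r in hr_roster}
    findings = []
    for user in app_users:
        if not user["enabled"]:
            continue  # disabled accounts are out of scope for the access review
        name = user["username"].lower()
        person = hr_by_email.get(name)
        if person is None:
            # Service or orphaned accounts: nobody in HR owns them, so nobody reviews them.
            findings.append((name, "NO_HR_RECORD", "enabled account with no matching person in HR"))
            continue
        if person["status"] == "leaver":
            left = date.fromisoformat(person["leave_date"])
            overdue = (today - left).days - leaver_grace_days
            state = f"{overdue} days past the deactivation window" if overdue > 0 else "inside the deactivation window"
            findings.append((name, "LEAVER_ACTIVE", f"left on {left}, {state}"))
            continue  # once flagged as a leaver, role and activity checks are irrelevant
        if person["role"] != user["role"]:
            # Role drift: the app still grants a role HR no longer assigns.
            findings.append((name, "ROLE_MISMATCH", f"app role {user['role']!r} vs HR role {person['role']!r}"))
        last = user["last_login"]
        if last is None:
            findings.append((name, "NEVER_USED", "enabled account with no recorded login"))
        elif (today - date.fromisoformat(last)).days > dormant_days:
            findings.append((name, "DORMANT", f"last login {last}, over {dormant_days} days ago"))
    return findings


if __name__ == "__main__":
    # Dated report: file it, with the actions taken, as the evidence for this quarter's review.
    print(f"Access review as of {REVIEW_DATE}")
    for name, code, detail in review_access(HR_ROSTER, APP_USERS, REVIEW_DATE):
        print(f"  {code:<14} {name:<28} {detail}")
```

Scheduling this against the live exports each quarter gives the assessor a dated output per run; the review is the act of closing each finding and recording what was done. Matching on email is an assumption of the sample data; a real reconciliation should key on an HR identifier carried into the identity provider, since email aliases drift too.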
Standard 6: Cyber Security
Standard 6 requires compliance with the Cyber Essentials scheme; specifically, organisations storing NHS patient data must achieve Cyber Essentials Plus certification. Cyber Essentials Plus adds independent assessor verification of the five technical controls: firewalls, secure configuration, user access control, malware protection and patch management. The patch management control, which requires security updates for high-risk vulnerabilities to be applied within 14 days of their release, is the one most NHS supplier systems fail, because meeting it needs a patch process that is both rapid and tested, and the 14-day clock starts when the vendor publishes the fix, not when the team notices it.
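A practitioner wants the 14-day window measured, not asserted. The following is an added example, not code from the article or from the Cyber Essentials scheme: it classifies each scanner finding against the SLA from the date the fix was published and produces the totals an assessor asks for. The findings are constructed, and the CVSS threshold used to decide what counts as high risk is an assumption to align with the scheme's current definition.

```python
"""Patch SLA check over vulnerability scanner output.

Added example, not code from the article or from the Cyber Essentials scheme.
The findings are constructed; the 14-day window is the Cyber Essentials figure
quoted in the text, and the CVSS threshold for "high risk" is an assumption.
"""
from datetime import date, timedelta

SLA_DAYS = 14           # window from fix availability to deployment for high-risk issues
HIGH_RISK_CVSS = 7.0    # assumed threshold for "high risk"; align with the scheme's definition
AS_OF = date(2024, 3, 31)  # date the check is run

# Constructed scanner findings: when the vendor fix was published and when (if) it was deployed.
SCAN_FINDINGS = [
    {"id": "F-1", "host": "app-01", "cvss": 9.8, "fix_published": "2024-03-01", "remediated": "2024-03-10"},
    {"id": "F-2", "host": "app-02", "cvss": 8.1, "fix_published": "2024-03-01", "remediated": "2024-03-20"},
    {"id": "F-3", "host": "db-01",  "cvss": 7.5, "fix_published": "2024-03-20", "remediated": None},
    {"id": "F-4", "host": "web-01", "cvss": 7.2, "fix_published": "2024-03-05", "remediated": None},
    {"id": "F-5", "host": "web-01", "cvss": 4.3, "fix_published": "2024-01-01", "remediated": None},
]


def sla_status(finding, as_of=AS_OF, sla_days=SLA_DAYS, threshold=HIGH_RISK_CVSS):
    """Return (status, days_late) where status is one of met, breached,
    open_within_sla, open_overdue or out_of_scope; days_late is 0 when on time."""
    if finding["cvss"] < threshold:
        return "out_of_scope", 0
    # The clock starts at fix publication, not at scanner detection or ticket creation.
    deadline = date.fromisoformat(finding["fix_published"]) + timedelta(days=sla_days)
    fixed = finding["remediated"]
    if fixed is not None:
        late = (date.fromisoformat(fixed) - deadline).days
        return ("met", 0) if late <= 0 else ("breached", late)
    late = (as_of - deadline).days
    return ("open_overdue", late) if late > 0 else ("open_within_sla", 0)


def sla_report(findings, as_of=AS_OF):
    """Per-finding rows plus totals by status; the totals are the evidence figure."""
    rows = []
    totals = {}
    for f in findings:
        status, late = sla_status(f, as_of)
        rows.append({"id": f["id"], "host": f["host"], "status": status, "days_late": late})
        totals[status] = totals.get(status, 0) + 1
    return rows, totals


if __name__ == "__main__":
    rows, totals = sla_report(SCAN_FINDINGS)
    for r in rows:
        print(f"{r['id']:<5} {r['host']:<8} {r['status']:<16} late={r['days_late']}")
    print("totals:", totals)
```

Run daily against the scanner export, anything in open_overdue is an SLA breach in progress and should page someone; anything in breached is a historical failure the assessor will see in the same data. The example keys off a single fix publication date per finding, which assumes the scanner records it; where it only records detection date, the measured window is optimistic and the report should say so.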
Standard 7: Continuity Planning
Standard 7 (Continuity Planning) requires a documented and tested business continuity and disaster recovery plan. The testing requirement is the gap: many suppliers have DR plans that have never been tested. DSPT assessors are increasingly asking for test evidence — a DR test result, dated within 12 months, demonstrating that recovery objectives were met.
The Engineering Checklist for DSPT Compliance
- Produce a current, accurate data flow diagram showing all personal and special category data — not from memory, from the infrastructure
- Implement automated access reviews: quarterly reports of user access vs. current HR system data, with documented review and action
- Achieve and maintain Cyber Essentials Plus certification before attempting DSPT — it's a prerequisite, not a parallel exercise
- Implement automated patch scanning with SLA enforcement — 14-day patching for high-risk CVEs is not achievable with a manual patch process
- Run and document a DR test within the past 12 months, with results against defined RTOs and RPOs
- Implement MFA for all remote access, all admin consoles, and all systems processing personal data
Our healthcare technology and compliance infrastructure practices support DSPT compliance for NHS suppliers. The pattern that succeeds: treat the DSPT Mandatory Evidence Items as a product requirements document for the compliance infrastructure, build the controls first, and collect the evidence as a byproduct of operation.
The engineering behind this article is available as a service.
We have done this work — not advised on it, not reviewed documentation about it. If the problem in this article is your problem, the first call is with a senior engineer who has solved it.