NHS DSP Toolkit
The NHS Data Security and Protection Toolkit is the mandatory annual self-assessment that every NHS organization and supplier handling NHS patient data must complete — it is the baseline for NHS digital procurement.
The NHS Data Security and Protection (DSP) Toolkit is an online self-assessment tool developed by NHS England and NHS Improvement. Every NHS organization — trusts, GP practices, commissioning bodies — and every supplier or partner that accesses NHS patient data must complete an annual Toolkit submission. The Toolkit covers ten National Data Guardian (NDG) data security standards across three themes: people, processes, and technology. An "approaching standards" or "standards met" rating is a procurement requirement for any third-party system that will touch NHS data.
The Toolkit's technical requirements translate into specific engineering obligations. The technology standards cover vulnerability management (regular patching, penetration testing), access control (role-based access, multi-factor authentication for remote access), data flow mapping (inventorying all personal data flows), Cyber Essentials certification (or equivalent), and incident response procedures. These are not checkbox exercises — NHS assurance teams conduct spot-checks, and suppliers that cannot produce evidence of technical compliance face procurement termination.
For technology vendors serving NHS clients, DSP Toolkit compliance is a sales requirement, not an operational one. A digital health product that cannot demonstrate Toolkit compliance will not reach NHS procurement. The compliance must be evidenced at the architecture level — not described in a policy document. NHS Digital's DTAC (Digital Technology Assessment Criteria) adds another layer for products seeking formal NHS approval, covering clinical safety, data protection, technical assurance, and usability.
We architect NHS DSP Toolkit compliance into healthcare systems from the first infrastructure decision — implementing the NDG data security standards at the system design level, building vulnerability management and access control as platform capabilities, and generating the evidence documentation that satisfies NHS assurance review. Our teams understand DTAC requirements and design for first-submission pass rates.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.