0113 801 9001  info@episodeltd.com   Client Portal


NHS Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit is an online assessment tool that allows organisations to demonstrate their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising data security and that personal information is handled in line with the NHS’ requirements. Compliance is mandatory, and increasingly compliance with a certified standard such as Cyber Essentials Plus is also expected.

Just what is involved in being registered?

Registration is an annual process, which as to be completed by March of each year. 

If you haven’t already got your Organisation Code from NHS Digital you have to apply to obtain one. We know our way around this process, albeit it is a very simple one. 

Once you have your code you register on the toolkit website and identify what type of organisation you are. They fall into 4 categories, with each category (or “primary sector”) having different numbers of mandatory evidence types. 


Call us today on 0113 8019001 or email info@episodeltd.com

Understanding Your Requirements

Depending on the nature of your organisation, there will be anything from 42 requirements if you are a GP practice, to 116 if you are a hospital. For each you need to provide evidence of compliance.

They are all designed to help you ensure you meet the National Data Guardian’s (NDG) data security standards. Completing this Toolkit assessment, by providing evidence and judging whether you meet the assertions, demonstrates that your organisation is working towards or meeting the standards:

Personal Confidential Data
Staff Responsibilities
Managing Data Access
Process Reviews
Responding to Incidents
Continuity Planning
Unsupported Systems
IT Protection
10  Accountable Suppliers

There is a mix of documented policies and procedures you must have in place, as well as proving you have carried out staff training and awareness. The policies needed include a Data Quality Policy, and a Data Security and Protection Policy.

Other Requirements

Registration with the Information Commissioner’s Office, or ICO

Provide details of a record or register that details each use or sharing of personal information. 

There may also be an element of changes to your IT systems

Processes for dealing with subject access requests.

Processes for reporting & investigating security breaches and near misses.

These requirements are in line with the need to have carried out a Data Protection Impact Assessment, or DPIA, for GDPR compliance. NHS Digital has created a useful tracking tool listing the questions asked and what kind of evidence is acceptable. You can access this as part of our free download pack.

Key Certifications

security icon

Cyber Essentials +

Created by the National Cyber Security Centre (part of GCHQ), Cyber Essentials is a UK Government scheme aimed at helping you adopt best practice in information security.

It is designed specifically for smaller organisations. 

If you are certified to this standard the DSP Toolkit automatically passes you for many of the requirements. 

Perhaps more importantly the scheme ensures you have the right security environment, and can go a long way in helping your GDPR compliance. See our other page for more information.

security icon

ISO 27001 - Information Security Management

Recognised globally as the best standard for information security. If you are certified to this a larger number of the requirements are automatically met than are by being Cyber Security Plus certified. 

It is unlikely you will choose to adopt this standard as it can be seen as overkill for smaller organisations such as dentists and GP practices. See our other page for more information.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

Why Episode?

Episode spends most of our time in client office, not speaking with you by email. It is the only way we can really make sure you get the best service.

We are not IT experts, but we have an associate partner, Bleam Cyber Security, that is. They conduct a thorough review of your set-up to give you a report and best practice advice on what is needed in your IT systems.

We have done this before – for example, with Topp Language Solutions 

We come from the real world. We have all been operations managers of one discipline or another so we know what will, & will not, work in your day to day activities, which are already too overburdened with admin. We keep the additional admin overhead to a minimum (& take care of most of it for you). We will train you & your staff on the requirements & get you through the process

Gain free access to our example documents and information guides.

- Organisation Code Application Form
- DSP Toolkit requirements
- Data Protection Policy
- Data Quality Policy

    Call us today on 0113 8019001 or email info@episodeltd.com


    It was only by utilising the expert guidance and experience of Episode that Thurston Group was able to attain certification within an exceptionally challenging time frame. We therefore offer our thanks to Episode Ltd. For the diligent and professional services provided. We also look forward to working with them again soon and would not hesitate to recommend their services."

    Peter Spieight, Senior Divisional Director, Thurston Group, Wakefield

    Roger's support was invaluable in terms of gap analysis, recommendations for improvement, and facilitation of the certification process. I would strongly recommend Roger to any organisation wishing to develop or improve its management systems, in a way which minimizes bureaucracy, and focuses on best serving the needs of the organization.

    Gary Evans, Flour Corporation, Abu Dhabi

    Roger and Sandy at Episode were  great in helping us achieve not only one but two ISO standards 9001:2015 and 14001:2015. Episode were extremely helpful from the onset, they were able to break down the ISO standard so they were easily comprehensible and well applied to our business in a sustainable manner.  They are a company that offers a guaranteed certification at the end of the process and they delivered it.  I believe that the work completed during this process was key to us having won the Leeds Bid contract.

    Harvey Mills, Managing Director, Forge Recycling, Leeds. 

    If Sandy hasn’t already updated you we are delighted to say we passed the transition audit for ISO 9001 and ISO 14001.  Sandy did an absolutely fab job and all credit to her, we have loved having both of you here it’s been a pleasure.

    I have had a brief chat with Morgan[the CEO] about the next steps and how we manage things going forwards.  Morgan will be in touch with you soon about this and getting Episode/Sandy back in on a regular basis. Once again many thanks for everything and especially to Sandy!!

    Morag Tearne, HR and Health & Safety Manager, H. Slingsby plc, Shipley

    Episode is always prepared to go the extra mile. When in a tight spot the lead consultant carried out an audit for us at very short notice (on a Sunday afternoon) to keep us on track. What is important to us is the advice they give us is practical and tailored to us. The quality of output Episode produces is very high. 

    This has resulted in us having a multi-year managed service from Episode so as a company we know our ISO 9001, ISO 14001 and ISO 45001 integrated system is up to date and working for us. 

    Gareth Walters, Financial Controller, Sports Turf Research Institute, Bingley.

    When asked by Episode what three things they do well, and what three things they could improve upon, my answers were:

    Done well

    1. Client Communication, responded to queries very quickly

    2. Requirements of the standard were communicated in a simple manner.

    3. Assistance from initial implementation to date of assessment was very good.

    I can honestly there is nothing I feel they should improve upon.

    Paul Hunneybell, Operations Manager, Fenland Fire Contracts Limited, Luton

    The consultant worked with the team in Scott Bader Middle East Ltd. to completely re-engineer our Integrated Management System incorporating ISO 9001, ISO 14001 and OHSAS 18001. Until then we were slaves to the ISO audits, with the systems not adding much value beyond certification. Now we have a business management system that really works for us and is truly integrated into our operations. We were also successfully re-certified along the way.

    John Kemp, CEO Scott Bader Middle East, Africa and Asia

    The consultant really focused on making our systems and processes work better for us, not just help us comply with ISO 9001. He was able to work with Department Heads and Senior Management to shape their strategic thinking about quality and business objectives without telling them what they had to do because the standard says so.

    Karim D'Alessandro, HSE Director, Shelf Drilling Inc.