Declare Data Security and Information Security

As the supplier organisation of a service or product, your staff (and contractors) might come into contact with patient data, for example when processing data or supporting your end users.

To ensure you have controls in place to keep patient data private and secure, you must complete the Data Security and Protection Toolkit (DSPT).

We recommend following the Information Security Management Code of Practice standards (ISMS). This is intended to help NHS organisations manage digital information effectively and to comply with legal requirements and best practice.

You will need an ODS code to complete the DSPT.

Help and tips for completing this section

When you complete the DSPT, you need to state your organisation profile. You should use:

  • NHS Business Partner – if your system directly processes patient data on a regular basis (for example, a GP system)
  • Company – if your software has technical access to patient data (for example, a middleware system)

The Code of Practice for ISMS covers:

  • digital or hard copy patient health records
  • digital or hard copy administrative information
  • digital or printed X-rays, photographs, slides and images
  • digital media including data tapes, CDs, DVDs, USB disk drives, removable memory sticks
  • computerised records, including those that are processed in networked, mobile or standalone systems
  • email, text and other message types

Q.1

Has your organisation completed the Data Security and Protection Toolkit (DSPT) assessment for the current year within the deadline?

The DSPT allows organisations to measure their performance against the National Data Guardian's data security standards. It is a prerequisite for Live deployment.

You can enter up to 2000 characters

Q.2

Are you compliant with the annual DSPT assessment?

Your organisation must reach a standards met or standards exceeded status.

Supporting information

Reference in connection agreement:

3.5 The Connecting Party shall inform NHS England of any changes required to the Conformance Documentation as soon as it becomes aware (or ought reasonably to be aware) of the same and shall on an annual basis on the anniversary of this connection agreement, confirm to NHS England that all Conformance Documentation remains true, accurate and complete.

You can enter up to 2000 characters

Q.2.1

Q.2.2

Provide the date your organisation's DSPT status was published

For example, 24 04 2025
Q.3

Do you have a process in place to ensure all end user organisations (EUOs) connected to your product have completed the DSPT assessment for the current year within the deadline before onboarding?

Supporting information

The Connecting Party shall incorporate or otherwise alert the EUOs to the EUO acceptable use policy as updated from time to time.

You can enter up to 2000 characters

Q.4

Is a formal and documented Information Security Management System (ISMS) in place which covers the scope of the Consumer System?

An ISMS is defined as that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

This should be in line with ISO/IEC 27001 ISMS but does not require certification against this standard. Some guidance on appropriate controls to have within your ISMS is available here.

You can enter up to 2000 characters

Insufficient information

Not providing the relevant information will increase the time taken for approval and may result in the application being rejected.