Under NHS England’s 2024–25 guidance, certain organisations handling NHS data were mandated to undergo an independent audit of their Data Security and Protection Toolkit (DSPT) submission. This included:
- NHS Trusts
- Integrated Care Boards (ICBs)
- Commissioning Support Units (CSUs)
- Arm’s Length Bodies (ALBs)
- IT suppliers to the NHS (e.g. software providers)
These organisations are considered part of the national critical infrastructure and must therefore both complete their DSPT self-assessment and have an independent audit by 30th June each year.
Some organisations have failed to recognise their DSPT audit obligations due to revisions made to their organisation category. If your organisation missed the deadline but has submitted a DSPT Improvement Plan, there’s still an opportunity to demonstrate your commitment to compliance if you act now. NHS England allows organisations to continue working towards full DSPT standards, and the inclusion of an independent audit remains a critical part of that approach.
Failure to achieve DSPT compliance could potentially result in termination of NHS contracts, revocation of access to NHS systems, commercial liabilities, and reputational damage.
For other organisations who are outside the mandatory requirements but delivering NHS-funded services, NHS England strongly encourages independent audits (e.g. for large private healthcare providers, GP federations, and those managing complex or integrated digital systems). An independent DSPT audit demonstrates a high standard of cyber security assurance and prepares organisations for potential future requirements.
We can help, with trusted expertise.
With many years of experience in Information Governance Toolkit and DSPT auditing, we provide independent, expert-led DSPT audits to fulfil this obligation. This includes assessments aligned with the NHS’s Cyber Assessment Framework (CAF)-based DSPT. Our audits provide robust assurance to:
- Identify compliance gaps
- Provide independent assurance to NHS England
- Support your organisation in meeting, and exceeding, DSPT standards
Whether your audit is mandatory or recommended good practice, we help you address this requirement with clarity, confidence, and compliance. Get in touch to discuss how we can support your DSPT audit needs.
Peter Sheppard, Director – Digital
Angela Antunovich, Senior Audit Manager – ICT Audit and Information Governance
Further information
https://www.dsptoolkit.nhs.uk/Help/Overview
https://www.dsptoolkit.nhs.uk/OrganisationSearch