DSP Toolkit (Data Security and Protection) for care bids
Completing the Data Security and Protection Toolkit (DSPT) is effectively mandatory for any care provider bidding for NHS-funded or council-commissioned work, because it is a contractual requirement under the NHS Standard Contract. The DSPT is a free annual online self-assessment hosted by NHS England at dsptoolkit.nhs.uk. You evidence the National Data Guardian's 10 Data Security Standards, publish at least one assessment by 30 June each year, and aim for a result of "Standards Met". In a tender, a current "Standards Met" publication is the difference between clearing the information governance gate and being marked non-compliant before your quality answers are even read.
What the DSP Toolkit is
The DSP Toolkit is a free online self-assessment hosted by NHS England at dsptoolkit.nhs.uk for any organisation that holds, processes or shares NHS health and care data. It evidences the National Data Guardian's 10 Data Security Standards and supports your wider UK GDPR and Data Protection Act 2018 compliance. In plain terms, it is the recognised way to show a commissioner that you handle service-user records, care plans and staff data safely. It is an information governance assessment, not a technical certificate. You answer a structured set of questions about your policies, staff training, data flows, access controls and incident response, then publish a result. According to the NHS Data Security and Protection Toolkit guidance, the assessment evidences all 10 National Data Guardian standards, covering people, process and technology. For social care, the toolkit has a dedicated Social Care entry route designed to be lighter than the full NHS organisation version, so a domiciliary or supported living provider is not expected to answer hospital-scale questions.
Is it mandatory for care bids
For NHS-funded care it is mandatory, because completing the DSP Toolkit is a contractual requirement for organisations that provide care under the NHS Standard Contract. That makes it a genuine pass or fail gate rather than a nice-to-have. If a Continuing Healthcare package, a hospital discharge service or an NHS-commissioned framework names the DSPT, a missing or expired publication can make your bid non-compliant before a single quality answer is scored. For council social care it is increasingly expected too. Local authorities often ask for it in the selection questionnaire as evidence of good information governance, sometimes accepting it in place of a full data security policy bundle. Treat a named DSPT requirement the same way you treat CQC registration or insurance: a threshold you must clear to stay in the process. If you are unsure whether a specific tender requires it, our free eligibility check confirms the gate before you commit time to writing.
The 30 June deadline and the annual cycle
Organisations must publish at least one DSP Toolkit assessment by the annual deadline of 30 June each year, according to the NHS Data Security and Protection Toolkit and Digital Care Hub. The toolkit runs on a yearly cycle, so a publication from a previous year does not count once a new deadline has passed. A bid submitted in, say, August needs the current year's assessment showing as published. The practical risk in tendering is a lapsed status. Providers often complete the DSPT once, win a contract, then let it drift. When the next tender lands, the published result is out of date and the information governance question scores poorly or fails outright. Build the 30 June refresh into your annual compliance calendar alongside insurance renewals and policy reviews. If you are new to the toolkit, start early: gathering training records, your data flow map and your last incident log takes longer than the form itself.
What 'Standards Met' actually requires
"Standards Met" means you have answered every mandatory assertion and provided the evidence the toolkit asks for across all 10 National Data Guardian standards. The published outcomes are "Standards Met", "Approaching Standards" or "Standards Not Met", and only the first reliably clears a tender's information governance gate. "Approaching Standards" signals gaps and will usually read as a weakness to an evaluator. In practice, reaching "Standards Met" means having a named information governance lead, current staff data security training, a clear record of where personal data is held and shared, working access controls, and a tested process for reporting data breaches. There is a higher tier: organisations with "Standards Met" plus a current Cyber Essentials Plus certificate are displayed as "Standards Exceeded". That upgrade is worth pursuing if a tender scores information security, but it is the Cyber Essentials Plus certificate, not the DSPT itself, that unlocks it.
DSPT versus Cyber Essentials
They are different things and many tenders ask for both. The DSP Toolkit is the broad information governance self-assessment covering policies, training, data handling and breach response. Cyber Essentials is a separate, technical certification scheme that checks your IT defences, things like firewalls, secure configuration, patching and access control. One proves you govern data well; the other proves your technical setup is hardened. The two connect at the top tier. Holding a current Cyber Essentials Plus certificate that covers all your health and care data processing upgrades your DSPT result to "Standards Exceeded". So if a bid rewards both information governance and cyber security, the strongest position is "Standards Met" in the DSPT plus Cyber Essentials Plus, which together display as "Standards Exceeded". Do not conflate the two in your bid answers: name each correctly, give the certificate or publication date, and state what each one covers. Evaluators notice when a provider uses the terms loosely.
Free support and the CQC link
You do not have to do this alone or pay for it. Free support for social care providers new to the DSPT is available through Digital Care Hub and Skills for Care, and the toolkit has a dedicated Social Care entry route that scales the questions to your size. These resources walk you through each assertion, which is useful if this is your first cycle and the language feels NHS-heavy. The toolkit also does double duty. The DSPT feeds CQC assurance: it helps evidence the Well-led key question and demonstrates good information governance, so the same work supports both your inspection readiness and your bids. That overlap is worth flagging in tender answers, because it shows a commissioner you treat data security as part of running a well-led service, not a box ticked for procurement. When you reference the DSPT in a bid, tie it back to how you protect service users' records day to day, not just to the published status.
DSP Toolkit at a glance for care bids
The essentials a commissioner expects when a tender names the Data Security and Protection Toolkit.
| Item | Detail | Why it matters in a bid |
|---|---|---|
| What it is | Free online IG self-assessment at dsptoolkit.nhs.uk | Recognised proof you handle NHS health and care data safely |
| What it evidences | The National Data Guardian's 10 Data Security Standards | Aligns your bid with UK GDPR and Data Protection Act 2018 |
| Annual deadline | Publish at least one assessment by 30 June each year | A lapsed status reads as non-compliant; refresh yearly |
| Possible results | Standards Met, Approaching Standards, Standards Not Met | Only Standards Met reliably clears the IG gate |
| Top tier | Standards Met plus Cyber Essentials Plus = Standards Exceeded | Stronger score where a tender rewards cyber security |
| Mandatory when | Care delivered under the NHS Standard Contract | Contractual pass or fail gate, not optional |
| Free support | Digital Care Hub and Skills for Care, Social Care route | Helps first-time social care providers reach Standards Met |
Not sure if you qualify for a tender? We check it for free, before you pay anything, and we only take bids we believe you can win. Text TENDER to get started.
Common questions
Is the DSP Toolkit mandatory for care providers?
For NHS-funded care, yes. Completing the DSP Toolkit is a contractual requirement for organisations that provide care under the NHS Standard Contract, so it is a genuine pass or fail gate. For council social care it is increasingly expected too and often appears in the selection questionnaire as evidence of good information governance. If a tender names it, treat a current 'Standards Met' publication as a threshold you must clear, like CQC registration or insurance.
What is the deadline for the DSP Toolkit?
Organisations must publish at least one DSP Toolkit assessment by the annual deadline of 30 June each year, according to the NHS Data Security and Protection Toolkit and Digital Care Hub. The toolkit runs on a yearly cycle, so a publication from a previous year stops counting once the new deadline passes. Build the 30 June refresh into your compliance calendar so your status is current whenever a tender lands.
What is the difference between the DSP Toolkit and Cyber Essentials?
The DSP Toolkit is the broad information governance self-assessment covering policies, staff training, data handling and breach response. Cyber Essentials is a separate technical certification that checks your IT defences such as firewalls, patching and access control. They connect at the top: holding a current Cyber Essentials Plus certificate that covers all your health and care data processing upgrades your DSPT result to 'Standards Exceeded'. Many tenders ask for both, so name each correctly in your bid.
How much does the DSP Toolkit cost?
Nothing. The Data Security and Protection Toolkit is a free online self-assessment hosted by NHS England at dsptoolkit.nhs.uk. There is no fee to register, complete or publish. Free support for social care providers new to the toolkit is also available through Digital Care Hub and Skills for Care, and there is a dedicated Social Care entry route that scales the questions to your size. The only cost is the staff time to gather your evidence and complete it.
What is 'Standards Met' on the DSP Toolkit?
'Standards Met' means you have completed every mandatory assertion and provided the required evidence across the National Data Guardian's 10 Data Security Standards. It is the result you need to clear a tender's information governance gate. The other published outcomes, 'Approaching Standards' and 'Standards Not Met', signal gaps and usually read as weaknesses. If you also hold a current Cyber Essentials Plus certificate covering all your data processing, your result is displayed as 'Standards Exceeded'.
Does the DSP Toolkit help with CQC?
Yes. The DSPT does double duty: it feeds CQC assurance by helping you evidence the Well-led key question and demonstrating good information governance. So the same work supports both inspection readiness and your bids. It is worth flagging this overlap in tender answers, because it shows a commissioner you treat data security as part of running a well-led service rather than a box ticked only for procurement.
Your first tender with us is £795. We only take bids we believe you can win, and if a loss is clearly down to our writing error we rewrite the next one free. Our win rate is 96 percent.
Got a tender to check?
Text TENDER to +44 7822 030677 and we'll tell you free whether you'd qualify, before you spend a penny.