Information and Resources - Hampshire Care Association

Free resources to help you complete the Data Security Protection Toolkit (DSPT).

DSPT Helpline 07434 571207

Digital Champion [email protected]

Documents/policies needed to complete to Standards Met

The 10 Data Security Standards

The policies and documents needed to complete the DSPT are listed below:

ICO Registration Number

All companies that handle data in any form must be registered with the ICO (Information Commissioner's Office). It is an offence if you hold or process data and are not registered.

Registration is easy and is done online. For most organisations there is a £40 fee, but it can vary.

The ICO Registration number is a requirement of the DSP Toolkit and you cannot complete the Toolkit without it.

If you are registered but cannot find your ICO number you can search for it here

Data Privacy Policy

Your data privacy policy is an overarching document which sets out how you collect personal data, what it is used for and how long it is retained. It must also stipulate how individuals can view or challenge the use of this data. This policy must be easily accessible and produced on demand. It may consist of several documents or a single document. Most organisations publish this on their website (often as a permanent link in the page footer); it may also be included in your service user contracts. There are many standard templates available that are GDPR compliant.

You can see the association's privacy policy at

You will need to state that you have a policy and specify where it is held.

Staff Data Policy

Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access. This should be included in your standard staff procedures and manuals. All staff must be made aware of your policies and their responsibilities on induction, and these must be reviewed regularly. You can see an example policy here.

You will need to state that you have a policy and specify where it is held.

Data Register

This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents. It is entirely up to you if you maintain a single register or have them as separate documents. These are:

  • Information Asset Register: This is a document including details of the type, location, software, owner, support and maintenance arrangements, quantity of data and how critical they are to the organisation. You will need to state that you have a policy and specify where it is held.
  • Retention Register: A document stating how long data is held and when it is due for destruction/disposal.
  • List of Suppliers and any data sharing arrangements (if applicable): You must be able to provide a list of your current suppliers with whom you share data or who process personal data of your service users or staff. It must also include the nature of the data processing and when the contract expires (e.g. outsourced payroll). If you do not have any such arrangements you can state not applicable in the Toolkit. If you do, you will need to state that you have a register and specify where it is held.

Staff Bring Your Own Device Policy (BYOD) – new

If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices.

  • A Training Needs Analysis of Data Protection/Security needs
  • Systems administrators need to sign an agreement holding them to higher standards
  • A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)

Make sure you have the information stated above to hand before you begin the assessment questions as this will save you a lot of time.

Completing the Assessment

The Toolkit comprises a list of 44 questions which, when completed, will take you to Standards Met. (DSPT Toolkit Completed)

If you only complete the mandatory questions (27 questions in total), you will not be able to publish at Approaching Standards unless you upload an action plan on how you plan to address the issues stopping you from publishing at Standards Met. The action plan is provided as a downloadable spreadsheet from the DSPT assessment page and identifies the additional evidence required.

Once published the Toolkit results are normally valid for 12 months. 

Toolkit Question Types:

The toolkit will ask you three types of questions:

1 A tick box to confirm your answer (essentially yes or no).

2 A text comment/statement.

3 Upload a document, reference a document or weblink, or enter text – You should always use the ‘enter text’ option; you do not have to upload documents unless you want to, but you must specify in the text box where the document is located (e.g. on a computer in the care home).

All questions include an optional comments box – we recommend that you don’t make any comments.

Free resources


NHSmail Drop In Sessions for Care Providers

Wednesday 3 August 2022
Start: 14:00
End: 14:30

Are you a care provider who has a question about NHSmail? The NHSmail team are now running drop-in sessions every other Wednesday 2-2:30pm to help with any questions you have. There is no need to register, just click the link below to join the call.
Please note that these sessions are for staff working in social care provider organisations only. Commissioners and individuals who provide support to care providers around NHSmail are asked not to join these sessions.
Microsoft Teams meeting
Join on your computer or mobile app
Click here to join the meeting