All organisations that access or use NHS patient data must show that they have met the standards set out in the Data Security and Protection Toolkit (DSPT).

All organisations that use personal data (including health and care organisations) also need to be registered with the Office of the Information Commissioner. If your organisation is not already registered, you can apply online.

Completing the Data Security and Protection Toolkit

The DSPT is an online self-assessment tool that measures your organisation’s level of data security against a set of ten national standards.

There are two levels to work towards:

• ‘approaching standards’ status: Completing Approaching Standards on the Data Security and Protection Toolkit – Digital Social Care which is needed for social care organisations that deliver services under the NHS Standard Contract or that want to apply for NHSmail accounts
• ‘standards met’ which is the level all NHS organisations need to achieve and is recommended for social care organisations

If your organisation has not registered and completed a DSPT assessment for compliance already, at least to entry level, you will have to do this before you can apply for NHSmail.

Larger care providers with several sites may already have completed the DSPT and have an accredited secure email system registered with NHS Digital. Please check with your own organisation’s data protection or information governance teams for local information.

DSPT standards met level

We recommend that all social care organisations with an entry level assessment work towards the full ‘standards met’ accreditation within a year.

View the next sections in this guide:

• Getting a secure email service
• Signing up for NHSmail
• NHSmail training
• Top tips for success
• Case study
• Getting rid of your fax machine
• List of downloadable resources used in this guidance