NHS DSPT Toolkit v8 Released: What This Means for Your Data Protection Standards

The NHS has published version 8 of the Data Security and Protection Toolkit (DSPT) for 2025-26. The new version introduces updated Outcomes, Assertions and Evidence items across sectors like GPs, hospitals, opticians, social care and universities. Organisations must meet the new standards by the deadline, 30 June 2026. This update has practical impact for any organisation using or supplying services to the NHS, or those seeking to align with their data protection expectations.

Why This Matters Now

Data security and protection remain under intense scrutiny. The DSPT is one of the key frameworks used by NHS England and associated bodies to assess how safely organisations process personal data. With the new version 8 now agreed, you can’t delay updating your toolkit submission. Failing to comply could risk access to NHS contracts or partnerships. The changes also reflect evolving expectations around evidence, assertions, and outcomes. Organisations operating in health and social care need to align quickly to avoid falling behind.

What’s New in DSPT Version 8

Version 8 introduces several important changes. First, the Outcomes, Assertions and Evidence items have been updated. Organisation types including IT suppliers, dentists, GPs, local authorities, opticians, pharmacies, social care providers, universities, NHS Trusts, ALBs, CSUs, and ICBs now face revised requirements. Second, the indicators of good practice for outcomes are available in spreadsheet format for NHS Trusts, ICBs, ALBs and others, enabling detailed review and comparison. Third, there is a log of changes comparing version 7 (2024-25) to version 8, so organisations can see precisely what has shifted. Finally, DSPT v8 is aligned with the Clinical Assurance Framework (CAF) version 3.4, emphasising consistency and standardisation across health systems.

Why It Matters for Data Protection & Compliance

UK GDPR requires that organisations processing health or personal data maintain high standards of security, accountability and transparency. The DSPT is a practical benchmark showing where your organisation meets or falls short of those standards. New or updated assertions and evidence requirements mean that documentation and proof will matter more than ever. If you are audited or reviewed, you will need to show how your policies, technical measures, controls and practices align with DSPT version 8’s criteria. Organisations that neglect these changes risk failing toolkit assessments, affecting reputation and eligibility for contracts.

What You Should Be Doing Now

Begin by downloading the updated Outcomes, Assertions and Evidence items using the NHS-DSPT link to the version 8 spreadsheets for your sector. Review the “Log of Changes” document to understand what specific requirements have changed since version 7. Map your existing controls, policies and practices against the new criteria, highlighting gaps. Prioritise closing those gaps, especially for areas that carry high risk or impact, such as cybersecurity, access controls, staff training and third-party arrangements.

Update your internal documentation and evidence-gathering methods now. Make sure you collect the right records showing compliance (assertions, proof, outcomes). Train relevant staff on the updated toolkit version so they understand what’s required. If your organisation supports or supplies NHS services, ensure your contracts, audits and supplier oversight reflect DSPT v8 standards. Use this year’s toolkit version as part of your risk management planning.

If you need expert review, our GDPR Audit service can compare your current state to DSPT version 8. Our Data Protection Training can help your team understand the new assertions and evidence expectations, and our Data Protection Support service can guide you in preparing for toolkit submission or contract readiness.

Our View / Final Thoughts

Data Protection People welcomes the release of DSPT version 8. It sharpens expectations, raises the bar for evidence, and promotes alignment across health and social care sectors. Organisations that respond proactively will not only meet NHS expectations but also strengthen their overall GDPR and data protection posture. Waiting until the deadline risks rushed compliance or overlooked gaps. Embracing the new requirements now will build trust, reduce risk, and help ensure readiness for oversight or contract compliance.

FAQs

What is the DSPT Toolkit?

The Data Security and Protection Toolkit (DSPT) is a framework used by NHS and related bodies to assess how organisations handle data security, protection, evidence and outcomes. Download the toolkit here.

Who is affected by DSPT version 8?

Organisations in health, social care, universities, pharmacies, GPs, opticians, IT suppliers and those supplying NHS‐connected services must comply. Local authorities and others subject to DSPT assertions should also review changes.

What’s the deadline for DSPT v8?

The deadline for meeting the DSPT 2025-26 version 8 requirements is 30 June 2026.

What does alignment with CAF version 3.4 mean?

Alignment with the Clinical Assurance Framework (CAF) version 3.4 ensures consistency in assessment criteria and helps organisations using both frameworks avoid duplication and gaps.

Contact Us

If you need help aligning with DSPT version 8, closing compliance gaps or preparing evidence, our GDPR Audits team is ready to help. If you want to train your staff on the updated requirements or build policies and proofs of compliance, our Data Protection Training and Data Protection Support services can support you every step of the way.