Loading
Infraspine supports health and social care organisations through the full NHS Data Security and Protection Toolkit annual submission cycle — from gap assessment and evidence collection through to mandatory assertion completion and ASO sign-off, covering all 10 NDG data security standards.
From initial gap assessment and evidence collection through to policy development, training, and final submission — Infraspine manages the complete DSPT annual cycle.
Before beginning the annual DSPT submission process, Infraspine conducts a structured gap assessment to establish your organisation's current position against all 10 National Data Guardian (NDG) data security standards and their associated evidence items. The gap assessment reviews your existing policies, technical controls, training records, and governance structures against each required assertion. Every assertion is assessed as met, partially met, or not met, with a clear explanation of what evidence is required and what remediation work is needed before submission. The gap assessment report provides a prioritised action plan that your team can begin working through immediately, with estimated effort for each gap. For organisations that are new to the DSPT or are returning after a period of non-compliance, the gap assessment establishes a realistic timeline for achieving a standards-met submission.
The DSPT requires organisations to upload evidence documents to support each assertion they claim to have met. Evidence collection is one of the most time-consuming aspects of the DSPT submission process — and one of the most common failure points, as organisations often have the controls in place but cannot locate or present the evidence in a format that satisfies assessors. Infraspine coordinates your evidence collection process: creating an evidence requirement register for every assertion your organisation plans to claim, identifying who holds each piece of evidence and in what format, collecting and reviewing evidence documents for quality and completeness, and organising the evidence pack into a clearly structured submission-ready format. We ensure every piece of evidence is labelled appropriately for the assertion it supports, and that the evidence genuinely demonstrates compliance rather than simply existing as a document.
Many DSPT assertions require supporting policies and procedures as evidence — and for organisations without an existing policy library, developing these documents is a significant component of the DSPT preparation work. Infraspine develops a full suite of DSPT-compliant policies and procedures tailored to your organisation's context: a Data Security and Protection Policy, Information Governance Policy, Acceptable Use Policy, Data Breach Reporting Procedure, Bring Your Own Device Policy, Remote Working Policy, Information Asset Register procedure, and all other documents required by the specific assertions your organisation needs to meet. Every policy is written in plain language, reviewed with your team, and formatted for the DSPT evidence pack. We also provide a policy review schedule so that documents are updated annually before each submission cycle.
NDG Standard 9 requires that all staff, including temporary and bank staff, complete mandatory data security awareness training annually. This is one of the most consistently difficult assertions for health and social care organisations to meet because of high staff turnover, use of agency workers, and the logistical challenge of tracking training completion across a large and varied workforce. Infraspine develops and delivers a data security training programme aligned to NDG Standard 9 requirements: an e-learning module covering all mandatory topics, a tracking system for recording completion by staff member and employment type, a certificate of completion for each staff member, and a summary completion report in the format required for the DSPT evidence pack. For organisations using existing training platforms, we review existing training content against NDG requirements and advise on gaps.
The DSPT contains mandatory assertions that every health and social care organisation must meet in order to achieve a standards-met submission — failure to meet any mandatory assertion results in a not-yet-met status regardless of performance elsewhere. Infraspine conducts a dedicated review of your mandatory assertions to ensure all are met and properly evidenced before submission. This includes: the data security and protection lead role is identified and appropriate; an annual review of data security and protection policies has been completed and evidenced; all staff have completed the mandatory data security training; the organisation has submitted a DSPT submission in the previous year (or is a new entrant with a clear plan); and the organisation has a documented process for managing personal data breaches. For mandatory assertions where gaps exist, we prioritise these in the remediation action plan above all other work.
The final stage of the DSPT process is completing the online submission, uploading evidence documents, and obtaining the required sign-off from the Accountable Senior Officer (ASO) — a board-level or equivalent senior person who takes accountability for the organisation's data security and protection compliance. Infraspine manages the submission process: completing the assertion responses in the DSPT online system, uploading and tagging evidence documents, preparing the ASO sign-off declaration, and submitting the completed toolkit before the annual deadline. We also prepare a submission summary report for the ASO that explains what has been submitted and why, so they can sign off with confidence. Post-submission, we provide a record of the completed submission and a planning document for the following year's submission cycle, ensuring continuous compliance rather than a last-minute annual rush.
Common questions from health and social care organisations preparing for their annual DSPT submission.
Contact Infraspine for a free DSPT readiness assessment. We will identify your gaps against all 10 NDG standards and give you a clear plan to achieve a standards-met submission.