← Frameworks / Health Security

NHS Data Security and Protection Toolkit

Mandatory annual self-assessment for all organisations that have access to NHS patient data and systems. 40 requirements across 10 National Data Guardian standards covering leadership, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountable suppliers. Aligned with the National Data Guardian's 10 data security standards and NCSC Cyber Essentials. Applies to all NHS trusts, CCGs, GP practices, social care providers, and third-party suppliers processing NHS data.

Clauses: 40

Avg Coverage: 76.7%

Publisher: NHS England / NHS Digital Version: 2024/25

NHS DSPT → SP 800-53 SP 800-53 → NHS DSPT Coverage Analysis

Clause	Title	SP 800-53 Controls
NDG-1.1	Standard 1 — Confidentiality of personal confidential data	AC-01 AC-03 AC-06 MP-01 MP-02 MP-04 MP-05 SC-08 SC-13 SC-28 PT-01 PT-02 PT-03
NDG-1.2	Standard 1 — Caldicott Guardian appointment and registration	PM-02 PM-29 PS-09
NDG-1.3	Standard 1 — Staff understanding of DPA 2018 and UK GDPR obligations	AT-01 AT-02 AT-03 PL-04 PT-01 PT-04 PT-05 PT-06
NDG-2.1	Standard 2 — Staff understand NDG data security standards	AT-01 AT-02 AT-04 PL-04 PM-13
NDG-2.2	Standard 2 — Annual data security awareness training completion	AT-02 AT-03 AT-04 AT-06 PM-14
NDG-2.3	Standard 2 — Data security induction for new starters	AT-02 AT-03 PS-01 PS-06
NDG-3.1	Standard 3 — Role-appropriate data security training	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13
NDG-3.2	Standard 3 — Annual training needs analysis	AT-01 AT-03 PM-13 PM-14
NDG-4.1	Standard 4 — Role-based access controls for personal confidential data	AC-01 AC-02 AC-03 AC-05 AC-06 AC-24 IA-01 IA-02 IA-04 IA-05
NDG-4.2	Standard 4 — Access reviews (joiners, movers, leavers)	AC-02 PS-04 PS-05 PS-07 IA-04 IA-05
NDG-4.3	Standard 4 — Multi-factor authentication	IA-02 IA-05 IA-08 IA-11 IA-12 AC-07
NDG-4.4	Standard 4 — Least privilege principle	AC-05 AC-06 AC-16 AC-24 CM-05 CM-07
NDG-5.1	Standard 5 — Annual process reviews for data security improvement	CA-01 CA-02 CA-05 CA-07 PM-06 PM-14 PL-02
NDG-5.2	Standard 5 — Data Protection Impact Assessments	RA-03 RA-08 PT-01 PT-02 PM-09 PM-25
NDG-5.3	Standard 5 — Information asset register and data flow mapping	CM-08 CM-12 CM-13 PM-05 RA-02 RA-09
NDG-5.4	Standard 5 — Records of processing activities (ROPA)	CM-13 PT-01 PT-03 PT-07 PM-25 SI-12
NDG-6.1	Standard 6 — Incident response plan for cyber attacks and data breaches	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08
NDG-6.2	Standard 6 — Data breach notification to ICO	IR-06 IR-09 PT-01 PT-08
NDG-6.3	Standard 6 — Major incident (CareCERT) reporting	IR-04 IR-05 IR-06 SI-05 PM-16
NDG-6.4	Standard 6 — Root cause analysis and lessons learned	IR-04 IR-06 CA-05 PM-06 AT-06
NDG-7.1	Standard 7 — Business continuity planning for data security	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 PM-08 PM-11
NDG-7.2	Standard 7 — Disaster recovery	CP-02 CP-07 CP-09 CP-10 CP-06 CP-08
NDG-7.3	Standard 7 — Backup and restore testing	CP-04 CP-09 CA-02 CA-07
NDG-7.4	Standard 7 — Critical clinical system availability	CP-02 CP-11 CP-12 CP-13 SC-24 SI-17
NDG-8.1	Standard 8 — Unsupported system management and end-of-life planning	CM-08 SA-22 SI-02 PM-05 RA-05
NDG-8.2	Standard 8 — Vulnerability patching within 14 days	SI-02 RA-05 CM-03 CM-04 SI-05
NDG-8.3	Standard 8 — IT asset inventory	CM-08 PM-05 CM-02 CM-09 CM-12 RA-09
NDG-9.1	Standard 9 — Cyber security strategy	PM-01 PM-09 PL-01 PL-02 PL-09 PL-10 PL-11 RA-01
NDG-9.2	Standard 9 — Firewalls and network segmentation	SC-07 AC-04 SC-08 SC-32 SC-39
NDG-9.3	Standard 9 — Malware protection	SI-03 SI-04 SI-08 SC-44 SC-18
NDG-9.4	Standard 9 — Email security (DMARC, SPF, DKIM)	SI-08 SC-07 SC-08 SI-03
NDG-9.5	Standard 9 — Web filtering	SC-07 AC-04 SI-04 SC-18
NDG-9.6	Standard 9 — Encryption in transit and at rest	SC-08 SC-12 SC-13 SC-28 SC-17
NDG-9.7	Standard 9 — Mobile device management	AC-19 AC-20 CM-08 SC-28 MP-07 AC-17
NDG-9.8	Standard 9 — Annual penetration testing	CA-08 RA-05 RA-10 PM-14 PM-16
NDG-9.9	Standard 9 — Vulnerability scanning	RA-05 SI-02 CM-06 CA-07 SI-04
NDG-10.1	Standard 10 — IT supplier security assessments	SA-04 SA-09 SR-04 SR-01 SR-02 SR-03 SR-05 SR-06
NDG-10.2	Standard 10 — Data processing agreements	SA-04 SA-09 CA-03 PT-01 PT-02
NDG-10.3	Standard 10 — Sub-processor controls	SR-01 SR-03 SA-09 SA-04 CA-03
NDG-10.4	Standard 10 — Supply chain security	SR-01 SR-02 SR-03 SR-05 SR-06 SR-09 SR-10 SR-11 SR-04