
Data security and protection toolkit data collections service Direction

A Direction given by the Secretary of State for Health requiring NHS Digital to establish and operate a system to be known as the data security and protection toolkit data collections service.


The purpose of the data security and protection toolkit is to provide a means for health and care organisations (or those providing services to NHS organisations) to measure their compliance against Data Protection legislation and the National Data Guardian’s Data Security Standards, and so to see whether the information they hold is handled correctly and protected from unauthorised access, loss, damage and destruction.

Where partial compliance or non-compliance is revealed, organisations must take appropriate measures to raise standards. The aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of information. This in turn increases public confidence that the NHS and its partners can be trusted with their sensitive data.

The data security and protection toolkit is the successor framework to the information governance toolkit. It draws together the legal rules and central guidance set out by the Department of Health and Social Care and presents them in a single standard. Relevant organisations are required to carry out self-assessments of their compliance against the assertions and evidence items contained within the data security and protection toolkit.

In accordance with section 260(2)(d) of the Act, NHS Digital is directed not to publish the data obtained by complying with the section 254 Direction, except for a summary level of each organisation’s completed data security and protection toolkit, which will be made available online to the public.


Last edited: 1 December 2020 9:19 am