
Data Security and Protection Toolkit: GDPR information


Why and how we process your data in the Data Security and Protection Toolkit (DSPT) and your rights.

Controller: NHS Digital
How we use the information (processing activities)

The DSPT requires account details that contain an individual’s name, email address and telephone number for administration purposes. This includes providing audit data for all DSPT transactions and supporting NHS Digital services having a dependency on the DSPT.

Does this contain sensitive (special category) data such as health information? No
Who are recipients of this data?


Is data transferred outside the UK? Within Europe
How long the data is kept: 3 years minimum from when it is no longer required
Our lawful basis for holding this data: Legal obligation
Your rights
  • [Tick] Be informed
  • [Tick] Get access to it
  • [Tick] Rectify or change it
  • [Cross] Erase or remove it
  • [Tick] Restrict or stop processing it
  • [Cross] Move, copy or transfer it
  • [Cross] Object to it being processed or used
  • [Cross] Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Data subject
The legal basis for collecting this data

Legal obligation (Direction)

Where NHS Digital uses this data


Data Security and Protection Toolkit

The Data Security and Protection Toolkit is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems.