Data Security and Protection Toolkit


An online self-assessment tool that all organisations must use if they have access to NHS patient data and systems.

The Data Security and Protection Toolkit replaces the previous Information Governance toolkit from April 2018.

The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian's ten data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Go to the new toolkit for more information, and to access the new service.

Data Security and Protection Incident Reporting tool available

A new incident reporting tool for data security and protection incidents has been launched within the Data Security and Protection Toolkit. To access the tool, administrators should log in to the toolkit and look for the report an incident menu link.

This replaces the previous SIRI reporting tool which was part of the previous Information Governance Toolkit. The new incident reporting tool reflects the new reporting requirements of the General Data Protection Regulation (GDPR), and for relevant organisations the Networks and Information System (NIS) Regulations.

Reportable data security and protection incidents must be notified through the reporting tool. Guidance materials are available to support organisations assess whether incidents should be reported (

If you require immediate advice and guidance related to a cyber security incident, please contact the NHS Digital Data Security Centre on 0300 303 5222.

You must report a notifiable breach to the Information Commissioner’s Office without undue delay. If you take longer than 72 hours, you must give reasons for the delay.

Further information