Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.

Data sharing standard 2a - Security Assurance

This standard is part of a series of guidance documents to support the various stages of a DARS application.

Standard description

1. All data controllers and data processors must provide evidence of adequate security assurance which is one of

  1. Data Security and Protection Toolkit (DSPT) meeting the following conditions:
    1. Organisation code must be provided;
    2. The organisation must either have completed the latest available version of the DSPT assessment or must have produced the previous version of the DSPT within the last 12 months and the assessment must not have exceeded its expiry date;
    3. The self-assessment outcome must be ‘Standards Met’ or ‘Standards Exceeded’ or, if not, an improvement plan must have been reviewed and approved by NHS Digital;
    4. If an improvement plan has been agreed, the Data Sharing Agreement must include special conditions requiring the organisation to carry out improvements (as stipulated in the review) within an agreed time frame determined based on the assessment findings and the organisation’s remediation plan;
    5. If identifiable data is to be provided to or to be released from NHS Digital, NHS Digital must have reviewed the latest DSPT self-assessment and confirmed standards are met or the DSA must contain a special condition covering a future review;
    6. If identifiable data has previously been provided to or released from NHS Digital on the basis of support under section 251 of the NHS Act 2006 and self-assessment outcome is not ‘Standards Met’ or ‘Standards Exceeded’, specific approval for the retention and/or reuse of the data must have been given by NHS Digital and this must be detailed in the DARS application.
  2. System level security policies which must be reviewed and agreed by NHS Digital security team as relevant and appropriate to the application
  3. ISO 27001 certification which must have been reviewed and approved by the security team as relevant and appropriate to the application

2. All locations stated in respect of the organisation(s) must be covered by that organisation(s) security policy.

3. Applications involving the use of cloud storage will be subject to additional scrutiny and assessment.  In respect of the cloud storage provider, the following apply:

  1. The cloud provider must use UK-based data centres only and data must not be accessible outside of the UK;
  2. The applicant must provide evidence to support:
    1. The use of the Data Risk Model to assess the Risk Profile Class;
    2. Risk Management of the use of the Cloud for this data, taking into consideration Confidentiality, Integrity and Availability;
    3. The use of Pseudonymisation;
    4. Board level involvement in the Risk Management Process evidenced through Minutes of these meetings;
    5. Understanding of the Shared Responsibility Model
  3. Applications involving cloud storage will only be approved when NHS Digital is satisfied that sufficient assurance has been provided based on a case-by-case assessment.

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that enables health and social care organisations to measure and publish their performance against the National Data Guardian’s team data security standards. The DSPT supports organisations to meet the requirements of the General Data Protection Regulations (GDPR)


View a transcript of the security assurance standard video.

Slide 1

Hello my name is Tracy and I work as a senior case officer in the Data Access request service team. 

Slide 2

This video is one of a series of presentations designed to help you use our Data Access Request Service (DARS) as effectively as possible.

You can view the other videos in this series on our Youtube channel using the following link:

NHS Digital has published a number of standards in relation to how we assess applications for data from NHS Digital. These are designed to be transparent and to help you in completing the relevant section of your online application for data.

This presentation will provide detail on the agreed standard for completing the following section of the application: Security Assurance

Slide 3

NHS Digital has a duty to ensure that the data you are requesting is held securely, therefore we will seek evidence of appropriate security assurance of all Data Controller and Data Processor organisations listed in your application. The type of evidence provided may vary across organisations. 

The security policy will need to cover all locations stated in respect of that organisation(s) and should include any secondary back up locations, such as disaster recovery sites

This presentation describes the suitable evidence that you might provide to demonstrate that your organisation has appropriate security assurance in place

Slide 4

The first type of suitable security assurance could be evidence that you have completed the Data Security and Protection Toolkit (DSPT) which has now replaced the Information Governance Toolkit. 

If you have already completed your Data Security and Protection Toolkit you will need to enter the date that it was published in the comments field of the security assurance section for each of the data controllers and data processors listed within your application. 

If you haven’t yet completed the Data Security and Protection Toolkit assessment and it has been less than 12 months since you submitted the last years iteration of the IG toolkit, you may still be relying on the IG Toolkit as evidence of adequate security assurance. 

Where you are still relying on the IG Toolkit you will be required to provide the following information as evidence:

The Organisation code

The most recent score - which should be satisfactory.

If your most recent score is not satisfactory then we will arrange for this to be reviewed by the NHS Digital security assurance team to confirm that it is adequate for the processing and use of the data requested.

An appropriate special condition will be added to your Data Sharing Agreement by your case officer, dependent on the Toolkit version that has been completed, stating that the Data Security and Protection Toolkit must be completed within a given timeframe.

If identifiable data is being provided to or being released from NHS Digital as part of your request then we will seek additional approval from the NHS Digital security team to confirm that adequate security is in place which covers the processing and use of identifiable data.

Slide 5

If you intend to rely on ISO27001 as evidence of your organisation’s security assurance you need to provide a copy of the certificate, which relates to the processing and use of data, for verification. 

The certificate must also cover all specified locations listed in your application for the processing of data.

Slide 6

System Level Security Policies are currently being phased out as evidence of suitable security assurance and you are encouraged to complete the Data Security Protection Toolkit (DSPT)

However, if you do rely on a System Level Security Policy (SLSP) as evidence of adequate security assurance, you will be required to provide copies of the policies for review by NHS Digital’s security assurance team to ensure that it is relevant and appropriate to the application you are making.

Slide 7

When submitting your application via DARS online you will be asked to provide detail of security assurance for each of the organisations that you have listed as a Data Controller or Data Processor

Slide 8

Thank you for listening. We would welcome feedback on this presentation, if you would like to provide feedback then please email us at .

Last edited: 28 July 2021 4:59 pm