Free DSPT Resources - Lincolnshire Care Association

DSPT Resources 

Helpful Guides:

Documents and Policies needed to complete to Standards Met:

The policies and documents needed to complete the DSPT are the same as before.

ICO Registration Number

All companies that handle data in any form must be registered with the ICO (Information Commisioners Office). It is an offence if you hold or process data and are not registered.

Registration is easy and can be completed online at Home | ICO

For most organisations there is a £40 fee but it can vary!

The ICO Registration number is a requirement of the DSP Toolkit and you cannot complete the Toolkit without it.

If you are registered but cannot find your ICO number you can search for it here Information Commissioners - Data protection public register (

Data Privacy Policy 

Your data privacy policy is an overarching document which sets out how you collect personal data, what it is used for and how long it is retained. It must also stipulate how individuals can view or challenge the use of this data.  This policy must be easily accessible and produced on demand.  It may consist of several documents or a single document. Most organisations publish this on their website (often as a permanent link in the page  footer) it may also be included in your service user contracts. 

There are many standard templates available that are GDPR compliant.

You can see the associations privacy policy at

You will need to state that you have a policy and specify where it is held.

Staff Data Policy

Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access.  This should be included in your standard staff procedures and manuals. All staff must be made aware of your policies and their responsibilities on induction and reviewed regularly.


Data Register

This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents. It is entirely up to you if you maintain a single register or have them as separate documents. These are:

  • Information Asset Register : This is a document including details of the type, location, software, owner, support and maintenance arrangements, quantity of data and how critical they are to the organisation. You will need to state that you have a policy and specify where it is held.

  • Retention Register. A document stating how long data is held and when it is due for destruction/disposal

  • List of Suppliers and any data sharing arrangements (if applicable) : You must be able to provide a list of your current suppliers with whom you share data or who process personal data of your service users or staff. It must also include the nature of the data processing and when the contract expires (eg outsourced payroll). If you do not have any such arrangements, you can state ‘Not Applicable’ in the Toolkit.  If you do, you will need to state that you have a register and specify where it is held.

Staff Bring Your Own Device Policy (BYOD)

If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices

Additional Information Required for Standards Met

To complete the Toolkit to Standards Met you will also need the following:

  • A Training Needs Analysis of Data Protection/Security needs

  • Systems Administrators need to sign an agreement holding them to higher standards

  • A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)

Make sure you have the information stated above to hand before you begin the assessment questions as this will save you a lot of time.

Completing the Assessment

The Toolkit comprises of a list of 43 questions

You will initially be presented with mandatory questions. These are referred to as the Approaching Standards questions. If you have previously completed to Entry Level these will need to be checked to ensure they are still current.  Approaching Standards questions are confusingly marked as Mandatory but the full list of questions are required to be completed to get to Standards Met

You cannot publish at Approaching Standards unless you upload an ACTION PLAN on how you plan to address the issues stopping you from publishing at Standards Met The action plan is provided as a downloadable spreadsheet from the DSPT assessment page and identifies the additional evidence required.

To complete to Standards Met you will need to complete a further set of questions using the information you have collected above.

Once you have done this successfully, you can publish your Toolkit.  You will receive an email confirmation to the registered email address once published.

Once published the Toolkit results are valid for 12 months. You will be sent a reminder email after that date to remind you to reconfirm your toolkit status.

Toolkit Question Types:

The toolkit will ask you three types of questions:

  1. A tick box to confirm your answer (essentially yes or no).

  2. A text comment/statement

  3. Upload a document, reference a document or weblink or enter text - You should always use the 'enter text option; you do not have to upload documents unless you want to but you must specify in the text box where the document is located (eg on a computer in the care home).

All questions include an optional comments box - we recommend that you don't make any comments.

You must also tick a confirmation box after you have completed each section of questions.

 This support programme is part of the Better Security, Better Care programme, funded by NHSX to support data and cyber security across the adult social care provider sector.