Contents
1. Data Security and Protection Toolkit (DSPT)
2. Digital Technology Assessment Criteria (DTAC)
3. Clinical Safety Standards – DCB 0129 and DCB 0160
4. Cyber Essentials Plus and the NHS Secure Boundary
Who this section is for
This appendix is relevant to both sponsors and participating NHS/HSC organisations. It provides contextual information on national assurance frameworks and is not intended to introduce new or additional requirements beyond those already considered through study-wide review.
This appendix provides an overview of key National Health Service (NHS) national standards relevant to digital and data assurance that may apply in a research context. These frameworks form part of the baseline against which NHS organisations are expected to demonstrate appropriate levels of security and quality assurance for digital systems and data environments. They may also apply to sponsors where relevant to the systems they select, configure, or operate for research purposes.
Sponsors should consider which of these standards apply to the systems they use or provide for research, confirm compatibility where relevant, and ensure that appropriate assurance has been documented. Local NHS and Health and Social Care (HSC) organisations can normally rely on those sponsor assurances. They should undertake local checks only where integrating a sponsor-provided system with local IT or clinical systems introduces considerations specific to the participating organisation (for example, network connectivity or device deployment); such checks are evidenced through the organisation's usual local assurance processes (for example, recorded within local Information Asset and Flow Registers and associated Data Security and Protection Toolkit (DSPT) evidence).
Where access to confidential patient information (CPI) without consent is sought in England or Wales, sponsors must also meet the assurance expectations of the Confidentiality Advisory Group (CAG), which normally include demonstrating appropriate organisational security assurance (a current DSPT submission for UK-based sponsors, or equivalent evidence of controls for international sponsors).
1. Data Security and Protection Toolkit (DSPT)
The DSPT is the core self-assessment and assurance framework for NHS and social care organisations processing personal data. DSPT is an English mechanism for evidencing alignment with national data security requirements. It provides a structured way of demonstrating that an organisation meets its data protection, cyber security and information governance obligations. The DSPT is underpinned by the National Data Guardian (NDG) Data Security Standards, and its current assessment model aligns with the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF). Devolved administrations have equivalent assurance routes, and future updates will incorporate references to these where it helps clarity and usability.
Relevance to Research:
- all NHS organisations in England must maintain DSPT compliance annually
- sponsors that are English NHS bodies will normally evidence their DSPT status as part of their research assurance
- a valid DSPT return is expected for any UK organisation seeking CAG Section 251 support to process CPI without consent
- non-NHS sponsors should confirm alignment with equivalent organisational security frameworks (for example, ISO 27001 or Cyber Essentials Plus), noting how these provide assurance equivalent to DSPT where applicable
- the DSPT provides a basis for participating organisations to record and manage research-related information assets within their Information Asset and Flow Register, forming part of local accountability
Key References:
- NHS Data Security and Protection Toolkit
- Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) guidance - NHS England Digital
- National Data Guardian’s 10 Data Security Standards
- NCSC Cyber Assessment Framework
2. Digital Technology Assessment Criteria (DTAC)
DTAC provides a baseline for assessing the safety, security, interoperability, and usability of digital health technologies, including apps, platforms, and clinical decision-support tools.
Relevance to Research:
- DTAC applies to technologies used in direct care and may apply to research deployments of these technologies where they interact with NHS clinical systems that support care delivery or could influence clinical decisions
- sponsors should confirm whether DTAC applies and, if so, reference completion of a DTAC assessment (or equivalent manufacturer evidence) in their study documentation
- DTAC assurance may remove the need for Trusts to undertake separate local cyber or app-risk questionnaires
- DTAC is not required for technologies or systems that are used solely for research data collection, storage, or analysis and do not support care delivery or influence clinical decisions, but sponsors should still demonstrate that appropriate security and clinical-risk controls are in place
Key Reference:
3. Clinical Safety Standards – DCB 0129 and DCB 0160
These standards govern the clinical safety of digital systems used within health and care.
- DCB 0129 applies to manufacturers or developers (including sponsors of research systems)
- DCB 0160 applies to NHS organisations deploying those systems
Relevance to Research:
- sponsors developing or deploying digital systems that may influence clinical decisions, workflows, or patient outcomes must demonstrate compliance with DCB 0129
- NHS Trusts implementing those systems must undertake DCB 0160 clinical-risk assessment as part of local deployment
- where research systems do not interface with clinical systems and do not influence clinical care (for example, purely observational data capture platforms), these standards may not be required, but the rationale for non-applicability should be stated clearly and sponsors should confirm how any residual risks have been addressed
- evidence of these standards demonstrates appropriate clinical-risk management and complements DSPT and DTAC assurances where applicable
Key References:
4. Cyber Essentials Plus and the NHS Secure Boundary
Cyber Essentials Plus is a UK Government–backed scheme providing independent verification that an organisation has implemented key technical controls against common cyber threats. While not specific to the NHS, it is recognised across the UK public sector as a proportionate baseline for demonstrating technical security and is often used by NHS suppliers and research partners handling NHS data.
The NHS Secure Boundary, operated by NHS England, enhances national protections by filtering and monitoring internet traffic entering and leaving the NHS network. It forms part of the NHS England Cyber Security Strategy (2023) and supports a consistent national perimeter of defence across NHS infrastructure.
Relevance to Research:
- for non-NHS sponsors, Cyber Essentials Plus (or ISO 27001 certification) can provide a recognised, proportionate means of demonstrating that organisational technical controls meet the standards expected when processing NHS data
- NHS organisations remain responsible for ensuring that any external connections or integrations align with NHS Secure Boundary controls and do not introduce unmanaged risks
- for studies involving international data transfers, sponsors should also evidence compliance with the UK General Data Protection Regulation (UK GDPR), Chapter V (Articles 44–49), and the NHS England Offshoring and Public Cloud Policy, confirming that personal data is processed within the UK, the European Economic Area (EEA), or adequacy-approved jurisdictions, or – where relevant – that appropriate restricted transfer safeguards (e.g. an International Data Transfer Agreement (IDTA) or Transfer Risk Assessment (TRA)) are in place
Key References:
- National Cyber Security Centre (NCSC) – Cyber Essentials overview
- NHS England – NHS Secure Boundary service description
- NHS and social care data: off-shoring and the use of public cloud services - NHS England Digital