Back to BlogSecurity

NHS Data Security UK 2026 — DSPT, GDPR & Cybersecurity Guide for Hospitals

Jul 3, 2026 13 min readUK

Complete guide to NHS data security in the UK — DSPT (Data Security and Protection Toolkit) compliance, GDPR, NHS Spine security, cyber attack prevention, and ransomware protection.

The NHS faces 200+ cyber attacks per day. The 2017 WannaCry attack cost £92 million. DSPT compliance is mandatory for all NHS organisations. This guide covers everything you need to stay secure.

10 NHS Data Security Standards

NHS Data Security Standards (DSPT)
AreaStandards
Leadership1. Personal responsibility (Board-level), 2. Security policy, 3. Staff training
People4. Access control, 5. Staff screening, 6. Incident response
Technology7. Cyber security (firewall, encryption, patching), 8. Continuous monitoring, 9. Resilience (backup, recovery), 10. Supplier management

GDPR Requirements for UK Hospitals

  1. Lawful basis: Article 9(2)(h) — provision of health care is the lawful basis
  2. Patient rights: Access (SAR), rectification, erasure, portability, objection
  3. DPIA: Data Protection Impact Assessment for new systems and processing
  4. Breach notification: Report to ICO within 72 hours of discovery
  5. Data Protection Officer: Mandatory for hospitals processing health data
  6. Privacy by design: Build privacy into all systems and processes
  7. Data minimisation: Only collect data needed for the purpose
  8. Retention policy: Define and enforce data retention periods

NHS Cybersecurity Best Practices

  • DSPT compliance: Complete annual DSPT assessment and maintain 'Standards Met'
  • Multi-factor authentication: MFA for all systems accessing patient data
  • Encryption: AES-256 at rest, TLS 1.3 in transit for all patient data
  • Patch management: Apply security patches within 14 days (critical: 48 hours)
  • Network segmentation: Separate clinical and admin networks
  • Backup and recovery: Immutable backups, tested recovery procedures
  • Staff training: Annual cybersecurity training for all staff
  • Incident response: Tested cyber incident response plan
  • Supplier security: DSPT or equivalent for all IT suppliers

Frequently Asked Questions

What is the DSPT (Data Security and Protection Toolkit)?
The DSPT is the NHS's mandatory self-assessment tool for data security. All NHS organisations must complete it annually. It assesses 10 data security standards across 3 areas: leadership, people, and technology. 'Standards Met' rating is required for NHS contract compliance. Failure to complete DSPT can result in contract termination.
How does GDPR affect UK hospitals?
GDPR (General Data Protection Regulation) and UK Data Protection Act 2018 require hospitals to: 1) Lawful basis for processing patient data, 2) Patient rights (access, rectification, erasure), 3) Data Protection Impact Assessment for new systems, 4) 72-hour breach notification, 5) Data Protection Officer, 6) Privacy by design. Fines can reach £17.5 million or 4% of turnover.
How many cyber attacks does the NHS face?
The NHS faces 200+ cyber attacks per day. The 2017 WannaCry attack cost the NHS £92 million and disrupted 200 hospitals. In 2024, a ransomware attack on a major NHS trust disrupted services for 3 months. NHS England invested £150 million in cybersecurity for 2024-2026.