Security assurances required for applications to the CAG - Update to DSPT assurances in England

Last updated on 5 Mar 2025

Background

It is a policy of the Department of Health and Social Care that all bodies processing patient information in England provide assurances via the Data Security and Protection Toolkit (DSPT). This is undertaken on a yearly self-assessment basis, with the outputs published on the NHS England website (NHS England - DSPT toolkit).

It is also a policy position of the Department of Health and Social Care that all bodies processing confidential patient information in England under a CAG application have their DSPT self-assessment submission additionally reviewed by NHS England, to provide assurances that the organisation has achieved the appropriate ‘standards met’ status. This is required annually for the duration of the support. The NHS England assurance is provided on an organisation basis. Once the assurance is provided it is valid for all studies within the organisation to process confidential patient information without consent.

Please note that evidence is required that NHS England have reviewed the organisation’s DSPT and determined that standards have been met. Evidence of the organisation’s self-assessed grade is not sufficient.

How to provide security assurance for ‘section 251’ applications.

In order to provide evidence that DSPT standards have been met, you should undertake the following:

  1. Contact the DSPT Team at NHS England by emailing ssd.nationalservicedesk@nhs.net to request a review of the organisational DSPT submissions relevant to the CAG application. Do not contact any other function within NHS England, as you may be given inaccurate advice.
  2. Provide the following in the email:
    1. Inform them a review of the relevant DSPT submission is required to progress a ‘section 251 application’
    2. The CAG application reference number(s) (if known)
    3. The full name of all organisations physically processing information under support under the CAG reference number
    4. The relevant DSPT submission references / ODS Code (if known)
  3. Once complete, NHS England will email you directly to confirm ‘Standards Met’ in relation to the review.
  4. This email will be copied to the CAG and include the application reference.

What version of DSPT is accepted?

We are currently accepting NHS England confirmation of security assurances for the 2023/24 DSPT submission.

Security assurances for organisations processing confidential patient information generated within Wales.

Security assurances for confidential patient information generated within Wales are provided by either a Caldicott Principles in Practice (CPiP) Report or a completed Welsh Information Governance Toolkit. The relevant CPiP out-turn report, or IG Toolkit, is provided directly by Digital Health and Care Wales (DHCW) to CAG.

Alternatively, where a Welsh organisation has a DSPT assured by NHS England this will also be accepted.

Security assurances for organisations processing confidential patient information generated within Scotland.

An approval letter from the Public Benefit and Privacy Panel (PBPP), where processing is taking place in Scotland, is accepted as evidence of adequate security assurance for organisations in Scotland.

Alternatively, where a Scottish organisation has a DSPT assured by NHS England this will also be accepted.

If you have questions about security assurances please email cag@hra.nhs.uk
