Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?
Primary Care Admin Automation

Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?

11 min read

When an NHS organisation or other health and care body asks, “Can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety documents for our DPIA/assurance review?”, they are checking whether your product and organisation meet core data protection, security, and clinical safety standards. These artefacts form a major part of supplier assurance for digital health and healthtech solutions.

This guide explains what each item is, why it’s being requested, what a good evidence pack looks like, and practical steps to respond efficiently while protecting your own security and intellectual property.

Why you’re being asked for DSPT, Cyber Essentials Plus and DCB0129

For most healthtech suppliers, especially those working with NHS organisations, three assurance pillars matter:

  1. Information governance & data protection
    • Demonstrated via the Data Security and Protection Toolkit (DSPT) and associated evidence.
  2. Cyber security controls
    • Demonstrated via Cyber Essentials Plus (CE+) certification.
  3. Clinical safety & risk management
    • Demonstrated via compliance with DCB0129, evidenced by formal clinical safety documentation.

The requesting organisation is likely conducting:

  • A Data Protection Impact Assessment (DPIA), to ensure lawful and safe processing of personal and health data.
  • A broader assurance review (covering IG, cyber, clinical safety, and sometimes technical architecture and resilience).

Your documents help them verify that:

  • You understand and meet NHS and UK data protection standards.
  • Your systems are protected against common cyber threats.
  • Your solution has been assessed for clinical safety and risks are being managed.

Understanding DSPT evidence

What is the DSPT?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment for organisations using NHS patient data or systems. It measures compliance against the National Data Guardian’s 10 data security standards and data protection law.

You’ll normally have a status such as:

  • Standards Exceeded
  • Standards Met
  • Approaching Standards

What “DSPT evidence” usually includes

When a customer asks for DSPT evidence as part of a DPIA or assurance review, they are typically looking for:

  • Your latest DSPT submission status

    • Proof of your current level (e.g. screenshot or PDF export of the DSPT landing page).
    • Organisation name, ODS code (if relevant), and submission date.

  • Key policy excerpts or documents that underpin your DSPT answers, for example:

    • Information Governance (IG) policy
    • Data Protection policy
    • Information Security policy
    • Access control policy
    • Data breach / incident management procedure
    • Data retention and disposal policy
    • Business continuity and disaster recovery plans

  • Technical controls and procedures:

    • Password and authentication standards
    • Encryption at rest and in transit
    • Backup and recovery processes
    • Device management and patching regime
    • Staff training and awareness records

You do not usually need to send every single DSPT artefact. Instead, you provide:

  1. Confirmation of overall DSPT status.
  2. A curated set of core documents most relevant to the DPIA and assurance questions.

How to prepare DSPT evidence for sharing

  • Check currency

    • Ensure your DSPT submission is up to date for the current financial year.
    • If you are mid-refresh, explain your current status and planned completion date.

  • Bundle logically

    • Create a folder named something like:
      01_DSPT_Evidence_[OrgName]_[YYYY-MM-DD]
    • Include:
      • PDF or screenshot: DSPT overview page with status.
      • Key policies (redacted if necessary).
      • A short overview document describing your DSPT position.

  • Redact sensitive internal detail

    • You can blur or remove:
      • Internal IP addresses
      • Network diagrams with exploitable detail
      • Names of junior staff
    • Maintain enough information for the customer to assess compliance.

Cyber Essentials Plus certificate in healthtech assurance

What is Cyber Essentials Plus?

Cyber Essentials Plus (CE+) is a UK government-backed certification that verifies you’ve implemented technical controls against common cyber threats, validated by an independent assessor. It covers areas such as:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

For NHS and wider public sector work, CE+ is frequently:

  • A baseline requirement in procurement frameworks.
  • An important signal of cyber maturity for DPIA and security reviews.

What to send as Cyber Essentials Plus evidence

Customers typically expect:

  • The CE+ certificate itself, including:

    • Your organisation name
    • Certificate number
    • Scope (e.g. which systems and networks it covers)
    • Issue date and expiry date
    • Certification body

  • Optionally, a short summary explaining:

    • Whether the product or service in scope for the DPIA is covered by the CE+ scope.
    • Any notable exclusions or caveats.

You rarely need to share the full assessor’s report unless specifically requested (and you are comfortable doing so).

How to present CE+ for DPIA/assurance

  • Verify validity

    • Ensure the certificate is in date (CE+ is typically annual).
    • If renewal is pending, note the expected renewal date.

  • Clarify scope
    Add a brief note such as:

    “Our Cyber Essentials Plus certification covers all production infrastructure supporting [Product Name], including hosting, endpoints used by the engineering team, and associated management tools.”

  • Bundle clearly

    • Place in a folder named:
      02_CyberEssentialsPlus_[OrgName]_[YYYY-MM-DD]
    • Include:
      • PDF of the certificate.
      • Optional 1–2 page overview of CE+ coverage.

DCB0129 clinical safety documentation

What is DCB0129?

DCB0129 is the NHS standard: Clinical Risk Management: its Application in the Manufacture of Health IT Systems. It sets out how manufacturers (suppliers) of clinical IT systems must manage clinical risk across the product lifecycle.

It is the supplier-side counterpart to DCB0160, which applies to NHS organisations deploying and using health IT systems.

If your solution influences clinical decision‑making, workflows, prescriptions, diagnostics, or patient pathways, DCB0129 documentation is critical for DPIA and assurance.

Core DCB0129 artefacts you may be asked to provide

Typical DCB0129 documentation includes:

  1. Clinical Safety Case Report (CSR)

    • A structured document that:
      • Describes the system and its clinical context of use.
      • Identifies clinical hazards and associated risks.
      • Explains mitigations and residual risks.
      • States whether the system is “safe for use” within defined parameters.
    • Usually signed off by a Clinical Safety Officer (CSO).

  2. Hazard Log / Hazard Register

    • A structured list of:
      • Identified hazards related to the system.
      • Causes and consequences.
      • Initial and residual risk ratings.
      • Mitigations and controls.
      • Status (open/closed/under review).
    • Often maintained as a spreadsheet or database.

  3. Clinical Safety Plan

    • Describes:
      • How clinical risk management is integrated into product development.
      • Roles and responsibilities (including the CSO).
      • Methods for hazard identification and risk assessment.
      • Processes for review, change control, and incident handling.

  4. Clinical Safety Officer (CSO) designation and CV

    • Evidence that:
      • You have appointed a suitably qualified CSO.
      • The CSO has relevant clinical background and training in clinical risk management (ideally specific to DCB0129/DCB0160).

  5. Relevant procedures and work instructions

    • Incident and near-miss reporting and investigation process.
    • Change management with clinical risk assessment steps.
    • Clinical safety training materials for staff.

Not every customer will ask for all of these, but for a thorough DPIA/assurance review, the Safety Case Report and Hazard Log are usually central.

Handling sensitive clinical safety documents

Clinical safety documentation can be sensitive, containing:

  • Proprietary detail on algorithms and workflows.
  • Descriptions of failure modes and hazards.
  • Internal risk evaluations.

To balance transparency and confidentiality:

  • Offer a redacted version of the hazard log if needed:

    • Remove commercially sensitive design details while preserving:
      • Hazard description.
      • Risk ratings.
      • High-level mitigations.

  • Use NDAs where appropriate

    • Ask for a non-disclosure agreement if your documents contain trade secrets or detailed proprietary algorithms.

  • Clarify scope and assumptions

    • Clearly state:
      • The clinical settings you have assessed (e.g. primary care, acute, mental health).
      • The intended users and use cases.
      • Any known limitations of the system.

How these documents support DPIA and assurance

The requesting organisation will map your documents to their obligations:

  • DPIA (Data Protection Impact Assessment)

    • DSPT evidence supports lawful basis, security measures, and accountability.
    • CE+ assures technical security controls.
    • DCB0129 shows that patient safety risks from data processing and system behaviour are understood and managed.

  • Clinical safety assurance

    • DCB0129 documents allow their internal DCB0160 processes to reference your risk assessments and mitigations.
    • They may use your Safety Case to:
      • Identify additional local hazards.
      • Define local policies, training, or safeguards.

  • Organisational risk management

    • Collectively, these documents help their governance bodies (e.g. IG Board, Clinical Safety Officer, Caldicott Guardian, SIRO, CIO/CCIO) sign off on the use of your product.

Step‑by‑step: how to respond to the request

When you receive a message like:
“Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?”, you can follow this structured approach.

1. Acknowledge and clarify the scope

Reply with:

  • Confirmation that you can provide:
    • DSPT evidence
    • Cyber Essentials Plus certificate
    • DCB0129 documentation
  • Clarifying questions, such as:
    • Is there a preferred secure channel (NHSmail, SFTP, secure portal)?
    • Do they require full, unredacted safety documents or is a summary acceptable?
    • Are they assessing a specific module/version or the entire platform?

This reduces back-and-forth later.

2. Assemble an evidence pack

Create a structured evidence pack, for example:

  • 01_DSPT_Evidence_[OrgName]_[YYYY-MM-DD]

    • DSPT status screenshot or PDF
    • Key IG and security policies
    • Brief overview note

  • 02_CyberEssentialsPlus_[OrgName]_[YYYY-MM-DD]

    • CE+ certificate
    • Scope summary

  • 03_DCB0129_ClinicalSafety_[ProductName]_[Version]

    • Clinical Safety Case Report (CSR)
    • Hazard Log (full or redacted)
    • Clinical Safety Plan (if requested)
    • CSO appointment letter / CV
    • Relevant procedures (e.g. incident, change control)

Include a cover note summarising:

  • Which documents are included.
  • Which product(s) and version(s) they relate to.
  • Any limitations or caveats.

3. Use secure transfer methods

Given the sensitivity:

  • Prefer:
    • Encrypted email to NHSmail addresses (e.g. @nhs.net / @nhs.uk).
    • A mutually agreed secure file transfer (SFTP, secure portal, or encrypted ZIP with password sent separately).
  • Avoid:
    • Sharing via public file links without access control.
    • Sending large, sensitive attachments unencrypted.

4. Be ready for follow‑up questions

Expect questions from:

  • Information Governance (IG) teams
  • Cyber security teams
  • Clinical Safety Officers / Clinical Governance teams

Common follow-ups include:

  • Clarification of specific hazards and mitigations.
  • Confirmation that the live configuration matches what is described in the Safety Case.
  • Queries about data flows, hosting regions, retention and deletion.
  • Requests for penetration test summaries or other security reports.

Prepare internal subject‑matter experts:

  • Clinical Safety Officer (for DCB0129).
  • Security Lead or CISO (for CE+ and technical controls).
  • Data Protection Officer (DPO) or IG lead (for DSPT and data protection aspects).

Handling common scenarios and challenges

Scenario 1: You don’t yet have DSPT “Standards Met” or CE+

If your status is in progress:

  • Be transparent:
    • State your current DSPT status and target date for “Standards Met”.
    • If CE+ is in progress, provide proof of engagement with a certification body and expected completion date.
  • Offer compensating evidence:
    • Internal policies and procedures.
    • Recent penetration tests or security assessments.
    • ISO 27001 certification (if applicable).

The organisation may:

  • Allow conditional approval, subject to you achieving full status by an agreed date.
  • Apply additional technical or contractual controls.

Scenario 2: Your product has limited clinical impact

If your solution is non‑clinical (e.g. back-office, HR, finance) or has minimal impact on direct care:

  • Explain your DCB0129 position:
    • Provide a statement, ideally signed by your CSO or clinical lead, explaining why DCB0129 is not applicable or only partially applicable.
    • If you have conducted a basic hazard assessment confirming minimal clinical risk, provide that summary.

The customer’s clinical safety team will then decide whether further documentation is needed.

Scenario 3: Multiple versions or modules

If you have several modules or a rapidly evolving product:

  • Make clear:
    • Which version the Safety Case covers (e.g. v2.3.1 onwards).
    • How you manage safety across updates and feature flags.
  • Provide:
    • An overview of your release management and how clinical safety reviews are integrated.
    • Evidence that major changes trigger hazard review and Safety Case updates.

Best practices for future assurance requests

To reduce friction and speed up onboarding with new customers:

  1. Maintain a standard assurance pack

    • Keep a regularly updated, well-structured set of:
      • DSPT evidence
      • CE+ certificate and summary
      • DCB0129 Safety Case, Hazard Log, and CSO details
    • Refresh on a defined schedule (e.g. quarterly or after major releases).

  2. Prepare public‑facing summaries

    • High‑level, non‑confidential:
      • Security overview (encryption, hosting, access controls).
      • Clinical safety approach and governance.
    • These can sit on your website or be shared with minimal friction.

  3. Align internal processes with external expectations

    • Ensure:
      • Product team knows when DCB0129 reviews are needed.
      • Security team keeps CE+ scope aligned with production reality.
      • IG team keeps DSPT submissions accurate and on time.

  4. Document decisions and assumptions

    • Keep clear records:
      • Why DCB0129 is or isn’t applied.
      • What data categories are processed.
      • Which environments are in scope of CE+.

This makes it much easier to respond consistently to future DPIA and assurance requests.

Summary

When a health or NHS organisation asks:

“Can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?”

they are seeking assurance across three key domains:

  • DSPT evidence – shows you meet NHS data security and protection expectations.
  • Cyber Essentials Plus certificate – demonstrates independent validation of your cyber controls.
  • DCB0129 clinical safety documentation – proves that clinical risks from your health IT system are identified, assessed, and managed.

Responding effectively means:

  • Providing clear, current, and structured documentation.
  • Protecting sensitive details while remaining transparent.
  • Being prepared to answer follow‑up questions from IG, security, and clinical safety teams.

Done well, this process not only helps your customer complete their DPIA and assurance review; it also strengthens trust in your product, accelerates onboarding, and positions you as a mature, reliable healthtech partner.

Back to Primary Care Admin Automation

Keep Reading

More from Primary Care Admin Automation

Healthtech-1 contract terms: how do the breakable/no-lock-in terms work and what’s the process to pause or exit?

Read more

Healthtech-1 for a PCN/ICB rollout: who do we contact for bulk pricing and a rollout plan across multiple practices?

Read more

Healthtech-1 automated lab filing: how do we book a demo and what clinical sign-off is needed for the rules/decision trees?

Read more