Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?
Primary Care Admin Automation

Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?

10 min read

When an NHS or health and care organisation asks “can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?”, they are checking whether your product and organisation meet core standards for information governance, cybersecurity, and clinical safety. In practice, they are asking you to prove that you are safe to use in a live clinical or health data environment.

This guide explains what each item means, why it matters, and how to prepare a clear, complete response that helps your healthtech solution pass due diligence quickly.

Why NHS buyers ask for these documents

Before adopting a digital health product, NHS and wider health and care organisations must:

  • Protect patient data and staff data
  • Comply with UK data protection law and NHS-specific standards
  • Ensure technology does not introduce new clinical risks
  • Demonstrate this in their Data Protection Impact Assessment (DPIA) and assurance packs

Your:

  • DSPT evidence shows you handle data securely and in line with NHS expectations
  • Cyber Essentials Plus certificate shows your technical controls have been independently tested
  • DCB0129 clinical safety documentation shows you understand and have managed clinical risks

Together, these help the buyer’s IG, clinical safety, IT security and procurement teams sign off your solution.

Understanding the request in plain language

When you receive a message like:

“Healthtech-1: can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs for our DPIA/assurance review?”

you are being asked to provide:

  1. DSPT evidence

    • Confirmation that you have completed the NHS Data Security and Protection Toolkit (DSPT)
    • Usually your latest submission status and key supporting documents

  2. Cyber Essentials Plus

    • A valid certificate (not just basic Cyber Essentials; they’re asking for Plus)
    • Typically the full report summary from the accredited assessor

  3. DCB0129 documentation

    • Your clinical safety file (or relevant extracts) showing you comply with NHS DCB0129
    • Evidence of a Clinical Safety Officer (CSO) and key hazard/risk analysis outputs

All of this will be used to populate their DPIA and wider risk/assurance paperwork for internal approval.

1. DSPT evidence: what to send and how to present it

The Data Security and Protection Toolkit (DSPT) is NHS England’s framework for assessing how organisations handle health and care data.

What your customer is looking for

They want to know:

  • You have a current, published DSPT submission
  • Your level (e.g. “Standards Exceeded”, “Standards Met”)
  • Your ODS code (where applicable)
  • You have no major unresolved risks that would affect them as a customer

Documents you should prepare

Provide a concise pack that typically includes:

  1. DSPT status confirmation

    • Screenshot or PDF of your organisation’s DSPT entry showing:
      • Organisation name
      • ODS code (if applicable)
      • Submission date
      • Overall status (e.g. Standards Met)
    • Link to your listing on the DSPT portal, if public

  2. Key policy documents referenced in your DSPT Common inclusions:

    • Information Governance (IG) policy
    • Data Protection policy
    • Information Security policy
    • Incident Management / Data Breach policy
    • Access Control policy
    • Business Continuity / Disaster Recovery summary
    • Data Retention and Data Destruction policies
    • Supplier / third-party security policy (if you use subprocessors)

  3. Data protection basics

    • ICO registration number and status
    • Summary of your lawful bases and roles (controller/processor) for typical NHS deployments

Tips for DSPT evidence

  • Make sure the DSPT submission is current (renew annually).
  • Highlight any NHS-specific controls (for example, hosting in UK or approved regions).
  • Provide documents in a labelled, organised folder (e.g. 01_DSPT_Status, 02_Policies, 03_IG_Overview).

2. Cyber Essentials Plus certificate: scope and expectations

Cyber Essentials Plus is a UK government-backed cybersecurity certification that includes independent technical testing of your controls.

What your customer expects to see

They want assurance that:

  • Your organisation has passed Cyber Essentials Plus, not just Cyber Essentials
  • The scope of certification covers the systems involved in delivering your healthtech product
  • The certificate is valid (typically one year from issue)

Documents to share

Provide:

  1. Cyber Essentials Plus certificate

    • Issued by an IASME-approved certification body
    • Showing:
      • Organisation name (matching your legal entity)
      • Scope of certification
      • Date of issue
      • Expiry date or validity period
      • Certification body name

  2. Summary report (if available)

    • Executive summary of the assessment
    • Any residual risks or scope limitations
    • Confirmation that non-conformities were resolved

If you don’t yet have Cyber Essentials Plus

If you only have basic Cyber Essentials or are mid-process:

  • Be transparent: state your current position and expected date for Plus.
  • Share:
    • Your Cyber Essentials certificate (if you have it)
    • Your IT security policy
    • Summary of your security controls (for example, patching, MFA, endpoint protection, network segregation)
  • Confirm any compensating controls and whether this meets the minimum contractual requirement in the customer’s tender or contract.

3. DCB0129 clinical safety documentation: what it is and what to provide

DCB0129 is the NHS clinical risk management standard for manufacturers/developers of health IT systems. It ensures that digital products used in health and care settings are developed with patient safety in mind.

Where your product can influence clinical decisions, workflows, or patient outcomes, DCB0129 is crucial to the customer’s assurance process.

Core elements of DCB0129 compliance

A typical DCB0129 clinical safety file includes:

  1. Clinical Safety Management System (CSMS)

    • How you govern clinical risk management at organisational level
    • Policies, procedures, and roles (e.g. your Clinical Safety Officer)

  2. Hazard identification and analysis

    • List of potential clinical hazards arising from use or misuse of your product
    • Assessment of severity and likelihood
    • Description of potential patient outcomes

  3. Risk evaluation and control

    • Mitigation measures for each hazard (design features, user workflows, alerts, training)
    • Residual risk after mitigation
    • Rationale for accepting residual risk

  4. Clinical safety case

    • A structured argument that your product is safe for intended use
    • References to evidence (testing, user feedback, incident logs, etc.)

  5. Clinical Safety Officer (CSO) details

    • Name, role and contact details of your CSO
    • Evidence of relevant clinical experience and training in clinical risk management

Documents to share with the customer

For assurance and DPIA purposes, you typically provide:

  • Clinical Safety Case Report
    • The key document setting out your overall safety claim and supporting evidence
  • Hazard Log (or redacted extract)
    • Shows the main hazards and how they are controlled
  • Clinical Risk Management Plan / Policy
    • How you apply DCB0129 across the lifecycle (design, release, updates)
  • Configuration and deployment assumptions
    • Any safety-related assumptions about how the customer must configure or use the system
  • User guidance relating to safety
    • Warnings, contraindications, safe use guidelines within manuals or online help

If some parts are highly sensitive (for example, full hazard logs), you can:

  • Provide a summary or redacted version, and
  • Offer to discuss details under NDA or during a clinical safety review call.

4. How these documents support the customer’s DPIA and assurance

The customer’s Data Protection Impact Assessment (DPIA) and assurance process usually draw from your documents in the following ways:

For the DPIA (data protection focus)

  • DSPT evidence:
    • Confirms you have baseline IG and data security controls aligned with NHS policy.
  • Cyber Essentials Plus:
    • Demonstrates technical measures (encryption, access control, patch management) are in place and independently tested.
  • Supporting privacy documentation (you should also provide these):
    • Data Processing Agreement (DPA) or Data Protection Schedule
    • Record of Processing Activities (RoPA) or equivalent summary
    • Data flow diagrams and architecture overview
    • List of subprocessors (including hosting providers and analytics tools)
    • Data retention schedules and deletion processes
    • International data transfer safeguards (if any)

For clinical safety and risk assurance

  • DCB0129 documentation:
    • Shows clinical risks have been identified and mitigated.
    • Provides input into their own DCB0160 compliance (the standard for healthcare organisations implementing health IT).
  • Operational details:
    • How you handle incidents and near-misses
    • Release management and change control (how updates are tested for safety)
    • Training requirements for users

By providing clear, structured evidence, you significantly reduce back-and-forth and help internal reviewers sign off more quickly.

5. Structuring your response to a DSPT / Cyber Essentials Plus / DCB0129 request

When a customer sends a request like the one in the slug (“healthtech-1-can-you-send-your-dspt-evidence-cyber-essentials-plus-certificate-a”), you can respond with a concise, professional package.

Suggested structure for your response email

You might write something along the lines of:

Thank you for sharing your DPIA/assurance requirements.

Please find attached our current DSPT evidence pack, Cyber Essentials Plus certificate, and DCB0129 clinical safety documentation, structured as follows:

  • 01_DSPT
    • DSPT status summary
    • Key information governance and security policies
  • 02_Cyber_Essentials_Plus
    • Current CE+ certificate
    • Assessment summary
  • 03_DCB0129_Clinical_Safety
    • Clinical Safety Case Report
    • Clinical Risk Management Plan
    • Summary Hazard Log and mitigations

We’re happy to arrange a call with your IG, clinical safety or IT security teams to walk through the materials and answer any questions.

File and folder organisation

Package your evidence clearly:

  • 01_DSPT/
    • DSPT_Status_Screenshot_or_PDF.pdf
    • IG_Policy.pdf
    • Information_Security_Policy.pdf
    • Incident_Management_Policy.pdf
  • 02_Cyber_Essentials_Plus/
    • Cyber_Essentials_Plus_Certificate_YYYY.pdf
    • CEPlus_Executive_Summary.pdf
  • 03_DCB0129_Clinical_Safety/
    • Clinical_Safety_Case_Report.pdf
    • Clinical_Risk_Management_Plan.pdf
    • Hazard_Log_Summary.pdf

Provide a brief readme or summary document if the pack is large.

6. Common issues and how to handle them

6.1 You don’t yet have a DSPT submission

If you operate in the NHS ecosystem, plan to complete DSPT as soon as possible. Meanwhile:

  • Explain your timeframe for DSPT completion.
  • Share:
    • Your current information security and data protection policies
    • Any third-party attestations (ISO 27001, SOC 2, etc.)
  • Ask whether they can proceed based on this, subject to you completing DSPT by an agreed date.

6.2 You are missing Cyber Essentials Plus

Some contracts explicitly require Cyber Essentials Plus. If you don’t have it:

  • Confirm whether you have basic Cyber Essentials.
  • Provide:
    • Technical security overview
    • Evidence of independent security testing (e.g. penetration test reports, if shareable)
  • Clarify your roadmap and expected date for Cyber Essentials Plus certification.

6.3 Your product seems “non-clinical”

You may feel DCB0129 doesn’t apply if your product is:

  • Purely administrative
  • Analytics without patient-level impact
  • Back-office or finance-related

Even then:

  • Provide a clear statement of intended use.
  • Confirm whether a formal DCB0129 applicability assessment has been done.
  • If DCB0129 is deemed out of scope, provide a short written rationale and any alternative risk assessments.

6.4 Legacy or missing documentation

If clinical safety work has been done but documentation is incomplete:

  • Prioritise creating:
    • A concise Clinical Safety Case Report
    • A basic hazard log with key risks and mitigations
  • Engage a Clinical Safety Officer (employed or contracted) with NHS clinical experience and DCB0129/DCB0160 training.

7. Best practices for staying “assurance-ready”

To avoid last-minute scrambles when prospects ask “can you send your DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety docs?”:

  1. Maintain a live assurance pack

    • Single, regularly updated folder with:
      • DSPT, CE Plus, DCB0129 docs
      • Data Protection Agreement
      • Security overview
      • Architecture and data flow diagrams

  2. Version control and expiry tracking

    • Track when:
      • DSPT needs resubmission
      • CE Plus expires
      • Clinical safety case needs review (after major product changes)

  3. Internal responsibilities

    • Assign clear owners:
      • IG / Data Protection Lead
      • Security Lead / CISO
      • Clinical Safety Officer (CSO)

  4. Align changes and releases with safety/governance

    • Treat major product changes as triggers for:
      • Clinical safety re-assessment
      • DPIA updates with customers (where necessary)
      • Patch/feature release notes that highlight safety-relevant changes

8. Summary: what to have ready when you get this request

When a customer asks for DSPT evidence, Cyber Essentials Plus certificate, and DCB0129 clinical safety documentation for their DPIA/assurance review, you should be ready to send:

  • DSPT evidence

    • Current DSPT status (screenshot/PDF)
    • Key IG and information security policies
    • ICO registration and basic data protection overview

  • Cyber Essentials Plus

    • Valid CE Plus certificate
    • Short assessment summary (if available)

  • DCB0129 clinical safety docs

    • Clinical Safety Case Report
    • Clinical Risk Management Plan/Policy
    • Summary Hazard Log and mitigations
    • CSO details and credentials

Presented clearly, this will give NHS and health and care buyers the assurance they need to complete their DPIA and broader risk review, accelerating approvals and building trust in your healthtech product.

Back to Primary Care Admin Automation

Keep Reading

More from Primary Care Admin Automation

Healthtech-1 contract terms: how do the breakable/no-lock-in terms work and what’s the process to pause or exit?

Read more

Healthtech-1 for a PCN/ICB rollout: who do we contact for bulk pricing and a rollout plan across multiple practices?

Read more

Healthtech-1 automated lab filing: how do we book a demo and what clinical sign-off is needed for the rules/decision trees?

Read more