September 18th 2025
We’ve updated our Data Security and Protection Toolkit (DSPT) guidance to reflect two new mandatory questions that you must answer to reach Standards Met. This means there are now 45 questions to complete to achieve Standards Met.
The new questions
The two new questions are:
4.3.1: Have all the administrators of your organisation’s IT system(s) signed an agreement to hold them accountable to higher standards?
(This sits under our DSPT guidance on Passwords, backups and access.)
7.1.1: You have an asset register detailing your organisation’s hardware, software and data, which is kept up to date.
(This sits under our DSPT guidance on Systems and software.)
Both of these new requirements focus on accountability and oversight. They are designed to help you manage who has administrative access to your IT systems and ensure you have a clear, up-to-date picture of the technology and data your organisation relies on.
New supporting resources
To help you answer these questions with confidence, we’ve developed two new resources:
- Privileged Access Agreement – template statement of complianceThe people within your organisation who are IT system administrators may have access to more information than other staff. Therefore, they need to be held accountable in a formal way to higher standards of confidentiality than others.
This requirement applies to IT system administrators working in external companies who support your organisation’s IT systems. This formal agreement could be part of a job description or a contract with your IT support company and/or systems supplier/s.
You can also download and adapt the wording in this Privileged Access Agreement – Statement of Compliance.
- Asset management quick guide and templates
This practical guide walks you through why asset management matters, what types of assets you need to consider, what to include in your register, and how to keep it up to date. The accompanying template makes it easy to start recording your hardware, software, and data assets straight away. View our quick guide and templates
These resources are designed to save you time and give you a clear, straightforward way to meet these new DSPT requirements.
Why these updates matter
Knowing what systems and information you have, and who has access to them is essential to good data protection. By formalising administrator accountability and keeping track of your organisation’s digital assets, you reduce the risk of data breaches, improve business continuity, and stay compliant with national data protection standards.
These updates also support better planning. A good asset register helps you budget for upgrades and replacements, avoid service disruption, and respond quickly if you need to recover from a cyber incident.
Explore the updated guidance
You can read the updated guidance and download the new resources now on the Digital Care Hub:
- DSPT guidance – Passwords, backups and access
- DSPT guidance – Systems and software
- Privileged Access Agreement template
- Asset management quick guide and Digital Assets Register template
Take a few minutes to familiarise yourself with these changes and update your DSPT so you stay on track to meet Standards Met.
View all News