DSPT 2025/26: The Complete Guide for Care Homes, Pharmacies and GP Practices

Last reviewed: 10 March 2026

If you manage a care home, community pharmacy, or GP practice in England, you're required to complete the Data Security and Protection Toolkit (DSPT) every year by 30 June. Miss the deadline and you risk losing access to NHSmail, the NHS Spine, and the Electronic Prescription Service — systems your organisation relies on daily.

This guide covers the DSPT v8 (2025/26) requirements specifically for Category 3 and Category 4 organisations. No enterprise jargon, no assumptions about having an IT department.

What is the DSPT?

The Data Security and Protection Toolkit is an annual online self-assessment run by NHS England. It measures how well your organisation protects patient data against the 10 National Data Guardian (NDG) data security standards.

Every organisation that accesses NHS patient data or connects to NHS systems must complete it. That includes:

  • Residential and nursing care homes
  • Domiciliary care agencies
  • Community pharmacies
  • GP practices
  • Dental practices
  • Opticians

The toolkit is hosted at dsptoolkit.nhs.uk and the 2025/26 submission deadline is 30 June 2026.

What changed in DSPT v8 (2025/26)?

DSPT v8, released on 18 September 2025, is now fully aligned with the National Cyber Security Centre's Cyber Assessment Framework (CAF) version 3.4 — as confirmed in the official v8 announcement. This is a significant shift from previous versions.

What this means for small providers:

  • Outcome-based evidence. You need to show that your security controls actually work — not just that you have a policy document sitting in a drawer. If your data security policy says "all staff complete annual training," you need records proving they did.
  • Updated assertions and evidence items. The structure has moved from the old question format to Outcomes, Assertions, and Evidence items. For Category 3 organisations, the workload is broadly similar to previous years, but some evidence requirements have changed.
  • No carry-forward from v7. Evidence uploaded to v7 does not automatically transfer. You'll need to re-upload or re-confirm evidence items for v8.

Check the official v8 announcement for the full change log and downloadable spreadsheets showing the exact assertions and evidence items for your category.

DSPT categories: which one are you?

Your DSPT category determines which assertions and evidence items apply to your organisation.

| Category | Typical organisations | Scope |
|---|---|---|
| Category 1 | Large NHS trusts, ALBs | Full CAF assessment + independent audit |
| Category 2 | IT suppliers, larger NHS organisations | Extended assessment + independent audit |
| Category 3 | Care homes, domiciliary care, pharmacies, dentists, opticians | Core assessment — no independent audit required |
| Category 4 | GP practices | Tailored assessment — GP-specific evidence items |

Most readers of this guide will be Category 3 or Category 4. The key difference: Category 3 has a general set of assertions covering the 10 NDG standards, while Category 4 includes GP-specific items (for example, around clinical system access controls and NHS Spine usage).

If you run a residential or domiciliary care provider, our DSPT for care homes guide walks through the Category 3 evidence requirements with care-home-specific examples.

If you're unsure of your category, log in to dsptoolkit.nhs.uk — your category is assigned based on your organisation's ODS code.

The 10 National Data Guardian standards

The DSPT is structured around these 10 standards. Each one maps to specific assertions and evidence items:

  1. Personal confidential data — only accessed by authorised staff who need it
  2. Staff responsibilities — everyone understands their data security duties
  3. Training — all staff complete annual data security awareness training
  4. Managing data access — access is limited to what each person needs
  5. Process reviews — processes are regularly reviewed for compliance
  6. Responding to incidents — data breaches are detected and reported
  7. Continuity planning — plans exist to respond to threats to data security
  8. Unsupported systems — no unsupported operating systems or software
  9. IT protection — technical controls are in place (firewalls, encryption, patching)
  10. Accountable suppliers — third-party suppliers meet data security standards

For Category 3 organisations, the evidence across these standards includes items like staff training records, data security policies, risk assessment logs, business continuity plans, and records of who has access to what systems.

Key deadlines for 2025/26

| Date | What's due |
|---|---|
| 18 September 2025 | DSPT v8 opened for 2025/26 submissions |
| 31 December 2025 | Mid-year review updates due (if applicable) |
| January–June 2026 | Independent assessments window (Categories 1 and 2 only) |
| 30 June 2026 | Final DSPT submission deadline for all categories |

Missing the 30 June deadline has operational consequences. Non-compliant organisations can lose access to:

  • NHSmail — used for secure communication with other NHS organisations
  • NHS Spine — the central database connecting GP records, prescriptions, and patient demographics
  • Electronic Prescription Service (EPS) — pharmacies processing NHS prescriptions need Spine access
  • Data Sharing Agreements — ICBs may refuse to renew data sharing agreements with non-compliant providers

For a care home, this can disrupt medication management, hospital discharge communications, and referral pathways. For a pharmacy, losing EPS access effectively halts NHS dispensing.

"Approaching Standards" vs "Standards Met"

The DSPT has two compliance levels:

  • Approaching Standards — you've completed the mandatory assertions and uploaded the minimum required evidence. This is the baseline that most small providers should aim for first.
  • Standards Met — you've completed all assertions, including the non-mandatory ones, with full evidence. This is the higher bar.

Practical advice: If this is your first time completing the DSPT (or your first time with v8), focus on reaching "Approaching Standards" by 30 June. You can work toward "Standards Met" afterward — the toolkit stays open for updates throughout the year.

Common evidence items you'll need

While the exact requirements depend on your category and the v8 assertion list, most Category 3 organisations will need:

  • Staff training certificates — proof that every member of staff has completed annual data security awareness training. This is consistently the item that causes the most last-minute scrambling.
  • Data security policy — a current, reviewed policy that staff have read and acknowledged.
  • Risk assessment log — documenting identified data security risks and what you've done about them.
  • Business continuity plan — what happens if your systems go down, you suffer a cyber attack, or you lose access to patient records.
  • Access control records — who has access to which systems, when access was last reviewed, and how leavers' access is removed.
  • Incident response procedure — how you detect, report, and respond to data security incidents.
  • Supplier assurance — evidence that your IT suppliers (managed service providers, software vendors) meet data security standards.

For a more structured breakdown, try our free evidence checklist generator — select your category and get a categorised list of what you need to gather. If you're evaluating tools to help with tracking, see our guide on what to look for in a DSPT compliance tracker.

How long does it take?

There's no single answer — it depends on how organised your existing records are. But based on typical Category 3 organisations:

  • First submission: 20-40 hours over 3-5 months. The bulk of the time is gathering evidence, not answering questions. If your training records are scattered across email, your policy is three years old, and you've never documented your access controls, expect to be at the higher end.
  • Repeat submissions: 8-15 hours if you maintained your evidence throughout the year. Much less if your evidence from last year carries forward cleanly (though v8's changes mean some items need refreshing regardless).

The most effective approach is to spread the work across January to May rather than scrambling in June. A 90-day action plan starting in April gives you enough time without it consuming every spare moment. See our DSPT deadline action plan for a week-by-week breakdown.

FAQ

What does DSPT stand for? Data Security and Protection Toolkit. It replaced the old Information Governance Toolkit (IGT) in 2018.

Is the DSPT mandatory? Yes, for any organisation accessing NHS patient data or systems. Completion is a condition of your Data Sharing Agreement and, for CQC-registered providers, is checked during inspections.

Can I complete the DSPT without a consultant? Yes. The DSPT is designed as a self-assessment. Many small providers complete it independently — it takes longer the first time, but you build capability for future years. Tools like our readiness quiz can help you identify gaps before you start.

What if I can't meet the 30 June deadline? Contact NHS England before the deadline to discuss your options. Check the DSPT help pages for current guidance on support routes available to your organisation category. Submitting at "Approaching Standards" with some gaps is better than a missed submission.

How often does the DSPT change? Annually. NHS England releases a new version each September. The v7-to-v8 change (CAF alignment) was the largest structural change in several years. Future versions are expected to be incremental updates rather than full restructures.

Next steps

  1. Check your category — log in to dsptoolkit.nhs.uk and confirm whether you're Category 3 or 4.
  2. Prepare for first login — our DSPT toolkit prep guide covers what to gather before you open the portal so you don't waste your first session hunting for documents.
  3. Download the v8 evidence spreadsheet — see exactly which assertions and evidence items apply to you.
  4. Audit your current evidence — use our evidence checklist generator to see what you need and identify gaps.
  5. Plan your timeline — the DSPT deadline calculator shows how many working days you have left and suggests milestones.
  6. Start with training records — this is the evidence item most providers leave until last. Get it done first.

If you run a community pharmacy, our DSPT for pharmacies guide covers PSNC-specific evidence patterns and the NHSmail/EPS access points that matter most for pharmacy continuity. For the underlying nationally-mandated framework, see our overview of the NHS Data Security and Protection Toolkit.

This guide is based on DSPT v8 (2025/26) requirements as published by NHS England. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.
