
The DSPT Deadline Is 30 June 2026: Your 90-Day Action Plan

The DSPT submission deadline is 30 June 2026. If you haven't started yet, you have roughly 90 working days from early April to get it done. That's tight but workable — if you have a plan.

This guide breaks the submission down into a week-by-week action plan for Category 3 and Category 4 organisations. Each week has one clear task that takes 1-2 hours. No marathons, no June panic.

The 90-day timeline at a glance

| Week | Dates (approx.) | Focus | Time |
|------|-----------------|-------|------|
| 1 | 1-4 Apr | Log in, check category, download evidence spreadsheet | 1 hour |
| 2 | 7-11 Apr | Audit existing evidence (what you have vs what you need) | 2 hours |
| 3 | 14-18 Apr | Send staff training out to all employees | 1 hour |
| 4 | 21-25 Apr | Review and update data security policy | 1-2 hours |
| 5 | 28 Apr - 2 May | Review business continuity plan | 1-2 hours |
| 6 | 5-9 May | Document access controls (who has access to what) | 1-2 hours |
| 7 | 12-16 May | Request supplier assurance statements | 1 hour |
| 8 | 19-23 May | Chase outstanding training completions | 1 hour |
| 9 | 26-30 May | Upload all evidence to the portal | 2-3 hours |
| 10 | 2-6 Jun | Review, fill gaps, do final checks | 2 hours |
| 11 | 9-13 Jun | Submit for "Approaching Standards" | 1 hour |
| 12 | 16-20 Jun | Buffer week — handle any issues | As needed |

Total time: approximately 15-20 hours spread over 12 weeks. That's under 2 hours per week — manageable alongside running a care home, pharmacy, or practice.

Week 1: Log in and orient yourself

Task: Log in to dsptoolkit.nhs.uk, confirm your organisation's category (3 or 4), and download the v8 evidence spreadsheet for your category from the downloads page.

If you can't log in, your NHSmail account may need reactivating or your ODS code may not be linked. Contact your ICB's IT team — this can take a week to resolve, which is why it's Week 1.

Deliverable: Printed or saved copy of the v8 evidence spreadsheet, annotated with your category's assertions.

Week 2: Audit what you already have

Task: Go through each evidence item in the spreadsheet and mark it red/amber/green:

  • Green: Evidence exists and is current (dated within 12 months, matches v8 requirements)
  • Amber: Evidence exists but needs updating (out of date, or from v7 and may not match v8 wording)
  • Red: No evidence exists — you need to create this

This audit tells you exactly how much work remains. In our experience, a typical Category 3 organisation with reasonable practices in place often finds roughly half their items green, with the remainder split between amber and red — though this varies widely by organisation.

Use our evidence checklist generator for a structured version of this audit.

Deliverable: Colour-coded evidence spreadsheet showing your gaps.

Week 3: Launch staff training

Task: Send annual data security awareness training to every member of staff. This is the longest lead-time item — it depends on other people completing something, and some will need chasing.

Free option: the NHS e-Learning for Healthcare data security awareness module. It takes about 45 minutes and generates a downloadable certificate.

Who needs to complete it: Every person with access to patient data or NHS systems. This includes:

  • Permanent staff (all roles, including kitchen, maintenance, and admin staff at care homes if they have any access to patient areas)
  • Part-time and bank staff
  • Agency staff (ask agencies for training certificates or require completion of your training)

Deliverable: Training sent to all staff. Set up a tracking sheet or use our tools to monitor completions weekly.

Weeks 4-5: Policies and plans

Week 4 — Data security policy:

  • Does your current policy reflect v8 requirements?
  • Has it been reviewed in the last 12 months?
  • Have staff acknowledged reading it? (A signature sheet or email confirmation counts)

If your policy is older than 12 months, update it now. It doesn't need to be long — 4-6 pages covering data handling, access controls, incident reporting, and staff responsibilities is sufficient for a small provider.

Week 5 — Business continuity plan:

  • Do you have a documented plan for what happens if you lose access to your IT systems?
  • Does it cover cyber attack scenarios (ransomware, data breach)?
  • When was it last tested or reviewed?

A business continuity plan for a 30-bed care home doesn't need to be a 50-page document. It needs to answer: who does what if the systems go down, how do we access patient records in the interim, and who do we contact?

Week 6: Access controls

Task: Document who has access to which systems, when access was last reviewed, and your process for removing access when someone leaves.

Specifically:

  • List every system containing patient data (clinical systems, email, shared drives, cloud storage)
  • For each system, record who has access and what level (admin, standard user, read-only)
  • Check for leavers who still have active accounts — this is a common gap
  • Document your joiner/leaver access process

For GP practices, this includes EMIS/SystmOne access, NHSmail admin, and any shared drives. For pharmacies, include PharmOutcomes, NHSmail, and dispensing system access. For care homes, include care planning software, NHSmail, and any electronic records systems.

Deliverable: Access control register and documented joiner/leaver process.

Week 7: Supplier assurance

Task: Contact your IT suppliers and request written confirmation that they meet data security standards.

Most managed IT service providers can supply a standard assurance letter covering:

  • Data handling and encryption
  • Patching and update schedules
  • Backup and recovery procedures
  • Staff vetting and training

For clinical system vendors (EMIS, SystmOne, PharmOutcomes), these organisations typically publish their own DSPT submissions or provide assurance documentation. Check their support portals or ask your account representative.

Deliverable: Assurance letters or statements from each supplier handling patient data.

Week 8: Chase training

Task: Check your training tracker. By now (mid-May), you should have 80%+ completion. Chase anyone who hasn't completed the training.

Common holdouts: night shift staff, part-time workers, and staff on leave. For staff on long-term leave, document that they'll complete training on return — this shows you have a process even if completion isn't 100%.

Deliverable: Updated training completion records. Aim for 100% or documented exceptions.

Week 9: Upload everything

Task: Work through each assertion in the DSPT portal and upload your evidence. This is the most time-intensive single session — budget 2-3 hours and do it in one sitting if possible.

Tips for efficient uploading:

  • Name files clearly before uploading (e.g., "Data_Security_Policy_v3_May2026.pdf")
  • Add a brief note for each evidence item explaining what it shows
  • Upload training completion records as a single summary document, not individual certificates
  • Cross-reference your colour-coded spreadsheet to ensure nothing is missed

Deliverable: All available evidence uploaded to the portal.

Week 10: Gap check

Task: Review the portal's completion dashboard. Identify any assertions still showing as incomplete. For each gap:

  1. Can you source the evidence quickly? (e.g., a supplier hasn't replied — chase them)
  2. Is it a mandatory assertion? (If not, and you're aiming for "Approaching Standards", it can wait)
  3. Is it something you genuinely can't evidence? (Document why and check the DSPT help pages for support options)

Deliverable: All mandatory assertions complete, or a clear list of items to resolve in Week 11.

Week 11: Submit

Task: Submit your DSPT for "Approaching Standards" (mandatory assertions complete) or "Standards Met" (all assertions complete).

Don't wait until 30 June. Submitting in mid-June gives you a buffer for technical issues, portal downtime, or evidence that needs correcting.

After submission: Save a copy of your submission summary for your records. This is your evidence of compliance for CQC inspections, ICB contract reviews, and your own internal audit trail.

Week 12: Buffer

Task: Handle any post-submission issues. Occasionally the portal flags items for review or requests clarification. Having a buffer week means these don't become a crisis.

If you're starting later than April

The action plan compresses, but the priorities stay the same:

Starting in May (60 days):

  1. Staff training — send immediately, this is your bottleneck
  2. Audit evidence — skip the detailed colour-coding, just identify red items
  3. Policies — update only what's expired, don't rewrite everything
  4. Upload and submit — aim for "Approaching Standards"

Starting in June (30 days or less):

  1. Focus exclusively on mandatory assertions
  2. Send training today and chase daily
  3. Upload what you have — partial evidence is better than no evidence
  4. Contact NHS England before the deadline if you genuinely can't finish — check the DSPT help pages for current support options

Check exactly how many working days you have left with our DSPT deadline calculator. For help choosing the right approach for tracking your progress, see our guide on what to look for in a DSPT compliance tracker.

This guide is based on DSPT v8 (2025/26) requirements. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.
