DSPT for Dental Practices: A Principal Dentist's Compliance Guide
As a principal dentist or practice manager handling your practice's NHS obligations, the DSPT sits alongside GDC standards, CQC registrations, and BDA guidance as one of the annual compliance tasks that falls to you. Most guidance on the toolkit is aimed at care homes or GP practices — this one focuses specifically on what dental practices need.
Dental practices are Category 3 in the DSPT, alongside pharmacies, care homes, and opticians. That means approximately 42 mandatory evidence items across the 10 National Data Guardian standards, a 30 June 2026 submission deadline, and no requirement for an independent audit. You complete the self-assessment and publish your result.
What makes dental practices different
The underlying 10 NDG standards are the same across all Category 3 organisations, but the evidence you gather is shaped by how a dental practice actually operates. Three things set dental practices apart from pharmacies or care homes.
Practice management software. Whether you use Dentally, SOE Exact, R4 Practice Management, or another system, your clinical and administrative data lives in that platform. Your DSPT evidence needs to include supplier assurance from your PMS provider — confirming they meet data security standards — and your own evidence of how you manage access to the system.
NHS Spine and NHSmail. Practices with NHS contracts typically have access to NHS Spine (for NHS Business Services Authority claims and real-time eligibility checking) and NHSmail accounts. These connections mean you have data-sharing obligations that extend beyond your own four walls. Your evidence needs to show that these access points are appropriately managed and that staff using NHSmail understand their responsibilities.
Staff mix and turnover. Many dental practices employ a mix of permanent staff (receptionists, nurses, practice manager), self-employed associates, and locum dentists. Each person with access to patient records needs to be covered by your training records and your access controls. Associates and locums are a common gap — your DSPT can't assume they'll organise their own data security training.
The evidence you'll need
Category 3 dental practices need to demonstrate compliance with all 10 NDG standards. Here's how each one plays out in a dental context.
Standard 1 — Personal confidential data: Your evidence needs to show that patient data is only accessed by people who need it. A data flow map or system inventory works well: list each system that holds patient or staff data (PMS, NHSmail, NHSBSA portal, cloud storage), what data it holds, and which roles have access. Associates who access clinical records need to appear on this list.
Standard 2 — Staff responsibilities: A current data security policy, reviewed in the last 12 months, with evidence that staff have read it. For a small practice, a signature sheet or email confirmation from each staff member suffices. The policy doesn't need to be long — 4-6 pages covering data handling, access management, incident reporting, and responsibilities is appropriate.
Standard 3 — Training: The old 95% rule is gone. You now need to show that all staff have an appropriate understanding of data security, through a documented Training Needs Analysis (TNA), evidence of training delivery, and some form of evaluation. The NHS e-Learning for Healthcare data security awareness module is free and generates a certificate — useful for nurses, receptionists, and admin staff. For self-employed associates, you'll need to establish how they meet the training requirement.
Standard 4 — Managing data access: An access control register (who has access to which systems at what level), a joiner/leaver process, and — new in v8 — a signed agreement holding your IT system administrators to higher standards of confidentiality. Whoever administers your PMS, NHSmail admin access, and any NHSBSA portal administrator (including an external IT provider) all need to be covered by that agreement.
Standard 5 — Process reviews: Evidence that your data security processes are reviewed regularly. A review schedule and dated policy documents showing when they were last updated. An annual meeting where policies are reviewed and sign-off recorded is sufficient.
Standard 6 — Responding to incidents: An incident response procedure and an incident log. The procedure covers how staff identify, report, and escalate data incidents. The log records incidents (even minor ones like an email sent to the wrong address) and the actions taken. If you've had no reportable incidents, an empty log with the procedure attached demonstrates you have a working system.
Standard 7 — Continuity planning: A business continuity plan covering what happens if your PMS goes down, your internet connection fails, or you suffer a cyber attack. For a dental practice, this includes: paper backup procedures for appointments and patient notes, how to access NHSBSA claims if your system is unavailable, and who to contact in an emergency. The plan should be reviewed or tested annually.
Standard 8 — Unsupported systems: A list of all devices (computers, laptops, tablets) used in the practice, with their operating systems confirmed as currently supported. If any device runs an end-of-life OS (Windows 7 or 8, for example), it needs to be replaced or isolated before you can achieve Standards Met. Ask your IT provider for a device list if you don't have one.
Standard 9 — IT protection: Confirmation that firewalls, anti-malware, encryption, and patching are all active. For most dental practices, a single assurance letter from your IT provider covering all five controls is the most efficient evidence. If you manage IT yourself, screenshots of Windows Security, Windows Update, and BitLocker suffice. Multi-factor authentication for remote access is given new emphasis in v8 — if any staff access patient records from outside the practice, MFA should be in place.
Standard 10 — Accountable suppliers: Data processing agreements (DPAs) and assurance statements from suppliers handling patient data. For dental practices, this typically includes:
- Your practice management software provider
- Your managed IT provider (if you use one)
- Your cloud backup service
- Your NHSBSA portal access (if relevant)
- Any third-party appointment booking or patient communication platform
Most PMS providers have a standard DPA and DSPT assurance letter available on request or via their support portal. Your IT provider should be able to supply a letter confirming they meet data security standards.
Common evidence gaps in dental practices
Three areas consistently create gaps for dental practices at assessment time.
Associates and locums. Their training status, system access, and acknowledgement of your data security policy need to be documented even if they're self-employed. The simplest approach: include them in your training tracking spreadsheet, send them your policy for acknowledgement, and note whether they complete training through your route or independently.
PMS access for leavers. When a dental nurse, associate, or receptionist leaves, their PMS access, NHSmail account, and any shared drive access need to be revoked promptly. This sounds obvious, but access registers at many practices haven't been audited recently — accounts for staff who left 12+ months ago may still be active. Check your PMS user list and your NHSmail admin panel.
Supplier assurance. Many practices have a verbal relationship with their IT provider and PMS vendor but no written confirmation of their data security standards. The DSPT requires written evidence. A single email to each key supplier requesting either their DSPT submission reference or a brief assurance statement usually resolves this within a few days.
Preparing your submission
The most efficient approach for a dental practice:
- Download the v8 evidence spreadsheet for Category 3 from the official v8 announcement page. This gives you the complete list of assertions and evidence items in a format you can annotate.
- Work through each item and mark it red/amber/green — existing evidence, needs updating, or doesn't exist yet.
- Group your gaps: policies (week 1), training records (week 2-3), IT evidence (one request to your IT provider), supplier assurance (email each key vendor).
- Upload to the portal once evidence is gathered. The DSPT portal at dsptoolkit.nhs.uk is where you submit your assessment.
- Submit at Approaching Standards if you can't reach Standards Met by the deadline — partial compliance is far better than a missed submission.
For a category-specific checklist of exactly which evidence items apply to you, use our free evidence checklist generator. For a week-by-week timeline, our DSPT 90-day action plan works for dental practices as well as care homes and pharmacies.
To see how a dental practice's evidence requirements compare with other Category 3 organisations, see our complete guide to DSPT evidence requirements.
FAQ
Is the DSPT mandatory for dental practices? Yes. Any dental practice providing NHS services — and most providing private services that connect to NHS systems — must complete the Data Security and Protection Toolkit by 30 June each year. Completion is a condition of your NHS contract and is relevant to CQC inspections under Regulation 17 (good governance).
What DSPT category are dental practices in? Dental practices are Category 3, the same category as pharmacies, care homes, and opticians. Category 3 has approximately 42 mandatory evidence items across the 10 National Data Guardian standards. No independent audit is required.
How is the dental practice DSPT different from other organisations? The core 10 NDG standards are the same across Category 3. What differs is the evidence context: dental practices rely heavily on practice management software, have patient record access through NHS Spine for some services, and may use NHSmail.
What happens if a dental practice misses the 30 June deadline? A missing or out-of-date DSPT can affect your NHS contract compliance and your ability to access NHS systems. If you're at risk of missing the deadline, submit at Approaching Standards rather than not submitting at all. Check the DSPT help pages for current support options.
This guide is based on DSPT v8 (2025/26) requirements as published by NHS England. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.