
DSPT Evidence Requirements: A Category-by-Category Breakdown

Last reviewed: 10 March 2026

The DSPT portal tells you which assertions you need to complete, but it doesn't always make clear what evidence will actually satisfy each one. "Provide evidence of appropriate technical controls" is vague when you're a care home manager staring at the screen wondering whether a screenshot of Windows Defender counts.

This guide breaks down the evidence requirements by category and standard — what types of evidence are accepted, what "good" evidence looks like versus "just-enough" evidence, and where most small providers get stuck.

How evidence works in DSPT v8

DSPT v8 structures requirements as:

  • Outcomes — high-level security goals (e.g., "data is protected at rest and in transit")
  • Assertions — specific statements about what your organisation does (e.g., "we encrypt all devices holding patient data")
  • Evidence items — the proof that the assertion is true (e.g., screenshot of BitLocker enabled, IT provider assurance letter)

The key shift in v8 is outcome-based evidence. Previous versions accepted "we have a policy" as sufficient. v8 asks: does the policy work? Is it followed? Can you prove it? This means most evidence items need two components: the document itself AND proof that it's implemented.

Evidence volume by category

Category                                Total evidence items   Mandatory items   Independent audit?
1 (Large NHS trusts)                    ~179                   ~166              Yes
2 (IT suppliers, larger NHS)            ~120                   ~100              Yes
3 (Care homes, pharmacies, dentists)    ~50                    ~42               No
4 (GP practices)                        ~50                    ~42               No

Categories 3 and 4 have broadly similar evidence counts, but Category 4 includes GP-specific items around clinical system access and NHS Spine connectivity. Categories 1 and 2 require significantly more evidence and an independent audit — these categories are for NHS trusts, large providers, and IT suppliers.

If you're a care home, pharmacy, or dental practice, you're Category 3. If you're a GP practice, you're Category 4. The rest of this guide focuses on these two categories.

Evidence by standard: what you actually need

Standard 1: Personal confidential data

What they want to know: Is personal data only accessed by people who need it for their role?

Evidence required:

  • Data flow map or system inventory — a document listing every system that holds patient/resident data, what data each system holds, and who accesses it
  • Confidentiality agreements — signed by all staff, ideally as part of employment contracts
  • Access justification — evidence that access levels match job roles (not everyone having admin access)

What good evidence looks like: A spreadsheet listing: system name, data held, staff roles with access, access level (read/write/admin), and date last reviewed. Updated within the last 12 months.

What weak evidence looks like: A generic "data protection policy" with no specifics about which systems exist or who accesses them.

Standard 2: Staff responsibilities

What they want to know: Do staff understand their data security duties?

Evidence required:

  • Data security policy — customised to your organisation, reviewed within the last 12 months
  • Staff acknowledgement — proof that staff have read and understood the policy (signature sheets, email confirmations)
  • Named data protection lead — documented assignment of responsibility

What good evidence looks like: A dated policy with a review schedule, plus a signed acknowledgement sheet showing every staff member's name, signature, and date. The policy includes your organisation's specific systems and procedures — not a generic template.

What weak evidence looks like: A policy downloaded from the internet with your organisation's name pasted in, no signatures, and a review date from two years ago.

Standard 3: Training

What they want to know: Has every staff member received appropriate data security training?

Evidence required:

  • Training Needs Analysis (TNA) — endorsed by senior leadership, showing what training each role needs
  • Training completion records — certificates, attendance registers, or completion logs for every staff member
  • Training evaluation — evidence that training was effective (quiz results, assessment scores)

What good evidence looks like: A TNA table listing each role and the training required, signed by the registered manager or practice manager. A training log spreadsheet showing every staff member's name, role, training completed, date, and certificate reference. An evaluation statement noting completion rates and any follow-up actions.

What weak evidence looks like: A list of staff names with "completed" next to each one but no certificates, dates, or evidence of what was completed.

Common gap: Agency and locum staff. Your training records need to cover everyone who accesses patient data, including temporary staff.

Standard 4: Managing data access

What they want to know: Are access controls properly managed throughout the employment lifecycle?

Evidence required:

  • Access control register — who has access to which systems, at what level
  • Joiner/leaver process — documented procedure for granting and revoking access
  • Regular access reviews — evidence that access is reviewed periodically (at least annually)
  • System administrator account register — new in v8, listing all admin-level accounts

What good evidence looks like: A spreadsheet listing every staff member, the systems they access, their access level, when access was granted, and the last review date. A separate column for "date access removed" for leavers. Screenshots of system admin panels showing disabled leaver accounts.

Common gap: The system administrator register is new in v8. List every account with admin or superuser access across all systems — PMR, care planning software, NHSmail admin, router/firewall management.
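One way to turn the access register into the three checks above (leavers still holding access, entries not reviewed within 12 months, and the new v8 system administrator register) is a short PowerShell pass over the spreadsheet exported as CSV. This is an added example, not part of the original guide; the column names and the staff rows are constructed assumptions, and the review date is pinned so the result is reproducible.

```powershell
# Added example (not the guide's own): review an access register CSV for the
# Standard 4 gaps. Column names below are assumptions; adapt them to your sheet.
$registerCsv = @"
Staff,System,AccessLevel,Granted,LastReviewed,AccessRemoved,LeftOrg
A. Patel,PMR,read,2023-02-01,2025-06-15,,
B. Jones,PMR,admin,2022-11-10,2024-01-20,,
C. Smith,Care planning,write,2021-05-03,2025-06-15,,2025-09-30
D. Lee,NHSmail admin,admin,2024-03-12,2025-06-15,2025-10-01,2025-09-30
"@
# In practice: $register = Import-Csv .\access-register.csv
$register = $registerCsv | ConvertFrom-Csv

# Fixed review date so the sample output is reproducible; use (Get-Date) for real runs.
$today = Get-Date '2026-03-10'

# 1. Leavers whose access was never recorded as removed
$leaversWithAccess = $register | Where-Object { $_.LeftOrg -and -not $_.AccessRemoved }

# 2. Live entries not reviewed in the last 12 months (the "at least annually" check)
$overdue = $register | Where-Object {
    -not $_.AccessRemoved -and ([datetime]$_.LastReviewed).AddDays(365) -lt $today
}

# 3. The v8 system administrator register: every live admin/superuser account
$adminRegister = $register | Where-Object {
    ($_.AccessLevel -in @('admin', 'superuser')) -and -not $_.AccessRemoved
}

"Leavers with access still open:"
$leaversWithAccess | Format-Table Staff, System, LeftOrg
"Access not reviewed in the last 12 months:"
$overdue | Format-Table Staff, System, LastReviewed
"System administrator register:"
$adminRegister | Format-Table Staff, System, AccessLevel, Granted

# Export the admin register as its own evidence item
$adminRegister | Export-Csv -Path .\admin-register.csv -NoTypeInformation
```

With the constructed rows, C. Smith is flagged as a leaver with open access, B. Jones is flagged as overdue for review and is the only entry in the admin register; D. Lee is excluded from all three because the access removal date is filled in. The exported CSV, together with the screenshot of the disabled account, is the kind of paired "document plus proof" evidence that v8 asks for.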

Standard 5: Process reviews

What they want to know: Are your data security processes reviewed regularly?

Evidence required:

  • Policy review schedule — showing when each policy was last reviewed and when the next review is due
  • Review evidence — updated dates on policy documents, review meeting notes, or signed-off review records

What good evidence looks like: A single-page review schedule: policy name, last reviewed date, next review date, reviewed by. Each policy document shows the matching review date in its header or footer.

Standard 6: Responding to incidents

What they want to know: Can you detect and respond to data security incidents?

Evidence required:

  • Incident response procedure — step-by-step process for reporting and handling data breaches
  • Staff awareness — evidence that staff know how to report incidents (covered in Standard 3 training)
  • Incident log — a record of incidents reported and actions taken

What good evidence looks like: A procedure document covering: what counts as a data incident, who to report to, initial response steps, ICO notification thresholds (within 72 hours for notifiable breaches), and post-incident review process. An incident log — even if empty — with column headers for date, description, reporter, actions taken, and resolution.

What if you've had zero incidents? That's fine. An empty incident log with the procedure attached proves you have a working system. The DSPT doesn't penalise you for having no incidents — it penalises you for having no process to detect them.

Standard 7: Continuity planning

What they want to know: What happens if your systems fail or you suffer a cyber attack?

Evidence required:

  • Business continuity plan (BCP) covering IT failure, cyber attack, and data loss scenarios
  • Plan review or testing evidence — proof that the plan has been reviewed or tested

What good evidence looks like: A 2-4 page BCP covering:

  • PMR/clinical system failure — manual backup procedures, paper-based alternatives
  • NHSmail outage — alternative communication methods
  • Ransomware/cyber attack — who to contact (IT provider, Action Fraud 0300 123 2040), isolation steps
  • Data loss — backup locations, recovery process
  • Reviewed date and next review date

Testing the plan can be as simple as a tabletop exercise: walk through the scenarios with your team, document what you'd do, note any gaps, and fix them. Record the date, participants, and outcomes.

Standard 8: Unsupported systems

What they want to know: Are all devices running supported software?

Evidence required:

  • IT asset register — every device (computer, tablet, phone) used by staff, with make, model, OS version, and key software
  • Confirmation that no unsupported operating systems or software are in use

What good evidence looks like: A spreadsheet listing every device: location (reception, dispensary, office), device type, make/model, OS version (e.g., Windows 11 23H2), key software installed. Confirmation that no device runs Windows 7, Windows 8, or any other end-of-life OS.

Common gap: Old devices in back offices or nurse stations that nobody remembers. Walk the building and check every screen. If your IT provider manages your devices, ask them to generate this list — most remote management tools can do it automatically.

Standard 9: IT protection

What they want to know: Are technical security controls in place and working?

Evidence required:

  • Firewall — confirmation that a firewall is active and configured
  • Patching — evidence that operating systems and software are kept up to date
  • Encryption — confirmation that devices holding patient data use disk encryption
  • Anti-malware — antivirus or anti-malware installed and updated
  • Multi-factor authentication (MFA) — for remote access to systems holding patient data (new emphasis in v8)

What good evidence looks like: If you have a managed IT provider: a single assurance letter from them confirming all five controls are in place. This is the most efficient approach — one document covering the entire standard.

If you manage IT yourself: screenshots of Windows Security (Defender status), Windows Update (last update date), BitLocker (encryption status), and your router admin page (firewall enabled).
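If you manage IT yourself, the screenshots above can be backed by a dated export from each device that covers both the Standard 8 asset register fields (make/model, OS version, supported or not) and four of the five Standard 9 controls (firewall, patching, encryption, anti-malware). The script below is an added example, not the guide's own; it uses standard Windows cmdlets, assumes an elevated session (Get-BitLockerVolume needs admin), and the end-of-life list is a placeholder to check against current vendor lifecycle dates. MFA is not checkable locally and still needs its own evidence.

```powershell
# Added example (not the guide's own): collect Standard 8 and 9 evidence from a
# self-managed Windows device into a dated JSON file. Run as administrator.
$ErrorActionPreference = 'Continue'   # a missing cmdlet (e.g. third-party AV) leaves a blank field, not a crash

# --- Standard 8: asset register fields -------------------------------------
$os = Get-CimInstance Win32_OperatingSystem
# Placeholder end-of-life list: Windows 7/8 from the guide, Windows 10 (end of
# support October 2025 unless covered by Extended Security Updates).
$eolCaptions = @('Windows 7', 'Windows 8', 'Windows 10')
$asset = [pscustomobject]@{
    Hostname    = $env:COMPUTERNAME
    CollectedOn = (Get-Date).ToString('yyyy-MM-dd')
    Model       = (Get-CimInstance Win32_ComputerSystem).Model
    OS          = $os.Caption
    OSVersion   = $os.Version
    Build       = $os.BuildNumber
    Unsupported = ($eolCaptions | Where-Object { $os.Caption -like "*$_*" }).Count -gt 0
}

# --- Standard 9: control status ---------------------------------------------
$defender  = Get-MpComputerStatus                      # Windows Defender only
$lastPatch = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$firewall  = Get-NetFirewallProfile | Select-Object Name, Enabled
$bitlocker = Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
$sysDrive  = $bitlocker | Where-Object MountPoint -eq $env:SystemDrive

$controls = [pscustomobject]@{
    AntivirusEnabled      = $defender.AntivirusEnabled
    RealTimeProtection    = $defender.RealTimeProtectionEnabled
    SignaturesLastUpdated = $defender.AntivirusSignatureLastUpdated
    LastPatchInstalled    = $lastPatch
    FirewallAllProfilesOn = -not ($firewall | Where-Object { -not $_.Enabled })
    SystemDriveEncrypted  = ("$($sysDrive.ProtectionStatus)" -eq 'On')
    MfaForRemoteAccess    = 'Not checkable locally; evidence separately'
}

# --- Write the evidence file -------------------------------------------------
$report  = [pscustomobject]@{ Asset = $asset; Controls = $controls; Firewall = $firewall; BitLocker = $bitlocker }
$outFile = "DSPT-evidence-$($env:COMPUTERNAME)-$((Get-Date).ToString('yyyyMMdd')).json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile

$asset | Format-List
$controls | Format-List
"Evidence written to $outFile"
```

Run it on each device and keep the JSON files alongside the screenshots; the Asset block feeds the Standard 8 register row for that machine, and any Unsupported = True or FirewallAllProfilesOn = False result is a gap to fix before submission rather than something to submit as-is.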

Standard 10: Accountable suppliers

What they want to know: Do your IT suppliers meet data security standards?

Evidence required:

  • Data processing agreements (DPAs) — contracts with suppliers handling patient data
  • Supplier assurance — evidence that suppliers meet data security standards (their own DSPT completion, ISO 27001, or similar)

What good evidence looks like: Emails or letters from each key supplier confirming: (a) their DSPT completion status or equivalent certification, and (b) a copy of or reference to your data processing agreement. Keep these organised by supplier.

Key suppliers for small providers:

  • PMR system / care planning software provider
  • Managed IT provider
  • Any cloud storage or backup service
  • Delivery management software (pharmacies)
  • Clinical system provider (GP practices)

Category 3 vs Category 4: key differences

Most evidence requirements are shared between Categories 3 and 4. The main differences for Category 4 (GP practices):

  • Clinical system access controls — specific evidence around GP clinical system (EMIS, SystmOne) user roles, access levels, and audit trails
  • NHS Spine connectivity — evidence that Spine access is appropriately managed and monitored
  • Smartcard management — evidence that NHS smartcards are issued, managed, and revoked correctly
  • Clinical safety — additional items around clinical data integrity

If you're a GP practice, check the v8 assertion spreadsheet for Category 4 specifically — some items are worded differently even where the underlying requirement is similar.

Getting your evidence ready

Rather than working through the DSPT standard by standard, group your evidence preparation by type:

  1. Policies first — review, update, and date-stamp all data-related policies. One session, multiple standards covered.
  2. Training records next — the most time-consuming evidence to gather. Start early.
  3. IT technical evidence — one request to your IT provider covers Standards 8, 9, and parts of 4 and 7.
  4. Access records — document who has access to what. Standards 1 and 4.
  5. Supplier evidence — email requests to 3-4 key suppliers. Standard 10.

For a complete, categorised checklist of every evidence item for your category, use the evidence checklist generator.

Next steps

This guide is based on DSPT v8 (2025/26) requirements. Evidence item counts are approximate and may vary by organisation sub-type. Always verify current requirements on the official DSPT portal and download the v8 assertion spreadsheets for your category. This is not legal or compliance advice.
