Your DSPT Final Checklist: What to Do in the Last Weeks Before 30 June
It's the final stretch before the 30 June 2026 DSPT deadline. If your submission is mostly done and you want to confirm you haven't missed anything, or you're behind and need to know where to focus, this checklist is built for the last few weeks rather than a leisurely spring run-up.
The aim here isn't to teach the DSPT from scratch — it's to catch the high-impact gaps that commonly trip up small providers at the last minute, and to give you a clear plan if time is short.
First: know exactly how long you have
The deadline is 30 June 2026 for the 2025/26 (version 8) toolkit. If you're not sure how many working days that leaves you, our DSPT deadline calculator gives you a personalised countdown with milestones for your organisation type.
If you're already short on time, decide your target now: Standards Met if you're close, or Approaching Standards (the mandatory subset) if you're not. Aiming for Approaching Standards and improving afterward is a legitimate, on-time outcome — far better than chasing a perfect submission and missing the date.
The last-weeks checklist
Work through these in order. The first few are the ones most likely to be incomplete and most likely to hold up a submission.
1. Supplier and IT-provider assurance is in hand
Much of your technical evidence depends on someone else. If you haven't already:
- Confirm your clinical/PMR system supplier's DSPT assurance (e.g. EMIS, TPP SystmOne, or your pharmacy PMR provider) — most publish a DSPT status you can reference.
- Confirm your IT support provider has given you the assurance or documentation you need for access control, patching, and backups.
This is the item most likely to stall at the last minute because it depends on a third party's turnaround. Chase it first.
2. Staff training records are complete and current
- Data security awareness training completed by all staff in the current period — including locums, bank, agency, and recent starters.
- Records are dated within the last 12 months and you can produce the completion list, not just the training policy.
Training completion is a frequent gap because of turnover and temporary staff. A single untrained staff member with system access can undermine the assertion.
3. The new v8 evidence items are addressed
DSPT v8 (2025/26) introduced a stronger emphasis on a couple of items that catch people out:
- Digital asset register — every device, its operating system version, and key software, with confirmation nothing runs an unsupported OS.
- System administrator account register — every admin-level account across your clinical system, NHSmail admin, and network kit.
If either of these is missing, build it now — both are straightforward lists, but they're new enough that last year's evidence won't cover them. For the full picture of what changed, see our DSPT v8 changes explained guide.
4. Governance evidence is in place
- Named IG lead (and Caldicott Guardian / SIRO where applicable), with evidence the role is active.
- Information governance policy and privacy notice accessible to staff and patients.
- ICO registration as a data controller is current (a Data Protection Act 2018 / UK GDPR requirement).
5. Incident response and continuity are documented
- An incident response process naming who to contact and how you'd report a personal data breach to the ICO within 72 hours where required.
- A business continuity plan covering a system outage — how you'd operate safely if your clinical/PMR system or NHSmail went down.
6. Every mandatory assertion has evidence attached
Open the toolkit and go assertion by assertion. For v8, remember the standard is outcome-based: "we have a policy" isn't enough — you need evidence the control actually works. Confirm each mandatory item has a document or record attached, not just a tick.
7. Publish — don't just save
The most avoidable miss of all: completing every item but never clicking Publish. A saved-but-unpublished assessment does not count as submitted. Publish before 30 June.
If you're not going to finish in time
If you realistically can't reach your target by 30 June:
- Switch your target to Approaching Standards. Confirm the mandatory subset is complete and publish that. It's an on-time submission.
- Note your gaps as an improvement plan. The toolkit lets you record what you'll strengthen and by when.
- Tell the right people early. Contact your ICB or NHS England before the deadline if you're at risk of missing it — don't wait until 1 July.
A published Approaching Standards submission on 30 June, improved over the following months, is a good outcome. A missed deadline is the thing to avoid.
Next steps
- Run the DSPT readiness quiz for a quick gap score before you do your final review.
- Use the evidence checklist generator to confirm you've covered your category's items.
- For the week-by-week version of this run-up, see our DSPT deadline action plan.
- New to the toolkit this year? Start with the complete DSPT guide.
This checklist is based on DSPT v8 (2025/26) requirements and is current as of 4 June 2026. The deadline is 30 June 2026; always confirm current requirements and deadlines on the official DSPT portal. This is not legal or compliance advice.