DSPT for GP Practices: A Practice Manager's Compliance Guide
If you manage a GP practice, the Data Security and Protection Toolkit (DSPT) sits on a long list of annual obligations alongside CQC, QOF, the GP contract, and day-to-day operations. The good news: general practice has its own DSPT category with evidence items written specifically for how practices actually work. The catch: most DSPT guidance online is written for care homes or NHS trusts, not for a practice manager juggling EMIS, GP Connect, and a Caldicott Guardian who is also a part-time partner.
This guide covers the DSPT specifically for GP practices — why you're Category 4, what evidence you need for DSPT v8 (2025/26), how to coordinate with your clinical system supplier, and how to hit the 30 June 2026 deadline.
Your DSPT category: why GP practices are Category 4
General practice is Category 4 in the DSPT. This is its own category — separate from Category 3, which covers dentists, opticians, pharmacies, social care providers, and small IT suppliers.
Your category is assigned automatically based on your ODS code when you register at dsptoolkit.nhs.uk. You don't choose it — the toolkit presents you with the Category 4 evidence items once it recognises you as a GP practice.
What Category 4 means in practice:
- You complete a self-assessment against the 10 National Data Guardian (NDG) standards — the same underlying standards every category works to.
- The evidence items are worded for general practice — they reference the systems and roles that exist in a practice rather than generic "organisation" language.
- No independent audit is required (that applies to Categories 1 and 2 — NHS trusts and large IT suppliers).
- You work toward Standards Met, or Approaching Standards as a minimum, by 30 June 2026.
For the 2025/26 (version 8) toolkit, NHS England made minor wording amendments to the Category 4 evidence items rather than a wholesale change. If you submitted last year, the shape of your task will feel familiar — but the underlying structure changed at v8 (more on that below).
Don't assume the Category 3 numbers apply to you. A lot of online guidance quotes "around 42 mandatory evidence items" — that's the commonly cited figure for Category 3 (care homes, pharmacies). Category 4 has its own pre-determined set. Always work from the Category 4 evidence list the toolkit shows you, not a number from a care-home guide. Download the official Category 4 spreadsheet from the v8 announcement to see your exact list.
What changed at DSPT v8 (and why it matters for GP practices)
DSPT v8 opened for the 2025/26 cycle on 18 September 2025 and is structurally different from v7. Instead of the old question format, v8 uses Outcomes, Assertions, and Evidence items, and the whole toolkit is aligned to the NCSC Cyber Assessment Framework. (DSPT v8 is aligned to CAF version 3.4, per the official v8 announcement.)
For a practice manager, the headline effects are:
- Outcome-based evidence. It's no longer enough to say "we have an information governance policy." You need to show the policy is in use — for example, training completion records, not just a training policy. If you want the full change log, see our DSPT v8 changes explained guide, and if "CAF" is unfamiliar, our Cyber Assessment Framework explained guide covers what the framework is and why it now shapes the DSPT.
- Evidence doesn't carry forward from v7. You'll need to re-confirm or re-upload evidence in the new structure even where nothing has actually changed in your practice.
- A digital asset register and system administrator account register are part of the v8 emphasis. For a practice, that means a list of every device and every admin-level account across your clinical system, NHSmail, and network kit.
GP-practice-specific challenges
General practice faces DSPT challenges that care homes and pharmacies don't:
Clinical system dependency (EMIS / TPP SystmOne). The bulk of your patient data lives in your clinical system. Much of your DSPT technical evidence — access controls, audit logging, encryption, role-based access — depends on what EMIS or SystmOne provides and how it's configured. You can't answer many assertions without your supplier's standing assurance documentation.
Multiple data flows. A practice handles data across the clinical system, NHSmail, GP Connect, the Summary Care Record, online consultation tools, the NHS App, document management, and often a separate appointment or telephony system. Each is a data touchpoint that needs documented access control.
Caldicott Guardian and IG lead roles. Practices are expected to have a Caldicott Guardian (a senior clinician responsible for protecting patient confidentiality) and an Information Governance lead. The DSPT asks you to evidence that these roles exist and are active — minutes, role descriptions, and named individuals.
PCN and federation complexity. If you share staff, premises, or systems across a Primary Care Network, data flows between practices need documenting. Shared roles (a PCN-wide IG lead, for example) still need to map cleanly to each practice's own submission.
High patient and data volume with a small admin team. A practice with 8,000 patients may run with a handful of administrative staff. Compliance work competes with appointment management, prescriptions, recalls, and inbound clinical correspondence.
What evidence GP practices typically need
The exact items come from your Category 4 list, but most practices will need to gather evidence across these themes. This is a practical orientation, not a substitute for the official spreadsheet.
Governance and accountability
- A named Caldicott Guardian and IG lead (and SIRO where applicable), with evidence the roles are active.
- An information governance policy and a data protection / privacy notice that staff and patients can access.
- Evidence your practice is registered with the ICO as a data controller (a requirement under the Data Protection Act 2018 / UK GDPR).
Staff training and awareness
- Annual data security training completion records for all staff — clinical and administrative, including locums, GP registrars, and bank staff. The standard route is the e-Learning for Healthcare Data Security Awareness training.
- Evidence that new starters complete training as part of induction.
Access control and technical security
- Role-based access in EMIS/SystmOne — staff see only what their role requires, with smartcard-based access where used.
- A system administrator account register — every admin-level account across the clinical system, NHSmail admin, and network/router management.
- Multi-factor authentication for remote access to systems holding patient data.
- A digital asset register — every device, its operating system version, and key software, with confirmation that nothing runs an unsupported OS.
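As an added example (not from the original guide, the DSPT portal, or any clinical system supplier), the script below runs the checks that the registers described above exist to support: it reads a digital asset register and flags devices whose operating system is past end of support, reads a system administrator account register and flags admin accounts without MFA, and reads the training records from the staff training section and flags anyone without a completion in the last 12 months. The CSV column names, the sample rows, and the end-of-support dates in OS_END_OF_SUPPORT are constructed assumptions for illustration; verify lifecycle dates against each vendor's published lifecycle page before relying on them.

```python
"""Pre-submission evidence checks over constructed DSPT registers.

All CSV data, column names and lifecycle dates below are sample values
made up for this example; a practice would export its own registers.
"""
import csv
import io
from datetime import date, timedelta

# Assumed end-of-support dates (verify against the vendor's lifecycle page).
# None means the OS is still in support on the review date.
OS_END_OF_SUPPORT = {
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed digital asset register: one row per device.
ASSET_REGISTER_CSV = """asset_id,device,location,os,key_software,owner
PC-001,Desktop,Reception,Windows 11,EMIS Web;NHSmail,Practice
PC-002,Desktop,Room 3,Windows 10,EMIS Web,Practice
LT-001,Laptop,Remote,Windows 11,EMIS Web;NHSmail,Practice
SRV-001,Server,Comms room,Windows Server 2012 R2,Document management,IT provider
"""

# Constructed system administrator account register.
ADMIN_ACCOUNT_CSV = """account,system,holder,mfa_enabled,last_reviewed
admin.emis,EMIS Web,IT provider,yes,2026-03-01
pm.nhsmail.admin,NHSmail,Practice manager,yes,2026-03-01
router-admin,Network router,IT provider,no,2025-01-15
"""

# Constructed training completion records (blank = never recorded).
TRAINING_CSV = """staff,role,last_completed
Dr A,GP partner,2025-09-10
B,Receptionist,2024-11-02
C,Locum GP,
"""


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def unsupported_devices(assets, today):
    """Return (asset_id, os, reason) for devices not on a supported OS."""
    flagged = []
    for row in assets:
        os_name = row["os"]
        if os_name not in OS_END_OF_SUPPORT:
            flagged.append((row["asset_id"], os_name, "no lifecycle date on record"))
            continue
        eos = OS_END_OF_SUPPORT[os_name]
        if eos is not None and eos <= today:
            flagged.append((row["asset_id"], os_name, f"out of support since {eos.isoformat()}"))
    return flagged


def admin_accounts_without_mfa(accounts):
    """Return admin account names whose mfa_enabled column is not 'yes'."""
    return [row["account"] for row in accounts
            if row["mfa_enabled"].strip().lower() != "yes"]


def overdue_training(staff, today, max_age=timedelta(days=365)):
    """Return (name, reason) for staff with no completion inside max_age."""
    overdue = []
    for row in staff:
        raw = row["last_completed"].strip()
        if not raw:
            overdue.append((row["staff"], "no completion recorded"))
            continue
        if today - date.fromisoformat(raw) > max_age:
            overdue.append((row["staff"], f"last completed {raw}"))
    return overdue


def evidence_gaps(today):
    """Run all three checks and return the gaps grouped by register."""
    return {
        "unsupported_devices": unsupported_devices(load_rows(ASSET_REGISTER_CSV), today),
        "admin_without_mfa": admin_accounts_without_mfa(load_rows(ADMIN_ACCOUNT_CSV)),
        "training_overdue": overdue_training(load_rows(TRAINING_CSV), today),
    }


if __name__ == "__main__":
    for register, gaps in evidence_gaps(date(2026, 6, 1)).items():
        print(f"{register}: {len(gaps)} gap(s)")
        for gap in gaps:
            print("   ", gap)
```

Each gap the script prints is an item the toolkit will expect you to have either fixed or recorded in an improvement plan before submission; an OS that is missing from OS_END_OF_SUPPORT is deliberately reported as a gap rather than silently passed, so an incomplete lifecycle table cannot hide an unsupported device.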
Supplier assurance
- Standing DSPT assurance from your clinical system supplier (EMIS and TPP both publish DSPT status you can reference) and from your IT support provider.
- A list of your data processors and confirmation that contracts include data protection terms.
Incident response and continuity
- An incident response process — who to contact (your IT provider, and your ICB / NHS England), how to report a personal data breach to the ICO within 72 hours where required, and isolation steps for a suspected cyber attack.
- A business continuity plan covering a clinical-system outage: how you'd run safely if EMIS/SystmOne or NHSmail were unavailable.
A realistic timeline for GP practices
You don't need to do this in one sitting. A workable approach for a practice:
- Register / log in and pull your Category 4 list — confirm the toolkit recognises you as a GP practice and download the v8 Category 4 evidence spreadsheet.
- Request supplier assurance early — EMIS/SystmOne and your IT provider's DSPT documentation can take time to obtain. Start here.
- Gather the people-and-policy evidence — Caldicott Guardian, IG lead, training records, policies. This is the bulk of the work and doesn't depend on anyone else.
- Confirm the technical evidence — access controls, asset register, admin account register, MFA — with your IT provider.
- Review against each assertion and submit — aim for Standards Met, or Approaching Standards with a clear improvement plan, by 30 June 2026.
Spreading this across the spring rather than scrambling in June is the difference between a calm submission and a stressful one. Our DSPT deadline action plan breaks the work into a week-by-week schedule.
Next steps
- Read the complete DSPT guide for the full v8 overview across all categories.
- Check your current position with the DSPT readiness quiz — 10 questions to identify gaps before you open the toolkit.
- Use the evidence checklist generator to plan what to gather.
- See exactly how long you have with the deadline calculator.
This guide is based on DSPT v8 (2025/26) requirements for Category 4 (GP practice) organisations and is current as of 4 June 2026. Category 4 evidence items are specific to general practice and may be updated — always verify against the official Category 4 spreadsheets on the DSPT portal. This is not legal or compliance advice.