
DSPT for Pharmacies: A Community Pharmacy Compliance Guide

Last reviewed: 10 March 2026

As a superintendent pharmacist or pharmacy owner, the DSPT is a condition of your NHS Terms of Service. Miss the 30 June deadline and you risk losing access to the Electronic Prescription Service — which effectively halts NHS dispensing. But most DSPT guidance is written for care homes or NHS trusts, not community pharmacies.

This guide covers the DSPT specifically for community pharmacies — what category you fall under, what evidence you need, how to work with your PMR supplier, and how multi-site operators can use batch submissions.

Your DSPT category

Community pharmacies are Category 3 in the DSPT. This means:

  • You complete a core self-assessment against the 10 National Data Guardian standards
  • No independent audit required
  • Approximately 42 mandatory evidence items to complete
  • You need to reach "Approaching Standards" as the minimum by 30 June 2026

Your category is assigned automatically based on your pharmacy's ODS code when you register at dsptoolkit.nhs.uk.

Pharmacy-specific challenges

Community pharmacies face DSPT challenges that differ from care homes and GP practices:

PMR system dependency. Your Patient Medication Record system holds the bulk of your patient data. Much of your DSPT evidence — access controls, data encryption, audit trails — depends on what your PMR system provides. You can't answer many technical questions without your supplier's input.

Multiple data touchpoints. A typical community pharmacy handles data across several systems: PMR, NHSmail, NHS Spine, the Electronic Prescription Service (EPS), summary care records, and potentially a delivery management system. Each one needs documented access controls.

Small teams with high volume. A community pharmacy may have 3-8 staff handling hundreds of prescriptions daily. There's limited time for compliance administration between dispensing, clinical checks, and patient consultations.

Extended hours and locums. Pharmacies operating 12-hour days across 6-7 days rely on locum pharmacists and relief staff. Each locum needs data security awareness and access credentials — but they may work at your pharmacy for a single day.

Controlled drugs and clinical records. Pharmacies handle controlled drug registers, clinical interventions, and Medicines Use Reviews alongside routine dispensing data. The data sensitivity profile is different from a care home.

Evidence requirements for pharmacies

Here's what Category 3 pharmacies typically need for each of the 10 NDG standards under DSPT v8. Verify against the official portal for your specific assertion list.

Standard 1: Personal confidential data

What you need:

  • A list of all systems holding patient data (PMR, NHSmail, EPS, delivery logs)
  • Who can access each system and their access level
  • Confidentiality clauses in employment contracts or signed agreements

Pharmacy tip: Your PMR system has a user management screen showing individual logins and access levels. Screenshot this — it shows role-based access in action. If locums use a shared "locum" login, this is a problem. Each user should have an individual login.

Standard 2: Staff responsibilities

What you need:

  • Data security policy reviewed in the last 12 months
  • Evidence that staff have read and acknowledged it
  • Named data protection lead (superintendent pharmacist or pharmacy manager)

Pharmacy tip: Use your daily team briefing to cover data security awareness annually. Record the date, topic, and attendees. A signed attendance sheet plus a copy of the policy with "read and understood" signatures is solid evidence.

Standard 3: Training

What you need:

  • Training completion records for all staff, including locums
  • Training Needs Analysis endorsed by the superintendent pharmacist
  • Training evaluation evidence

Pharmacy tip: The free NHS e-Learning for Healthcare module works well for permanent staff. For locums, the minimum is a signed acknowledgement of your data security policy — keep a blank form at the dispensary counter for them to sign on arrival. Better still, ask locum agencies for training certificates.

Standard 4: Managing data access

What you need:

  • Access control records for all systems
  • Joiner/leaver/mover process for system access
  • Evidence of regular access reviews

Pharmacy tip: When a dispenser or pre-reg leaves, remove their PMR access the same day. Screenshot the disabled account as evidence. For locums, decide whether they get temporary individual accounts or supervised access under another user's login — individual accounts are stronger evidence but more administrative work.
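
A periodic access review of this kind can be scripted. The following is an added example, not part of the original guide or of any PMR supplier's tooling: it compares a PMR user export against a staff list and flags shared logins, leavers whose accounts are still active, and dormant accounts. The CSV column names, the sample rows, the list of generic usernames and the 90-day dormancy threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are assumptions for this example;
# a real PMR user export will have its own layout.
PMR_USERS_CSV = """username,full_name,role,status,last_login
asmith,Alice Smith,Pharmacist,active,2026-03-02
bjones,Ben Jones,Dispenser,active,2026-01-15
locum,,Pharmacist,active,2026-03-09
ckhan,Chloe Khan,Dispenser,disabled,2025-11-30
dpatel,Dev Patel,Locum pharmacist,active,2025-10-04
"""
# Constructed staff list: left_on is blank for current staff.
STAFF_CSV = """username,left_on
asmith,
bjones,2026-01-16
ckhan,2025-11-30
dpatel,
"""
# Assumed list of usernames that suggest a shared rather than individual login.
GENERIC_NAMES = {"locum", "admin", "dispensary", "pharmacy", "user", "shared"}

def review_access(users_csv, staff_csv, today, stale_days=90):
    """Return (username, finding) pairs to record in the access review."""
    left = {r["username"]: r["left_on"] for r in csv.DictReader(io.StringIO(staff_csv))}
    findings = []
    for u in csv.DictReader(io.StringIO(users_csv)):
        name = u["username"]
        if u["status"] != "active":
            continue  # already disabled; keep the screenshot as evidence
        if name.lower() in GENERIC_NAMES or not u["full_name"].strip():
            findings.append((name, "shared or unnamed login: issue individual accounts"))
        elif name not in left:
            findings.append((name, "no matching staff record: confirm owner or disable"))
        elif left[name] and date.fromisoformat(left[name]) <= today:
            findings.append((name, f"leaver ({left[name]}) still active: disable"))
        elif (today - date.fromisoformat(u["last_login"])).days > stale_days:
            findings.append((name, f"no login in over {stale_days} days: confirm still needed"))
    return findings

if __name__ == "__main__":
    for username, finding in review_access(PMR_USERS_CSV, STAFF_CSV, date(2026, 3, 10)):
        print(f"{username}: {finding}")
```

Saving the dated output alongside the PMR user-management screenshot gives a record of what was reviewed and what was changed as a result.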

Standard 5: Process reviews

What you need:

  • Policy review schedule with dates
  • Evidence of annual review

Pharmacy tip: Review all data-related policies together in January — data security, acceptable use, retention, breach notification. Date-stamp each policy when reviewed. One session covering all policies takes 1-2 hours and generates evidence for the full year.

Standard 6: Responding to incidents

What you need:

  • Incident reporting procedure
  • Staff awareness of how to report data incidents
  • Incident log (even if empty)

Pharmacy tip: Common pharmacy data incidents include: misdirected prescription bags (wrong patient), NHSmail sent to wrong address, delivery driver accessing patient names, and lost prescriptions. Your procedure should cover what to do in each case and when to report to the ICO.

Standard 7: Continuity planning

What you need:

  • Business continuity plan covering IT failure and cyber attack
  • Evidence of plan review

Pharmacy tip: Your BCP should answer: if the PMR goes down, can you dispense manually using emergency supply procedures? If NHSmail fails, how do you communicate with GPs? If EPS is unavailable, can you process paper prescriptions? If you suffer ransomware, who do you call? (Your IT provider, and Action Fraud on 0300 123 2040.) A 2-3 page document covering these scenarios is sufficient.

Standard 8: Unsupported systems

What you need:

  • IT asset register with OS versions
  • Confirmation that no unsupported operating systems are in use

Pharmacy tip: Check the computers running your PMR. Older pharmacies sometimes have Windows 7 or Windows 8 machines that haven't been replaced. These are unsupported and a DSPT failure point. Your PMR supplier may have minimum OS requirements — check with them.

Standard 9: IT protection

What you need:

  • Firewall, patching, encryption, and antivirus confirmation
  • Multi-factor authentication (MFA) for remote access

Pharmacy tip: If your pharmacy has a managed IT provider, ask them for an assurance letter covering all technical controls. If you manage IT yourself, document what's in place: Windows Defender (built-in antivirus), Windows Update (automatic patching), BitLocker (disk encryption), and your router's firewall settings.

Standard 10: Accountable suppliers

What you need:

  • Data processing agreements with IT and software suppliers
  • Supplier assurance statements

Pharmacy tip: Your key suppliers are your PMR provider, your managed IT company (if any), and any delivery management software. Email each one requesting: (a) their DSPT completion status, and (b) a copy of your data processing agreement.

Working with your PMR supplier

Your PMR supplier is critical for DSPT completion. Several technical questions — about encryption, access controls, audit logging, and data backup — can only be answered with information from your PMR system.

Community Pharmacy England notes that some PMR suppliers have built DSPT integration into their systems. The toolkit's "PMR feature" allows supplier-provided information to be bulk-inserted into your submission, saving significant time.

Before you start the DSPT:

  1. Contact your PMR supplier and ask what DSPT support they offer
  2. Ask specifically whether they can auto-populate any DSPT responses
  3. Request a data processing agreement and a supplier assurance statement
  4. Ask for confirmation of encryption, backup, and access control features

Getting this information in February or March avoids a panicked email exchange in June.

Multi-site operators: batch submissions

If you operate three or more pharmacies, you can use the DSPT's batch submission functionality. Instead of completing individual assessments for each branch, you submit a single HQ-level assessment covering common policies and controls, with branch-specific evidence where needed.

Community Pharmacy England provides batch submission guidance including how to set up your HQ-branch structure and ensure all branches are correctly linked via their ODS codes.

Important: Even with batch submission, you need to verify that each branch's ODS code is correctly linked to your organisation in the DSPT portal. Incorrect linkages mean missed submissions.

Timeline for pharmacies

| When | Action | Time needed |
|---|---|---|
| January | Contact PMR supplier for DSPT support, start staff training | 1-2 hours |
| February | Policy review — update all data security policies | 2-3 hours |
| March | Create IT asset register, request supplier assurance | 1-2 hours |
| April | Complete access control records, chase training completions | 2-3 hours |
| May | Upload evidence to portal, identify gaps | 2-3 hours |
| June | Final review and publish submission | 1-2 hours |

Total: approximately 10-15 hours over 6 months.

Next steps

This guide is based on DSPT v8 (2025/26) requirements for Category 3 organisations. Always verify current requirements on the official DSPT portal. Community Pharmacy England provides pharmacy-specific guidance. This is not legal or compliance advice.
