DSPT Staff Training Requirements: What Counts as Evidence
Standard 3 of the DSPT — staff training — is the evidence item that catches more small providers out than any other. It's also the one that changed most significantly in recent versions. The old "95% of staff must complete training" rule is gone. What replaced it is more flexible but also less clear.
This guide explains exactly what training evidence you need for DSPT v8 (2025/26), what's changed, and how to handle the practical challenges that care homes, pharmacies, and GP practices face — high turnover, agency staff, mixed IT literacy, and limited training budgets.
What changed: the 95% rule is gone
Previous DSPT versions required proof that 95% of staff had completed data security awareness training. That threshold has been removed.
The replacement is broader: you must demonstrate that all staff have an "appropriate understanding of information governance and cyber security" through training methods proportionate to your organisation's size and the roles people hold.
This sounds vague, and it is — deliberately. NHS England wants organisations to think about what training their staff actually need, rather than chasing a percentage on a single e-learning module.
In practice, this means three things:
- Training Needs Analysis (TNA) — a formal assessment of what different roles need to know
- Delivery — evidence that you've actually delivered the training
- Evaluation — proof that the training worked
The Training Needs Analysis (TNA)
The TNA is the new requirement that most small providers haven't heard of. It's a document — it doesn't need to be long — that sets out:
- Which roles exist in your organisation (registered manager, senior carer, care assistant, administrator, domestic staff, agency/bank staff)
- What each role needs to know about data security, based on the data they access and the systems they use
- What training will be provided to each role and how often
A registered nurse who accesses clinical records, NHSmail, and electronic MAR charts needs different training from a domestic staff member who never touches a computer. The TNA makes this distinction explicit.
The critical part: Your TNA must be formally endorsed by senior leadership — for a care home, that's the registered manager or nominated individual. For a GP practice, the senior partner or practice manager. This isn't optional. The DSPT looks for evidence that leadership has approved the training approach, not just that training happened.
What a small provider TNA looks like
You don't need a 20-page document. A 1-2 page table works:
| Role | Data access | Systems used | Training required | Frequency |
|---|---|---|---|---|
| Registered manager | Full resident data, staffing, financial | Care planning, NHSmail, DSPT portal | Full data security + DSPT awareness | Annual |
| Senior carer | Resident care plans, MAR charts | Care planning software | Data security awareness, confidentiality | Annual |
| Care assistant | Resident care plans (read) | Care planning software (limited) | Data security basics, incident reporting | Annual |
| Admin/receptionist | Resident demographics, billing | Office systems, email | Data security awareness, email security | Annual |
| Domestic/catering | No data access | None | Confidentiality awareness only | Annual |
| Agency/bank staff | As per assigned role | As per assigned role | Data security basics + policy acknowledgement | Each assignment |
Add a signature block at the bottom: "Approved by [name], [role], [date]." That's your endorsed TNA.
Training delivery: what counts as evidence
The DSPT no longer prescribes a single training format. You can use:
- Formal e-learning — the free NHS e-Learning for Healthcare data security module generates certificates automatically. This is the easiest option for most staff.
- Face-to-face sessions — group training sessions with attendance records and topic summaries
- Supervised group e-learning — for staff who struggle with independent online learning, run the e-learning module on a projector with a group and record individual attendance
- Induction training — data security awareness as part of new starter induction, with signed acknowledgement
- Informal awareness — newsletters, team meeting briefings, poster campaigns (supplementary — not a replacement for formal training)
What evidence to keep:
- Individual training certificates or completion confirmations with dates and names
- Attendance registers for face-to-face sessions (date, topic, attendees, facilitator)
- Signed policy acknowledgements from induction
- A training log or spreadsheet tracking completion by staff member
The training log is your primary evidence document. It should show: staff name, role, training type completed, date completed, and next due date. Update it in real time — don't try to reconstruct it in May.
Handling the hard cases
High staff turnover
A care home with 30 staff and 30% annual turnover has roughly 10 starters and leavers per year. Each new starter needs training before the DSPT deadline, and each leaver needs removing from your records.
Approach: Build data security training into your induction process so it happens in the first week, not three months later. Keep your training log as a live document — update it on the day someone starts or leaves.
Agency and bank staff
Agency staff handling resident data need data security awareness too. Three options:
- Request certificates from the agency — ask your agency for proof that each worker has completed data security training. Some agencies include this in their mandatory training; many don't.
- Include them in your own training — add agency workers to your group sessions
- Policy acknowledgement — at minimum, require every agency worker to read and sign your data security policy on their first shift. Keep the signed forms on file.
Option 3 is the minimum. If your agency can provide certificates (option 1), that's strongest.
Staff who can't do online training
Not every member of staff is comfortable with e-learning. For care homes, this often includes older care assistants, domestic staff, and night shift workers.
Approach: Run supervised group sessions. Display the NHS e-Learning for Healthcare module on a projector or large screen. Work through it together. Record individual attendance with signatures. This satisfies the DSPT requirement and is often more effective than leaving people to struggle through it alone.
Part-time and zero-hours staff
Part-time staff and zero-hours workers still need training. The easiest approach is to include them in your next scheduled group session. If timing is difficult, the NHS e-learning module can be completed on any device with internet access — send the link and set a deadline.
Training evaluation: the new requirement
DSPT v8 expects evidence that your training actually works — not just that people attended. This is the "evaluation" component.
For small providers, this doesn't need to be sophisticated:
- Post-training quiz — 5-10 questions after completing the e-learning module. The NHS e-Learning for Healthcare module includes a built-in assessment.
- Spot checks — during team meetings, ask a quick data security question: "What would you do if you found a USB drive in the car park?" Document the question and responses.
- Incident tracking — if data security incidents decrease after training, that's evidence the training worked. If you've had zero incidents, note that in your evaluation.
Write a short evaluation statement: "Training evaluation for 2025/26: 28/30 staff completed the NHS e-learning module with pass scores. Two new starters completed during induction. Zero data security incidents reported since training. Evaluation: training objectives met." Date it, sign it, keep it on file.
Timeline for getting training evidence ready
| When | Action | Time needed |
|---|---|---|
| January | Send e-learning links to all staff, start tracking | 1 hour |
| February | First chase — follow up with non-completions | 30 mins |
| March | Group session for staff who haven't completed online | 2 hours |
| April | Second chase — agency staff certificates | 30 mins |
| May | Final push — complete the training log, write evaluation | 1-2 hours |
| June | Upload evidence to DSPT portal | 30 mins |
Starting in January gives you 6 months — enough time to reach everyone without it consuming every spare hour.
Evidence checklist for Standard 3
Before submitting your DSPT, verify you have:
- TNA document signed by senior leadership
- Training certificates or completion records for every staff member
- Training log showing names, roles, dates, and training types
- Agency/bank staff training evidence (certificates or policy acknowledgements)
- Training evaluation statement
- Evidence that training is included in induction process
For a complete list of evidence items across all 10 standards, use the evidence checklist generator — select your category and get the full breakdown.
Next steps
- Generate your full evidence checklist to see what's needed beyond training
- Read the DSPT guide for care homes for care-home-specific training context
- Read the complete DSPT guide for an overview of all 10 standards
- Check the deadline calculator to plan your training timeline
- Take the readiness quiz to identify other gaps in your submission
This guide is based on DSPT v8 (2025/26) training requirements as published by NHS England. The official training guidance provides the definitive requirements. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.