
DSPT Toolkit: Everything You Need to Know Before You Start

Last reviewed: 10 March 2026

You're about to log in to the DSPT toolkit for the first time — or maybe you logged in last year, closed the browser in confusion, and haven't been back since. Either way, spending 30 minutes preparing before you touch the portal will save you hours of frustration later.

This guide covers what to gather before you start, how registration and login work, what you'll see on screen, and the most common mistakes that waste time.

Before you log in: what to gather first

The biggest time sink in the DSPT isn't answering questions — it's hunting for evidence. If you open the portal without preparation, you'll spend most of your time switching between the toolkit and your email, filing cabinet, and IT provider's inbox.

Gather these before you start:

Documents you'll need:

  • Your current data security policy (with a review date in the last 12 months)
  • Business continuity plan covering IT failure and cyber attack
  • Incident reporting procedure
  • Staff training records — certificates or completion confirmations with dates
  • Confidentiality agreements or employment contract clauses covering data security
  • Data processing agreements (DPAs) with IT suppliers and software vendors

Information you'll need to look up:

  • Your Organisation Data Service (ODS) code — this determines your DSPT category
  • A list of every system holding patient/resident data (care planning software, NHSmail, paper records, spreadsheets)
  • Who has access to each system and at what level
  • Your IT asset register — every computer, tablet, and phone used by staff, with operating system versions
  • Your IT provider's contact details (you'll need assurance statements from them)

People you'll need to involve:

  • Your IT provider or managed service company — for technical security evidence
  • A named data protection lead (usually the registered manager or practice manager)
  • Someone to chase staff training completions

If you can tick off even half this list before opening the portal, you're ahead of most providers.

Registration and login

The toolkit is at dsptoolkit.nhs.uk. You'll need:

  1. An ODS code — your organisation's unique identifier. If you don't know yours, Digital Care Hub explains how to find your ODS code, or you can search directly on the DSPT portal during registration.
  2. An email address — ideally your NHSmail address. If you don't have NHSmail, a work email address is accepted for registration.
  3. Authorisation — you need to be authorised to submit on behalf of your organisation. For a care home, this is typically the registered manager. For a GP practice, the practice manager.

If your organisation submitted last year, your account should still exist — log in with your existing credentials. If this is your first submission, you'll need to register your organisation and create an account.

Common login issue: If you're searching for "dspt toolkit login" and can't find the portal, the direct URL is dsptoolkit.nhs.uk. There is no separate app — it's entirely browser-based.

What you'll see on the dashboard

Once logged in, the dashboard shows your submission for the current year (2025/26). You'll see:

  • Your category — Category 3 (care homes, pharmacies, dentists, opticians) or Category 4 (GP practices). This is assigned automatically based on your ODS code.
  • The 10 standards listed as sections, each expandable to show the assertions and evidence items underneath
  • Progress indicators — showing which items are complete, in progress, or not started
  • Your publication status — draft (not yet submitted), published (submitted), or overdue

Each of the 10 National Data Guardian standards contains several assertions — statements about what your organisation should be doing. Under each assertion, there are evidence items — specific documents, confirmations, or screenshots you need to provide.

For Category 3, expect approximately 42 mandatory evidence items across all 10 standards. Category 4 (GP practices) has a similar count but with some GP-specific items.

How to work through it efficiently

Don't try to do it in one sitting. The portal saves your progress automatically. Most small providers complete the DSPT in 6-10 sessions spread over 2-4 months.

Work by evidence type, not by standard. Instead of completing Standard 1, then Standard 2, gather similar evidence together:

  1. Policy documents first — upload your data security policy, acceptable use policy, incident response procedure, and business continuity plan. These cover multiple standards in one go.
  2. Training records next — certificates, completion logs, your Training Needs Analysis. This covers Standard 3 and parts of Standard 2.
  3. IT technical evidence — ask your IT provider for a single assurance letter covering firewall configuration, patching, encryption, and antivirus. This covers Standards 8 and 9.
  4. Access control records — document who has access to what systems and when access was last reviewed. This covers Standards 1 and 4.
  5. Supplier assurance — email your software vendors and IT provider for data processing agreements and DSPT completion status. This covers Standard 10.

This approach means fewer context switches and less time repeating similar tasks.

Save evidence files with clear names. "Training_log_2025-26.xlsx" is findable next year. "Document1.docx" isn't. The portal doesn't enforce naming conventions, but your future self will thank you.

Common mistakes that waste time

Starting too late. If you begin in June, you're chasing evidence under deadline pressure. Start by March for a calm submission.

Uploading expired documents. Policies from 2023 without a 2025/26 review date won't pass. Check every document has a current review date before uploading.

Forgetting agency staff. Your training records need to cover everyone who handles data — including temporary and agency workers. This catches many care homes out.

Treating it as a tick-box exercise. DSPT v8 requires outcome-based evidence. "We have a data security policy" isn't enough — you need evidence that staff have read and acknowledged it. For each assertion, ask: "Can I prove this actually happens, not just that a document exists?"

Not involving your IT provider early. Standards 8 and 9 (unsupported systems and IT protection) need technical evidence. If your IT provider takes two weeks to respond to requests, factor that into your timeline.

Ignoring the help resources. The DSPT support pages include guidance for each assertion. Digital Care Hub provides free templates and local support for social care providers. Use them — they're specifically designed for small organisations.

Your pre-start checklist

Before opening the portal, confirm you have:

  • ODS code for your organisation
  • Login credentials (or readiness to register)
  • Data security policy with current review date
  • Staff training log with completion dates
  • Business continuity plan
  • List of systems holding patient/resident data
  • IT asset register (devices and OS versions)
  • IT provider's contact details for assurance requests
  • Named data protection lead

For a complete breakdown of every evidence item by category, use the evidence checklist generator — it shows exactly what you need before you upload anything.

Next steps

This guide is based on DSPT v8 (2025/26). Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.
