How to Complete the DSPT: A Step-by-Step Guide for Small Providers
You've been told you need to complete the DSPT by 30 June. You've logged in to dsptoolkit.nhs.uk and found a list of assertions, evidence items, and standards that don't obviously connect to running a care home or dispensing prescriptions.
This guide walks you through the entire process — from first login to final submission — specifically for Category 3 and Category 4 organisations. No IT background assumed.
Before you start: what you need
You'll need these before you sit down with the toolkit:
- Your ODS code — this is the Organisation Data Service code that identifies your organisation to NHS systems. If you don't know it, Digital Care Hub explains how to find your ODS code, or you can search during DSPT registration. Care homes, pharmacies, and GP practices each have one.
- An email account — you can log in to the DSPT portal using either an NHSmail or a work email address. NHSmail is not required for registration or access.
- Access to your organisation's records — training certificates, policies, risk logs, and IT supplier contracts. You won't need all of these at once, but you'll need to locate them over the course of the submission.
Step 1: Log in and check your category
Go to dsptoolkit.nhs.uk and log in with your email account. Your organisation's category is assigned automatically based on your ODS code:
- Category 3 — care homes, domiciliary care agencies, pharmacies, dentists, opticians
- Category 4 — GP practices
Your category determines which assertions and evidence items you need to complete. Category 4 includes GP-specific items around clinical system access and NHS Spine usage.
Step 2: Download the evidence spreadsheet
Before working through the toolkit online, download the v8 evidence spreadsheet for your category from the DSPT v8 downloads page. This spreadsheet lists every assertion and evidence item in a format you can print, annotate, and use as a tracking sheet.
Why this helps: The online portal shows one assertion at a time. The spreadsheet gives you the full picture — you can see which items share evidence (for example, a staff training record might satisfy multiple assertions) and plan your evidence gathering more efficiently.
Step 3: Audit what you already have
Go through the spreadsheet and mark each evidence item as one of:
- Already have it — you can upload this immediately (e.g., current data security policy dated within the last 12 months)
- Have it but needs updating — the document exists but is out of date or doesn't match v8 requirements (e.g., a business continuity plan that hasn't been reviewed since 2024)
- Don't have it — you need to create this from scratch (e.g., no documented access control process)
This audit is the most important step. It turns an overwhelming list into a prioritised task list.
For a structured version of this audit, use our evidence checklist generator — it outputs a categorised checklist you can work through.
Step 4: Tackle the evidence in priority order
Work through your evidence items in this order:
Start with: staff training records. Every staff member needs to complete annual data security awareness training. This is the item that causes the most deadline-week panic because it depends on other people completing something. Start now — send training out to staff this week and chase completions monthly.
Free training options include the NHS e-Learning for Healthcare data security awareness module. It's free, takes about 45 minutes, and generates a certificate you can upload directly to the DSPT.
Next: policies and procedures. Review and update your:
- Data security policy
- Acceptable use policy
- Incident reporting procedure
- Business continuity plan
If your policies are current (reviewed within 12 months and signed off by a senior person), you can upload them as-is. If they're outdated, update them now rather than in May.
Then: technical controls evidence. This covers items like:
- Who has access to which systems (and when access was last reviewed)
- Whether unsupported software has been removed or ring-fenced
- Whether encryption is enabled on devices holding patient data
- Patching and update schedules
If you use a managed IT service provider, ask them for a written statement confirming these controls are in place. Many providers can supply this as a standard letter.
Finally: supplier assurance. You need evidence that third-party suppliers handling patient data meet data security standards. For most small providers, this means getting confirmation from your IT supplier, clinical system vendor (EMIS, SystmOne, PharmOutcomes, etc.), and any cloud services storing patient data.
If you're a Category 3 care provider, our care home evidence guide walks through each of these categories with care-sector-specific examples and the kinds of evidence inspectors expect to see.
Step 5: Upload evidence to the portal
For each assertion in the online toolkit:
- Read the assertion and its associated evidence items
- Upload the relevant document(s) — the portal accepts PDFs, Word documents, and images
- Add a brief note explaining what the evidence shows (e.g., "Staff training completion report — all 23 staff completed data security awareness training between January and March 2026")
- Mark the assertion as complete
Tip: Name your files clearly before uploading. "Data_Security_Policy_v3_March2026.pdf" is much more useful than "Document1.pdf" — both for the DSPT assessors and for your own reference next year.
Step 6: Review and submit
Before hitting submit:
- Check for gaps — the portal shows a completion dashboard. Any assertions marked incomplete or missing evidence will block submission.
- Verify dates — evidence should be current. A policy last reviewed in 2023 may not satisfy v8 requirements.
- Choose your target — "Approaching Standards" requires only the mandatory assertions. "Standards Met" requires all assertions. If time is tight, submit at "Approaching Standards" and work toward "Standards Met" afterward.
- Submit before 30 June — don't wait until the last day. Technical issues, missing evidence, or staff availability problems are easier to resolve with a buffer.
How long should this take?
For a first-time submission (Category 3, ~20-40 staff):
| Phase | Time estimate | When to do it |
|---|---|---|
| Initial audit (Step 3) | 2-3 hours | January-February |
| Staff training rollout | 1 hour setup + ongoing chasing | February onwards |
| Policy review and updates | 4-8 hours | February-March |
| Technical controls evidence | 2-4 hours (more if no IT provider) | March-April |
| Supplier assurance | 1-2 hours | April |
| Portal upload and submission | 3-5 hours | May-June |
| Total | 13-23 hours over 5 months |
Spread across 5 months, that's roughly 1 hour per week. Concentrated into June, it's a stressful full week.
Common mistakes to avoid
- Leaving training until May. Staff training takes calendar time — you need every member of staff to complete it, and some will need chasing. Start in February.
- Uploading generic policies. A template policy downloaded from the internet without customisation will be obvious. Your data security policy should reference your specific organisation, systems, and processes.
- Ignoring leavers' access. "When did you last review who has access to your systems?" is a common evidence item. If ex-staff still have active accounts, that's a gap.
- Assuming your IT provider handles everything. The DSPT is your organisation's responsibility. Your IT provider can supply evidence, but you need to coordinate and verify it.
If you're behind schedule
If you're reading this in April or May and haven't started:
- Focus exclusively on mandatory assertions for "Approaching Standards"
- Send staff training out immediately — this is the longest lead-time item
- Contact your IT provider for a technical controls statement
- Upload what you have, even if it's not perfect — partial progress is better than a blank submission
If you genuinely can't complete by 30 June, contact NHS England before the deadline to discuss your options. Check the DSPT help pages for current support routes available to your category. A partial submission is better than a missed one.
Check our DSPT deadline calculator to see exactly how many working days you have left and plan your milestones.
This guide is based on DSPT v8 (2025/26) requirements. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.