
DSPT Compliance Guide for Care Providers

DSPT (Data Security and Protection Toolkit) compliance is something every modern care provider in England is likely to encounter when handling resident data or interacting with NHS systems. Whether you operate a small residential care home or a large multisite organisation, understanding what DSPT is, how it works, and what it expects from you is essential for staying compliant, secure and inspection‑ready.

The Access Group is one of the UK’s leading providers of software for health and social care organisations. With decades of experience supporting care homes, domiciliary care providers and supported living services, we have developed deep expertise in compliance, workforce management, digital care planning and governance.

In this guide, we explain what NHS DSPT means in practice, how the Data Security and Protection Toolkit works, and what care providers need to do to meet requirements without being overwhelmed by technical jargon. We also explore how digital systems can support compliance activities and reduce the administrative burden on care teams.

This guide reflects current NHS England DSPT guidance and widely accepted UK data protection standards, including the UK GDPR and the Data Protection Act 2018. For further details, care providers can refer to the official NHS England Data Security and Protection Toolkit guidance, which sets out national expectations for data security and information governance across health and social care.

by Neoma Toersen

Writer on Health and Social Care

Posted 22/05/2026

What is DSPT? 

At its core, DSPT stands for the Data Security and Protection Toolkit. It is an online self-assessment tool created by NHS England to help health and social care organisations demonstrate that they handle personal and confidential data securely and responsibly.

If your care service uses NHS patient data, NHSmail, or integrates with NHS systems, you are expected to complete the DSPT annually. In practical terms, DSPT provides a structured way to show that:

  • Data is stored and shared securely
  • Staff understand their data protection responsibilities
  • Appropriate policies and procedures are in place to prevent breaches
  • There are clear processes for responding if an incident occurs

DSPT also supports compliance with legal obligations under UK GDPR and the Data Protection Act 2018. When people refer to NHS DSPT, they are talking about this national standard for information governance and cyber security across health and social care.

What is the DSPT Toolkit? 

The DSPT Toolkit is the online platform where care providers complete their annual submission. It combines structured questions, declarations and evidence uploads to demonstrate that the required standards are being met.

Organisations log in, respond to a set of assertions, and provide supporting evidence where required. The toolkit covers several key areas, including:

  • Data protection and governance
  • Staff training and awareness
  • Cyber security measures
  • Incident reporting and breach management
  • Access control and system security
  • Data sharing practices

The aim is not simply to complete a checklist, but to ensure that data protection and security are embedded into everyday practice. For care providers, this typically includes resident care records, medication information, staff records and secure communication with healthcare professionals.

NHS DSPT Requirements for Care Providers

DSPT requirements are based on a combination of legal, technical and operational expectations. Although submissions are self-assessed, care providers must be able to evidence their responses if requested by commissioners, NHS partners or auditors. Core expectations include:

  1. Clear data protection policies aligned with UK GDPR.
  2. Regular staff training on data security and confidentiality.
  3. Strong password controls and user access management.
  4. Use of secure systems for storing and sharing information.
  5. Documented incident and breach reporting procedures.
  6. Evidence of leadership accountability for data protection.

Care providers are also expected to ensure that third-party suppliers, such as software vendors, meet appropriate security standards. This is particularly important when using digital care planning systems or electronic medication records.

DSPT Organisation Search and Why it Matters

One useful feature within the DSPT toolkit is the DSPT organisation search function. This allows stakeholders, including NHS partners and commissioners, to quickly check whether an organisation has completed its DSPT submission and whether its status is up to date.

This visibility is important because DSPT compliance is often treated as a gateway requirement for working across health and social care systems. For example, it can influence access to NHSmail, the ability to enter data sharing agreements, integration with NHS systems, eligibility for local authority contracts, and even participation in certain digital transformation funding programmes.

If a service is not listed as compliant, it can create barriers that limit how effectively it can operate within integrated care systems or collaborate with NHS partners.

In practice, maintaining a “standards met” status is more than just a tick-box exercise. It helps demonstrate credibility, reliability, and trustworthiness in a highly regulated sector where data security is taken seriously.

Why DSPT Compliance is Important in Care Homes

For care providers, DSPT compliance is not just an administrative task. It directly supports safe, high-quality and person‑centred care. Care homes routinely handle highly sensitive information, including:

  • Care plans and risk assessments
  • Medication administration records
  • Hospital discharge summaries
  • Personal and family contact details
  • Staff HR and payroll data

Without appropriate controls, this information could be exposed to risks such as cyber-attacks, data breaches or accidental loss. DSPT helps care providers reduce these risks and demonstrate readiness for inspection by regulators such as the Care Quality Commission. Strong data protection also supports dignity, confidentiality and trust for residents, families and staff.

Common Challenges Care Providers Face with DSPT

Many care providers find DSPT challenging to manage alongside day‑to‑day service delivery. Time and resource pressures are a common issue, particularly in busy care environments where focus must remain on people receiving care.

Gathering evidence can also be difficult when documentation is spread across multiple systems, shared drives or paper files. This can make the submission process feel fragmented and time‑consuming.

Some providers struggle with the technical aspects of cyber security, especially where there is limited in-house IT expertise. Staff turnover can further complicate matters, making it harder to keep training records and compliance knowledge consistent.

As a result, DSPT is sometimes treated as an annual task rather than an ongoing part of governance, increasing pressure as submission deadlines approach.

How to Improve DSPT Compliance in Practice

Improving DSPT compliance does not need to be complex. Most improvements focus on consistency, visibility and embedding good practice into everyday workflows. Care providers often strengthen compliance by:

  • Centralising policies in one secure digital location
  • Ensuring staff training is updated annually and recorded
  • Regularly reviewing user access permissions
  • Using secure, cloud-based care record systems
  • Assigning a clear data protection lead or champion

Embedding these activities into routine processes helps reduce last-minute pressure and supports continuous compliance rather than annual catch‑up.

DSPT Checklist for Care Providers

The checklist below provides a practical overview of what care providers typically need to have in place when completing the Data Security and Protection Toolkit. It is intended as a guide and should be used alongside the official NHS DSPT guidance.

Governance and Accountability

  • A named senior lead responsible for data protection and information governance.
  • Up‑to‑date data protection and information security policies aligned with UK GDPR.
  • Clear documentation showing leadership oversight and accountability.

Staff Training and Awareness

  • Evidence that all staff receive regular data protection and confidentiality training.
  • Training records kept up to date and accessible.
  • Clear guidance for staff on recognising and reporting data incidents.

Data Security and Systems

  • Secure systems used for storing and sharing personal and confidential data.
  • Strong password controls and user access management are in place.
  • Regular reviews of user permissions, particularly following staff role changes or leavers.

Incident and Breach Management

  • A documented process for reporting and managing data incidents.
  • Evidence that incidents are logged, reviewed and escalated appropriately.
  • Clear understanding of when incidents must be reported to external bodies, such as the ICO.

Data Sharing and Third‑Party Assurance

  • Data sharing agreements in place where information is shared with external partners.
  • Assurance that third‑party suppliers meet appropriate data security standards.
  • Awareness of responsibilities when using digital care planning or workforce systems.

Evidence and Ongoing Compliance

  • Evidence is stored centrally and is easy to access for DSPT submissions or audits.
  • Regular reviews of policies, training and system controls.
  • DSPT is treated as an ongoing governance activity rather than a once‑a‑year task.

Using a checklist like this can help care providers stay organised, reduce last-minute pressure and demonstrate a proactive approach to data security and protection.

Frequently Asked Questions (FAQs)

1. Who needs to complete the DSPT?

Any care provider in England that handles NHS patient data, uses NHSmail, or connects with NHS systems is expected to complete the DSPT each year. This includes care homes, domiciliary care providers and supported living services working with NHS partners.

2. How often does DSPT need to be completed?

DSPT is completed on an annual basis. Providers must review and update their submission each year to reflect current policies, training, systems and governance arrangements.

3. What type of evidence is required for DSPT?

Care providers are usually asked to evidence policies, staff training records, system security controls and incident reporting procedures. Evidence should clearly show how data protection and security are managed in day‑to‑day practice.

4. Does using digital care software make us DSPT compliant?

No. Digital systems can support DSPT compliance by improving security, access control and audit trails, but responsibility for meeting DSPT requirements always sits with the registered provider. Software helps evidence good practice rather than guaranteeing compliance.

5. What happens if a provider does not complete DSPT?

If DSPT is not completed, providers may face restrictions when accessing NHSmail, data sharing agreements or NHS system integrations. It can also affect eligibility for certain contracts, partnerships or digital transformation initiatives.

Making DSPT Simpler, Safer and More Manageable

DSPT compliance is an essential part of modern care delivery. While it can feel complex, its purpose is to protect residents, staff and organisations from data security risks and to support safe, reliable and transparent care.

Digital transformation plays an important role in simplifying how DSPT requirements are evidenced and maintained. Solutions from The Access Group are designed to support care providers by centralising information, improving visibility and strengthening governance, while recognising that compliance responsibility always sits with the provider. Our connected suite of care and governance software includes:

  • Access Care Compliance – keeps policies, audits, and governance in one place so you can easily evidence DSPT requirements.
  • Access Care Planning – ensures care records are digital, secure, and fully auditable, reducing reliance on paper or fragmented systems.
  • Access People Planner – helps control secure access to sensitive information and supports safe workforce data handling.
  • Access Evo – connects systems together with consistent security controls and centralised user management.

Together, this joined‑up approach helps care providers strengthen data security, reduce administrative pressure and remain audit-ready for DSPT and wider compliance expectations. If you would like to learn more about our Care Management platform, get in touch with one of our experts today or book a demo to see how our solution can work for you in real time.

Neoma Toersen is a Writer of Health and Social Care for the Access Group’s HSC Team. With a strong history in digital content creation and creative writing, plus expertise in analytics and data from her BSc degree, Neoma’s SEO knowledge and experience leads to the production of engrossing and enlightening content that’s easy to interpret.

Neoma’s unique and versatile approach to digital content marketing answers all questions surrounding the care sector, ensuring that this information is up-to-date, accurate and concise.