NHS DSPT 2026: A Practice Manager’s Step-by-Step Guide to Passing Self-Assessment

If you’re staring at the DSPT portal wondering where to start, you’re not alone. The Data Security and Protection Toolkit looks intimidating — long evidence requirements, jargon that assumes you already understand it, and a deadline that always feels closer than it should.

The good news: it’s much more manageable than it looks once you know the shape of it. This guide walks you through the 2026 self-assessment from start to submit, and tells you the specific places practice managers get stuck.

What the DSPT actually is

The Data Security and Protection Toolkit (DSPT) is the NHS’s annual cyber security and data-handling assessment for every organisation that connects to NHS systems. It’s run by NHS England (formerly NHS Digital), and you’ll find it at dsptoolkit.nhs.uk.

If you use NHS Mail, NHSnet, the Summary Care Record, or any of the clinical systems that talk to NHS infrastructure, you need to complete it. That covers virtually every GP practice, pharmacy, dental practice, community provider, social care org, and many smaller suppliers.

The toolkit replaced the IG Toolkit in 2018 and gets refreshed each year. The current edition (2025/26) is what you’re being asked to complete; the next refresh (2026/27) becomes available later in the year.

Who has to complete it

Every organisation that uses NHS infrastructure has to complete a DSPT, but which version depends on what type of organisation you are:

  • General medical practices, GP federations, primary care networks — Category 1 (“Health and Care Organisations”)
  • Pharmacies (community) — Category 2 (slightly lighter requirement set)
  • Care providers (residential, domiciliary) — Category 3
  • Suppliers / processors — Category 4 (different evidence structure entirely)

If you’re not sure which category you fall into, the portal asks at registration. Pick the one that matches your CQC registration if you’ve got one. Practice managers reading this are almost certainly Category 1.

The deadline

The current submission window for the 2025/26 edition closes on 30 June 2026. Late submission used to be tolerated; it isn’t any more. From 2024 onwards, if you don’t have a “Standards Met” status by the deadline, your organisation is flagged as non-compliant, and your ICB and the CQC can see this.

What “Standards Met” means

A DSPT submission can result in three statuses:

  1. Standards Met — you’ve answered every mandatory evidence requirement and supplied valid evidence. This is the only “pass”.
  2. Standards Not Met — there are gaps in your evidence. You can keep working on it after the deadline but you’re non-compliant until you resolve them.
  3. Standards Exceeded — you’ve gone beyond mandatory and completed the additional “Improvement” requirements.

For practice managers, the goal is Standards Met. Standards Exceeded is nice-to-have but rare in primary care.

Step 1 — Gather your evidence before you start

The single biggest reason practice managers get stuck is that they try to complete the toolkit live, hunting for evidence as they go. That’s a four-hour torture session. The right way to do it is to gather everything first and then plough through.

You will need to be able to evidence:

  • Information governance training records — every staff member (clinical and non-clinical), in date (within 12 months), with completion certificates or your e-learning platform’s report
  • Your registered Data Protection Officer’s contact details and qualifications
  • Your latest data flow map — who collects what data, where it’s stored, who it’s shared with
  • Your Records of Processing Activity (ROPA) — the GDPR document
  • Your Information Asset Register — every system that stores patient data and who owns it
  • Your most recent risk assessment — including specific identified risks and mitigation
  • Network diagram — broadly what’s on your network, internet connection, firewall, key servers
  • Evidence of antivirus / endpoint protection — typically a screenshot from your IT provider showing coverage across all devices
  • Backup verification — evidence that your last backup test actually worked (not just that backups are scheduled)
  • Business continuity / disaster recovery plan — current and tested
  • Cyber Essentials certificate if you have one (highly recommended; we’ll come back to this)
  • Subject Access Request (SAR) procedure — written, accessible
  • Your data breach response procedure — written, with timescales and named responsible person

If you can’t supply something on this list, that’s the gap you need to fix before you submit, not while you’re submitting.

Step 2 — Register or log in

Go to dsptoolkit.nhs.uk, log in (or register if you’re a new organisation), and select the current 2025/26 assessment.

If you’ve completed the toolkit before, your previous answers are pre-loaded. Don’t just leave them as-is. Re-check every single answer — staff change, systems change, suppliers change, and an out-of-date answer that says “yes we have annual training” when half your reception team are six months overdue is the kind of thing that gets flagged.

Step 3 — Work through the assertions in order

The toolkit is organised into ten “National Data Guardian Standards”, each containing several assertions. You don’t have to do them in order, but it helps because the early ones set up the context for later ones.

The standards are:

  1. Senior Information Risk Owner — who’s in charge?
  2. Staff awareness and training — IG training, recent and current
  3. Data security policies — written, in force, reviewed annually
  4. Records of Processing Activity — your GDPR documentation
  5. Senior leadership engagement — your SIRO’s involvement in IG decisions
  6. Incident response — what you do when something goes wrong
  7. Continuity of service — backups, DR, BCP
  8. Anti-malware — endpoint protection coverage
  9. Cyber Essentials or equivalent — strongly recommended; a current certificate can stand as the answer to the assertion
  10. Supplier assurance — who you trust with your data and how you check them

Each assertion asks specific questions and asks you to upload evidence. The trick is not to over-explain — answer the question, attach the evidence, move on. Long discursive answers are often where assessors find inconsistencies.

Step 4 — The four assertions that catch practice managers out

These are the most common stuck-points based on the patterns we see across UK practices:

2.3 — All staff complete information governance training annually

This trips people up because the toolkit wants evidence of all staff (including locums, agency, sessional GPs, cleaners with system access). The exemption many practices try to apply (“Mrs Smith only does admin”) doesn’t usually fly. Make sure every person on the rota for the year has a training record.

4.4 — A Records of Processing Activity exists and is current

This is the document GDPR Article 30 requires. If you’re using a template ROPA from your CCG / ICB and haven’t reviewed it in the last 12 months, it’s stale. Update it before you submit — the assessors will check the dates.

7.1 — Backup tested in the last 12 months

“We have backups” is not enough. The toolkit wants evidence the backups were tested — typically a restore test from a backup, with a date. If you can’t show this, the answer here should be “No”, not “Yes”, and that’s a gap to fix before you submit. Your IT provider should be able to run a test restore for you within 24 hours.
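To make concrete what a restore test produces, here is an added example (not part of the original guide, and not a tool of the author’s or of NHS England’s) that does the minimum a 7.1 evidence record needs: it archives a constructed sample data set, restores the archive into a separate directory, compares the SHA-256 digest of every file, and returns a dated pass/fail report. The file names and contents are made up for the example; a real test would point `make_backup` at whatever your IT provider’s backup product actually produces.

```python
"""Restore-test a backup archive and record the result as dated evidence.

Added example for the 7.1 backup-testing point. The sample data, the
tar-based backup and the file layout are all constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_tree(root: Path) -> dict:
    """Map each file under root (as a relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the real backup job: a compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> None:
    """Restore into a separate directory; never extract over the live data."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # refuses entries that escape target
        except TypeError:  # Python without the tarfile extraction-filter backport
            tar.extractall(target)


def compare_trees(expected: dict, actual: dict, archive_name: str) -> dict:
    """Build the dated evidence record from the live and restored digest maps."""
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive_name,
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
        "passed": not (missing or extra or corrupt),
    }


def build_sample_data(root: Path) -> None:
    """Constructed stand-in for live data; contains no real patient information."""
    (root / "records").mkdir(parents=True)
    (root / "records" / "appointments.csv").write_text("date,slot\n2026-01-05,09:00\n")
    (root / "config.ini").write_text("[system]\nname=sample\n")


def demo(simulate_failure: bool = False) -> dict:
    """Run a complete restore test on constructed data and return the report.

    With simulate_failure=True one restored file is deleted before the
    comparison, showing that an incomplete restore is reported, not hidden.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "live"
        build_sample_data(source)
        archive = work / "backup.tar.gz"
        restored = work / "restored"
        restored.mkdir()
        make_backup(source, archive)
        restore_backup(archive, restored)
        if simulate_failure:
            (restored / "config.ini").unlink()
        return compare_trees(digest_tree(source), digest_tree(restored), archive.name)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(simulate_failure=True), indent=2))
```

The point of the report is the `tested_at` timestamp alongside a `passed` value that is only true when every file came back byte-for-byte: that is the difference between “backups are scheduled” and “the backup was tested”, which is what the assertion asks for. Keep the JSON output with the date on it as the evidence you upload.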

9.x — Cyber Essentials or equivalent

You don’t have to have a Cyber Essentials certificate to pass the toolkit, but it’s the easiest way to satisfy several of the technical assertions. If you don’t have one and you’re answering this assertion with “we follow Cyber Essentials principles”, the toolkit asks you to evidence each control. That’s a lot of evidence. A current Cyber Essentials certificate short-circuits all of that.

Step 5 — Submit and what happens next

When every mandatory assertion is answered with valid evidence, the “Submit” button activates. Once you submit, you get an automated email confirming the status (Met / Not Met / Exceeded), and ICB and CQC can see your status in their dashboards.

You can amend a submission after the deadline if you spot a mistake, but ideally don’t — the optics aren’t great.

Step 6 — What changes for the 2026/27 edition

The next refresh of the toolkit comes out later this year. Based on NHS England’s published roadmap, the 2026/27 edition is expected to:

  • Strengthen the supplier assurance requirements (you’ll need to evidence supplier checks more thoroughly)
  • Add explicit AI/ML system inventory questions (if you use any AI-powered clinical tools, expect to declare them)
  • Tighten the multi-factor authentication requirements (likely “MFA on every account with access to clinical systems”)
  • Continue the trend toward referencing Cyber Essentials directly

Plan ahead by making sure your IT provider has these on their radar for the year ahead.

When to ask for IT help

Practice managers are usually the right people to drive the toolkit because most of it is about processes (training records, policies, roles), not technology. But four assertions consistently need IT input:

  • 7.1 backup testing — your IT provider runs the test, gives you the evidence
  • 8.x antivirus / endpoint protection — your IT provider gives you coverage evidence
  • 9.x technical controls — Cyber Essentials work, vulnerability management
  • 10.x supplier assurance — they help you compile the list of cloud services and check their certifications

If your IT provider isn’t proactively offering this support as part of their service, that’s worth a conversation. Most managed IT providers for healthcare include DSPT support in their contract; if yours doesn’t, get in touch with us — we help UK practices, pharmacies and care providers get to Standards Met every year.


Need help getting your practice to Standards Met before the deadline?

Aurora Tech Support helps UK GP practices, community pharmacies, and care providers complete the DSPT every year. We provide the technical evidence (backup verification, endpoint protection coverage, Cyber Essentials certification, network documentation) and we’ll review your toolkit answers before you submit so you don’t get stuck on assessor feedback.

Give us a shout on (0330) 223 5401 or book a no-pressure DSPT review chat at auroratechsupport.co.uk.