11 Days Left: GP Surgeries, Dentists and Care Homes Must Complete DSPT Self-Assessment by 30 June 2026

The DSPT 2025-26 deadline is 30 June 2026 — and if your organisation handles NHS or adult social care data, you must complete your annual self-assessment before that date. That includes GP surgeries, dental practices, care homes, pharmacies, opticians, social care providers, and local authorities.

This year's version (v8) adds two new mandatory questions, bringing the total to 45. Failing to reach "Standards Met" status risks loss of NHS data access, contract issues, and a potential referral to the ICO.

This guide covers exactly who must complete the DSPT, what's new in 2025-26, how to submit, and how to get your evidence in order before the deadline.

Who Must Complete the DSPT in 2025-26?

Any organisation that accesses, stores, or processes NHS patient data or adult social care data must complete the Data Security and Protection Toolkit (DSPT) annually. This covers a wide range of health and care settings.

You must complete the DSPT if you are:

• A GP surgery (NHS primary care contractor)
• A dental practice (NHS contract holder)
• A care home, domiciliary care provider, or supported living service
• A pharmacy (dispensing NHS prescriptions)
• An optician with an NHS contract
• A social care provider handling adult social care data
• A local authority with adult social care responsibilities
• An NHS trust, foundation trust, or integrated care board
• An IT supplier processing NHS data (with additional requirements — see below)

If you are unsure whether your organisation is in scope, check the DSPT Toolkit portal (dsptoolkit.nhs.uk) or contact NHS England directly.

What's New in DSPT 2025-26 (Version 8)?

The 2025-26 cycle introduces two new mandatory questions, raising the total from 43 to 45. NHS England has not yet published a public change log with full question text for general use, but the additions address updated expectations around data security governance — consistent with NHS England's ongoing alignment to NCSC guidance and post-Optum incident lessons.

What has stayed the same: the four core topic areas, the "Standards Met" threshold as the pass mark, and the annual submission requirement. Organisations that completed DSPT 2024-25 will find the process familiar — but must answer all 45 questions, not just the 43 from last year.

The key change for IT suppliers: organisations with 50 or more employees and a turnover of £10 million or more that supply IT systems processing NHS data must now undergo an independent audit covering 11 specific controls. This is a significant uplift for larger technology vendors.

The 45 Mandatory Question Categories

The 45 mandatory questions are grouped across four broad topic areas. Each question requires you to self-assess your current position — "met", "not yet met", or "not applicable" — and upload supporting evidence where required.

Topic Area	What It Covers	Evidence Typically Required
Staffing & Roles	Named Senior Information Risk Owner (SIRO), Data Security & Protection Lead, Caldicott Guardian (where applicable). Annual data security training completion rates.	Training completion records, role assignment documents
Policies & Procedures	Up-to-date data security policies, data protection impact assessments (DPIAs), consent management, subject access request (SAR) procedures.	Current policy documents with review dates
Data Security	Incident reporting processes, data breach procedures, records of near-misses and reportable incidents, ICO breach notifications.	Incident log, breach register, reporting evidence
IT Systems & Devices	Device inventory, encryption status, software patching, network security, remote access controls, supplier contracts with data processing agreements.	Asset register, patch records, DPAs with suppliers

The two new questions in version 8 fall within the existing topic areas — you will see them presented alongside the 43 carry-over questions when you log into the portal.

What Does "Standards Met" Mean?

To successfully complete your DSPT submission, your organisation must reach "Standards Met" status. This means answering all 45 mandatory questions and providing satisfactory responses — typically with supporting evidence — for each.

There are three possible submission statuses:

• Standards Met — all 45 mandatory items completed satisfactorily. This is the required pass mark.
• Approaching Standards — some items are incomplete or evidence is missing. You can submit at this status as a time-limited acknowledgement that work is in progress, but it flags your organisation as non-compliant until corrected.
• Not Yet Started / Incomplete — no submission made. The most serious outcome.

Integrated care boards (ICBs) and NHS England regional teams monitor DSPT status for all primary care contractors. "Approaching Standards" triggers a follow-up; "Not Yet Started" can result in formal intervention.

IT Suppliers: New Independent Audit Requirement

If your organisation is an IT supplier to the NHS and you have 50 or more employees and a turnover of £10 million or more, the 2025-26 DSPT introduces a new obligation: an independent audit covering 11 specific data security controls.

This audit must be conducted by a qualified third party — not a self-certification. It provides NHS clients with additional assurance that large-scale data processors meet a higher standard of scrutiny. Smaller IT suppliers and health and care providers without NHS IT contracts are not subject to this requirement.

If you think this applies to your organisation, review the guidance on dsptoolkit.nhs.uk and engage an independent assessor well before 30 June.

What Happens If You Miss the Deadline?

Missing the 30 June 2026 deadline is not a technical formality — it has real operational and contractual consequences for NHS-contracted organisations.

Immediate risks include:

• Loss of NHS data access — your ICB or NHS England regional team can restrict or withdraw access to NHS Spine, N3/HSCN, and other NHS digital systems until you comply.
• Contract breach — NHS primary care contracts (GMS, PDS, PMS for GPs; GDS/PDS for dentists) include obligations to maintain current DSPT status. Non-completion is a breach.
• ICO referral risk — failure to maintain adequate data security governance is a UK GDPR concern. While the ICO does not automatically receive DSPT non-compliance notices, an incident at a non-compliant organisation would face far greater scrutiny.
• CQC scrutiny — for care homes and social care providers, CQC inspectors may ask to see your DSPT status as part of their assessment of governance and information management.

The reputational damage of a public record of non-compliance — visible to anyone checking the DSPT public register — should also not be underestimated.

How to Complete and Submit Your DSPT

The DSPT is completed entirely online via the portal at dsptoolkit.nhs.uk. Here is the step-by-step process:

1. Log in — Use your existing DSPT account credentials. If you have lost access, contact the NHS Digital Service Desk to reset.
2. Check your organisation profile — Confirm your organisation type, ODS code, and named roles (SIRO, DSP Lead, Caldicott Guardian) are current.
3. Work through the 45 questions — Answer each mandatory item honestly. Where evidence is required, upload the document directly in the portal.
4. Review your status — The portal shows a progress dashboard. Aim for "Standards Met" on every item before submitting.
5. Submit before 30 June 2026 — Once all 45 questions are complete and your status shows "Standards Met", click Submit. You will receive a confirmation email and a submission reference number.
6. Retain your evidence — Keep copies of all uploaded documents and the submission confirmation. These may be requested by your ICB, CQC, or ICO.

Useful resources: NHS England DSPT guidance and the Digital Care Hub, which publishes sector-specific DSPT support for social care providers.

Evidence Checklist: What to Prepare Before 30 June

The questions that most commonly cause delays are those requiring uploaded evidence. Gathering these documents in advance makes the submission process significantly faster. Here is a practical checklist by evidence type:

Staffing & Training

• Annual data security training completion report (showing % of staff who have completed, with dates)
• Named SIRO appointment letter or board resolution
• Named DSP Lead role description or formal delegation
• Caldicott Guardian appointment (NHS primary care and trusts)

Policies & Procedures

• Data Security & Protection Policy (reviewed within 12 months)
• Acceptable Use Policy
• Subject Access Request (SAR) procedure
• Data Breach Response Procedure
• Records Retention Schedule

Data Security & Incidents

• Incident log covering the 2025-26 year (even if no reportable incidents — a nil return log is valid evidence)
• Evidence of any ICO breach notifications made during the year
• Evidence of near-miss reviews and lessons learned

IT Systems & Devices

• Asset register (all devices that access NHS data)
• Evidence of full-disk encryption on laptops and portable devices
• Patch management records (showing OS and software updates)
• Data Processing Agreements (DPAs) with all key IT suppliers
• Remote access policy and multi-factor authentication evidence

Frequently Asked Questions

What is the DSPT 2025-26 deadline?

The DSPT 2025-26 self-assessment must be submitted by 30 June 2026. This is the standard annual deadline for all organisations in scope. The portal closes to new submissions at midnight on that date.

How many questions are there in DSPT 2025-26?

DSPT 2025-26 (version 8) contains 45 mandatory questions. This is two more than the previous year (v7 had 43). All 45 must be completed to reach "Standards Met" status.

Does a small GP surgery or dental practice need to complete the DSPT?

Yes. Any organisation that holds an NHS contract or accesses NHS patient data must complete the DSPT annually, regardless of size. There is no minimum employee threshold for primary care contractors. The requirement applies to sole-trader dentists, single-handed GP practices, and large group practices equally.

What happens if we submit at "Approaching Standards" rather than "Standards Met"?

"Approaching Standards" is a permissible submission if you genuinely need more time to complete all 45 items — but it flags your organisation as not yet fully compliant. Your integrated care board may follow up to understand your timeline for reaching "Standards Met". Persistent "Approaching Standards" submissions over multiple years attract greater scrutiny. Aim for "Standards Met" by 30 June.

We had no data security incidents this year — do we still need an incident log?

Yes. A nil return is acceptable evidence, but you still need to provide documented confirmation that incidents were monitored and none were reportable. A simple log entry stating "no reportable incidents identified in 2025-26 — reviewed [date] by [SIRO name]" satisfies this requirement. Keep it in writing.

Can ComplianceAlert help with DSPT preparation?

Yes. ComplianceAlert is designed for exactly this kind of audit-readiness work. The Evidence Vault lets you upload your DSPT supporting documents — training records, policies, incident logs, DPAs — in one organised place throughout the year, not just at deadline time. Alice, our AI compliance assistant, can answer questions like "what evidence do I need for my DSPT submission?" based on your specific organisation type and what you have already uploaded. A free forever plan is available — no payment card required.

Key Takeaways

• Deadline: 30 June 2026 — 11 days to complete and submit.
• Who must complete: GPs, dentists, care homes, pharmacies, opticians, social care providers, and local authorities handling NHS or adult social care data.
• What's new: 45 mandatory questions (up 2 from last year), plus independent audit requirements for large IT suppliers.
• Pass mark: "Standards Met" — every question answered with satisfactory evidence.
• Consequences of missing the deadline: loss of NHS data access, contract breach risk, ICO scrutiny.
• Start now: log in at dsptoolkit.nhs.uk and gather your evidence this week.