DSPT Deadline 30 June: GP Surgeries, Dentists and Care Homes Risk Losing NHS Mail Access

The annual Data Security and Protection Toolkit (DSPT) submission deadline is 30 June 2026. Miss it, and your practice risks losing access to NHS Mail, the NHS e-Referral Service, and the Summary Care Record — the systems your team uses every working day to deliver patient care. This is not a routine admin reminder. NHS England and NHS Digital treat a failed or overdue DSPT submission as a data governance failure, with real operational consequences for the practice.

With eleven days remaining, many practices are still in the middle of their submission — or haven't started. This guide explains exactly what the DSPT requires, what you stand to lose if you miss the deadline, and the practical steps to complete your submission before 30 June.

What Is the DSPT — and Who Must Submit?

The Data Security and Protection Toolkit is an online self-assessment tool developed by NHS England and NHS Digital. It allows healthcare organisations to measure their performance against the National Data Guardian's ten data security standards and demonstrate that they handle NHS and patient data responsibly.

The DSPT replaced the old Information Governance Toolkit in 2018 and has been an annual requirement ever since. Every organisation that has access to NHS patient data, NHS systems, or NHS infrastructure must complete and submit a DSPT assessment each year. That includes:

• GP surgeries — including single-handed practices and Primary Care Network (PCN) members
• NHS dentists — including mixed NHS/private practices where the NHS element uses NHS systems
• Pharmacies — including independent community pharmacies on the NHS dispensing contract
• Opticians — providing NHS-funded sight tests and using the NHS Ophthalmic Online (NOO) system
• Care homes and home care providers — with access to Electronic Palliative Care Coordination (EPaCCS), Summary Care Records, or NHS-funded digital tools
• Out-of-hours and urgent care providers — GP federations, NHS 111 clinical partners, walk-in centres
• Allied health professionals and community providers — physio, community nursing, district nurses accessing NHS systems

If your organisation connects to any NHS system — including NHS Mail — you must submit a DSPT assessment by 30 June 2026.

What Happens If You Miss the 30 June Deadline?

The consequences of a missed or failed DSPT submission are operational, not just bureaucratic. NHS Digital enforces the DSPT programme directly and takes a staged approach to non-compliance.

NHS Mail access suspended

NHS Mail (@nhs.net accounts) is the primary secure email channel for patient referrals, results, and inter-practice communication. NHS Digital can suspend NHS Mail access for organisations whose DSPT submission has expired. For a GP surgery or pharmacy that relies on NHS Mail for prescribing, referrals, and discharge summaries, a suspension is immediately disruptive to patient care — and creates a safeguarding risk that will attract attention from your ICB.

NHS e-Referral Service access removed

The NHS e-Referral Service (e-RS) is how GP practices make outpatient and specialist referrals. Losing access to e-RS means paper-based referral workarounds, delays for patients, and the administrative burden of manual processes. ICBs (Integrated Care Boards) are required to monitor DSPT compliance among their member organisations and can escalate persistent non-compliance to NHS England.

Summary Care Record and shared record access restricted

The Summary Care Record (SCR) gives GP surgeries, pharmacies, and urgent care providers access to core patient information — medications, allergies, adverse reactions. Restricted access to the SCR introduces clinical risk. For care homes with access to EPaCCS or shared care records, a DSPT failure can mean losing the data connections that coordinate end-of-life care and hospital discharge.

CQC and regulatory exposure

CQC's new single assessment framework — currently in its pilot phase — includes data governance and cyber security within its "Safe" and "Well-Led" quality statements. An overdue or failed DSPT submission is visible to CQC inspectors. If your practice is visited during a period of DSPT non-compliance, you can expect the inspector to probe your data security governance as part of the well-led assessment. A combination of a DSPT failure and a CQC inspection creates significant reputational and regulatory exposure for the practice.

What the DSPT Self-Assessment Actually Covers

Many smaller practices treat the DSPT as a box-ticking exercise — they answer questions without checking whether the controls they're describing actually exist. This is a compliance risk: the DSPT requires you to evidence your assertions, not simply confirm them. An ICO or DSPT audit can request the underlying documentation at any time.

The DSPT assessment is structured around the National Data Guardian's ten standards. For the purposes of the June 30 submission, here are the areas where smaller practices most commonly struggle:

1. Training and awareness

You must demonstrate that all staff who handle personal data have completed data security training in the past twelve months. This includes receptionists, care coordinators, administrative staff, and clinical staff — not just the data protection lead. Training records must be kept. If your last training cycle was in 2024 or early 2025, check your records now: staff who haven't completed a refresher within the twelve-month window prior to 30 June 2026 will cause a gap in your assertion.

2. Password and access management

The DSPT requires multi-factor authentication (MFA) for all remote access to NHS systems and for privileged accounts accessing clinical systems. Many small practices still have clinical staff accessing remote desktops with a single password. If you haven't enabled MFA on NHS Mail, NHSmail 2, or your clinical system's remote access portal, this will be flagged during the assessment.

3. Cyber security incident response

You must have a documented process for responding to a cyber security incident — including ransomware, phishing attacks, and data breaches. This does not need to be a twenty-page document, but it must exist, be accessible to staff, and describe the steps the practice takes in the first 24 hours of a suspected incident. You must also know whether and when to report to the Data Security Centre (DSC) and the ICO.

4. Information asset register

The DSPT requires an up-to-date register of information assets — the systems and data sets your practice uses to process personal data. For a GP surgery, this includes the clinical system (EMIS, SystmOne), NHS Mail accounts, referral platforms, document management systems, and any third-party processors (cloud storage, referral software, remote consultation tools). If this register hasn't been updated since last year's submission, check whether you've added any new systems since June 2025.

5. Data protection impact assessments (DPIAs)

If your practice has introduced any new digital tool, sharing arrangement, or data processing activity since your last DSPT submission, a DPIA may be required. Common triggers in 2025–26 include: adopting AI-assisted triage tools, joining a PCN data sharing agreement, using remote monitoring devices for care home residents, and migrating to cloud-based clinical records. Practices that cannot produce a DPIA for a high-risk new processing activity will have a gap in their DSPT submission.

How to Complete Your DSPT Submission Before 30 June

Step 1: Log in and check your status (today)

Access the DSPT portal at dsptoolkit.nhs.uk. Each organisation has a registered account. If your practice manager has changed and the account credentials are missing, you can request a password reset or account recovery directly from the DSPT helpdesk. Do not leave this step until the last week of June.

Step 2: Review last year's submission and identify gaps

Your 2024–25 submission is visible in the portal. Review the assertions you made last year and identify which ones need updating — particularly if you've had staff changes, system changes, or security incidents since the last submission. Flag the areas where your supporting evidence is weakest: training records, MFA implementation, and the information asset register are consistently the top three gaps for smaller healthcare providers.

Step 3: Gather your evidence

For every assertion you make in the DSPT, you should hold supporting evidence. This does not need to be uploaded to the portal during submission, but it must be held by the practice and available for audit. Key documents to locate or create:

• Staff data security training completion records (for the 12 months to 30 June 2026)
• MFA enablement confirmation for NHS Mail and clinical system remote access
• A current information asset register
• Your data protection complaints procedure (now mandatory under DUAA Section 164A — in force from 19 June 2026)
• Any DPIAs completed in the past twelve months
• Your cyber incident response plan

Step 4: Submit and get to "Standards Met"

The DSPT has two outcome levels: "Standards Met" and "Standards Exceeded". For most small practices, reaching "Standards Met" by 30 June is the primary goal. A submission in "Approaching Standards" status at the deadline is treated differently by NHS Digital depending on your ICB — some accept a plan to reach compliance by a later date, but you should not rely on this. Aim to reach "Standards Met" by the deadline.

Step 5: Document your completion

Once submitted, download and retain a copy of your completed assessment and your submission confirmation. Store these in your practice's compliance evidence folder. If your practice uses ComplianceAlert, upload your DSPT confirmation to the Evidence Vault against your data security action — so you have a timestamped record available for CQC inspections, NHS audit requests, and ICO investigations.

The DSPT and DUAA: Two Deadlines That Overlap This Month

June 2026 is an unusually heavy compliance month for healthcare providers. On top of the DSPT deadline, DUAA Section 164A came into force on 19 June 2026, making a formal written data protection complaints procedure mandatory for all data controllers — including every GP surgery, dental practice, pharmacy, and care home. The two obligations overlap: the DSPT asks you to confirm that you have a documented process for handling data subject complaints and requests. DUAA now makes having that procedure a legal requirement in its own right.

If you haven't yet put a DUAA-compliant data complaints procedure in place, do it this week — before you submit your DSPT. Your DSPT submission will be stronger for it, and you'll satisfy both regulatory requirements in a single workflow.

Two June deadlines for healthcare providers:

• DUAA S164A formal complaints procedure — in force from 19 June 2026
• DSPT annual submission — deadline 30 June 2026

Both are data governance obligations. Completing one supports the other.

Summary: What You Need to Do Before 30 June

• Log in to the DSPT portal today and check your current submission status
• Update your information asset register — include any new systems added since June 2025
• Confirm MFA is enabled on NHS Mail and remote clinical system access for all staff
• Check training records — all staff must have completed data security training within the last 12 months
• Review your data protection complaints procedure — ensure it complies with DUAA S164A and is documented
• Submit your DSPT assessment and save the confirmation to your compliance evidence folder

ComplianceAlert monitors DSPT deadlines, DUAA obligations, and CQC compliance requirements for healthcare providers. Use the Action Centre to activate your DSPT compliance checklist and the Evidence Vault to store your submission confirmation, training records, and DPIA documentation. When CQC visits, your Inspection Pack pulls everything together in one exportable file.

It's not enough to submit the DSPT. You need to be able to prove you acted on it — and on every other data governance obligation your practice carries. That's what ComplianceAlert is built for.

Start free at compliancealert.co.uk/healthcare — free forever plan, no card required.

Frequently Asked Questions

What happens if my DSPT submission is late?

NHS Digital monitors submission deadlines by organisation. An overdue submission can trigger suspension of NHS Mail access, e-RS access, and shared care record connectivity. Your ICB will be notified. The consequences depend on how late the submission is and whether you have communicated a remediation plan to your ICB in advance of the deadline.

Does the DSPT apply to private-only practices?

Only if your practice accesses NHS systems — including NHS Mail. A private-only dental practice with no NHS contract and no NHS system access is not required to complete the DSPT. However, if you use NHS Mail for any purpose, or if any clinician at your practice has NHS login credentials, you should confirm your status with NHS Digital before assuming you are exempt.

We're part of a PCN — does the PCN submit on our behalf?

No. Each individual organisation must complete its own DSPT submission. Being a member of a Primary Care Network does not transfer the DSPT obligation to the network body. The network itself may also have a separate DSPT obligation if it processes patient data directly.

What support is available to complete the DSPT?

NHS Digital provides a DSPT helpdesk for technical support with the portal. NHS England and many ICBs offer DSPT guidance sessions for smaller practices. Many practices use a data protection officer or NHS IG consultant to manage their submission — you can find verified DSPT advisors and data protection specialists at compliancemarket.co.uk/cqc-consultants.

Need professional help with your DSPT submission or data protection compliance? Find a verified specialist at compliancemarket.co.uk.