How to prepare for a DSPT submission without the panic
A step-by-step guide to getting your Data Security and Protection Toolkit done calmly, correctly and on time
Escrito por Thomas Andrew Porteus, MBCSPublicado originalmente 9 Jul 2025
Cumple con las directrices editoriales
- DescargarDescargar
- Compartir
- Language
- Discusión
- Versión en audio
- Agregar a fuentes preferidas en Google
Profesionales Médicos
Los artículos de Referencia Profesional están diseñados para ser utilizados por profesionales de la salud. Están escritos por médicos del Reino Unido y se basan en evidencia de investigación, así como en guías del Reino Unido y Europa. Puede encontrar uno de nuestros artículos de salud más útil.
The words "DSPT submission" can strike dread into even the most organised practice managers. Every year, the requirement to complete NHS England’s Data Security and Protection Toolkit (DSPT) returns - and for many practices, it’s a last-minute scramble. But it doesn’t have to be. The DSPT is a practical framework to help you demonstrate that your practice is handling patient data safely and legally. When embedded into your regular governance calendar, it becomes far less of a burden - and far more of a tool for improvement. This guide walks you through how to prepare for your DSPT submission with minimal stress, including timelines, top tips, and common pitfalls to avoid.
What is the DSPT and why does it matter?
The DSPT is a self-assessment tool that every general practice in England must complete annually. It’s used to:
Demonstrate compliance with data protection legislation.
Confirm that your systems meet NHS security standards.
Fulfil your obligations under the NHS contract.
Provide assurance to commissioners, partners, and the CQC.
Access NHSmail, shared care records, and other secure services.
Your submission status can affect your ability to collaborate with other providers - and failure to complete it may be flagged to your ICB. The deadline typically falls in March or June, depending on NHS England’s annual timetable.
Why panic happens - and how to avoid it
The DSPT covers a wide range of governance areas: cyber security, data sharing, smartcard use, policies, staff training, and more. The panic usually happens when:
Tasks have been left to one person.
Evidence isn’t saved or tracked throughout the year.
There’s no clear timeline or delegated responsibilities.
Policies haven’t been reviewed or updated in time.
Staff haven’t completed the required training.
The trick is to treat the DSPT as a year-round process, not a one-off deadline.
How to prepare for your DSPT submission
1. Understand what’s required
Visit https://www.dsptoolkit.nhs.uk and register or log in with your practice ODS code. You’ll see a list of assertions, each with required evidence. Focus on achieving “Standards Met” - the minimum level for compliance. This means confirming:
All staff have completed appropriate IG training.
You have up-to-date policies and procedures.
You’ve completed a baseline cyber security checklist.
You’ve carried out a data protection impact assessment (DPIA).
Your practice has business continuity plans in place.
The toolkit now includes simplified language and links to guidance for general practice - but it still takes time to navigate.
2. Create a DSPT working folder
Save all relevant evidence in one central location - ideally on your shared drive with restricted access. Create subfolders for:
Policies (for example, IG, confidentiality, SARs, acceptable use).
Staff training records.
Risk assessments.
DPIAs and audits.
Incident logs.
Data sharing agreements.
Use file names and versions that are easy to track. This will save hours when it’s time to upload or reference them.
3. Assign responsibilities and delegate
Don’t do it alone. Break the DSPT into sections and assign owners:
Practice manager: overall coordination.
IT lead: cyber checklist, smartcard access, backups.
Caldicott Guardian: data sharing and confidentiality
Admin team lead: training logs, policy awareness.
Reception lead: SAR and FOI log oversight.
A small planning meeting at the start of the year can help divide the load fairly.
4. Add it to your IG calendar
Use your IG calendar to spread the workload. For example:
January: Review policies and DPIAs.
February: Complete staff training refresher.
March: Upload evidence and submit DSPT.
If you already run quarterly IG checks, use these as an opportunity to gather evidence throughout the year - not just in the final weeks.
5. Use support tools and templates
There’s no need to start from scratch. You can use:
NHS England’s DSPT support pages.
Templates from your ICB, CSU, or local DPO.
Webinars or local drop-in support sessions.
GP-specific guidance built into the DSPT website.
NHS Digital’s IG Portal.
You can also view last year’s submission for reference - but avoid copying it forward without review.
What happens if you miss the deadline?
Failure to submit by the required date could result in:
Flags on your contractual compliance.
Loss of access to NHSmail or national systems.
Extra scrutiny from the ICB or CQC.
Delays in digital upgrades or data-sharing initiatives.
If you know you’ll struggle, speak to your ICB early - they may grant extensions or offer targeted support.
Final word: Make it manageable, not monumental
The DSPT is not just a bureaucratic hurdle - it’s a reflection of your practice’s approach to data safety, cyber resilience, and staff awareness. Done properly, it can prompt overdue reviews, help identify risks, and provide assurance to patients and partners alike. With a shared plan, a clear calendar, and a sensible folder system, your DSPT can stop being a source of panic - and start being a well-managed part of your annual governance cycle.
Actualizaciones exclusivas para profesionales de la salud
Mantente informado con las últimas actualizaciones clínicas, perspectivas profesionales y orientación basada en evidencia. El boletín de Patient Pro selecciona contenido esencial para profesionales de la salud, entregado directamente en tu bandeja de entrada.
Al suscribirte aceptas nuestros Política de Privacidad. Puedes darte de baja en cualquier momento. Nunca vendemos tus datos.
Sobre el autorVer biografía completa

Thomas Andrew Porteus, MBCS
HealthTech
MBCS
Thomas escribe para informar, inspirar y equipar a líderes de práctica y profesionales de la salud que navegan por el cambio, basándose en dos décadas de trabajo práctico en el sistema de salud del Reino Unido.
Historial del artículo
La información en esta página está escrita y revisada por pares por clínicos calificados.
Artículo también disponible en Inglés, Alemán, Español, Francés, Italiano, Portugués, Hindi, Hebreo, Árabe, y Sueco.
Próxima revisión: 9 de julio de 2028
9 Jul 2025 | Publicado originalmente
Escrito por:
Thomas Andrew Porteus, MBCS

Pregunta, comparte, conecta.
Navega por discusiones, haz preguntas y comparte experiencias en cientos de temas de salud.

¿Te sientes mal?
Evalúa tus síntomas en línea de forma gratuita
More in information governance and security
- Data Use and Access Act 2025 - what it means for general practice
- How to avoid IG headaches when working with PCN staff
- How to conduct a practice-wide IG risk assessment
- How to create a culture of IG awareness in your practice
- How to create a practice IG calendar that actually works
- How to handle a patient data breach
- How to handle a subject access request (SAR)
- How to handle common patient questions about information security
- How to manage cyber security in a hybrid-working practice
- How to prevent smartcard sharing and why it matters
- How to respond to a suspicious email in under 60 seconds
- How to run a 15-minute IG refresher at your next team meeting
- How to spot and stop internal IG risks
- How to train staff on cyber security without boring them
- How to write a patient-facing privacy notice that builds trust