Example engagement — illustrative
A GP practice catching up on a lapsed DSPT submission
GP practice (~9,000 patients) · DSP Toolkit (DSPT)
The challenge
A busy general practice had let its toolkit slip after a change of practice manager, leaving a lapsed status while it depended on GP Connect and the Electronic Prescription Service every day.
What we did
- Recovered access to the toolkit account and confirmed the practice profile and ODS code were correct
- Reviewed the previous year's submission to reuse what still held and flag what had aged out
- Updated the information governance and data protection policies and confirmed the Caldicott Guardian and IG lead
- Verified staff data security training completion and closed gaps in access controls and device patching
- Checked data processing agreements with clinical-system and IT suppliers before publishing the new status
The outcome
The practice restored a current Standards Met status and protected its ongoing access to national NHS systems.
Background
Staff turnover is one of the most common reasons a DSPT submission lapses, and this illustrative example reflects that. When a practice manager moves on, the toolkit login and its half-finished evidence pack often move on with them. Here, a training practice serving around 9,000 patients found its status had expired, and the incoming manager inherited an account they could not sign into, with no clear record of what had already been done.
Because the practice relied on GP Connect, the Electronic Prescription Service and NHSmail throughout the working day, an expired status was not an abstract compliance point — it was a live risk to the systems clinicians used every appointment.
What we did
The first job was practical: recovering access to the toolkit and confirming the practice was registered under the right profile and ODS code. Rather than starting from a blank page, we pulled the previous year’s responses forward, keeping what still stood up and clearly marking what had aged out — expired training, superseded policies, staff who had left.
Much of the value was in the governance layer that practices already have but rarely document neatly. We refreshed the information governance and data protection policies, confirmed the named Caldicott Guardian and IG lead, and checked that annual data security awareness training was genuinely complete rather than assumed. On the technical side we tidied user access, confirmed devices were on supported and patched operating systems, and reviewed the data processing agreements with the clinical-system and IT suppliers. Our DSPT evidence checklist kept the catch-up methodical.
Result
Within the assessment window the practice published a fresh Standards Met status, every assertion supported by evidence the manager could locate at short notice. Access to national NHS systems continued without interruption, and the practice left with a tidy pack that turns next year’s return into a review rather than a rebuild.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.