DSPT · 1 July 2026
DSPT for care homes: a practical guide
If your care home receives NHS-funded care, uses NHSmail, or shares data with GP practices and community services, you almost certainly need a current Data Security and Protection Toolkit (DSPT). This guide explains what that means for a care home specifically, without assuming you have an IT department.
Why care homes need the DSPT
Care homes handle a great deal of sensitive personal and health information — care plans, medication records, GP correspondence, and more. Where that data touches NHS systems or NHS-funded care, the DSPT is how you demonstrate you’re protecting it properly.
There’s also a regulatory dimension. The CQC looks at data security within the well-led domain, and commissioners increasingly expect to see a completed toolkit. A current DSPT keeps your NHS data flows switched on and gives families and partners confidence in how you handle their information.
What’s realistic for a care home
The good news is that the DSPT is proportionate to your organisation. A care home isn’t expected to answer the same questions as a large NHS trust — the assessment reflects your size and the way you use NHS data. Our guide to DSPT assessment levels and profiles explains how that works, but in short: the expectations are achievable for a typical care setting.
The evidence care homes usually need
Most of what the toolkit asks for, you already have in some form. The task is organising it. Key items include:
- A named person responsible for data protection — often the registered manager
- A data protection or information governance policy that reflects how you actually work
- Staff training records showing everyone completes annual data security training, including new starters at induction
- An information asset register listing the data you hold, where it’s kept, and who’s responsible
- Access controls — who can see care records, and a process to remove access when staff leave
- A tested backup of your important records, whether paper-based systems are digitised or you use care planning software
- An incident and breach procedure, plus a log of anything that’s gone wrong and what you learned
- Supplier assurance for any system that holds resident data on your behalf
Our DSPT evidence checklist sets all of this out in detail.
Common sticking points for care homes
| Sticking point | What helps |
|---|---|
| High staff turnover | A simple joiners and leavers log to keep training and access current |
| Agency and bank staff | Confirm they receive the same data security briefing |
| Paper and digital mix | Include both in your asset register and access controls |
| Reliance on a care system supplier | Get written assurance and a processing agreement |
| No dedicated IT | Lean on your software provider’s security and consider certification |
These map closely to the common DSPT mistakes we see across the sector, so they’re worth pre-empting.
The deadline
The standard annual deadline is 30 June, and the toolkit resets each year. Because gathering training logs and testing a backup takes time, start a couple of months ahead. Our guide to the DSPT deadline and annual cycle shows how to plan the year, and what happens if you miss the deadline covers the consequences of slipping.
Aim for Standards Met
Your goal is the Standards Met status rather than stopping at Approaching Standards, which leaves work outstanding. Our guide on Standards Met vs Approaching Standards explains the difference.
Wider data protection
The DSPT overlaps with your UK GDPR obligations — the same asset register and policies support both. And because several assertions cover technical controls, Cyber Essentials can make those answers more straightforward. Any unfamiliar terms are explained in the glossary.
Making it manageable for a busy home
The single biggest worry we hear from registered managers is time — the toolkit can feel like one more thing on an already full plate. The way to make it manageable is to break it into small pieces rather than tackling it in one sitting. Spend an hour tidying your training log one week, an afternoon listing your information assets the next, and a short session confirming your leavers process after that. By the time the deadline approaches, most of the work is already done, and the submission itself becomes a straightforward tidy-up. Involving your team also helps: a senior carer can own training records, an administrator can maintain the asset register, and the manager can hold the whole picture together.
Keeping it fresh each year
Because the toolkit resets annually, the effort you put in now pays off every future year — provided you keep your evidence in one place. Store your policies, training log, asset register, backup test records and incident log together, each with a review date, and next year’s submission becomes a quick refresh rather than a fresh start. This is especially valuable in a sector with high turnover, where the person completing the DSPT may change from one year to the next. A simple, well-organised evidence folder is the best gift you can leave your future self or your successor.
Check where you stand
Our DSPT readiness checker gives you a quick sense of how much work is ahead in just a few minutes.
How we can help
Most care homes don’t have a dedicated information governance lead — which is exactly where we come in. We offer a clear, fixed-fee engagement that maps your existing records against every assertion, tells you plainly what’s missing, and supports you through to submission, all in plain English. Explore our DSPT service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our DSP Toolkit (DSPT) service.