DSPT · 1 July 2026
DSPT for dental practices: a practical guide
Dental practices that hold patient records and connect to NHS systems need a current Data Security and Protection Toolkit (DSPT). Whether you’re wholly NHS, mixed, or largely private but using NHSmail, the toolkit is how you demonstrate you’re protecting patient data properly. This guide explains what it means for a dental practice specifically.
Why dental practices need the DSPT
Dental practices hold detailed clinical records, medical histories and personal data, and many use NHSmail and other NHS systems to share information securely. Where NHS data or systems are involved, the DSPT is the recognised way to show that this information is well protected.
Completing it keeps your NHS connections switched on and supports your obligations as a data controller under UK GDPR. It also provides reassurance to patients and to the bodies you work with.
What a dental practice needs to evidence
Most dental practices are smaller organisations, and the toolkit is proportionate to that. The core evidence includes:
- A named person responsible for data protection — often the practice principal or manager
- Data protection and confidentiality policies that reflect how the practice actually runs
- Annual staff training records covering dentists, nurses, hygienists, reception and any associates or locums
- An information asset register listing the patient and staff data you hold and where it lives
- Access controls for your practice management software, with a process to remove access when someone leaves
- Tested backups of clinical records and secure configuration of devices
- An incident and breach procedure, with awareness of ICO reporting duties
- Supplier assurance for your practice software and any third parties handling patient data
Our DSPT evidence checklist walks through each of these.
Common sticking points for dental practices
| Sticking point | What helps |
|---|---|
| Associates and locums | Confirm training and appropriate, time-limited access |
| Mixed NHS and private work | Include all patient data in scope, not just NHS |
| Small team, no IT lead | Lean on your software provider and consider certification |
| Practice management software | Get written supplier assurance and a processing agreement |
| Imaging and X-ray systems | Include them in your asset register and backups |
Many of these mirror the common DSPT mistakes seen across smaller practices.
The deadline
The standard annual deadline is 30 June, and the toolkit resets each year. For a busy practice, the trick is to start a couple of months ahead and keep your evidence in one place so renewal is a quick refresh. Our guide to the DSPT deadline and annual cycle shows how, and what happens if you miss the deadline covers the risks of slipping.
Aim for Standards Met
Your goal is Standards Met rather than stopping at Approaching Standards, which leaves work outstanding. Our guide on Standards Met vs Approaching Standards explains the difference and how to close the gap.
Technical controls made easier
Several DSPT assertions cover technical controls — patching, anti-malware, secure device configuration and access management. Holding Cyber Essentials gives you independent evidence for many of these, which is helpful for a small team without in-house IT. See our guide on how the DSPT and Cyber Essentials relate, and the glossary for any unfamiliar terms.
Fitting it around a clinical day
The most common concern in dental practices is finding the time — clinical days are full, and the toolkit can feel like an administrative intrusion. The trick is to break it into small tasks rather than blocking out a whole day. Tidy your training log one week, list your information assets the next, confirm your leavers process after that. Sharing the work helps too: the practice manager can hold the overall picture, while nurses and reception staff maintain the records closest to their roles. Approached this way, the submission itself becomes a straightforward final review rather than a daunting project.
Private practices aren’t automatically exempt
A frequent misunderstanding is that a mostly private practice doesn’t need the DSPT. In reality, if you use NHSmail or any NHS system, or you hold data that flows to or from NHS services, the toolkit is likely to apply. And even where an assertion is framed around NHS data, the underlying good practice — protecting patient records, training staff, controlling access — applies to all your patients regardless of how their care is funded. Treating your whole patient record base as in scope keeps you on the right side of both the DSPT and your UK GDPR obligations.
Keeping it easy year on year
Because the toolkit resets annually, keeping your evidence in one place turns each renewal into a quick refresh rather than a fresh start. Store your policies, training log, asset register, backup test records and incident log together, each with a review date. In a small team where roles overlap, this simple habit protects you if the person who completed the toolkit this year isn’t the one doing it next.
Check where you stand
Our DSPT readiness checker gives you a quick sense of how much work is ahead in just a few minutes.
How we can help
Most dental practices don’t have a dedicated information governance lead, and the toolkit can feel like an unwelcome extra on top of a full clinical day. We offer a clear, fixed-fee engagement that maps your records against every assertion, tells you plainly what’s missing, and supports you through to submission. Explore our DSPT service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our DSP Toolkit (DSPT) service.