Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

DSPT for GP practices: a practical guide

For GP practices, the Data Security and Protection Toolkit (DSPT) is a core part of operating within primary care. You handle highly sensitive patient data and connect to a range of NHS systems every day, so completing the toolkit each year is essential — not optional. This guide sets out what it involves specifically for a practice.

Why the DSPT is essential for GP practices

GP practices sit at the heart of NHS data flows. You use clinical systems, GP Connect, the Electronic Prescription Service and NHSmail, and you share information with hospitals, community services and other practices. The DSPT is how you demonstrate that all of this sensitive patient data is protected to the expected standard.

A current DSPT keeps those NHS connections switched on and supports your wider obligations as a data controller under UK GDPR. It’s also part of the assurance commissioners and your integrated care system expect to see.

What a practice needs to evidence

Practices are generally more mature in their information governance than many care settings, but the toolkit still expects clear evidence. Key items include:

  • A named information governance and Caldicott lead, with clear accountability
  • Up-to-date data protection and confidentiality policies reflecting how the practice works
  • Annual staff training records covering all clinical and administrative staff, including new starters
  • An information asset register and a record of processing activities
  • Access controls across clinical systems, with a robust joiners, movers and leavers process
  • Tested backups and secure configuration of devices
  • An incident and breach response procedure, including awareness of ICO reporting within 72 hours
  • Data sharing agreements with partners, and supplier assurance for systems that process patient data

Our DSPT evidence checklist covers each of these in detail.

Common sticking points for practices

Sticking pointWhat helps
Multiple clinical systemsMap access and leavers processes across all of them
Locums and shared staffConfirm training and time-limited access
Branch sitesInclude every site in your asset register and controls
Smart cards and shared devicesEvidence secure configuration and account management
Reliance on the CCG/ICS IT teamDocument who owns which control

Several of these echo the common DSPT mistakes we see across primary care.

The deadline and annual cycle

The standard annual deadline is 30 June, and the toolkit resets each year. Because practices juggle many priorities, it helps to keep a live evidence pack rather than starting fresh each spring. Our guide to the DSPT deadline and annual cycle sets out a sensible rhythm, and what happens if you miss the deadline explains the risks of slipping.

Aim for Standards Met

Your target is Standards Met rather than stopping at Approaching Standards, which leaves work outstanding. Given how central NHS system access is to a practice, reaching Standards Met with time to spare is well worth the effort. See our guide on Standards Met vs Approaching Standards.

Strengthening your technical controls

Many of the DSPT’s technical assertions — patching, anti-malware, secure configuration, access management — align with Cyber Essentials. Certification gives you independent evidence and can streamline these answers. Our guide on how the DSPT and Cyber Essentials relate explains the overlap, and the glossary covers any unfamiliar terms.

Sharing the load across the team

In a practice, the DSPT works best when it isn’t left solely to the practice manager. Your Caldicott lead can own the information governance side, your reception and administrative team can help maintain training records, and whoever manages your clinical systems can confirm access controls and secure configuration. Spreading ownership not only lightens the load but also produces stronger, more accurate evidence, because the people closest to each control are the ones confirming it. A short annual meeting to review your DSPT position keeps everyone aligned and surfaces any gaps well before June.

The value of keeping evidence live

Practices generate a lot of the necessary evidence naturally — training completions, access changes, incident logs — but that evidence is only useful for the DSPT if it’s findable when you need it. Keeping a single, well-organised evidence pack, refreshed through the year, means renewal is a quick confirmation rather than a scramble to reconstruct records. It also helps if you’re ever asked to demonstrate a control: you can produce the log or agreement immediately rather than searching across systems. This discipline pays off every year the toolkit resets, and it strengthens your wider information-governance position at the same time.

Check where you stand

Our DSPT readiness checker gives you a quick read on how much work is ahead in just a few minutes.

Getting the most from your systems and support

Practices rarely start from zero. Your clinical system suppliers, your ICS digital team and any managed IT provider all play a part in your data security, and much of the technical evidence the DSPT expects may already exist within those arrangements. The key is to know who owns which control and to be able to point to the evidence. Ask your IT support to confirm how devices are patched and protected, ask your clinical system supplier about their own security assurance, and record those answers. Mapping this out once means you’re not rediscovering it at every renewal, and it removes the uncertainty that often surrounds the technical assertions.

Keeping it steady year on year

Because the toolkit resets annually, the practices that find it easiest are the ones that keep their evidence current rather than rebuilding it each spring. Store your policies, training log, asset register, data sharing agreements and incident log together, each with a review date, and treat renewal as a confirmation exercise. This steadiness also protects continuity: if your practice manager or IG lead changes, a well-maintained evidence pack means the knowledge doesn’t leave with them, and your submission stays on track regardless.

How we can help

Even well-organised practices value a clear, methodical approach to the DSPT — especially when the team is stretched. We offer a transparent, fixed-fee engagement that maps your existing governance against every assertion, flags any gaps, and supports you through to submission. Explore our DSPT service or get in touch for a straightforward conversation about where you stand.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.