DSPT · 1 July 2026
DSPT for pharmacies: a practical guide
Community pharmacies rely on NHS systems every day — the Electronic Prescription Service, NHSmail and more — so a current Data Security and Protection Toolkit (DSPT) is essential. This guide explains what the toolkit means for a pharmacy specifically and how to approach it without an IT department.
Why pharmacies need the DSPT
Pharmacies handle prescriptions, patient medication records and personal data, and connect directly to core NHS systems. The Electronic Prescription Service (EPS) in particular sits at the centre of daily dispensing. The DSPT is how you demonstrate that all this sensitive data is protected to the expected standard.
A current DSPT keeps these NHS connections switched on, supports your obligations under UK GDPR, and gives patients and the NHS confidence in how you handle their information.
What a pharmacy needs to evidence
The toolkit is proportionate to your size, and much of what it asks for you’ll already have in some form. Key evidence includes:
- A named person responsible for data protection — often the superintendent, pharmacy owner or manager
- Data protection and confidentiality policies reflecting how the pharmacy operates
- Annual staff training records covering pharmacists, technicians, dispensers and counter staff, including new starters
- An information asset register listing patient and staff data, including EPS and PMR data
- Access controls for your patient medication record (PMR) system and NHS systems, with a leavers process
- Tested backups and secure configuration of devices and terminals
- An incident and breach procedure, with awareness of ICO reporting duties
- Supplier assurance for your PMR software and any third parties handling patient data
Our DSPT evidence checklist sets all of this out in detail.
Common sticking points for pharmacies
| Sticking point | What helps |
|---|---|
| Multiple branches | Include every site in your asset register and controls |
| Relief and locum staff | Confirm training and appropriate, time-limited access |
| Smart cards and shared terminals | Evidence secure configuration and account management |
| PMR and EPS reliance | Get written supplier assurance and processing agreements |
| No in-house IT | Lean on your software provider and consider certification |
These reflect the common DSPT mistakes we see across community pharmacy.
The deadline
The standard annual deadline is 30 June, and the toolkit resets each year. Given how busy a dispensary is, start a couple of months ahead and keep your evidence in one place so renewal is a quick refresh. Our guide to the DSPT deadline and annual cycle shows how to plan, and what happens if you miss the deadline explains the risks — which, for a pharmacy, can directly affect EPS access.
Aim for Standards Met
Your target is Standards Met rather than stopping at Approaching Standards, which leaves work outstanding. Because your dispensing depends on NHS connectivity, reaching Standards Met with time to spare matters. See our guide on Standards Met vs Approaching Standards.
Strengthening technical controls
Several DSPT assertions cover technical controls — patching, anti-malware, secure configuration and access management. Holding Cyber Essentials provides independent evidence for many of these and can streamline your answers. See our guide on how the DSPT and Cyber Essentials relate, and the glossary for any unfamiliar terms.
Why EPS access makes the DSPT non-negotiable
For most pharmacies, the strongest reason to stay on top of the DSPT is simple: your dispensing workflow depends on NHS connectivity. If your DSPT lapses and that access is affected, the disruption is immediate and felt at the counter. This makes the toolkit less of an administrative box-ticking exercise and more of an operational safeguard. Framing it that way with your team tends to help — keeping the DSPT current isn’t paperwork for its own sake, it’s protecting the systems the pharmacy runs on every single day.
Sharing the work across the team
The DSPT doesn’t have to fall entirely on the responsible pharmacist or owner. Technicians and dispensers can help maintain training records and confirm how they use the PMR and EPS; whoever manages your IT or software relationship can confirm secure configuration and access controls. Spreading ownership produces more accurate evidence and lightens the load. A short annual review with the team keeps everyone aligned and surfaces any gaps well before the 30 June deadline.
Keeping it easy each year
Because the toolkit resets annually, keeping your evidence in one organised place turns renewal into a quick refresh rather than a fresh start. Store your policies, training log, asset register, backup test records and incident log together, each with a review date. In a pharmacy with relief and locum staff, this discipline is especially valuable — it means your training and access records stay current regardless of who’s on the rota, and whoever completes the toolkit can find everything they need in one go.
Check where you stand
Our DSPT readiness checker gives you a quick read on how much work is ahead in just a few minutes.
How we can help
Most pharmacies don’t have a dedicated information governance lead, and the toolkit can feel like a distraction from serving patients. We offer a clear, fixed-fee engagement that maps your records against every assertion, tells you plainly what’s missing, and supports you through to submission. Explore our DSPT service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our DSP Toolkit (DSPT) service.