NHS DSPT 2025/26 Compliance Guide
Last updated: May 2026

DSPT 2025/26: What GRC Leaders Need to Get Right Before 30 June

A practical guide for care homes, charities, community services, and other NHS-aligned organisations on completing the Data Security and Protection Toolkit before the deadline.

What is it?

What is the DSPT and why does it apply to your organisation?

Definition
Data Security and Protection Toolkit (DSPT)

A mandatory annual self-assessment required by NHS England for any organisation that handles health or care data, connects to NHS systems, or delivers services under an NHS or local authority contract. It measures performance against the National Data Guardian’s ten data security standards.

The DSPT applies well beyond NHS Trusts. If your organisation handles patient or service user data, or operates under an NHS or local authority contract, you are required to complete it. That includes:

  • Care homes and residential care providers
  • Domiciliary and home care services
  • Charities delivering health or care services
  • Community service providers
  • Hospices and specialist care organisations
  • GP practices and primary care networks
  • Community pharmacy organisations

Most of these organisations submit under Category 3 of the framework. The assessment is not a tick-box exercise. It requires evidence that your controls are genuinely in place and working.

The deadline for final submission is 30 June 2026. Missing or failing the submission has immediate operational consequences, not gradual ones.

If the deadline landed next week, would you be ready?

Most organisations do not ignore DSPT. It sits on the list, gets discussed, and there is usually a broad expectation that it will get done.

Then June arrives and the tone changes.

Questions start surfacing that no one can answer quickly. Where is the training evidence? Who last reviewed access permissions? Has anyone checked whether your suppliers meet the required standard?

At that point, the issue is whether the organisation can stand behind what it believes is in place. That gap between belief and proof is where pressure builds and where risk sits.

Free download

DSPT 2025/26 Evidence Checklist

A printable checklist mapping every Category 3 mandatory evidence item to where it typically lives. Used by our own consultants on engagements.

Operational Risk

Why DSPT carries more weight than most compliance work

Many compliance frameworks allow for a degree of slippage. A delayed internal audit or a late policy review tends to have a gradual impact. DSPT does not work that way. It is tied directly to your ability to operate within the NHS ecosystem. If a submission is not completed, or if compliance falls short, the consequences are immediate:

  • Access to NHSmail can be restricted, disrupting day-to-day communications
  • Connectivity to NHS systems and the Spine can be affected
  • Care providers can lose visibility of critical patient information
  • Pharmacies may be unable to process certain prescriptions
  • Contract renewals and commissioning approvals can be delayed or blocked

For anyone with responsibility for governance, risk, or compliance, whether that is a Finance Director, Operations Director, or a senior manager, this is not an abstract risk. It sits close to day-to-day operations, which makes the June deadline far more significant than it might initially appear.

Version 8 Updates

What has actually changed for 2025/26

On paper, the updates look measured. But several changes have a meaningful practical effect, and the underlying shift is significant: the DSPT now expects you to evidence that controls are working, not just that they exist on paper.

For example, in earlier versions you could meet the training requirement by stating that staff had access to e-learning. Under 2025/26, you need records showing who completed what, when, and how any gaps were managed. The same shift applies across access control, asset registers, and supplier assurance.

  • Senior leadership accountability: leaders are now expected to own and direct data security. Endorsing a policy is no longer sufficient; you must demonstrate active oversight.
  • Top three cyber and data risks: organisations must formally identify their top three risks, document them, and ensure that the accountable leaders are aware of them.
  • Asset registers: a maintained register of hardware, software, and data, reviewed within the last 12 months, is now a mandatory focus area. If yours does not exist or is out of date, it needs attention now.
  • Business continuity planning: plans must now explicitly include communications and data protection obligations. A generic BCP that predates this requirement will need updating.
  • Supplier contracts: contracts with suppliers who handle your data must now reflect GDPR compliance and DSPT completion requirements. Verbal assurances are not sufficient.
  • Training and awareness: a range of methods is now expected, not just an annual e-learning module. Records must show who completed what, when, and how gaps were managed.

The toolkit now aligns more closely with the NCSC Cyber Assessment Framework. It is no longer enough to state that a policy exists. You are expected to demonstrate that controls are working in practice and being maintained over time. If your organisation already holds Cyber Essentials Plus or ISO 27001, much of this evidence will already exist in a usable form.

The Reality

Where the real work sits

The questions in the toolkit are the straightforward part. The effort sits in gathering and validating the evidence behind them.

Training records

Often spread across different systems or held informally. The DSPT requires you to show who completed what, when, and how gaps were addressed.

Access control

Understood operationally but formal reviews and audit trails are harder to demonstrate. Access must be actively managed, not just assumed to be correct.

Policies and documentation

Often exist but may not have been reviewed recently, updated to reflect current practice, or formally acknowledged by staff.

Asset registers

Frequently incomplete or based on an out-of-date snapshot. A maintained register reviewed in the last 12 months is now a mandatory requirement.

  • 20–40 hours: what a first-time submission typically takes to complete
  • 10 National Data Guardian standards: what your submission must address
  • 30 June: final submission deadline for 2025/26

Individually, none of these gaps are difficult to address. Together, they create friction, particularly when time is limited. This is why leaving DSPT to June consistently creates pressure that could have been avoided.

The supplier question that catches organisations out

DSPT does not stop at your internal controls. It extends to the organisations you rely on to deliver IT services, host systems, or manage data on your behalf.

Under the 2025/26 requirements, supplier contracts must now comply with GDPR and reflect DSPT completion requirements. That creates a clear shift in accountability. Even where your internal position is strong, gaps in supplier assurance still sit with your organisation.

For those responsible for GRC, this raises a straightforward but uncomfortable question: you may trust your providers based on experience, but can you evidence that trust in a way that stands up to scrutiny?

If the answer is uncertain, that needs to be addressed before submission, not during it.

Completing DSPT is not the same as being confident in it

It is possible to complete DSPT and still feel uneasy about the result.

That tends to happen when the focus is on getting through the process rather than understanding what sits behind it. Evidence is gathered, documents are uploaded, and the submission is made, but there is still a sense that it was held together rather than fully controlled.

Confidence is different. It comes from knowing that training is genuinely embedded, that system access is actively managed, that asset registers are current, and that plans exist in a form that could be put to use under pressure. The submission itself is a requirement. The underlying position is what determines how the organisation responds if something goes wrong.

If the deadline were brought forward by a week, would you be confident?

Most organisations understand what DSPT requires. If you are uncertain about your current position, that uncertainty is where the risk sits today. A short readiness review gives you a clear answer without a drawn-out engagement.

To arrange one, email hello@bondgate.co.uk.

A Structured Approach

A more controlled way to approach the next few weeks

With the deadline approaching, the aim is not perfection. It is to regain control of the process and reach a submission you can stand behind.

01. Confirm your current position
Identify your DSPT category, review the evidence you already hold, and map where the gaps sit. You cannot address what you have not assessed.

02. Address the high-impact areas first
Training records, access control, asset registers, and MFA have the greatest effect when resolved early. These are also the areas most commonly queried on submission.

03. Update policies and documentation
Ensure they reflect what is actually happening in the organisation, not what was intended when they were written. Review supplier contracts against the new requirements.

04. Prepare for submission
Organise evidence so it aligns clearly with the toolkit, check for consistency, and make sure what is presented can be explained if challenged.

What’s included

Inside the Bondgate IT Readiness Review

A focused 90-minute session with one of our DSPT specialists. No charge, no obligation, no procurement involvement required.

  • Confirmation of your DSPT category and scope
  • Gap assessment against the 2025/26 mandatory items
  • Review of existing evidence and where it falls short
  • Top three risks for your organisation, documented
  • Prioritised action list with realistic timescales
  • Written summary you can take to your senior leadership

How We Help

How Bondgate IT supports this process

Bondgate IT works with care homes, charities, community service providers, and other NHS-aligned organisations managing competing operational priorities. DSPT is rarely the only pressure point, which is why it often gets pushed later than it should.

DSPT readiness assessment

We assess where you are, identify what is missing, and give you a clear picture of your position before you commit to a submission.

Technical controls

Access control, MFA, asset register management, and vulnerability scanning. We put the technical foundations in place and document them properly.

Governance and documentation

Policies, training records, incident response plans, and supplier contracts reviewed and updated to meet the 2025/26 requirements.

Submission support

We help you organise evidence, align it to the toolkit, and ensure the submission reflects reality rather than something held together under pressure.

The aim is not to take ownership away from your team. It is to ensure that when you submit, you understand what sits behind it and can stand behind it with confidence.

Common Questions

Frequently asked questions about DSPT

Do care homes have to complete the DSPT?
Yes. Any organisation that handles health or care data, accesses NHS systems, or delivers services under an NHS or local authority contract is required to complete the DSPT annually. Care homes typically submit under Category 3 of the framework. Failure to submit, or a submission that falls below the required standard, can result in restricted access to NHS systems and risk to contract renewals.
Does the DSPT apply to charities working with the NHS?
Yes. Charities that handle patient or service user data, or that deliver care services under NHS or local authority contracts, are required to complete the DSPT. The framework applies to the data you hold and the systems you access, not your legal structure. If your charity delivers health or care services, you are in scope.
What happens if we miss the DSPT deadline?
Missing or failing the DSPT submission can result in restricted access to NHSmail, loss of connectivity to NHS systems, inability to process certain referrals or prescriptions, and risk to contract renewals. The consequences are operational and immediate. For organisations that depend on NHS system access day to day, this is a significant operational risk.
How long does DSPT take to complete?
First-time submissions typically take between 20 and 40 hours. The questions themselves are straightforward. The time is spent gathering and organising evidence: training records, access control documentation, asset registers, incident response plans, and supplier contracts. Organisations that have structured their evidence in advance complete the process considerably faster.
What is the difference between DSPT and the Cyber Assessment Framework?
The DSPT is the NHS-specific annual self-assessment for organisations handling health and care data. The NCSC Cyber Assessment Framework (CAF) is a broader framework for assessing cyber resilience. For 2025/26, the DSPT has been aligned more closely with the CAF, which raises the bar for evidence. It is no longer sufficient to state that a control exists. You are expected to demonstrate it is working and being maintained.
Can Bondgate IT help us complete the DSPT?
Yes. We work with care homes, charities, community service providers, and other NHS-aligned organisations across the UK. Our support covers technical requirements, including MFA, access control, and asset registers, as well as the governance and documentation that underpin them. We start with a readiness review so you have a clear picture of where you stand before any work begins. Contact us on 01325 369 950 or via bondgate.co.uk/contact.
Next Step

Not sure where you stand? Start with clarity.

A short readiness review gives you a clear view of your current DSPT position, the gaps that need attention, and the next steps required to reach a confident submission. No drawn-out engagement. Just a straight answer.

Bondgate IT is ISO 27001 and Cyber Essentials certified, with over 26 years supporting regulated organisations across the UK.
