How to prepare for a DSPT submission without the panic
A step-by-step guide to getting your Data Security and Protection Toolkit done calmly, correctly and on time
Authored by Thomas Andrew Porteus, MBCS
Originally published 9 Jul 2025
Meets Patient’s editorial guidelines
The words "DSPT submission" can strike dread into even the most organised practice managers. Every year, the requirement to complete NHS England’s Data Security and Protection Toolkit (DSPT) returns - and for many practices, it’s a last-minute scramble. But it doesn’t have to be. The DSPT is a practical framework to help you demonstrate that your practice is handling patient data safely and legally. When embedded into your regular governance calendar, it becomes far less of a burden - and far more of a tool for improvement. This guide walks you through how to prepare for your DSPT submission with minimal stress, including timelines, top tips, and common pitfalls to avoid.
What is the DSPT and why does it matter?
The DSPT is a self-assessment tool that every general practice in England must complete annually. It’s used to:
- Demonstrate compliance with data protection legislation.
- Confirm that your systems meet NHS security standards.
- Fulfil your obligations under the NHS contract.
- Provide assurance to commissioners, partners, and the CQC.
- Access NHSmail, shared care records, and other secure services.
Your submission status can affect your ability to collaborate with other providers - and failure to complete it may be flagged to your ICB. The deadline typically falls in March or June, depending on NHS England’s annual timetable.
Why panic happens - and how to avoid it
The DSPT covers a wide range of governance areas: cyber security, data sharing, smartcard use, policies, staff training, and more. The panic usually happens when:
- Tasks have been left to one person.
- Evidence isn’t saved or tracked throughout the year.
- There’s no clear timeline or delegated responsibilities.
- Policies haven’t been reviewed or updated in time.
- Staff haven’t completed the required training.
The trick is to treat the DSPT as a year-round process, not a one-off deadline.
How to prepare for your DSPT submission
1. Understand what’s required
Visit https://www.dsptoolkit.nhs.uk and register or log in with your practice ODS code. You’ll see a list of assertions, each with required evidence. Focus on achieving “Standards Met” - the minimum level for compliance. This means confirming:
- All staff have completed appropriate IG training.
- You have up-to-date policies and procedures.
- You’ve completed a baseline cyber security checklist.
- You’ve carried out a data protection impact assessment (DPIA).
- Your practice has business continuity plans in place.
The toolkit now includes simplified language and links to guidance for general practice - but it still takes time to navigate.
2. Create a DSPT working folder
Save all relevant evidence in one central location - ideally on your shared drive with restricted access. Create subfolders for:
- Policies (for example, IG, confidentiality, SARs, acceptable use).
- Staff training records.
- Risk assessments.
- DPIAs and audits.
- Incident logs.
- Data sharing agreements.
Use file names and versions that are easy to track. This will save hours when it’s time to upload or reference them.
3. Assign responsibilities and delegate
Don’t do it alone. Break the DSPT into sections and assign owners:
- Practice manager: overall coordination.
- IT lead: cyber checklist, smartcard access, backups.
- Caldicott Guardian: data sharing and confidentiality.
- Admin team lead: training logs, policy awareness.
- Reception lead: SAR and FOI log oversight.
A small planning meeting at the start of the year can help divide the load fairly.
4. Add it to your IG calendar
Use your IG calendar to spread the workload. For example:
- January: Review policies and DPIAs.
- February: Complete staff training refresher.
- March: Upload evidence and submit DSPT.
If you already run quarterly IG checks, use these as an opportunity to gather evidence throughout the year - not just in the final weeks.
5. Use support tools and templates
There’s no need to start from scratch. You can use:
- NHS England’s DSPT support pages.
- Templates from your ICB, CSU, or local DPO.
- Webinars or local drop-in support sessions.
- GP-specific guidance built into the DSPT website.
- NHS Digital’s IG Portal.
You can also view last year’s submission for reference - but avoid copying it forward without review.
What happens if you miss the deadline?
Failure to submit by the required date could result in:
- Flags on your contractual compliance.
- Loss of access to NHSmail or national systems.
- Extra scrutiny from the ICB or CQC.
- Delays in digital upgrades or data-sharing initiatives.
If you know you’ll struggle, speak to your ICB early - they may grant extensions or offer targeted support.
Final word: Make it manageable, not monumental
The DSPT is not just a bureaucratic hurdle - it’s a reflection of your practice’s approach to data safety, cyber resilience, and staff awareness. Done properly, it can prompt overdue reviews, help identify risks, and provide assurance to patients and partners alike. With a shared plan, a clear calendar, and a sensible folder system, your DSPT can stop being a source of panic - and start being a well-managed part of your annual governance cycle.
Article history
The information on this page is written and peer reviewed by qualified clinicians.
Next review due: 9 Jul 2028
9 Jul 2025 | Originally published