
10 February 2026 · 9 min read · Arviteni

DSPT for Care Homes: A Practical Guide to Compliance

What the Data Security and Protection Toolkit means for care homes, who needs to complete it, and how to approach your submission without the annual scramble.

Compliance
DSPT
Data Security
Care Homes


If you run or manage a care home, you have almost certainly heard of the DSPT. You may have been told you need to complete it. You may have started and given up. You may have submitted once and are now dreading doing it again.

The Data Security and Protection Toolkit is not optional for care providers who handle NHS data, and most do. But it does not need to be the annual scramble that so many care homes experience. This guide explains what the DSPT is, who needs to complete it, and how to approach it in a way that actually sticks.

What is the DSPT?

The Data Security and Protection Toolkit is an online self-assessment tool managed by NHS England. It replaced the old Information Governance Toolkit in 2018 and is designed to measure how well your organisation protects the personal data it handles.

The DSPT is based on the National Data Guardian's 10 data security standards, a set of principles covering everything from staff training to incident response to IT protection. Completing the DSPT means confirming that your organisation meets these standards and providing evidence to back that up.

You can access the toolkit at dsptoolkit.nhs.uk. For adult social care providers, a simplified version of the assessment is available with guidance from Digital Social Care.

Who needs to complete it?

Any organisation that has access to NHS patient data or NHS systems must complete the DSPT. For care homes, this includes providers who:

  • Receive NHS referrals or discharge summaries
  • Share care records with NHS partners
  • Use NHSmail for communication with GPs, hospitals, or commissioners
  • Access the Summary Care Record or shared care record platforms
  • Have NHS-funded residents

In practice, this covers most CQC-registered residential care homes and nursing homes. Even where it is not strictly mandatory, commissioners and Integrated Care Boards increasingly expect a current DSPT submission. Without one, your existing data-sharing arrangements may be at risk, and you will be at a disadvantage when competing for new placements and contracts.

DSPT statuses are publicly searchable. Commissioners, CQC inspectors, and NHS partners can check whether your care home has submitted and what status it achieved.

The 10 data security standards

The DSPT maps to the National Data Guardian's 10 standards. Understanding these helps you see that the toolkit is not just about technology. The majority of the standards focus on people and processes.

People and process standards:

  1. Personal confidential data: Staff handle personal data securely, and it is only accessible to those who need it for their role.
  2. Staff responsibilities: Everyone understands their obligations around data security and their accountability for breaches.
  3. Training: All staff complete annual data security awareness training. Free training is available through Digital Social Care and e-Learning for Health.
  4. Managing data access: Access to personal data is on a strict need-to-know basis, actively managed and regularly reviewed.
  5. Process reviews: Processes that have caused breaches or near misses are reviewed and improved at least annually.
  6. Responding to incidents: Cyber attacks are identified and resisted. Data breaches are reported to senior management within 12 hours, and significant incidents are reported to the ICO.
  7. Continuity planning: A tested plan exists for responding to threats to data security, including significant data breaches.

Technology standards:

  8. Unsupported systems: No unsupported operating systems, software, or browsers are used.
  9. IT protection: A strategy is in place for protecting IT systems from cyber threats, based on a framework such as Cyber Essentials.
  10. Accountable suppliers: IT suppliers are held accountable for protecting the data they process and meeting the data security standards.

The split matters. Many care homes assume the DSPT is purely a technical exercise and hand it to their IT provider. But seven of the ten standards are about how your staff handle data, how you train them, how you manage access, and how you respond when things go wrong. These are management responsibilities, not IT tasks.

The annual cycle

The DSPT operates on an annual submission cycle with a deadline of 30 June each year. The assessment covers the previous period, and your status must be maintained. It is not a one-off certification.

There are two main outcomes:

  • Standards Met: All mandatory assertions are confirmed with evidence.
  • Approaching Standards: A partial-completion status available for providers working towards full compliance.

The annual cycle is where most care homes struggle. The first submission is hard work, but the real challenge is doing it again the following year without starting from scratch. If your evidence gathering is not built into your ongoing processes, you will face the same scramble every June.

Common challenges for care homes

We work with care homes across the East Midlands, and the same challenges come up repeatedly.

No dedicated compliance staff. Most care homes do not have a Data Protection Officer or IT manager. The registered manager or office manager inherits the DSPT alongside everything else they are responsible for. The toolkit uses information governance terminology that can feel unfamiliar and daunting.

Staff training records. Standard 3 requires all staff to complete annual data security awareness training. With care sector turnover rates often exceeding 30%, keeping training records current is a constant challenge. New starters need training, leavers need removing, and the records need to be ready for both the DSPT submission and CQC inspections.

Shared accounts and passwords. Shared login credentials are extremely common in care settings. Staff share accounts for shift handovers, medication systems, or simply because it is easier. This directly contradicts the standards around data access and individual accountability.

Evidence, not just practice. Many care homes have reasonable processes in place but cannot prove it in the format the DSPT requires. The toolkit needs documented evidence, not just good intentions.

Mobile devices and personal phones. Care workers accessing sensitive data on personal phones, shared tablets, or unmanaged devices creates gaps against the data access and IT protection standards.

Supplier assurance. Standard 10 requires you to assess your IT suppliers' data security. Most care homes have never asked their software vendors for data processing agreements or security certifications.

How the DSPT connects to CQC

The CQC does not directly enforce DSPT compliance, but there is significant overlap. Under the CQC's assessment framework, inspectors assess data security arrangements, staff training on data handling, and how personal information is protected. This falls particularly under the "Safe" and "Well-led" key questions.

Having a current DSPT submission provides ready-made evidence for CQC inspections. It demonstrates that an independent assessment of data security standards has been met. Conversely, if a data breach occurs and your care home has no DSPT submission, this is likely to be viewed unfavourably by both the CQC and the ICO.

The work you do for the DSPT directly supports your CQC readiness. They are not separate exercises. They reinforce each other.

How the DSPT connects to Cyber Essentials

Standard 9 of the DSPT explicitly references Cyber Essentials as an example of a suitable cyber security framework. Having Cyber Essentials certification provides strong evidence for the technology-focused standards (8, 9, and 10), though it is not a requirement. The DSPT accepts other frameworks too.

If you are planning to pursue both, doing them together is more efficient than treating them as separate projects. Much of the evidence overlaps, and the technical work for Cyber Essentials directly supports your DSPT submission.

How to approach it without the scramble

The care homes that find the DSPT manageable are the ones that treat it as an ongoing process, not an annual event.

Start with a baseline assessment. Understand where you stand against each of the 10 standards before you try to complete the submission. This tells you how much work is ahead and lets you prioritise.

Build evidence gathering into your existing processes. Staff training records should be maintained as part of your normal HR and induction processes. Access reviews should happen when staff join, change role, or leave. Incident logs should be updated when incidents happen, not reconstructed months later.

Use Microsoft 365 properly. If you are running Microsoft 365 Business Premium, you already have tools that directly evidence DSPT compliance: Intune for device management, Conditional Access for access control, Defender for threat protection, and audit logs for accountability. The features just need configuring.

Get help where you need it. The DSPT is manageable, but it takes time and knowledge that many care home managers simply do not have spare. Working with a partner who understands both the toolkit and the realities of running a care home makes the process significantly less painful.
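As an added illustration, not part of the original post or of any tool the page describes, the Python script below shows what "building evidence gathering into existing processes" can look like for standards 3 and 4: it reconciles a staff roster (start and leave dates, last training date, directory account status) and reports staff whose annual training is overdue and leavers whose accounts were never disabled. The record layout, the 30-day induction grace period for new starters and the sample names are assumptions made for this example; the roster is constructed inline so the script runs offline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed record layout: one row per staff member, combining what the HR
# system knows (dates, role) with what the user directory knows (account
# enabled). The field names are this example's own, not a DSPT format.
@dataclass
class StaffRecord:
    name: str
    role: str
    start_date: date
    leave_date: Optional[date]      # None while still employed
    last_training: Optional[date]   # None if never completed
    account_enabled: bool           # directory account still active

TRAINING_VALIDITY = timedelta(days=365)  # annual training (standard 3)
NEW_STARTER_GRACE = timedelta(days=30)   # assumed induction window, not a DSPT rule

# Constructed sample roster; every name is fictitious.
AS_OF = date(2026, 6, 1)
SAMPLE_STAFF = [
    StaffRecord("Alice Example", "Nurse", date(2023, 1, 10), None, date(2025, 9, 15), True),
    StaffRecord("Bob Example", "Carer", date(2021, 5, 3), None, date(2025, 4, 20), True),
    StaffRecord("Carol Example", "Carer", date(2026, 5, 18), None, None, True),
    StaffRecord("Dan Example", "Admin", date(2024, 2, 1), date(2026, 3, 31), date(2025, 6, 1), True),
    StaffRecord("Eve Example", "Carer", date(2022, 8, 15), date(2026, 1, 15), date(2025, 2, 1), False),
    StaffRecord("Frank Example", "Carer", date(2026, 3, 2), None, None, True),
]


def is_employed(rec: StaffRecord, as_of: date) -> bool:
    """True if the person was in post on the given date."""
    return rec.start_date <= as_of and (rec.leave_date is None or rec.leave_date > as_of)


def training_gaps(records, as_of: date):
    """Employed staff whose training is missing or older than 12 months.

    New starters inside the assumed grace window are not flagged, so the
    report distinguishes 'not yet due' from 'overdue'."""
    gaps = []
    for rec in records:
        if not is_employed(rec, as_of):
            continue
        if rec.last_training is None:
            if as_of - rec.start_date > NEW_STARTER_GRACE:
                gaps.append((rec.name, "never trained"))
        elif as_of - rec.last_training > TRAINING_VALIDITY:
            gaps.append((rec.name, f"expired {rec.last_training.isoformat()}"))
    return gaps


def stale_accounts(records, as_of: date):
    """Leavers whose directory account is still enabled (standard 4)."""
    return [
        rec.name
        for rec in records
        if rec.leave_date is not None and rec.leave_date <= as_of and rec.account_enabled
    ]


def evidence_summary(records, as_of: date) -> dict:
    """One dict that can be exported as the dated evidence for a submission."""
    gaps = training_gaps(records, as_of)
    stale = stale_accounts(records, as_of)
    return {
        "as_of": as_of.isoformat(),
        "staff_in_post": sum(1 for r in records if is_employed(r, as_of)),
        "training_gaps": gaps,
        "stale_accounts": stale,
        "training_compliant": not gaps,
        "access_review_clean": not stale,
    }


if __name__ == "__main__":
    summary = evidence_summary(SAMPLE_STAFF, AS_OF)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run monthly against the real roster, the output is the training and access-review evidence already in the form the toolkit asks for, rather than something reconstructed the week before the June deadline.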

What happens if you do not submit

The consequences are practical rather than punitive, but they are real:

  • NHS data sharing may be blocked. ICBs and NHS trusts check DSPT status before establishing or renewing data-sharing agreements.
  • NHSmail access requires DSPT completion. Without it, your NHSmail accounts are at risk.
  • Commissioning disadvantage. Commissioners increasingly include DSPT compliance in tender requirements and contract renewals.
  • Reputational exposure. Your DSPT status is publicly searchable. Commissioners and partners can see whether you have submitted.

The direction of travel is clear. The DSPT is becoming a baseline expectation for all CQC-registered providers, not just those with formal NHS data-sharing agreements.

Getting started

If you have not submitted before, Digital Social Care provides free guidance, template policies, and training resources specifically for adult social care providers. This is a good starting point for understanding the requirements.

If you need hands-on support with the technology standards, Microsoft 365 configuration, and building processes that last beyond the first submission, our managed IT service includes DSPT compliance support as part of our ongoing partnership with care providers across the East Midlands.

The DSPT does not need to be a source of dread. With the right approach and the right support, it becomes a structured part of how you protect the people in your care.