The Data Security and Protection Toolkit (DSPT) is a free online self-assessment that every CQC-registered care home in England must complete. The deadline for the 2025-26 assessment is 30 June 2026. This guide explains what the DSPT actually asks, what your software needs to support, and how to prepare without drowning in jargon.
Speak to us about care home software · +44 7494 618 651 · Mon to Fri, 9am to 6pm
The Data Security and Protection Toolkit is an online self-assessment run by NHS England. It replaced the old Information Governance Toolkit in 2018. You complete it at dsptoolkit.nhs.uk, and it is free to use.
The purpose is straightforward. It checks that your care home handles personal data safely: resident records, staff information, medical details, and anything else that could cause harm if it were lost, stolen, or accessed by the wrong person. The assessment is based on the National Data Guardian's 10 Data Security Standards, grouped into three categories: People, Process, and Technology.
For care homes specifically, the DSPT uses a simplified version called Category 3. This means you face fewer questions than an NHS trust or a large hospital, but the expectations are still serious. The current version (Version 8, released September 2025) includes 35 assertions and 45 mandatory evidence items.
Yes. Completing the DSPT is legislatively mandatory under the Health and Social Care Act 2012, as amended by the Health and Care Act 2022. The Data (Use and Access) Act 2025 reinforces this further, introducing mandatory information technology standards for health and adult social care providers.
Every CQC-registered adult social care provider in England is expected to complete the DSPT annually. That includes residential care homes, nursing homes, and domiciliary care providers.
The DSPT runs on an annual cycle. For the 2025-26 assessment (Version 8), the submission deadline is 30 June 2026. If you miss it, several things happen.
Loss of NHSmail access. NHSmail is only available to CQC-registered providers who have achieved "Standards Met" on the DSPT. Without it, you lose a secure communication channel with GPs, pharmacies, and NHS services.
No proxy access to GP records. Care homes need DSPT at Standards Met to use proxy access for ordering medication and viewing resident GP records. Losing this means more phone calls, more faxes, and more delays in medication rounds.
No DSCR funding. Digital Social Care Records funding from the NHS requires your DSPT to be at Standards Met (or a commitment to achieve it within 12 months). If you are applying for government funding to offset your care home software costs, the DSPT is a prerequisite.
Commissioner confidence. Local authorities and Integrated Care Systems increasingly require DSPT compliance as part of their commissioning contracts. Non-compliance can affect your standing when contracts are renewed or new placements are made.
CQC expectations. While the DSPT is not formally part of the CQC inspection framework, having it at Standards Met provides ready-made evidence for the "Well-led" and "Safe" domains. Not having it raises questions inspectors will want answers to.
The 10 National Data Guardian standards sound technical, but most of them are about people and process rather than IT systems. Seven of the ten are things your team does day to day. Only three are purely technical. Here is what each one means in plain language.
Version 8 added two new mandatory requirements that were not in previous versions:
The DSPT and the CQC Single Assessment Framework are separate processes, but they overlap significantly. CQC assesses care homes against 34 quality statements across five key questions: Safe, Effective, Caring, Responsive, and Well-led. Data governance falls primarily under "Well-led", but evidence from the DSPT also supports "Safe".
From 9 February 2026, CQC rejects new registration applications that do not include key policies covering consent and data governance. If you are registering a new service, your digital records and data governance must be in order from day one.
Having your DSPT at Standards Met gives you a head start on CQC inspections. Much of the evidence you gather for the DSPT (training records, access control policies, incident logs, continuity plans) maps directly onto what inspectors ask for. It does not guarantee a good rating, but it removes a category of risk that would otherwise require additional preparation.
CQC is on track for 9,000 assessments by September 2026. If your home is due for inspection in that window, having a current DSPT submission strengthens your position considerably.
Your care home software is not a box-ticking exercise for the DSPT. It is the infrastructure that either supports compliance or undermines it. Here is what the DSPT expects your system to provide.
Every access to resident data, every edit, every deletion must be recorded with a timestamp and the name of the person who did it. These logs must be tamper-proof, meaning staff cannot go back and alter them. This directly supports Standards 4 and 6. If your current system does not produce a clear audit trail, it is a compliance gap.
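One way a system can make alteration of the audit trail detectable is to chain each entry to the one before it with a keyed hash. This is an added example, not code from any care platform or from the DSPT itself; the field names, the sample events and the idea of keeping the key and the latest MAC outside the application are assumptions for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value the first entry chains from
FIELDS = ("ts", "user", "action", "resource")

def _mac(key, prev, record):
    # Canonical JSON so an identical record always yields an identical MAC.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_entry(log, key, ts, user, action, resource):
    """Append one event, binding it to the MAC of the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    record = dict(zip(FIELDS, (ts, user, action, resource)))
    log.append({**record, "prev": prev, "mac": _mac(key, prev, record)})
    return log[-1]["mac"]  # new head; keep a copy outside the application

def verify_log(log, key, head=None):
    """Return the index of the first bad entry, len(log) if entries were
    cut from the end (head mismatch), or None when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {f: entry[f] for f in FIELDS}
        ok = entry["prev"] == prev and hmac.compare_digest(
            entry["mac"], _mac(key, prev, record))
        if not ok:
            return i
        prev = entry["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)
    return None

def sample_log(key):
    # Constructed events, not real data.
    log, head = [], None
    for ts, user, action, res in [
        ("2026-03-02T08:01:00", "a.khan", "view", "resident/12/care-plan"),
        ("2026-03-02T08:05:00", "a.khan", "edit", "resident/12/daily-notes"),
        ("2026-03-02T08:09:00", "j.smith", "delete", "resident/7/attachment"),
    ]:
        head = append_entry(log, key, ts, user, action, res)
    return log, head

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key lives outside the app
    log, head = sample_log(key)
    print(verify_log(log, key, head))
```

An edited or removed entry breaks the chain at that position; removing entries from the end is only caught when the stored head is supplied.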
Different staff roles need different levels of access. A carer needs to see care plans and record daily notes. A kitchen team member does not need to see medication records. An agency worker needs temporary access that is removed when their shift ends. Your software should enforce this automatically, not rely on trust.
No shared logins. Every person who accesses the system must have their own username and password. This is non-negotiable under Standard 4. If your software licences are priced per user and that makes individual accounts expensive, that is a cost problem, not an excuse to share credentials.
Resident data must be encrypted both at rest (when stored on a server or device) and in transit (when sent between devices or to the cloud). Standard 1 requires this. Most modern cloud-based care systems handle encryption automatically, but if you are using older software or local-only systems, check whether encryption is actually in place.
If a carer walks away from a tablet or desktop without logging out, the system should lock itself after a short period of inactivity. This prevents unauthorised access from unattended devices, which is one of the most common security gaps in care homes.
Your software should help you detect unusual activity (such as bulk data downloads or access outside normal hours) and provide the information you need to report a breach within the 72-hour DSPT requirement. If a breach occurs, you also need to report it to the ICO where applicable.
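The two signals named above, bulk access and access outside normal hours, can be checked over audit events as in this added example (not code from any care platform). The rota, the threshold of 5 distinct records in 10 minutes, the event fields and the sample events are all constructed assumptions; "normal hours" is taken per user from the rota because care homes are staffed around the clock.

```python
from datetime import datetime, timedelta

# Constructed rota (assumption): user -> (shift start hour, shift end hour).
ROTA = {"a.khan": (7, 19), "night.nurse": (19, 7)}
BULK_THRESHOLD = 5                    # distinct records; assumed value
BULK_WINDOW = timedelta(minutes=10)   # assumed value

def on_shift(user, ts):
    start, end = ROTA.get(user, (0, 0))  # unknown user: never on shift
    if start < end:
        return start <= ts.hour < end
    # Night shift wraps past midnight, e.g. 19:00 to 07:00.
    return start != end and (ts.hour >= start or ts.hour < end)

def detect(events):
    """Return (rule, user, timestamp) alerts for an iterable of audit events."""
    alerts, recent, flagged = [], {}, set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if not on_shift(user, ts):
            alerts.append(("out_of_hours", user, ev["ts"]))
        # Keep only this user's accesses inside the sliding window.
        window = [(t, r) for t, r in recent.get(user, []) if ts - t <= BULK_WINDOW]
        window.append((ts, ev["resource"]))
        recent[user] = window
        if len({r for _, r in window}) >= BULK_THRESHOLD:
            if user not in flagged:   # alert once per burst, not per event
                flagged.add(user)
                alerts.append(("bulk_access", user, ev["ts"]))
        else:
            flagged.discard(user)
    return alerts

def sample_events():
    # Constructed audit events, not real data.
    ev = [("2026-03-02T09:00:00", "a.khan", "resident/1"),
          ("2026-03-02T09:20:00", "a.khan", "resident/2"),
          ("2026-03-02T23:30:00", "a.khan", "resident/1"),
          ("2026-03-03T02:15:00", "night.nurse", "resident/3")]
    ev += [(f"2026-03-02T10:0{i}:00", "a.khan", f"resident/{10 + i}") for i in range(5)]
    return [{"ts": t, "user": u, "resource": r} for t, u, r in ev]

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Each alert carries the user and timestamp of the triggering event, which is the starting information for a breach report.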
Standard 7 requires a tested continuity plan. Your software must support regular backups, ideally automated, with the ability to restore data quickly if something goes wrong. Ask your provider: how often are backups taken, where are they stored, and how long does a full restore take?
Go to dsptoolkit.nhs.uk and register your organisation using your ODS (Organisation Data Service) code. If you do not have one, you can request it through the toolkit. Registration is free.
Most standalone care homes fall into Category 3, which is the simplified version with 35 assertions and 45 mandatory evidence items. Larger organisations or those processing data on behalf of the NHS may fall into a higher category. The toolkit tells you which category applies when you register.
All staff must complete annual data security awareness training. The free module on e-Learning for Health is accepted. Keep records of who completed it and when, because the DSPT asks for this as evidence.
Work through the assertions one by one. For each, you need to provide evidence that your home meets the standard. This might be a policy document, a screenshot from your software showing audit logs, a signed agreement from your IT provider, or a record of your last continuity plan test.
Make sure your admin accountability agreements are signed and your asset register is up to date. These are new for this year and easy to overlook.
Once all mandatory items are complete, submit your assessment. If you cannot complete everything in time, you can submit at "Approaching Standards" with an improvement plan. This is better than not submitting at all, but it does not give you access to NHSmail, proxy access, or DSCR funding.
You do not need to do this alone. The Digital Care Hub provides free guidance, templates, and walkthroughs specifically for social care providers. The Better Security, Better Care programme offers regional support. Your local ICS digital lead can also help.
Having supported care homes with their digital systems, we see these problems repeatedly.
Off-the-shelf care home platforms handle many DSPT requirements out of the box. But "out of the box" only works if the box fits your home. Where we see problems is in the gaps: systems that technically have audit logging but do not make it easy to extract the reports the DSPT asks for, access control that exists but cannot be configured granularly enough for your team structure, or backup systems that run but have never been tested for a real restore.
A bespoke system can be designed with DSPT compliance built into the architecture from the start. That means audit logs formatted the way the toolkit expects, role-based access that maps to your actual team roles (not generic templates), encryption that covers every data flow in and out of the system, and automated breach detection that triggers alerts rather than waiting for someone to notice.
This does not mean every care home needs a bespoke system. For many homes, a well-configured off-the-shelf platform is perfectly adequate. But if your current software is creating workarounds (manual logs, separate spreadsheets for asset tracking, shared logins because individual accounts are too expensive), those workarounds are exactly the gaps the DSPT is designed to expose.
The DSPT is not going away. It is legislatively mandatory, increasingly linked to CQC expectations, and a prerequisite for essential NHS services like NHSmail and proxy access. The 30 June 2026 deadline for Version 8 is approaching, and 31% of care providers are still not compliant.
The assessment itself is manageable. Most of what it asks is about good practice that your home should already be following: training staff, controlling who can access what, keeping records of incidents, and making sure your IT systems are secure and up to date. The technology side, while important, is only part of the picture.
Start with the free resources at the Digital Care Hub. Register at dsptoolkit.nhs.uk if you have not already. Work through the assertions methodically rather than leaving it until the last week of June. And if your software is making compliance harder than it needs to be, that is worth addressing sooner rather than later.