NHS DSPT Compliance Guide for Scottish Healthcare Organisations
TL;DR – What Scottish healthcare organisations need to know
- The DSPT (Version 8, 2025/26) submission deadline is 30 June 2026
- All organisations accessing NHS patient data or systems – including Scottish GP practices, dental practices, pharmacies, and independent providers – must submit annually
- The DSPT is based on the 10 National Data Guardian standards covering people, process, and technology
- Scotland has its own regulatory context: Healthcare Improvement Scotland (not CQC) and the Care Inspectorate are the relevant oversight bodies
- Cyber Essentials Plus certification earns you Standards Exceeded status on your submission
In May 2017, the WannaCry ransomware attack brought large parts of the NHS to a standstill. In Scotland, NHS Lanarkshire alone had almost 500 patient appointments and procedures cancelled, with more than 1,300 computers infected. Across the UK, the Department of Health and Social Care later put the total cost at £92 million in lost output and IT recovery (DHSC, October 2018). The threat has not receded since: the 2024 ransomware attack on NHS Dumfries and Galloway, a Scottish health board, led to approximately 3 terabytes of patient data being published on the dark web by the criminal group Inc Ransom (NHS Dumfries and Galloway, 2024).
This guide to NHS DSPT compliance in Scotland covers the requirements and how to meet them. The NHS Data Security and Protection Toolkit (DSPT) exists precisely to prevent incidents like these. It is both a compliance obligation and a practical security baseline: a structured framework that forces organisations to examine their people, processes, and technology before attackers do it for them. For Scottish healthcare organisations, however, the DSPT comes with important local context that purely England-focused guides routinely miss.
This guide is written for IT managers, practice managers, and information governance (IG) leads at Scottish GP practices, dental practices, pharmacies, NHS Scotland partner organisations, and independent healthcare providers. It covers the current version requirements, the Scotland-specific regulatory picture, evidence you will need, and the technical controls that trip most organisations up at Standard 9.
What Is the NHS DSPT and Who Must Complete It?
Cyber Essentials take-up remains limited: reporting cited by NHS Digital (2025) puts the share of UK businesses with 250 or more employees holding the baseline certification at only about 25%, which leaves gaps in supply-chain assurance. The DSPT is the NHS mechanism for closing that gap among organisations that handle patient data. It is an online self-assessment platform hosted at dsptoolkit.nhs.uk that enables any organisation handling NHS patient data or using NHS systems to demonstrate its data security and protection arrangements. As of 2025/26, the current version is Version 8, which extends the toolkit's alignment with the NCSC Cyber Assessment Framework (CAF), a shift from checklist compliance towards evidence-based, outcome-driven assurance (NHS England, September 2025).
Who must submit in Scotland?
The DSPT's scope is determined by data access, not by where your organisation is based. Any organisation that:
- Holds or processes NHS patient data (including data originating from NHS Scotland)
- Uses NHS digital systems such as NHSmail, e-Referrals, or the Summary Care Record
- Has a contract with NHS England or NHS Scotland that references DSP Toolkit compliance
…is required to submit annually. In a Scottish context, this includes:
- GP practices (whether on the GMS contract under section 17J or a section 17C agreement)
- Dental practices providing NHS dental services
- Community pharmacies delivering NHS Pharmacy First Scotland (the service that replaced the Minor Ailment Service)
- NHS Scotland partner organisations and commissioned independent providers
- IT suppliers with access to NHS systems or patient data
Our assessment: Scottish NHS boards often have specific legacy system integration and data sovereignty requirements that standard UK-wide DSPT advice ignores. A common misconception is that the DSPT is purely an NHS England requirement. In practice, Scottish independent healthcare providers that process NHS patient data, including those regulated by Healthcare Improvement Scotland (HIS) rather than the English Care Quality Commission, are bound by the same DSPT obligation. HIS is the Scottish equivalent of the CQC for independent healthcare scrutiny, and the Care Inspectorate regulates care services in Scotland. Neither HIS nor the Care Inspectorate exempts organisations from DSPT submission. If you access NHS data or systems, you submit, regardless of which UK nation you operate in.
The DSPT replaced the older IG (Information Governance) Toolkit in April 2018. Where the IG Toolkit focused primarily on governance process, the DSPT deliberately shifted weight towards cyber security controls – a response to WannaCry and the growing sophistication of attacks on health sector infrastructure.
What Are the 10 National Data Guardian Standards?
The DSIT Cyber Security Breaches Survey (2025) found that only a small fraction of UK SMEs hold baseline supply-chain certifications, and the NHS is tightening vendor risk management to prevent third-party breaches. A current Standards Met status is therefore also a competitive advantage in local tenders.
The DSPT is structured around 10 data security standards developed by the National Data Guardian (NDG). These are grouped under three leadership obligations: People, Process, and Technology. Every assertion in the DSPT maps back to one of these standards.
| Standard | Name | Key Requirement |
|---|---|---|
| 1 | Personal Confidential Data | All staff understand their duty of confidentiality; data flows are mapped |
| 2 | Staff Responsibilities | A named senior person is accountable for data security; roles are clearly defined |
| 3 | Training | All staff complete annual data security training; completion is tracked and evidenced |
| 4 | Managing Data Access | Access to systems and data is controlled, reviewed, and role-appropriate |
| 5 | Process Reviews | Processes that handle personal data are regularly reviewed for risks |
| 6 | Responding to Incidents | A documented incident response procedure is in place; incidents are reported |
| 7 | Continuity Planning | Business continuity and disaster recovery plans exist and are tested |
| 8 | Unsupported Systems | Unsupported software and hardware is identified and a risk-managed migration plan exists |
| 9 | IT Protection | Technical controls protect systems from cyber threats; Cyber Essentials alignment is required |
| 10 | Accountable Suppliers | Third-party suppliers with data access have appropriate contracts and assurances in place |
Standards 1 to 3 address your people; standards 4 to 7 your processes; standards 8 to 10 your technology. An unmet mandatory assertion in any pillar will prevent you reaching Standards Met.
How to Access and Set Up Your DSPT Account
URM Consulting (2026) reports that the average ICO fine for security breaches reached £1.45 million in 2025, a sign of how little tolerance the regulator has for healthcare data loss. DSPT compliance is how you evidence the baseline safeguards the ICO expects to see when it investigates, and it reduces your exposure to regulatory penalties.
The DSPT portal is accessed at dsptoolkit.nhs.uk. Registration requires your organisation’s ODS (Organisation Data Service) code, which is the unique identifier assigned to all NHS-connected organisations. GP practices, pharmacies, and dental practices in Scotland will already have ODS codes from their NHS contract.
To create or access your account:
- Navigate to dsptoolkit.nhs.uk and select Register.
- Enter your ODS code. If your organisation type is not listed or your code is not recognised, contact the DSPT helpdesk at exeter.helpdesk@nhs.net.
- Set up your organisation’s profile, including the contact details of the Senior Information Risk Owner (SIRO) – the board-level or senior management lead accountable for data security.
- Assign additional users (such as your IG lead or IT manager) within the portal – multiple users can contribute to the same submission.
Most Scottish GP practices will find their organisation is pre-populated from prior years. If you are new to the DSPT – perhaps an independent provider newly contracted to deliver NHS services – allow additional time for registration and account verification before the deadline.
What Is the Annual Submission Process (Step by Step)?
The DSPT runs on a fixed annual cycle (NHS Digital, 2025). For 2025/26 (Version 8), the key dates are:
- Submission window opens: September 2025
- Baseline submission deadline: 31 December 2025 (for NHS Trusts and designated OES organisations requiring independent CAF-aligned audits)
- Final submission deadline for all organisations: 30 June 2026
The submission process follows these steps:
- Log in to your DSPT account and confirm that your organisation profile is current.
- Review all mandatory assertions for your organisation type. Mandatory items must all be addressed; recommended items are good practice but do not block submission.
- Upload evidence against each assertion (see the next section for specifics).
- Self-assess your status – the portal will indicate whether your responses support Standards Met or Approaching Standards based on your answers.
- Have your SIRO review and sign off the assessment. The SIRO declaration is a formal confirmation that the submission is accurate.
- Publish your submission. An unpublished assessment has no standing – you must hit the Publish button before the deadline.
Do not rely on the portal to chase individuals. Set internal calendar reminders at 90, 60, and 30 days before the June deadline, and assign a named owner for each standard within your practice or organisation.
Evidence Requirements: What You Actually Need to Upload
The DSPT is a self-assessment (NHS Digital, 2025), but assertions are not taken on trust: you must be able to produce evidence on request, and some mandatory items require evidence to be uploaded directly to the portal. Understanding what counts as evidence is where many organisations struggle.
Commonly required evidence items by standard:
Standard 3 (Training): A training completion report from your IG/data security training platform, showing staff names, completion dates, and pass status. Completion certificates for the NHS England e-Learning for Healthcare (e-LfH) Data Security Awareness Level 1 module are widely accepted for GP and dental practices. Reconcile the report against your current staff list, not just the list of people who enrolled.
Standard 4 (Managing Data Access): An access control log, starters/leavers process documentation, or a screenshot from your Active Directory / NHSmail admin confirming accounts are reviewed. Evidence that leavers’ accounts are disabled promptly is a common audit focus.
Standard 6 (Responding to Incidents): A documented incident response policy (can be a simple Word document) and, ideally, a log of any incidents reported during the year – even if that log records zero incidents.
Standard 7 (Continuity Planning): A business continuity plan and evidence of a test or exercise within the past 12 months. For small practices, a documented tabletop walkthrough counts.
Standard 8 (Unsupported Systems): A current asset register identifying any software or hardware that has reached end-of-life, plus a documented risk acceptance or migration plan for anything still in use.
Standard 9 (IT Protection): Technical evidence of controls – see the dedicated section below.
Standard 10 (Accountable Suppliers): Evidence of Data Processing Agreements (DPAs) with all third-party suppliers who access personal data. Your clinical system supplier (in Scottish general practice, typically EMIS or Vision), your email provider, and any cloud storage vendor all require DPAs in place.
Standard 9: Cyber Security – What the DSPT Requires Technically
Standard 9 is the most technically demanding section of the DSPT and the one most commonly cited in failed or delayed submissions (NHS Digital, 2025). It requires that a strategy is in place to protect IT systems from cyber threats, based on a proven cyber security framework such as Cyber Essentials, and that this strategy is reviewed at least annually (National Data Guardian Data Security Standards).
The core technical controls Standard 9 expects to see in place are:
Firewalls and boundary protection. Your network must have a properly configured firewall separating it from the internet. For most small practices, this means a business-grade router/firewall with default-deny rules – not a consumer broadband router with factory settings.
Patch management. Operating systems and applications must be kept up to date. Standard 8 addresses systems that can no longer be patched at all; Standard 9 requires an active patching process for everything else. Cyber Essentials, which Standard 9 takes as its baseline, requires critical and high-severity updates to be applied within 14 days of release. Exported update policies from Windows Group Policy or Intune are acceptable evidence, and are stronger when paired with a compliance report showing that devices actually received the updates.
Multi-factor authentication (MFA). MFA must be enabled on any remote access to systems and on accounts with administrative privileges. For NHSmail-connected organisations, MFA is now enforced by default – but local systems (your clinical software admin account, your firewall management interface) also require MFA or compensating controls.
Endpoint protection. All devices accessing NHS systems or patient data must have up-to-date anti-malware protection. A centralised management console showing coverage and update status constitutes strong evidence.
Data backups. Regular, tested backups stored separately from primary systems (ideally offline or in a separate cloud tenancy, under credentials that a compromise of the production domain cannot reach) are required. Evidence should show that backups exist, are encrypted, and have been tested for restoration, including the date and outcome of the most recent restore test.
Alignment with Cyber Essentials. The DSPT explicitly references Cyber Essentials as the baseline framework for Standard 9. Holding a valid Cyber Essentials certificate satisfies the core technical control requirements. Holding Cyber Essentials Plus – the independently verified version – qualifies your organisation for Standards Exceeded status on your DSPT submission.
Our assessment: Scottish NHS boards often layer additional local governance requirements on top of the national DSPT framework, catching unprepared suppliers off guard. Scotland has its own Cyber Essentials delivery infrastructure through the Scottish Business Resilience Centre (SBRC), which can guide Scottish healthcare organisations through both Cyber Essentials certification and DSPT Standard 9 evidence gathering. The SBRC operates independently of NHS England bodies, so Scottish practices can access local, Scotland-based support rather than relying solely on England-centric resources.
The five Cyber Essentials technical controls – secure configuration, boundary firewalls and internet gateways, access controls, patch management, and malware protection – map directly to Standard 9 assertions. Preparing for Cyber Essentials and preparing Standard 9 evidence are, in practice, the same exercise.
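The thresholds above (critical and high-severity updates within 14 days, MFA on privileged and remote-access accounts, current anti-malware, supported operating systems) can be checked before you upload anything. The following script is an added example written for this guide, not part of the original article or any NHS tooling. It runs the checks over a constructed device export and a constructed account export; the CSV text, the column names, and the 7-day signature-age threshold are assumptions for illustration, not a real Intune, Active Directory or anti-malware console format.

```python
"""Standard 9 evidence pre-check over constructed inventory exports.

Given a device export (pending updates, anti-malware signature dates,
OS support status) and an account export (privilege, remote access, MFA),
returns the findings a Standard 9 reviewer would raise. The CSV text and
column names are constructed for this example; they are not a real
Intune, AD or AV console export.
"""
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14          # Cyber Essentials: critical/high fixes within 14 days
SIGNATURE_MAX_AGE_DAYS = 7      # assumption: definitions older than this are stale
PATCH_SEVERITIES = {"critical", "high"}

# Constructed sample exports (assumed column layout).
DEVICES_CSV = """\
hostname,os_supported,av_signature_date,pending_update,severity,update_released
RECEP-01,true,2026-02-11,KB5000001,critical,2026-01-20
GP-ROOM-2,true,2026-02-11,,,
GP-ROOM-3,true,2026-01-15,KB5000002,low,2026-01-05
NURSE-PC,false,2026-02-10,KB5000003,high,2026-02-05
"""

ACCOUNTS_CSV = """\
username,privileged,remote_access,mfa
jsmith,false,true,true
itadmin,true,false,false
fw-admin,true,false,true
locum1,false,true,false
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value):
    return value.strip().lower() == "true"


def device_findings(devices_csv, today_iso):
    """Patch-window breaches, stale signatures and unsupported OS, per device."""
    today = date.fromisoformat(today_iso)
    findings = []
    for d in _rows(devices_csv):
        host = d["hostname"]
        if not _flag(d["os_supported"]):
            # Unsupported OS belongs to Standard 8, but surfaces in the same inventory.
            findings.append(("Standard 8", host, "operating system out of support"))
        sig_age = (today - date.fromisoformat(d["av_signature_date"])).days
        if sig_age > SIGNATURE_MAX_AGE_DAYS:
            findings.append(("Standard 9 malware protection", host,
                             f"anti-malware signatures {sig_age} days old"))
        if d["pending_update"] and d["severity"].lower() in PATCH_SEVERITIES:
            age = (today - date.fromisoformat(d["update_released"])).days
            if age > PATCH_WINDOW_DAYS:
                findings.append(("Standard 9 patching", host,
                                 f"{d['pending_update']} ({d['severity']}) pending {age} days"))
    return findings


def account_findings(accounts_csv):
    """Privileged or remote-access accounts that do not have MFA enforced."""
    findings = []
    for a in _rows(accounts_csv):
        if _flag(a["mfa"]):
            continue
        if _flag(a["privileged"]):
            findings.append(("Standard 9 MFA", a["username"], "privileged account without MFA"))
        elif _flag(a["remote_access"]):
            findings.append(("Standard 9 MFA", a["username"], "remote access without MFA"))
    return findings


def standard9_report(devices_csv, accounts_csv, today_iso):
    """All findings, sorted by control then subject, ready to paste into an action log."""
    return sorted(device_findings(devices_csv, today_iso) + account_findings(accounts_csv))


if __name__ == "__main__":
    for control, subject, reason in standard9_report(DEVICES_CSV, ACCOUNTS_CSV, "2026-02-12"):
        print(f"{control:30} {subject:10} {reason}")
```

Run it on the real exports and the output is your pre-submission action list; the low-severity update on GP-ROOM-3 is deliberately not flagged, because the 14-day window applies to critical and high-severity fixes, while the still-in-window high-severity update on NURSE-PC is not a patching finding but the unsupported OS on the same machine is.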
Common Failures and How to Avoid Them
Analysis of DSPT submissions consistently reveals the same failure patterns across small and medium healthcare organisations, according to NHS Digital (2025). Knowing them in advance means you can address them before they block your submission.
Failure 1: Training not completed by all staff. Standard 3 requires evidence that every member of staff with access to patient data has completed annual data security training. A single lapsed completion – a receptionist who changed roles, a locum who was never enrolled – can block Standards Met. Build an automated monthly reminder into your HR or practice management system.
Failure 2: No evidence of leavers process. Access accounts that survive beyond an employee’s last working day are a significant security risk and a direct DSPT non-compliance under Standard 4. Maintain a documented starters/leavers log and conduct a quarterly access review – even in a small practice.
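Failures 1 and 2 (and the Standard 3 and Standard 4 evidence items above) are both reconciliation problems: the roster your HR records describe, the roster your training platform has seen, and the roster your directory still lets in should agree, and the exceptions are exactly what an auditor asks about. The script below is an added example written for this guide, not code from the original article or any NHS system. It reconciles a constructed staff list against a constructed training export and a constructed account export; the CSV text, the column names and the 90-day dormant-account threshold are assumptions for illustration, not a real HR, e-LfH or Active Directory/NHSmail export format.

```python
"""Standard 3 / Standard 4 evidence pre-check.

Reconciles an HR staff roster against a training-platform completion export
(Standard 3) and a directory account export (Standard 4) and returns the
exceptions a DSPT reviewer would ask about. The CSV text and column names
below are constructed for this example; they are not real HR, e-LfH or
AD/NHSmail exports.
"""
import csv
import io
from datetime import date, timedelta

TRAINING_VALID_DAYS = 365   # annual refresh required by Standard 3
INACTIVE_DAYS = 90          # assumption: dormant-account threshold for the access review

# Constructed sample exports (assumed column layout).
STAFF_CSV = """\
username,name,role,leaving_date
jsmith,Jane Smith,GP,
abrown,Alan Brown,Receptionist,
cwhite,Chloe White,Locum,
dgreen,Dan Green,Practice Nurse,2025-11-14
"""

TRAINING_CSV = """\
username,module,completed,passed
jsmith,Data Security Awareness Level 1,2025-09-02,yes
abrown,Data Security Awareness Level 1,2024-05-20,yes
dgreen,Data Security Awareness Level 1,2025-03-01,yes
"""

ACCOUNTS_CSV = """\
username,enabled,last_logon
jsmith,true,2026-02-10
abrown,true,2026-02-11
cwhite,true,2025-09-30
dgreen,true,2025-11-13
svc-backup,true,2025-06-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _day(value):
    return date.fromisoformat(value) if value else None


def _has_left(staff_row, today):
    left = _day(staff_row["leaving_date"])
    return left is not None and left <= today


def training_exceptions(staff_csv, training_csv, today_iso):
    """Current staff with no passed completion, or none within TRAINING_VALID_DAYS."""
    today = date.fromisoformat(today_iso)
    latest = {}                      # username -> most recent passed completion
    for r in _rows(training_csv):
        if r["passed"].strip().lower() == "yes":
            done = _day(r["completed"])
            if r["username"] not in latest or done > latest[r["username"]]:
                latest[r["username"]] = done
    cutoff = today - timedelta(days=TRAINING_VALID_DAYS)
    out = {}
    for s in _rows(staff_csv):
        if _has_left(s, today):
            continue                 # leavers are out of scope for training
        done = latest.get(s["username"])
        if done is None:
            out[s["username"]] = "no completion recorded"
        elif done < cutoff:
            out[s["username"]] = f"lapsed (last passed {done.isoformat()})"
    return out


def access_exceptions(staff_csv, accounts_csv, today_iso):
    """Enabled accounts that belong to leavers, to nobody on the roster, or are dormant."""
    today = date.fromisoformat(today_iso)
    staff = {s["username"]: s for s in _rows(staff_csv)}
    cutoff = today - timedelta(days=INACTIVE_DAYS)
    out = {}
    for a in _rows(accounts_csv):
        if a["enabled"].strip().lower() != "true":
            continue                 # disabled is the desired end state; nothing to flag
        user = a["username"]
        s = staff.get(user)
        if s is None:
            out[user] = "enabled account with no matching staff record"
        elif _has_left(s, today):
            out[user] = f"leaver ({s['leaving_date']}) still enabled"
        elif _day(a["last_logon"]) < cutoff:
            out[user] = f"no logon since {a['last_logon']}"
    return out


if __name__ == "__main__":
    for title, found in (("Standard 3", training_exceptions(STAFF_CSV, TRAINING_CSV, "2026-02-12")),
                         ("Standard 4", access_exceptions(STAFF_CSV, ACCOUNTS_CSV, "2026-02-12"))):
        print(title)
        for user, why in sorted(found.items()):
            print(f"  {user}: {why}")
```

Note the locum: enrolled nowhere, so the training check reports them, and dormant for months, so the access review reports them too, which is the pattern Failure 1 describes. The service account with no roster entry is reported rather than ignored; unowned enabled accounts are exactly what a quarterly access review should surface.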
Failure 3: Missing or unexecuted supplier DPAs. Standard 10 requires written data processing agreements with all suppliers handling personal data. Many practices have never formalised this with their CCTV provider, their appointment reminder service, or their accountancy software vendor. Conduct a data flow mapping exercise early in the cycle to identify all processors, then check your contract files.
Failure 4: No business continuity plan. Standard 7 requires a continuity plan and evidence of testing. For a single-handed GP practice, a two-page document describing what happens if your clinical system is unavailable – who calls who, where backups are located, how you revert to paper processes – is sufficient. The absence of any document, however, is an automatic fail.
Failure 5: Publishing deadline missed. Completing your assessment is not the same as submitting it. The Publish step in the portal must be completed before 30 June. Organisations that leave submission to the final week regularly encounter portal slowdowns as volume spikes. Aim to publish by mid-June at the latest.
After Submission: Addressing Assertions Not Met
If your submission results in Approaching Standards rather than Standards Met, this is not necessarily the end of the matter, but it has practical consequences. Approaching Standards is the minimum status that keeps NHSmail access and avoids an immediate breach of NHS Standard Contract obligations; Standards Met is what most NHS data sharing agreements actually require.
The Approaching Standards pathway is primarily designed for social care and smaller independent providers who are on a genuine improvement trajectory. It requires answering 27 mandatory questions and submitting an improvement plan detailing how you will achieve Standards Met. For most GP practices, dental practices, and pharmacies, the expectation from NHS England and NHS Scotland contract managers is Standards Met – not Approaching Standards.
If you identify gaps after submission:
- Document the gap and the date it was identified. This is evidence of active management, not negligence.
- Raise a corrective action within the DSPT portal or your internal IG log.
- Set a remediation timeline – most gaps can be closed within 30 days with appropriate resource.
- Inform your contract manager or commissioner if the gap relates to a standard that may affect your contract compliance status. Proactive notification is always better than waiting for an audit finding.
- Re-assess during the following year’s cycle with the corrective actions evidenced as complete.
DSPT is an annual cycle, not a one-time pass/fail event. Organisations that engage with it genuinely – tracking progress, addressing gaps, keeping evidence current – consistently find it less burdensome than those who treat it as a last-minute paper exercise.
Related Articles
- Cyber Security guide for Edinburgh businesses
- GDPR Cyber Security obligations Edinburgh
- Cyber Essentials certification Scotland
Frequently Asked Questions
Is DSPT mandatory for Scottish GP practices?
Yes. The DSPT is mandatory for all GP practices that have access to NHS patient data or NHS digital systems, regardless of which UK nation they operate in. Scottish GP practices, whether on the GMS (section 17J) contract or a section 17C agreement, hold data derived from NHS Scotland systems and are required to submit annually at dsptoolkit.nhs.uk. Non-submission can result in restrictions on NHS system access.
When is the DSPT submission deadline?
The final submission deadline for 2025/26 (Version 8) is 30 June 2026. NHS Trusts and organisations designated as Operators of Essential Services (OES) face an earlier baseline deadline of 31 December 2025 for independent CAF-aligned audit purposes. Most GP practices, dental practices, and pharmacies fall into the general submission category with the 30 June deadline.
What happens if we miss the DSPT deadline?
Missing the 30 June deadline means your organisation has no current, published DSPT assessment. This can result in contractual non-compliance under the NHS Standard Contract, potential suspension of NHSmail access, and complications with data sharing agreements that require a current DSPT submission as evidence of data security assurance. If you miss the deadline, publish as soon as possible and notify your NHS contract manager proactively.
Does achieving Cyber Essentials help with DSPT compliance?
Yes, significantly. Cyber Essentials covers the five core technical controls that Standard 9 of the DSPT requires: secure configuration, firewalls, access controls, patch management, and malware protection. Holding a current Cyber Essentials certificate satisfies the primary technical evidence requirements for Standard 9. Holding Cyber Essentials Plus (the independently audited version) elevates your DSPT status to Standards Exceeded – the highest available level.
What is the difference between “Standards Met” and “Approaching Standards”?
Standards Met means your organisation has fulfilled all mandatory requirements for your organisation type – every mandatory assertion answered, all required evidence available, SIRO sign-off complete. Approaching Standards applies to organisations (primarily social care providers) that are working towards Standards Met but have not yet completed all mandatory requirements; it requires submitting a formal improvement plan. For GP practices, dental practices, and pharmacies, the contractual expectation is Standards Met, not Approaching Standards.
What Are the Key Takeaways?
The NHS DSPT is not a tick-box exercise. It is the mechanism by which every organisation with access to NHS patient data – from NHS Lanarkshire to a single-handed GP practice in the Highlands – demonstrates that it takes data security seriously. The 2024 ransomware attack on NHS Dumfries and Galloway, which saw 3TB of patient data published on the dark web, illustrates what is at stake when that assurance is absent.
For Scottish healthcare organisations, the path to Standards Met is well-defined: register on the portal, work through the 10 NDG standards methodically, gather your evidence throughout the year rather than in the final two weeks of June, and address Standard 9’s technical controls with proper rigour. If your technical baseline needs strengthening before you can submit with confidence, Virtually Pro works with Scottish healthcare organisations on exactly this – from Cyber Essentials certification to DSPT-aligned technical remediation. The 30 June 2026 deadline is fixed. The controls you need are not complex. Start now.