Each year, NHS England updates the Data Security and Protection Toolkit (DSPT) to reflect changes in legislation, cyber-threat intelligence, and best practice. The 2025/26 edition introduces several notable changes to mandatory assertions, evidence requirements, and the cyber security standard. This guide walks through everything you need to know ahead of the June 2026 submission deadline.
What is the DSPT?
The DSPT is an online self-assessment tool published by NHS England. Health and social care organisations that access NHS patient data or systems — including NHS trusts, GP practices, ICBs, and independent providers with NHS contracts — must complete an annual submission. The toolkit is built around ten National Data Guardian (NDG) data security standards, covering people, processes, and technology.
A compliant submission requires organisations to reach 'Standards Met' status across all ten standards. Organisations that reach 'Standards Exceeded' demonstrate a higher level of maturity. The submission window typically opens in April and closes in late June each year.
Key Changes for 2025/26
1. Cyber Security: Raised Evidence Bar
Standard 9 (Cyber Security) continues to be the area generating the most queries. For 2025/26, NHS England has aligned the mandatory assertions more closely with Cyber Essentials Plus, rather than the basic Cyber Essentials certification. Organisations will need to evidence:
- Multi-factor authentication (MFA) on all remote access and cloud services, with evidence that it is enforced
- A documented and tested patch management process, with evidence that critical patches are applied within 14 days
- An up-to-date asset inventory covering all endpoints, servers, and network devices
- Evidence of active mobile device management (MDM) for corporate devices
- Annual penetration testing for organisations in scope of the higher assertion tier
2. People: Updated Training Thresholds
Standard 1 (People) requires that all staff complete annual data security awareness training. For 2025/26, the threshold for 'Standards Met' has been reviewed. The current position is that:
- 95% of directly employed staff must complete the Data Security Awareness training by the submission deadline
- Bank, agency, and locum staff require a proportionate approach with documented processes
- New starters must complete training within 12 weeks of joining — evidence of an induction training process is now mandatory
- Evidence of a consequence management process for non-completion is required
3. Processes: Data Security Incident Reporting
Organisations must demonstrate that a clear data security incident reporting policy exists and that staff know how to use it. For 2025/26, the toolkit asks for evidence that:
- Near-misses are captured and reviewed, not just notifiable incidents
- Lessons learned from incidents are shared with staff and documented
- There is a named SIRO (Senior Information Risk Owner) and Caldicott Guardian where applicable, with documented sign-off of the organisation's approach to information risk
4. New: Supply Chain Assertions
Following the NCSC's increased focus on supply chain security, the 2025/26 DSPT introduces strengthened assertions around supplier management. Organisations must now evidence:
- A maintained register of all data processors and suppliers with access to patient or NHS system data
- Current Article 28-compliant Data Processing Agreements (DPAs) with all processors
- A process for reviewing supplier security posture — at minimum, reviewing DSPT or equivalent certification for NHS-connected suppliers
Submission Deadline and Consequences
The 2025/26 submission window is expected to close in late June 2026. Organisations that miss the deadline or fail to reach 'Standards Met' status may face:
- Inclusion on NHS England's published non-compliance list
- Reporting to ICBs (Integrated Care Boards) and NHS England regional teams
- Contract implications for independent providers with NHS commissioning
- Referral to the ICO if breaches of UK GDPR are identified during the submission process
How to Prepare
With the submission window typically opening in April, now is the time to:
- Review your training completion rates and chase outstanding completions
- Audit your DPA register and identify any suppliers missing valid agreements
- Confirm your Cyber Essentials certification is in date and evidenced in the toolkit
- Ensure your SIRO and Caldicott Guardian roles are documented and up to date
- Familiarise yourself with the updated assertions in the toolkit portal before starting your submission
Folelse automates DSPT evidence gathering and tracks your assertion status in real time. Start your free trial to see how much time you can save on this year's submission.