DSPT Compliance for Care Homes: Building the Evidence Trail

The Data Security and Protection Toolkit (DSPT) is an annual self-assessment framework published by NHS England. It requires every organisation that handles NHS patient data or connects to NHS systems to demonstrate that it meets defined data security and information governance standards.

For care homes, the obligation is broader than many operators realise. Residential and nursing providers that access NHSmail, use e-referral services, share data with local authority or NHS commissioners, or receive NHS-funded placements are all required to submit. If your home touches NHS data or systems in any meaningful way, a DSPT submission is almost certainly a requirement.

This article covers what the DSPT involves for care homes, where providers commonly struggle to build sufficient evidence, and how technology can make compliance a manageable, year-round process rather than an annual scramble.

What the DSPT Requires of Care Homes

The DSPT groups organisations into four categories. Residential care homes, nursing homes and domiciliary care providers fall into Category 3, alongside pharmacies and other community providers. This is the lightest of the four frameworks, with around 42 mandatory evidence items compared to the 166 or more required of NHS Trusts at Category 1.

Category 3 organisations are assessed against the National Data Guardian's 10 Data Security Standards rather than the more complex NCSC Cyber Assessment Framework applied to larger bodies. The submission process involves a self-assessment through the DSPT portal at dsptoolkit.nhs.uk, with evidence uploaded to support each assertion.

There are two submission statuses. "Approaching Standards" means the mandatory assertions are complete with minimum required evidence uploaded. "Standards Met" means all assertions, including non-mandatory items, are evidenced fully. Most care homes should target "Approaching Standards" as a floor and work toward "Standards Met" as evidence is strengthened over the course of the year.

What Evidence Category 3 Organisations Need to Produce

Version 8 of the DSPT, which became the active framework in September 2025, moved away from a simple checklist approach. The requirement is now to show that data security controls work in practice, not just that a policy document exists somewhere. For care homes, the key evidence areas are:

• Staff data security awareness training records showing that every member of staff has completed appropriate training within the last 12 months
• A digital asset register recording all hardware and software in use across the home
• A data protection policy that is current, accessible to staff, and reflected in day-to-day practice
• A business continuity plan covering data and system access during an incident, with evidence it has been reviewed and tested
• Evidence of appropriate access controls, demonstrating that staff can only access the data their role requires
• A process for reporting and responding to data security breaches and near misses
• Records of data sharing agreements with third-party software suppliers and other partners
• Confirmation that mobile devices and portable media are encrypted and actively managed

The shift to outcome-based evidence means that having a policy is no longer sufficient on its own. Inspectors and the DSPT portal both expect proof that the policy is implemented: training completion records, access review logs, breach reporting records, and so on.

Where Care Homes Commonly Fall Short

The same evidence gaps appear repeatedly when care homes approach their DSPT submission. Staff training records are frequently incomplete, particularly for agency and bank staff who may not appear in the main HR system. Information asset registers, now required as digital asset registers under version 8, are either missing or held in spreadsheets that have not been updated since they were first created.

Access control is another common weak point. Many care homes operate with informal IT arrangements where staff share logins or retain system access after leaving the organisation. The DSPT requires evidence that access is actively managed and reviewed, which demands more than a note in a folder.

Third-party supplier assurance has become increasingly scrutinised. If a home uses software for care planning, eMAR, finance or rostering, it needs to demonstrate that those suppliers handle data to an appropriate standard. This typically means obtaining and retaining evidence of each supplier's own compliance position, including DSPT submissions or equivalent certifications.

How Advantage and EdgeCare Support DSPT Compliance

Advantage is a Microsoft Solutions Partner, and EdgeCare is built on the Microsoft technology stack: Dynamics 365 Business Central and Customer Engagement, Power Platform, Microsoft 365 and Microsoft Copilot. That foundation matters for DSPT purposes because Microsoft maintains extensive data security and compliance certifications, including ISO 27001, SOC 2 and Cyber Essentials Plus. When a care home uses EdgeCare as its operational platform, several DSPT evidence requirements become considerably more straightforward to meet.

Audit trails and access logs

Dynamics 365 records a full audit trail of who accessed what data, when, and what changes were made. This provides exactly the kind of evidenced access management the DSPT requires, without needing to manually compile records from disconnected systems.

Role-based access control

EdgeCare is configured with role-based security, so staff see only the data appropriate to their function. A care worker accessing resident records does not have visibility of financial data. A finance manager cannot access clinical care notes without explicit authorisation. This structure supports the DSPT access control assertions and provides a clear, auditable record for submission.

Digital asset register

Version 8 introduced a requirement for a digital asset register covering hardware and software. For homes running on Microsoft 365 and Dynamics 365, the technology estate is already documented, licensed and under active management. Advantage can help produce the asset register in the format the DSPT requires.

Training records via Microsoft 365

Microsoft Viva Learning, integrated within Microsoft 365, allows care homes to assign, track and evidence staff training completion. DSPT-aligned data security awareness training can be delivered through the platform, with completion records automatically maintained and exportable for submission.

Business continuity and data resilience

Data held within Dynamics 365 and Microsoft 365 benefits from Microsoft's enterprise-grade backup, geo-redundancy and disaster recovery infrastructure. Advantage can help document these protections in the format required by the DSPT business continuity assertions.

Managed IT and cyber security

For care homes without in-house IT resource, Advantage's managed IT service provides ongoing device management, patching, endpoint security and monitoring. Our Secure365™ cyber security suite adds identity protection, email security and threat response on top of the Microsoft foundation. Together, these services address many of the technical assertions in the DSPT that smaller providers find hardest to evidence independently.

DSPT and CQC: the Compliance Connection

The DSPT does not sit in isolation from wider regulatory obligations. CQC inspectors are increasingly attentive to how care providers manage digital data, particularly as more clinical and operational information moves onto electronic systems. A well-evidenced DSPT submission demonstrates that a home has structured governance around data, which aligns directly with the Safe and Well-Led quality themes in the CQC assessment framework.

Local authorities conducting due diligence on care providers prior to contract award are also beginning to ask DSPT-related questions as part of their procurement process. For multi-site operators, having a consistent, technology-supported approach to DSPT compliance across all homes is far more manageable than coordinating evidence gathering manually across multiple locations. EdgeCare provides a single platform spanning the group, making compliance evidence available at group level without duplicating effort home by home.

A Practical Approach to Year-Round DSPT Compliance

The care homes that find the annual DSPT submission straightforward are not the ones that work hardest in the weeks before the deadline. They are the ones that maintain their evidence as a continuous discipline throughout the year. In practice, that means treating the 10 NDG standards not as a submission checklist but as an ongoing operational framework.

Staff training should be assigned and tracked through a system that records completion automatically. Access rights should be reviewed whenever someone joins, changes role or leaves. The digital asset register should be updated whenever hardware or software changes. The business continuity plan should be reviewed at least annually and tested in practice. Breach reporting should be embedded in team culture so that near misses are logged, not ignored.

When these disciplines are built into normal operational practice, the DSPT submission becomes a matter of pulling together evidence that already exists rather than creating it from scratch under time pressure.

To discuss how Advantage can help your home build a stronger DSPT compliance position, contact us on 020 3004 4600, email hello@advantage.co.uk, or book a free care home technology workshop.

Related Resources

EdgeCare - The AI Accelerator for Care Homes
Advantage Secure365™ Cyber Security
Managed IT Services
Cyber Security Intelligence Hub
Free Workshop for Care Homes