
DSPT for care homes in 2026: the 4 most-failed standards and how to fix them

The 30 June 2026 deadline is four weeks away. Two new mandatory questions landed for 2025/26. Here are the four evidence items that catch out adult social care providers every year — and exactly how to clear each one, even if you're starting today.


I'm writing this on 3 June 2026, exactly four weeks before the DSPT submission window closes for the 2025/26 reporting year. Every year around now we field the same panic call from registered managers — usually after a domiciliary or residential provider has just realised that the toolkit they last touched in July 2025 has grown two new mandatory questions and a baseline interim that closed in December.

Good news: the DSPT for adult social care is well-engineered. The questions are answerable, the Digital Care Hub templates are genuinely usable, and Category 3 providers don't need a paid independent audit. The four items below are the ones we see fail most often when we come into a care home for a pre-submission review — and we've put them in the order we'd tackle them.

First, the moving parts you need to know about

Before we get to the four fails, three things have changed for 2025/26 that catch people out:

  • The deadline is 30 June 2026. A baseline interim submission was due 31 December 2025 — if you missed that, your final submission still counts, but it's a black mark on a commissioner's dashboard. Don't miss this one too. (NHS Standards Directory.)
  • Category 3 providers now answer 45 mandatory questions, up from 43. The two new items are 4.3.1 (administrator accountability agreement) and 7.1.1 (asset register). Both are on the list below. (Digital Care Hub: new mandatory questions for 2025/26.)
  • Standards Met is the target — Approaching Standards is the safety net. If you cannot evidence all 45 items by 30 June, you can publish at Approaching Standards (just the 27 mandatory items plus an auto-generated action plan). You can only do that once — second time around you need Standards Met. If you've already used your one Approaching publication in a previous year, you're back to Standards Met or nothing.

Right — the four most-failed items, in priority order.

Fail 1 — The asset register and Record of Processing Activities (new mandatory item 7.1.1)

This is the single most-failed DSPT item I see, and from 2025/26 it is genuinely mandatory rather than recommended. The toolkit wants a documented register that lists every hardware device, every piece of software, and every type of data your care home holds — reviewed at least once in the last twelve months.

Why it goes wrong: nobody owns it. The IT person knows the laptops, the registered manager knows the paper records, the care planning system supplier knows their bit, and nobody has it all in one place. When the question pops up in the toolkit, the honest answer is "we have most of it, somewhere," which doesn't tick the box.

What "good" looks like: a single spreadsheet (or a managed inventory in your IT system) that lists:

  • Every device that can access service-user data — laptops, desktops, the office iPad, mobile phones issued to seniors, the CCTV recorder, the on-premise server if you still have one
  • Every system holding personal data — care planning software (PCS, Nourish, Person Centred Software, etc.), payroll, HR, rota software, Microsoft 365 / Google Workspace, NHSmail, the camera system
  • For each item: who owns it, where it physically sits, what data it holds, how long that data is retained, and the security controls applied
  • A "last reviewed" date in the last twelve months, signed off by a named person

How to fix it in a week: download the Digital Care Hub's free Information Asset Register template, sit down with your registered manager and IT contact, and walk room by room through the care home filling it in. It's tedious but it's not technical. Where you've got cloud systems, the supplier's contract usually tells you most of what you need.
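
For the IT contact who keeps the register as a spreadsheet, a small check run before submission catches blank fields and stale review dates. This is an added example, not part of the Digital Care Hub template; the column names and the sample rows are assumptions constructed for illustration, mapped from the fields listed above.

```python
import csv
import io
from datetime import date, timedelta

# Column names are assumptions for this example, mapped from the fields listed above.
REQUIRED = ["owner", "location", "data_held", "retention", "controls", "reviewed_by"]

# Constructed sample register (not real data).
SAMPLE = """asset,type,owner,location,data_held,retention,controls,last_reviewed,reviewed_by
Office laptop 1,device,J. Smith,Manager's office,Care plans,8 years,Disk encryption; MFA,2026-05-12,J. Smith
Office iPad,device,,Reception,eMAR access,,Passcode,2026-05-12,J. Smith
CCTV recorder,device,A. Patel,Comms cupboard,Video footage,30 days,Locked room,2025-02-01,A. Patel
Care planning system,system,J. Smith,Cloud (supplier),Care plans; MAR,8 years,MFA; role-based access,not yet,
"""

def audit_register(csv_text, today):
    """Return (asset, problem) pairs for rows that would not evidence item 7.1.1."""
    findings = []
    cutoff = today - timedelta(days=365)  # "reviewed in the last twelve months"
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("asset") or "").strip() or "<unnamed row>"
        # Every row needs an owner, location, data held, retention, controls and sign-off.
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((name, f"missing {field}"))
        raw = (row.get("last_reviewed") or "").strip()
        try:
            reviewed = date.fromisoformat(raw)
        except ValueError:
            findings.append((name, "last_reviewed is not a date (YYYY-MM-DD)"))
            continue
        if reviewed > today:
            findings.append((name, "last_reviewed is in the future"))
        elif reviewed < cutoff:
            findings.append((name, f"review is stale ({reviewed.isoformat()})"))
    return findings

if __name__ == "__main__":
    for asset, problem in audit_register(SAMPLE, date(2026, 6, 3)):
        print(f"{asset}: {problem}")
```

An empty result means every row carries the fields above and a review date inside the last twelve months; it does not tell you whether a device is missing from the register altogether, which is what the room-by-room walk is for.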

Fail 2 — Staff training currency and records (questions in section 3)

Every adult social care provider knows staff need data security and protection training. Most have an LMS or an in-house programme that does it. Where the DSPT trips people up is the currency and the records — not the training itself.

Why it goes wrong: training was done eighteen months ago, certificates are filed in three different cabinets, the new starter from January never finished their induction module, and the role-specific training for the care planning admin was assumed but never recorded. When the toolkit asks for evidence that all staff have completed annual data security training, the honest count rarely reaches 100%.

What "good" looks like:

  • Annual data security and protection training for every member of staff — including agency, bank and volunteer staff if they touch service-user data
  • A central record (LMS export is ideal, a spreadsheet works) showing name, role, training module, date completed, and renewal date
  • Role-specific extras for anyone with system administrator access — usually a short course on phishing, password hygiene and account management
  • An induction module for new starters that has to be completed before they get system access — not after

How to fix it in a week: the NHS Digital e-learning is genuinely good and free. Set a deadline (we suggest two weekends out from your DSPT submission), email every member of staff their login, and chase the laggards from a single spreadsheet. For new starters, write a one-page induction checklist that says "no system access until rows 1–6 are signed off". Most providers can get to 100% in three weeks if the registered manager pushes it personally.

Fail 3 — Administrator account governance (new mandatory item 4.3.1)

This is the other new mandatory question for 2025/26 and it's the one I expect to catch the most providers off-guard. The toolkit wants written evidence that everyone with system administrator access — anyone who can add users, change permissions or see everything in a system — has signed an agreement holding them to a higher standard of confidentiality than ordinary staff.

Why it goes wrong: in most small care homes "system admin" isn't a job title — it's the registered manager, the deputy, the owner's son who set up the Wi-Fi, and the IT company's account. None of them has a signed document acknowledging that role. When the toolkit asks for one, there isn't one.

What "good" looks like:

  • A short, signed agreement (one page is fine) for every person who has admin access to your care planning system, Microsoft 365 / Google Workspace, NHSmail, rota or HR system, payroll, CCTV recorder, or the office router
  • The agreement spells out the higher confidentiality expectation, the requirement not to share credentials, the requirement to use MFA, and the requirement to report any suspected misuse
  • A list of who currently holds admin access, last reviewed in the last twelve months
  • For your MSP or IT supplier: their contract should already contain equivalent clauses — if it doesn't, get an addendum signed

How to fix it in a week: write or borrow a one-page admin user agreement (Digital Care Hub has templates, and we've a plain-English one we share with clients on request), list everyone who has admin access today, get them to sign it, and store the signed copies in your DSPT evidence folder. While you're doing it, remove admin access from anyone who doesn't genuinely need it — the principle of least privilege is one of the cleanest pieces of compliance work you can do in an afternoon.

Fail 4 — Business continuity that's been tested in the last twelve months (section 7)

Every care provider has a business continuity plan — CQC requires one. What the DSPT specifically asks for is that the data and cyber-security parts of that plan have been tested in the last twelve months, and that the test has been documented.

Why it goes wrong: the plan was written when the home opened (or when the last inspection was due), it lives in a binder in the office, and the test that's recorded is a fire drill from August. The toolkit isn't asking about fires — it's asking what happens if your care planning system goes down on a Friday evening, or if you get a ransomware demand on a Monday morning, or if NHSmail is locked because of a compromised password.

What "good" looks like:

  • A written plan that names: who you call if the IT goes down out of hours, where the paper backup of today's eMAR / care plans lives, how long you can run on paper before it becomes unsafe, and who decides to escalate to the CQC / local authority commissioner
  • A tabletop test in the last twelve months — usually a 45-minute meeting where you walk through a realistic scenario ("the care planning system is offline, what happens for the next four hours") and write down what you'd do
  • Documented backups of the data you'd need on paper — printed weekly MAR sheets, current resident summaries, emergency contact lists
  • A named recovery contact at your IT supplier, with their out-of-hours number on file (we publish ours; many MSPs don't)

How to fix it in a week: book a 60-minute meeting with the registered manager, the deputy, and one senior carer. Walk through one realistic scenario from start to finish — "the broadband is down, the care planning system is unreachable, the night shift starts in four hours." Write the answers in a Word doc. Save the date and attendees. That meeting is your tabletop test. Stick it in the DSPT evidence folder.

The order to do this in (with four weeks to go)

Week of | Focus | Outcome
Week 1 (3–9 June) | Asset register + admin account audit | One spreadsheet listing every device, system and admin user. Remove access nobody needs.
Week 2 (10–16 June) | Admin agreements signed; staff training push | Signed one-pagers from every admin. Training compliance pushed past 90%.
Week 3 (17–23 June) | Business continuity tabletop + remaining policy gaps | Documented 60-minute tabletop. Backups tested. Policy folder reviewed.
Week 4 (24–30 June) | DSPT walk-through, evidence upload, submission | All 45 mandatory items evidenced. Published before 30 June. Done.

That's a fortnight of registered-manager time plus a few hours of IT support across the month. It's not a re-build — it's a tidy-up.

What we tell clients in practice

If you're a Greater Manchester care provider and you've not opened the toolkit since last July, you've got time — but you need to start this week, not next. The fastest path is:

  1. Log in to dsptoolkit.nhs.uk today, take a look at your current status, and screenshot anything that's flagged red
  2. Aim for Standards Met. Only fall back to Approaching Standards if items 1 and 2 above genuinely won't be ready in time — and remember you only get one bite at that cherry
  3. Pair up the registered manager (who owns the people / training / policy items) with an IT supplier (who owns the technical evidence — patching, MFA, asset register, backup tests). The two of you do it together — neither can do it alone
  4. Submit by Friday 26 June if you can, not Monday 30 June. Last-minute submissions are where mistakes hide

If you'd like a 30-minute pre-submission review where we go through your current status and tell you what's missing — no obligation, no sales pitch — drop us a note. We've taken care providers across Manchester, Tameside, Stockport and Cheshire through the toolkit for years, and there's a particular calm that comes from knowing the boxes are ticked properly. June is a good month to get there.
