The NHS DSP Toolkit Deadline Is 30 June: The Website Parts You Shouldn't Overlook

Every year, GP practices in England complete the NHS Data Security and Protection Toolkit (DSP Toolkit) — a self-assessment confirming the practice is handling patient data securely and meeting the standards set by the Department of Health and Social Care. For the current year, the submission deadline is 30 June 2026.

Most of the DSP Toolkit has nothing to do with your website. It covers clinical systems, staff training, physical security and a great deal more. But a handful of the assertions do touch your practice website directly, and they’re easy to overlook when you’re focused on the bigger items. This article walks through the website-related parts so you can be confident that side is covered before you submit.

What the DSP Toolkit is, and why 30 June matters

The DSP Toolkit is an online self-assessment tool. Every organisation with access to NHS patient data — including GP practices — completes it once a year to provide assurance that good data security practice is in place. It isn’t optional: it’s a contractual requirement, and your submission is visible to your ICB and other NHS bodies.

The 30 June 2026 deadline is the date by which this year’s assessment must be submitted. Leaving it to the final week is a common source of stress, particularly when an assertion turns out to need evidence you don’t have to hand. The website-related items below are quick to check well in advance.

The website-related parts of the DSP Toolkit

These are the areas where your practice website genuinely intersects with the DSP Toolkit. None of them are difficult, but each needs to be true and, ideally, evidenced.

1. Your privacy notice
Your practice must publish a clear privacy notice explaining how patient data is collected and used. The website is where patients expect to find it. Check that yours is present, current, and easy to reach — ideally linked from every page footer.

2. Cookie consent
If your website uses cookies or analytics, patients must be able to give or withhold consent. A compliant cookie banner, plus a cookie policy page, covers this. If your site sets analytics cookies before the patient has chosen, that’s a gap worth closing.

3. Secure hosting and HTTPS
Your website should be served entirely over HTTPS, with a valid certificate and no insecure pages. This protects any information patients submit through online forms and is a baseline expectation for any NHS-facing service. The security of the hosting underneath matters too — we covered that in our post on the NHS cyber alert about cPanel and WHM.

4. Accessibility
Providing information in a way every patient can access is part of handling data lawfully and inclusively. NHS GP practice websites are expected to meet WCAG 2.2 (AA) accessibility standards. An accessible site is also a data-protection positive: patients who can read and use your site are less likely to need to share information through less secure channels.

5. Website access control
Consider who can log in and edit your website. Editor accounts should belong to named individuals, use strong unique passwords, and be removed promptly when a staff member leaves. Shared logins are a common weak point.

A quick website self-check before you submit

Five questions to run through. If you can answer yes to all five, the website side of your DSP Toolkit is in good shape:

• Is our privacy notice published, current, and linked from the website footer?
• Does our website handle cookie consent compliantly, with a cookie policy page?
• Is the whole site served over HTTPS with a valid certificate?
• Does our website meet WCAG 2.2 (AA) accessibility standards?
• Are website editor accounts named, individually owned, and removed when staff leave?

What is not a website issue

It’s worth being clear about the limits. The DSP Toolkit is far broader than your website. The majority of its assertions cover areas a website provider has nothing to do with: the security of your clinical systems, staff information-governance training, physical security of the premises, business continuity planning, and backup of clinical records.

For those, your practice should follow the official DSP Toolkit guidance and draw on your ICB’s support. Treat the website as one contained part of a much larger picture. A web provider can give you confidence about the website slice; it can’t complete the toolkit for you.

What this means for Tree View Designs customers

If your practice website is built and hosted by Tree View Designs, the website-related items above are already handled as standard:

• HTTPS is enforced across the whole site
• Cookie consent and a cookie policy are built in
• Every site is built to WCAG 2.2 (AA) accessibility standards
• Privacy notice pages are part of the standard build
• Editor access is account-based, not shared logins

We’re also Cyber Essentials Plus accredited and align our own operations with the DSP Toolkit, which is the supplier-assurance evidence your practice may want to reference. You can read more about how we approach this on our security and compliance page. If you’d like anything specific for your submission, your usual support contact can help.

Closing thoughts

The website-related parts of the DSP Toolkit aren’t complicated, and they’re quick to verify. The value of checking them early is simply that: you remove a small but real source of last-minute deadline stress, and you can submit knowing that side is sound.

If you’re not certain whether your website side is covered, the five-question self-check above is the fastest way to find out. And if the answer to any of them is “not sure”, that’s worth raising with your website provider well before 30 June.

If you’d like a no-obligation second opinion on whether your practice website meets NHS standards, or you’re weighing up a provider who builds NHS compliance in as standard, get in touch. We’re always happy to talk it through.