GP surgeries face the same multi-regulator data security landscape as dental practices, with the additional complexity of NHS contractual obligations, CQC registration requirements, and the specific sensitivity of primary care patient records. Understanding how these frameworks interact — and what genuine compliance with each of them requires — is essential for practice managers and GP principals who are responsible for the practice's regulatory posture.
The NHS Data Security and Protection Toolkit
The DSPT is mandatory for all GP practices with NHS contracts. It must be completed annually and submitted to NHS England. The toolkit maps to the National Data Guardian's Ten Data Security Standards and requires practices to demonstrate that they have implemented appropriate controls across staff training, data governance, cyber security, and business continuity.
For GP practices, Standard 6 (Cyber Attacks) and Standard 7 (Continuity Planning) are the standards most directly relevant to cyber security. Standard 6 requires that the organisation has processes to identify, report, and learn from cyber attacks and security breaches. Standard 7 requires that a business continuity plan exists, is tested, and covers cyber incident scenarios. Both standards require more than a theoretical commitment — they require documented processes that can be demonstrated to an assessor.
The DSPT completion levels — Approaching Standards and Standards Met — have different consequences. A practice that submits at Approaching Standards is flagging known gaps to NHS England, which triggers a requirement to provide an improvement plan. A practice that submits at Standards Met is declaring that all required controls are in place. Submitting at Standards Met without the controls to support the declaration is a materially inaccurate statement to NHS England. Following an incident that reveals the gap, the contractual and regulatory consequences are more serious than if the practice had honestly declared its position and submitted an improvement plan.
The Care Quality Commission
The CQC regulates GP practices under the Health and Social Care Act 2008 and assesses them against five key questions: safe, effective, caring, responsive, and well-led. The well-led domain includes assessment of governance arrangements, which encompasses information governance and cyber security.
CQC inspectors ask about data protection policies, information governance lead responsibilities, staff training completion, and data breach response procedures. A practice that cannot demonstrate these arrangements will receive findings under the well-led domain. Repeated or serious failures can result in requirement notices, warning notices, and — in the most serious cases — enforcement action that affects the practice's CQC registration.
The CQC and NHS England increasingly share intelligence about practices. A DSPT submission that reports significant gaps is visible to both. A CQC inspection that identifies serious information governance failures may trigger NHS England scrutiny of the practice's DSPT compliance position.
UK GDPR and the ICO: Special Category Data
All patient health records held by a GP practice are Special Category data under Article 9 of UK GDPR. The security obligation under Article 32 applies with heightened force to Special Category data. The ICO's guidance is explicit: the more sensitive the data, the more robust the technical measures must be.
The ICO has taken enforcement action against NHS primary care organisations — including individual GP practices — for security failures. Common findings in ICO enforcement decisions against primary care include: inadequate encryption on portable devices, failure to apply security patches to clinical systems, inadequate staff training, and — increasingly — the absence of any monitoring capability that would have allowed the practice to detect a breach.
The 72-hour notification obligation for personal data breaches is particularly challenging for GP practices because the systems at risk — the practice management system, NHSmail, and the Electronic Prescription Service (EPS) — are often shared infrastructure, so a compromise may not be immediately obvious to the practice. A security monitoring service that can rapidly establish the scope of a potential breach, together with a documented notification procedure that can be executed within the 72-hour window, is not merely good practice: it is the practical minimum for a practice handling the volume and sensitivity of data that a GP surgery holds.
The NHS Cyber Security Framework
NHS England's Cyber Security Strategy and the associated Cyber Resilience Framework establish expectations for NHS organisations that go beyond the DSPT minimum. The framework requires organisations to be able to protect, detect, respond, and recover — a four-stage model that explicitly recognises that prevention alone is insufficient and that detection and response capability is a required component of NHS cyber resilience.
For GP practices, this means that having antivirus installed is not a satisfactory answer to the question of whether the practice has adequate cyber security. Detection (the ability to identify a breach in progress) and response (the ability to contain it and notify appropriately) are requirements of the framework, just as they are of the DSPT and UK GDPR.
What Demonstrable Compliance Looks Like
The combination of DSPT, CQC, and ICO requirements converges on a consistent set of evidence requirements:
- A current DSPT submission at Standards Met, supported by the controls that the submission declares to be in place
- An information governance lead with documented responsibilities and evidence of relevant training
- Staff data security training records demonstrating annual completion
- A documented business continuity and incident response plan that explicitly covers cyber incidents, tested at least annually
- Cyber Essentials certification — NHS England has encouraged GP practices to achieve Cyber Essentials as a component of their DSPT submission
- Evidence of continuous security monitoring — monthly reports from a named analyst are the most credible form of ongoing detection capability evidence available to a small practice
DSPT Standards Met. CQC Well-Led. ICO Accountable.
SOC in a Box provides the continuous monitoring, Cyber Essentials certification, and monthly Confidence Score reports that address your DSPT, CQC, and ICO obligations in a single service. Your named analyst understands the NHS data security environment and produces the monthly evidence both your DSPT re-assessment and your CQC inspection depend on.