Managed IT for UK private clinics, dental practices, GP surgeries and care providers. NHS Data Security and Protection Toolkit (DSPT) submission supported, clinical systems integrated properly, and the receptionist's PC working before the first patient walks in.
Inology IT supports UK private clinics, dental practices, GP surgeries and care providers across Greater Manchester as a registered NHS Data Security and Protection Toolkit (DSPT) supplier, with the same submission run annually for our own organisation. We support clinical systems — SystmOne, EMIS Web, Dentally, iSmile, Carestream — around their vendors, plus the network, devices, M365 integration and printing they sit on. Practice-day pre-checks mean front-desk PCs are logged in and connected before the first patient walks in. UK GDPR breach playbooks are documented and tabletop-tested, and CQC inspection evidence is kept live so visits stay short.
DSPT is mandatory for any organisation handling NHS patient data. The IT-related sections are dense, technical and unforgiving. We complete them with you (not for you — accountability stays with the practice) and provide the evidence pack the toolkit asks for.
SystmOne, EMIS, Dentally, iSmile — they're brittle, opinionated about networking, and intolerant of well-meaning IT changes. We've broken enough of them across enough practices to know how to keep them running. We escalate to TPP / EMIS / Dentally support cleanly when we need to.
Healthcare runs on a tight clock. If the front-desk PC isn't logged in and connected before the first patient walks in, the day is on the back foot for hours. We pre-deploy practice-day startup scripts and monitor key endpoints from before opening — failures wake us up, not your receptionist.
When a USB stick goes missing or a phishing click happens, the ICO has a 72-hour clock and the patients have a right to know. We provide a documented breach playbook, run a tabletop exercise annually, and step in within an hour when the worst happens.
We're not auditors and we don't pretend to be — but we know which IT-side evidence each of these standards expects, and we keep it ready.
Helpdesk, device care, monthly reporting. Practice-day pre-checks built in.
Tenant hardened for clinical use. Sensitivity labels for patient data. DLP rules for outbound mail.
Certification path with DSPT mapping. Most healthcare clients reuse 60% of CE+ evidence for DSPT.
Clinical data backed up to immutable storage. Restore tested quarterly. Retention aligned to records guidance.
We support an NHS-aligned dental practice in Tameside, a multi-site private clinic in Stockport, and a small care home group — but we haven't published yet because (a) healthcare clients are appropriately cautious about PR and (b) we want their full sign-off, not a sanitised summary. Ask for a private reference if you want one.
Ask for a reference →Yes. Inology completes its own DSPT submission annually as a supplier handling patient data. That listing means we can be added to your supplier roster without additional due-diligence work, and we know the technical evidence the toolkit asks for because we've answered the same questions ourselves.
We don't replace the vendor's first-line support — TPP for SystmOne, EMIS Health for EMIS Web, Dentally for Dentally — but we do everything around them. Network, devices, M365 integration, printing, scanning, signal capture for handheld devices. We escalate to vendor support cleanly with proper logs and reproduction steps.
Documented playbook. First hour: contain (isolate affected systems, preserve evidence), assess (scope of exposure, identifiable individuals), notify (your DPO, your senior partner, your ICO contact). 72-hour clock for ICO notification. We coordinate with your DPO and provide the technical evidence; the breach decisions stay with you, where they belong.
We maintain an evidence pack for both. CQC's IT-related questions are largely about access control, data protection and business continuity. ICO would dig deeper into specific incidents. Both have been visited at clients we support; both have left without significant findings on the IT side.
Yes, with conditional access. Personal device, MFA enforced, work data isolated in a managed app context (Outlook, Teams, OneDrive) with selective wipe on departure. They can't print to local printers without going through your network's secure print queue. It's the right balance — work happens, patient data doesn't leak.
Significant overlap. CE+ covers around 60% of DSPT's IT-related evidence. We typically run them together — CE+ first (3 months), then DSPT submission off the back of it. Practices that try DSPT alone often discover halfway through that they need to go back and do CE work first; doing them in sequence saves time.
It happens — the X-ray machine PC running Windows 7, the dental imaging workstation that needs a specific driver. We segregate these onto a controlled sub-network with no internet access, document the scope exclusion for CE+ and DSPT, and plan replacement when the clinical equipment refreshes. Honest scoping beats pretending the problem isn't there.
Documented offboarding workflow. Account disabled in Entra ID immediately, mailbox converted to shared, OneDrive contents transferred to manager, mobile devices remote-wiped, access to clinical systems revoked (we coordinate with your clinical-system vendor). Audit trail kept for 7 years. The whole process takes 10 minutes if you give us notice; an hour if it's emergency.
Healthcare, GPs & Care clients across Tameside, Stockport, Manchester. If you're outside Greater Manchester, we still might be a fit — see the service area.
Talk to Brett or Simon. 30 minutes, on the phone or video. No deck, no decision pressure — we'll tell you honestly whether we can help.