Including DSPT requirements in Adult Social Care contracts

North West ADASS (NW ADASS) in partnership with Better Security, Better Care have developed a document to support adult social care commissioners to increase the implementation of the Data Security & Protection Toolkit (DSPT) across the adult social care market. 

It does this by providing example wording of DSPT requirements in adult social care contracts, and guidance on monitoring provider adherence to DSPT requirements as part of the Better Security, Better Care programme.

North West ADASS logo


The Better Security, Better Care programme is a national and local support programme to help adult social care providers to store and share information safely. It covers paper and digital records and focuses on helping care providers to complete the Data Security and Protection Toolkit – the annual, online self-assessment. NW ADASS works with councils in support of the programme to encourage providers to evaluate and improve their data and cyber security, follow best practice and meet their legal and regulatory requirements.


This document provides:

  1. Example ASC contract wording relating to DSPT requirements for councils to adopt and adapt as contracts are revised or renewed
  2. Guidance on the monitoring of provider adherence to DSPT requirements within contracts

In combination, the intention is that this should support commissioners to develop greater consistency across ASC contracts to drive improvements in data security and protection across the ASC market in the North West.

The following have been developed with input from colleagues at Wakefield, Tameside, Lancashire and Blackburn with Darwen Councils. With thanks to colleagues from the Institute of Public Care, Oxford Brookes University also for their invaluable input.


NHS Contract Wording

Some areas may choose to utilise or adapt NHS contract wording for adult social care providers. While there can be a variety of local reasons or benefits from this approach, there are a number of differences between the requirements of NHS providers and adult social care providers. This includes references to NICE Clinical Guidance such as 138, and terminology such as terms like ‘patient’. When developing joint contract wording local authorities may want to ensure that terminology and requirements are relevant across both health and social care sectors, or adapt these to avoid confusion.

Legislative Developments

A range of developments in data protection legislation have occurred between 2020 and 2022, and more changes are expected. The key change that may be worth noting is that, as of September 2022, only NHS organisations and local authorities are required to have a Caldicott Guardian. The Guidance about the appointment of Caldicott Guardians, their role and responsibilities, published by the National Data Guardian for Health and Social Care in August 2021 changes that, by widening the requirement to include organisations providing publicly funded adult social care or adult carer support. Now, these organisations are being asked to put in place a Caldicott Guardian, whether by appointing a member of their own staff or making other arrangements. The guidance states that:

  • Caldicott Guardians will operate differently depending on type or size of organisation (2.8 of NDG guidance).
  • An individual may undertake the Caldicott Guardian role in addition to another role or duty within their organisation (3.2 of NDG guidance).
  • Caldicott Guardians must be afforded the freedom to raise concerns at senior management or board level (6.3 of NDG guidance).
  • If it is not proportionate or feasible for an organisation to appoint a member of its own staff to the Caldicott Guardian role, it should arrange for the function to be provided in another way (3.4 of NDG guidance).
  • If an organisation chooses not to appoint a Caldicott Guardian, it should document this decision and the reasons for it (3.7 of NDG guidance).

Organisations are encouraged to be compliant with the NDG guidance by 30 June 2023. This includes registering the details of their Caldicott Guardian(s) on the Caldicott Guardian Register and providing details about its Caldicott Guardian(s) as part of their DSPT submission.


The DSPT requires providers to demonstrate their understanding and commitment to requirements such as the management and reporting of data breaches, and their processes for fulfilling these commitments. The suggested wording included here is intended to be concise and does not duplicate the content of the Toolkit in outlining or specifying individual requirements. A council may choose to emphasise certain requirements already included in DSPT compliance, but this wording does not provide this additional layer.

Suggested Contract Wording

General Responsibilities

The provider must nominate a Data Security and Protection Lead for their organisation. Information on what the responsibilities of this person are can be found here:

The provider must ensure that the Co-ordinating Commissioner is kept informed at all times of the identities and contact details of the Data Security and Protection Lead.

The provider may also have nominated additional roles for their organisation, for example a Data Protection Officer or a Caldicott Guardian. Information on the responsibilities of these roles can be found here: If so, the provider should ensure that the Co-ordinating Commissioner is kept informed at all times of the identities and contact details of these roles.

The Provider must complete and publish an annual self-assessment in accordance with and comply with the Data Security and Protection Toolkit (“the Toolkit”) produced by NHS Digital to a minimum of ‘Standards Met’ by 30th June each year. This enables health and social care organisations to assess themselves against the National Data Guardian’s Data Security Standards. The Service Provider shall ensure that Personal Data is processed in accordance with its annual DSPT submission. For the avoidance of doubt, this Clause applies even if a notification is not required under the GDPR.

The Provider must adopt and implement the National Data Guardian’s Data Security Standards and must comply with further Guidance issued by the Department of Health and Social Care, NHS England and/or NHS Digital pursuant to or in connection with those standards. The Provider must be able to demonstrate its compliance with those standards in accordance with the requirements and timescales set out in such Guidance.

Contract Monitoring

In order to monitor the Agreement and assess the quality and performance of the service being delivered, the Council may request evidence of a current Toolkit submission to the minimum of ‘Standards Met’ on an annual basis.

Guidance for Monitoring

In monitoring DSPT compliance Councils may, as suggested in the wording included, request evidence of a current Toolkit submission to the minimum of ‘Standards Met’ on an annual basis, and this is recommended.

Independent verification of DSP Toolkit compliance can also be undertaken searching the NHS Digital Data Security and Protection Toolkit organisation database using the Organisation Data Service (ODS) code, or organisation name for the individual site.

  • Download a copy of the guidance here.