Commissioners and the DSPT

Local authority and NHS commissioners require the services that they commission to keep data safe.

Social care providers delivering work under an NHS contract must have reached at least Standards Met on the DSPT as it is a requirement within NHS England’s Standard Conditions Contract.

Local authorities are increasingly adding the requirement to have the DSPT in place to their contracts – and it is clearly the direction of travel.

Better Security, Better Care is working with ADASS and local authorities to explore how they can strengthen care providers’ data protection through their role as commissioners.

Including the DSPT in adult social care contracts

We worked with the North West Association of Directors of Adult Social Services (NW ADASS) to develop guidance to support Adult Social Care (ASC) Commissioners in increasing implementation of the Data Security and Protection Toolkit (DSPT) across the ASC market.

This is an important step that will help councils encourage adult social care providers to evaluate and improve their data security by completing their DSPT.

What Good Looks Like Framework

In May 2023, the government published guidance for care providers and local authorities on What Good Looks Like (WGGL) for digital working in adult social care.

The guidance details 7 success measures which provide common goals for organisations to work towards. The guidance is aimed at people who have a responsibility for digital transformation in local authorities.

Success Measure 3 – Safe Practice

This success measure details the importance of taking informed steps to protect people’s health and care information against cyber threats and data breaches. This includes making sure that staff are trained, the organisation has clear policies and processes, including business continuity plans, to respond to a data breach or cyber attack.

The guidance recommends that local authorities should:

  • work with providers to ensure robust resilience plans are in place, and there is confidence in responding to cyber and information governance incidents across the sector.
  • support the sector in safe practice and cyber security, and use contracting and commercial mechanisms to incentivise commissioned care providers to complete the Data Security and Protection Toolkit (DSPT), recognising that care providers are at different levels of digital maturity.
  • embed good cyber security practices, and complete the DSPT if processing health and care data.

The guidance recommends that care providers should:

  • complete the DSPT annually, to a minimum level of ‘standards met’ if  CQC registered. Non-CQC registered providers should use the DSPT to check and improve their data and cyber security arrangements.
  • make use of available free support and guidance through the Better Security, Better Care programme.

Case Studies – what are other Local Authorities doing?

Buckinghamshire Council’s Head of Integrated Commissioning writes a blog post on the value of supporting care providers to use the DSPT.

Durham County Council’s Supporting the Provider Market team speak to Digital Care Hub about what they’re doing to improve cyber security practices within their provider market.

What’s the difference between Cyber Essentials and the DSPT?

Some local authorities might ask providers for Cyber Essentials. Cyber Essentials is a useful resource that helps organisations to protect themselves from common cyber threats. The DSPT covers the same topics as cyber essentials, but also helps organisations to protect their data security arrangements and meet their minimum GDPR requirements.

The Local Government Association (LGA) recommends that “commissioners should support providers to complete the DSPT to Standards Met level”.  Other than including the DSPT in contracts, commissioners can also support providers by putting them in touch with their Local Support Organisation or signposting them to resources available from Better Security, Better Care.

Business Continuity Plan Audit Tool

Buckinghamshire Council have developed a business continuity plan audit tool which supports local authorities to check how robust a care provider’s business continuity plan is.

A robust business continuity plan that includes data protection and cyber security will help to minimise the impact of a data breach or cyber attack.

2024 webinar recordings

LA Commissioners: Why & How to Support Care Providers use the DSPT