Information for Social Care Providers (updated 5 September 2018)

Citizen care and support relies on timely and secure information sharing and strong data security. All organisations should provide assurance that they are practicing good data security and that personal information is handled correctly. However, all too often information is still shared via post or fax. There are numerous examples of social care providers receiving important information about citizens in this way, which puts people at risk of coming to harm.


The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool for data security which supports organisations in demonstrating:

  1. General Data Protection Regulation (GDPR)  
  2. Compliance with the expected data security standards for health and social care for holding, processing or sharing personal data. 
  3. Readiness to access secure health and care digital methods of information sharing, such as NHSmail and Summary Care Records (a summary of GP information about an individual) and local information sharing solutions. 
  4. Good data security to the CQC as part of the Key lines of Enquiry (KLOEs).


The Department for Health and Social Care recommends that all social care providers complete the DSPT as they will hold, process or share personal data. Completing the DSPT is a contractual requirement for those who provide care through the NHS Standard Contract and the Toolkit helps all providers to demonstrate compliance for the GDPR, the CQC and supports information sharing.

We have worked with the Care Provider Alliance to develop the ‘Entry level’ for social care organisations, as it is understood that for many this will be a new process. ‘Entry level’ is a stepping stone to achieving at the ‘Standards Met’ level, will be time limited (subject to review) but will allow you to begin using NHSmail.


A document to help adult social care organisations with ODS codes is attached under 'Supporting documents'.


Actions to take

Step 1:

Register for the Data Security and Protection Toolkit (

Step 2:

Complete your organisation profile, you will be asked a series of questions about your organisation.

Step 3:

Read the Entry level evidence items ( and start pulling this information together.

Step 4:

Go to your assessment on Data Security and Protection Toolkit and start with the Entry level evidence items (


Registering and support available

Additional help is available on Requests for support can be made by email to or telephone 0300 3034034.

The Care Provider Alliance has also produced specific Care Provider Guidance and Templates on their website to complement the Toolkit. This resource contains a good overview of the Toolkit and other useful information.


Overview of levels in the Data Security and Protection Toolkit



 Entry Level

 Time-limited level (subject to review) for social care providers.

 Evidence items for critical legal requirements are being met; but some expected mandatory  requirements have not been met. (

 Allows access to NHSmail.

 Standards Met

 Evidence items for all mandatory expected requirements have been met.

 Access to NHSmail and other secure national digital solutions, e.g. Summary Care Records, and potentially local digital information sharing solutions.

 Standards Exceeded

 Evidence items for all mandatory expected requirements have been met.

 The organisation has external cyber security accreditation.

 Evidence of best practice.

 Critical Standards Not Met

 Evidence items for critical legal requirements have not been met by the organisation.

 No access to information sharing tools, e.g. NHSmail.