Skip to content
360 Cyber Compliance

Example engagement — illustrative

Helping a small care home reach Standards Met before the DSPT deadline

Residential care home (~35 beds) · DSP Toolkit (DSPT)

The challenge

A residential home relied on NHSmail for GP and pharmacy correspondence but had never completed the toolkit, and its NHS data flows were at risk with the 30 June deadline approaching.

What we did

  • Confirmed the correct organisation profile and ODS registration so the right assertion set was in view
  • Mapped existing evidence — policies, training records, backups — against each assertion to find the real gaps
  • Refreshed the information governance policy and rolled out annual data security awareness training for all staff
  • Tightened user access with unique logins, a joiners/movers/leavers process and confirmed working backups
  • Assembled a single evidence pack and completed the submission with the registered person's sign-off

The outcome

The home reached a Standards Met submission ahead of the 30 June deadline and kept its NHSmail access uninterrupted.

Background

This illustrative example is based on a common situation we see: a family-run residential home of around 35 beds that had grown steadily but never had a dedicated IT or information-governance lead. The registered manager knew the Data Security and Protection Toolkit existed, but the account had sat untouched since it was first registered. Correspondence with the local GP surgery and dispensing pharmacy ran through NHSmail, so a lapse would have meant chasing prescriptions and discharge notes by phone — a real safety and workload risk.

With only a few weeks left before the annual deadline, the manager was anxious that “Standards Met” felt out of reach and worried the toolkit was really an IT exercise in disguise.

What we did

We started with a short scoping call to confirm the home was on the correct social care profile, so time was not wasted answering assertions meant for larger organisations. From there the work was mostly governance and routine, not technology. We mapped what already existed — a data protection policy, some ad-hoc training notes, a backup arrangement with the IT support company — against each assertion, then worked through the gaps in priority order.

The biggest wins came from unglamorous things: giving every staff member a unique login rather than a shared one, writing down the joiners/movers/leavers process that already happened informally, recording that annual data security awareness training had actually been completed, and getting written confirmation that backups were running and had been test-restored. Our DSPT evidence checklist shaped the order of work so nothing was missed, and we steered the manager clear of the pitfalls set out in our note on common DSPT mistakes.

Result

Every declaration was backed by a document the manager could produce if asked, rather than an optimistic tick. The submission was published as Standards Met comfortably before 30 June, and — just as valuable — the evidence now lives in one place, so next year is an update rather than a scramble.

This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.

Facing something similar?

Book a free, no-obligation readiness check and we’ll map out your options.