Example engagement — illustrative
DSPT for a domiciliary care provider with a mobile workforce
Domiciliary care provider (~120 care workers) · DSP Toolkit (DSPT)
The challenge
A home care agency whose staff worked from personal and shared mobile devices in the community struggled to show it controlled access to service-user data across a dispersed team.
What we did
- Scoped the correct social care profile and mapped where NHS and service-user data actually flowed
- Introduced a clear mobile and remote-working policy covering personal devices used in the community
- Set up unique logins, screen locks and remote wipe on the care-planning app, replacing shared credentials
- Delivered short, practical data security training suited to staff who are rarely at a desk
- Documented the incident and breach reporting route, including the 72-hour reporting expectation
The outcome
The provider achieved a Standards Met submission with access controls that genuinely reflected how its mobile team works.
Background
Domiciliary care presents a particular DSPT challenge: the data does not sit safely in one building. In this illustrative example, an agency with around 120 care workers ran electronic care plans on a mix of company and personal smartphones, with rotas and visit notes accessed on the move. The registered manager could describe good practice in principle, but the toolkit asks you to evidence that access to data is controlled — and shared logins and unmanaged personal devices made that hard to demonstrate.
What we did
We began by mapping where NHS and service-user data actually travelled: into the care-planning app, across NHSmail for GP liaison, and onto the phones staff carried between visits. That map made the real gaps obvious and stopped the project drifting into controls the agency did not need.
The centrepiece was replacing shared credentials with unique logins, then enabling screen locks and remote wipe on the care-planning app so a lost phone did not become a data breach. We wrote a plain mobile and remote-working policy that acknowledged the reality of personal devices rather than pretending they were not used, and paired it with short, practical training designed for staff who are rarely sitting at a computer. We also documented the incident and breach reporting route so any lost device or misdirected message had a clear path, including the expectation to report a notifiable personal data breach to the ICO within 72 hours. Our DSPT evidence checklist kept each assertion tied to something concrete.
Result
The agency published a Standards Met submission in which the access controls matched how the team genuinely operates, rather than a paper description that would not survive scrutiny. The manager also gained a repeatable onboarding routine — unique login, device set-up, short training — that keeps new starters compliant from day one.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.