Skip to content

DSPT for Domiciliary Care: A Home Care Provider's Compliance Guide

By Brian CrockerLast reviewed: 7 July 2026

If you manage a domiciliary care agency, the DSPT creates compliance requirements that residential care homes don't face. Your care workers access patient records while working in patients' homes, often over mobile networks, on devices that travel between multiple addresses every day. That combination — mobile workforce, dispersed data access, devices outside your premises — shapes everything about how you need to approach the DSPT.

Domiciliary care providers fall under Category 3 in the DSPT, the same category as residential care homes, pharmacies, and dental practices. The submission deadline is 30 June each year — the 2025/26 deadline is 30 June 2026. Category 3 requires approximately 42 mandatory evidence items across the 10 National Data Guardian standards, and no independent audit.

What makes domiciliary care different

Mobile devices holding patient data. Care workers in a residential home might access care planning software on a desktop or a tablet that never leaves the building. In domiciliary care, the device travels with the worker to every client visit. If a worker loses their phone or tablet, it may contain appointment schedules, care notes, or access credentials. Every device holding patient data needs to be encrypted — not just locked.

Data access in transit. Some domiciliary care workers use mobile apps to log care notes, medication administration, and visit times in real time. This data travels over the worker's mobile connection, through your care management software, and into your systems. The security of that transit depends partly on your software provider and partly on whether workers are using secure connections. Accessing patient records over a public Wi-Fi hotspot without a VPN or encrypted connection is a risk that needs addressing in your policies.

Workforce structure. Many domiciliary care agencies use a mix of employed staff, bank workers, and sometimes self-employed carers. Each person accessing patient data needs to be covered by your training records, your access controls, and your policy acknowledgements. Bank workers who work infrequently are a common gap — they may not have completed your annual training refresher, or their access may not have been reviewed recently.

Multiple client locations. Unlike a care home where data relates to residents on site, a domiciliary care agency's records span dozens or hundreds of client addresses. Business continuity planning needs to account for what happens if your care management software is unavailable — how do workers know where to go and what care is needed?

The evidence you'll need

Standard 1 — Personal confidential data: A system inventory showing which systems hold client and staff data, who accesses them, and at what level. For domiciliary care, this typically includes your care management platform, NHSmail (if used), and any scheduling or communication apps. Note which data is accessed in the field and on which device types.

Standard 2 — Staff responsibilities: A current data security policy covering mobile device use, remote access, and the specific risks of domiciliary care. Staff acknowledgement that they've read it — a signature sheet or email confirmation. Include bank and agency staff in your acknowledgement records.

Standard 3 — Training: All staff need an appropriate understanding of data security. The NHS e-Learning for Healthcare module is free and suitable for most care worker roles. You need a Training Needs Analysis (TNA) endorsed by senior leadership, delivery records for every staff member, and evidence that training was evaluated. Bank workers and infrequent staff are a common gap — document how they access and complete training.

Standard 4 — Managing data access: An access control register covering every system with patient data, your joiner/leaver process, and — new in v8 — a signed agreement holding your IT system administrators to higher standards of confidentiality (including any external IT provider that administers your systems). Your access register should cover field worker app accounts, not just back-office logins. Document what happens to system access when a carer leaves or moves to bank status.

Standard 5 — Process reviews: Dated review records showing your data security policies are reviewed annually. A review schedule with sign-off documentation is sufficient.

Standard 6 — Responding to incidents: An incident response procedure and an incident log. For domiciliary care, common incidents include lost or stolen mobile devices, care notes accessed on the wrong client, and messages sent to the wrong contact. Your procedure needs to address these field-based scenarios specifically, including reporting timelines and what constitutes a notifiable breach to the ICO.

Standard 7 — Continuity planning: A business continuity plan covering what happens if your care management software is unavailable. In domiciliary care, this is operationally critical: care workers need to know where to go and what care to deliver even if they can't access the digital system. Your plan needs paper-based backup procedures for visit schedules and essential care notes.

Standard 8 — Unsupported systems: All devices, including those used by field workers, should run supported operating systems. For employer-owned devices, your IT provider can confirm this. For bring-your-own-device arrangements, you'll need a policy addressing minimum OS requirements and how workers confirm their device meets them.

Standard 9 — IT protection: Firewall, anti-malware, encryption, patching, and multi-factor authentication for remote access. For domiciliary care, device encryption is particularly important: every device leaving your premises with patient data on it needs full-disk encryption. For employer-provided devices, your IT or device management provider can confirm this. For BYOD arrangements, document your policy and how workers confirm compliance.

Standard 10 — Accountable suppliers: Data processing agreements and assurance from suppliers handling client data. For domiciliary care, key suppliers include:

  • Your care management software provider
  • Your scheduling/workforce management platform
  • Your managed IT provider (if used)
  • Any cloud backup or storage service
  • Your NHSmail account (managed through NHS England — assurance typically comes via their own DSPT status)

Common evidence gaps

Device encryption for field workers. This is the most common gap in domiciliary care DSPT submissions. If care workers use employer-provided tablets or phones, your IT provider should be able to confirm that full-disk encryption is enabled. If workers use personal devices (BYOD), you need a policy requiring encryption and a way to confirm compliance. Assertion without evidence doesn't satisfy the DSPT.

Training for bank and temporary workers. Workers who cover shifts infrequently may not appear in your main training tracking system. Establish a process for confirming training status before a bank worker accesses patient systems, and keep records of how and when training was completed.

Incident log gaps. Small incidents — a care note uploaded to the wrong client profile, a scheduling message sent to the wrong carer — often go unrecorded. Your incident log doesn't need to record every minor administrative error, but it should capture anything involving patient data handled incorrectly. An empty log that clearly captures zero incidents is fine; an absent log suggests no incident-tracking process exists.

Getting your submission ready

Use the Category 3 evidence spreadsheet from the official v8 announcement page to work through your evidence systematically. Group the work:

  1. Policies and acknowledgements — update your data security policy to address domiciliary-specific risks, collect acknowledgements from all staff including bank workers.
  2. Training records — run a training needs analysis, confirm completion records for every worker, address gaps.
  3. Device inventory and assurance — confirm encryption for all devices; get assurance letters from your IT and care management software providers.
  4. Access controls — update your access register, check for leavers still with active accounts, and get your IT system administrators (internal and external) to sign the new v8 accountability agreement.
  5. Incident log and BCP — review your incident procedure and ensure your business continuity plan addresses field-specific scenarios.

For a structured checklist of the evidence items for your category, use our free evidence checklist generator. For a timeline to the submission deadline, use the DSPT deadline calculator.

Our DSPT for care homes guide covers the residential care context — many of the same standards apply, with different evidence challenges around fixed-premises operations.

FAQ

Do domiciliary care providers need to complete the DSPT? Yes. Any domiciliary care provider that handles NHS patient data, uses NHSmail, or connects to NHS systems must complete the DSPT annually. This applies even where all care is provided outside a fixed premises.

What DSPT category are domiciliary care providers in? Category 3, alongside residential care homes, pharmacies, dental practices, and opticians. Approximately 42 mandatory evidence items, no independent audit required.

How is the domiciliary care DSPT different from residential care homes? The 10 NDG standards are the same. The difference is in the evidence: domiciliary care workers access patient data in patients' homes on mobile devices, which introduces risks around device encryption, mobile data transmission, and field-worker training that don't exist for fixed-premises care homes.

What happens if a domiciliary care provider misses the DSPT deadline? A missing or out-of-date DSPT can affect your data sharing arrangements and ICB contract compliance. If you're at risk of missing the deadline, submit at Approaching Standards rather than not submitting. Check the DSPT help pages for current support options.

This guide is based on DSPT v8 (2025/26) requirements as published by NHS England. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.

Sources

Get guided DSPT compliance when we launch

Join the waitlist for early access to DSPTready — step-by-step DSPT guidance built for small providers.

No spam. Unsubscribe any time. Privacy policy