 

FOI 2025/1492

Reference: FOI 2025/1492
Description: DSPT-Relevant Current & Incoming Suppliers
Date Requested: 03/12/2025
Date Replied: 05/01/2026
Category: Contract Management

Under the Freedom of Information Act 2000, please provide the following information:

 

  1. A list of all external suppliers, contractors, or partner organisations who currently fall within the remit of the NHS Data Security & Protection Toolkit (DSPT) for your organisation.

 

This includes any supplier that handles patient data, accesses NHS systems, or provides digital, software, cloud, data-processing, or cyber-security services requiring DSPT compliance.

 

  2. A list of any new, incoming, or planned suppliers (contracted or due to go live within the next 12 months) who will fall within the DSPT remit for the same reasons.

 

  3. For each supplier identified in Q1 or Q2, please confirm (if recorded):

– Whether they are required to maintain a “Standards Met” DSPT submission

– The date you last checked or verified their DSPT status (or expected verification date for new suppliers)

 

  4. Does your organisation maintain an internal register or log of DSPT-relevant suppliers (including planned or onboarding suppliers)?

– If yes, please provide the relevant extract.

– If no, please confirm that no such register exists.

 

  1. Healthcare Services

Providers delivering healthcare services are mandated to use the NHS Standard Contract for healthcare. Within this contract, there is a clause that specifies ‘The Provider must complete and publish an annual information governance assessment in accordance with, and comply with the mandatory requirements of, the NHS Data Security and Protection Toolkit, as applicable to the Services and the Provider’s organisation type.’ This applies to all providers on an NHS Standard Contract for healthcare – for NHS GM, this list of providers can be found on our website. Please see the healthcare services contract register under ‘Lists and Registers’ – https://gmintegratedcare.org.uk/publication-scheme/

 

Non-Healthcare Services

Providers delivering non-healthcare services are not mandated to use a specific contract. Before a contract with a supplier of non-healthcare services is signed, a Data Protection Impact Assessment (DPIA) proforma is undertaken to identify the need for a DPIA. This captures where the provider has completed, or is required to complete, the NHS Data Security and Protection Toolkit. The list below represents the suppliers NHS GM have contracted with for services, where it was identified a DPIA was required.

**An Excel document was sent to the requester with this response. If you require a copy of the full response, together with the attachments, please contact NHS GM’s FOI team – nhsgm.foi@nhs.net**

  2. NHS GM is unable to confirm new, incoming or planned suppliers. All new providers will be added to the ICB’s contracts registers once they are awarded.
  3. NHS GM are unable to provide the information requested by virtue of Section 12(1) of the FOI Act 2000.

Section 12(1)

Under the Freedom of Information Act 2000 (FOIA), this section of your request is exempt by virtue of the following exemption, Section 12(1). Section 12. — (1) Section 12(1) does not oblige a public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed the appropriate limit.

NHS GM consists of the 10 Greater Manchester localities: Bolton, Bury, Heywood, Middleton and Rochdale, Manchester, Oldham, Salford, Stockport, Tameside, Trafford and Wigan, which are the former Clinical Commissioning Groups (CCGs). They are also still responsible for commissioning some local services, and therefore documents are held on various databases. NHS GM would be required to review every contract individually to look at each DSPT status. Therefore, the cost of complying with your request would exceed the limit set by the Freedom of Information Act. As such, on this occasion it is with regret that NHS GM are not able to process this section of your request further.

The Freedom of Information Act allows Public Authorities to decline to answer FOI requests when we estimate it would cost us more than £450 (equivalent to 18 hours, calculated at £25 per hour) to identify, locate, extract, and then provide the information that has been asked for.

Although we cannot answer your request, we might be able to answer a refined request within the cost limit. For example, you may wish to consider determining a specific service that you wish to receive information about.

Please be aware that we cannot guarantee at this stage that a refined request will fall within the cost limit, but NHS GM would do our utmost to assist you.

  4. There is no specific register of DSPT-relevant suppliers held by NHS GM.

 

 
