By Isabel De La Haye 6th of March 2024

4 min read

person using laptop computer
person using laptop computer

With the introduction of CQC’s new regulatory approach, the Single Assessment Framework (“SAF”), it is essential providers understand what the changes mean for them and how easy it may be for CQC to perform certain assessments remotely which may adversely affect their rating.

Understanding SAF’s Impact

Despite the reassuring narrative being delivered by CQC that neither the regulations themselves nor the 5 key questions have changed, the reality is there is a lot that is new. The Quality Statements, the Evidence Categories and the corresponding links to best practice guidance are new and whilst many care providers will already be able to provide evidence to demonstrate quality, some Evidence Categories require information which providers may not already have to hand, for example in relation to environmental sustainability under the well-led key question.

Underneath each key question sits a set of Quality Statements, expressed as ‘We’ statements, which describe what good care looks like. Importantly, where CQC refers to ‘people’ in these Quality Statements, it means people who use services, their families, friends and unpaid carers. Evidence Categories underpin the Quality Statements, and some best practice guidance has been made available for some Evidence Categories with CQC making clear its expectation that providers will be cognisant of and follow this guidance. Scoring will take place at Evidence Category level, feeding into the score for the relevant Quality Statement, which in turn translates into a rating at key question level.

Remote Assessments and DSPT

For some Evidence Categories, CQC will be able to perform remote assessments very easily and providers have questioned how CQC might be able to do this.

By way of example, under the key question ‘well-led’ there is a Quality Statement relating to governance, management and sustainability. CQC has provided a list of the corresponding evidence categories and best practice, one of which relates to the Data Security Protection Toolkit (“DSPT”). CQC simply states “We expect providers to be aware of and follow the following best practice guidance.” It is this expectation that represents a risk to providers and an opportunity for a remote assessment to easily determine if a provider is meeting CQC’s expectation.

The DSPT is an online tool that enables relevant organisations, including care providers, to self-assess their compliance against evidence and statements, and measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care. All CQC-registered care providers are expected to complete the DSPT process annually and there is support available from the Digital Care Hub to complete the process. Larger providers should check their DSPT is assigned to an Organisation Data Code (ODS) which can then be cascaded to their locations, franchises ordinarily would require their own individual ODS.

CQC highlighted in its December 2023 bulletin to providers that there is a free eLearning course for all staff working in adult social care services in England, importantly the course meets the training requirements within the DSPT.

Compliance and CQC Ratings

It is very simple for anyone, including the CQC, to check online if a provider has at least met the standards required within the DSPT.  It is currently unknown how negatively CQC would view a “standards not met” DSPT outcome or an organisation which has not registered and what their precise judgement and score would be.

In May 2023, DHSC published guidance named “Digital working in adult social care: What Good Looks Like” which states that care providers should “…complete the DSPT annually, to a minimum level of ‘standards met’ if you are CQC registered.”.

Data analysis from 1 December 2023 by Better Security, Better Care highlights that 32.65% of CQC registered locations are neither compliant with the DSPT nor approaching standards met.

 How will this impact CQC ratings?

Given that CQC’s expectation is that providers should be aware of and following the best practice guidance, it is likely that the Evidence Category score would be ‘1 – Evidence shows significant shortfalls’ or at best ‘2 – Evidence shows some shortfalls’ if the provider is not compliant with the DSPT.

The impact of a score of 1 or 2 at Evidence Category level is that CQC could use its professional judgement and determine the Quality Statement score should be limited. This in turn could impact a provider’s overall rating. If the key question score is within the good range, but there is a score of 1 for one or more Quality Statement scores, the rating is limited to Requires Improvement. If the key question score is within the Outstanding range, but there is a score of 1 or 2 for one or more Quality Statement scores, the rating is limited to Good.

It is vital providers familiarise themselves with the new SAF terminology, the best practice identified by CQC, and consider what evidence they will provide to CQC if asked – as well as what evidence CQC can obtain remotely and without provider involvement. The Better Security, Better Care team at the Digital Care Hub offer free one to one support to providers including to complete the DSPT.


The team of specialist care solicitors are supporting providers navigate the CQC changes.  You can join our mailing list for further updates here or get in touch to discuss how we can help you on 01202 786135 or