
Data Protection in Social Care Bids: 2026 Compliance

Data protection compliance is now a scored line on most council and NHS bids. The DPA 2018 versus 1998 pitfall, plus the DSP Toolkit threshold detail.


Data protection. The scored line where one outdated citation can lose the section. We have seen providers cite the Data Protection Act 1998 in 2025 submissions and lose marks across the entire governance section. This blog covers the DPA 2018 versus 1998 pitfall, the DSP Toolkit threshold, and the drafting discipline that scores 5/5.

This blog sits within our local authority tenders hub, which maps the standard governance scoring weightings across upper-tier councils, NHS Trusts and Integrated Care Boards.

The procurement context matters. Information governance scoring is now a contested line on every adult social care, children's services and NHS procurement issued under the Procurement Act 2023 Schedule 5 Light Touch Regime. The standstill (Alcatel) period allows unsuccessful bidders to test governance scoring, which means a weak data protection response is both a band-cap risk in the procurement and an audit-trail risk post-award.

What does data protection mean in a tender?

Compliance with the live regulatory frame. The Data Protection Act 2018 is the live UK statute. UK GDPR applies in parallel. The Data Protection Act 1998 was repealed on 25 May 2018; citing it is a clear evaluator-recognised compliance error.

For providers handling NHS data, the NHS Data Security and Protection Toolkit annual self-assessment is mandatory, with Standards Met as the baseline status.

Typical weighting on a council or NHS bid: 5-10% of total quality marks (split across IG, data protection, cyber). UK GDPR Article 6 (lawful basis for processing) and Article 9 (special category data, including health) are the two articles that bite hardest in social care, alongside DPA 2018 Schedule 1 Part 1 (special category processing conditions) and Schedule 1 Part 2 (substantial public interest conditions).

What buyers actually score

Four sub-criteria recurring across our register.

Sub-criterion 1: Statutory compliance

Direct. Does the provider name the correct statutory frame?

Top-band answer pattern. Named Data Protection Act 2018 compliance. Named UK GDPR compliance with Article 6(1)(e) or 6(1)(f) lawful basis, and Article 9(2)(h) special category condition for health and social care purposes. Named DPO or DPO service. Named Schedule 1 condition.

The named lawful basis matters because the evaluator can verify it against the provider's published privacy notice. A mismatch between the bid claim and the public privacy notice fails audit and feeds back into the scoring. The Information Commissioner's Office guidance on lawful basis assessment is the published reference.

Sub-criterion 2: DSP Toolkit status

Bound. Has the provider submitted the DSP Toolkit with Standards Met status?

Top-band answer pattern. Named DSP Toolkit organisation code (ODS code). Named submission date. Named Standards Met status. Named annual review cadence.

The Toolkit aligns to the National Data Guardian's 10 standards and overlaps with UK GDPR Article 32 (security of processing). Providers below Standards Met cap their NHS bidding scope until remediation closes. The DSP Toolkit Approaching Standards status is a transition flag; a credible action plan to Standards Met is the floor expectation.

Sub-criterion 3: Breach notification protocol

Bound. What is the named breach notification protocol?

Top-band answer pattern. Named 72-hour ICO notification protocol per UK GDPR Article 33. Named internal escalation route. Named affected data subject notification protocol under Article 34 where the breach is likely to result in a high risk to the rights and freedoms of natural persons. Named lessons-learned cycle post-breach using the Five-Beat Lessons-Learned cycle (Identification, Intervention, Outcome, Lessons, Policy Change).

The breach register is logged in the digital governance system (Radar Healthcare, Quality Compliance Systems) and reviewed by the Nominated Individual fortnightly. Regulation 17 (good governance) under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 binds the audit trail.

Sub-criterion 4: Subject rights handling

Bound. How does the provider handle subject access requests, rectification and erasure?

Top-band answer pattern. Named one-month response window per UK GDPR Article 12(3). Named SAR triage process. Named identity verification protocol. Named extension protocol (two further months for complex requests under Article 12(3)).

Special category data handling in care files requires the Article 9 condition to be in place before disclosure; the SAR triage process names the redaction protocol for third-party data under the "rights of others" exemption in DPA 2018 Schedule 2, Part 3 (paragraph 16). Note that Section 45 of the DPA 2018 is the right of access under Part 3 of the Act, which covers law enforcement processing only and does not apply to a care provider's SAR handling; citing it is the same class of error as the 1998 citation. The DPO signs off any complex SAR before release.

The DPA 2018 versus 1998 pitfall

We see this in roughly 5% of submissions we audit. The provider cites the Data Protection Act 1998. The Act was repealed in May 2018. The DPA 2018 is the live statute. Citing the 1998 Act in a 2025 or 2026 submission signals one of two things to the evaluator:

  • The provider's policy library has not been updated since 2018.
  • The provider does not understand the regulatory frame.

Either reading bleeds marks across the governance section. We catch the pitfall on every pre-submission review by searching the data protection section for "1998" and correcting every hit against the DPA 2018 and UK GDPR, rather than replacing the year blindly, since the surrounding sentence usually needs the named Article and Schedule condition as well. The Quality Gate audit hard-flags any 1998 citation as a band-cap risk.

A related pitfall is citing the Care Standards Act 2000 as the live regulatory anchor for adult social care. The 2000 Act is largely superseded for adult social care by the Health and Social Care Act 2008 and the 2014 Regulations; it remains relevant for some children's care settings. Drafting that cites the 2000 Act for adult work without flagging the 2008/2014 succession caps at middle band.
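The two checks above (any citation of the repealed 1998 Act; the Care Standards Act 2000 cited without the 2008/2014 succession) plus the named-anchor checklist from the rest of this post are the kind of thing worth scripting so that the pre-submission search is the same every time. The block below is an added example, not TenderLab's Quality Gate tooling: the rule names, severities, the Article 6/Article 9 confusion heuristic and both sample drafts are constructed for illustration.

```python
"""Pre-submission lint for a data protection bid section.

Added example, not TenderLab's Quality Gate tooling. Rule names, severities,
the Article 6/9 heuristic and the sample drafts are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "band-cap" (loses the section) or "middle-band" (caps the score)
    rule: str
    excerpt: str


# Legacy citations. The repealed 1998 Act is always a band-cap flag. The Care
# Standards Act 2000 is flagged only when the same paragraph never names the
# 2008 Act / 2014 Regulations succession (it is still live for some children's settings).
DPA1998 = re.compile(r"Data Protection Act,?\s*1998|\bDPA\s*1998\b", re.I)
CSA2000 = re.compile(r"Care Standards Act,?\s*2000", re.I)
SUCCESSION = re.compile(
    r"Health and Social Care Act 2008|Regulated Activities\)\s*Regulations 2014", re.I
)

# Named anchors a top-band answer carries; each is checked over the whole section.
REQUIRED_ANCHORS = {
    "dpa2018": re.compile(r"Data Protection Act,?\s*2018|\bDPA\s*2018\b", re.I),
    "art6_lawful_basis": re.compile(r"Article\s*6\s*\(1\)\s*\([a-f]\)", re.I),
    "art9_condition": re.compile(r"Article\s*9\s*\(2\)\s*\([a-j]\)", re.I),
    "dspt_status": re.compile(
        r"DSP Toolkit.*?(Standards (?:Met|Exceeded|Not Met)|Approaching Standards)",
        re.I | re.S,
    ),
}
ART6 = re.compile(r"Article\s*6\b", re.I)
ART9 = re.compile(r"Article\s*9\b", re.I)


def paragraphs(text: str) -> list[str]:
    return [p.strip() for p in re.split(r"\n\s*\n", text) if p.strip()]


def sentences(text: str) -> list[str]:
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", text) if s.strip()]


def lint(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for para in paragraphs(text):
        for m in DPA1998.finditer(para):
            findings.append(Finding("band-cap", "legacy_dpa1998", m.group(0)))
        for m in CSA2000.finditer(para):
            if not SUCCESSION.search(para):
                findings.append(Finding("middle-band", "csa2000_without_succession", m.group(0)))
    # Heuristic (constructed): a sentence that presents Article 9 as the "lawful
    # basis" with no Article 6 alongside it is the Article 6 / Article 9 confusion.
    for s in sentences(text):
        if "lawful basis" in s.lower() and ART9.search(s) and not ART6.search(s):
            findings.append(Finding("middle-band", "art6_art9_confusion", s))
    for name, pat in REQUIRED_ANCHORS.items():
        if not pat.search(text):
            findings.append(Finding("middle-band", f"missing_{name}", ""))
    return findings


def band(findings: list[Finding]) -> str:
    """Worst band implied by the findings: band-cap, middle-band or top."""
    if any(f.severity == "band-cap" for f in findings):
        return "band-cap"
    return "middle-band" if findings else "top"


# Constructed sample drafts (not real submissions).
BAD_DRAFT = """We comply with the Data Protection Act 1998 and UK GDPR. Our lawful basis is Article 6(1)(e) (public task) and our special category condition is Article 9(2)(h). Our lawful basis for health records is Article 9(2)(h).

Our service is registered under the Care Standards Act 2000 and inspected against its national minimum standards.

Adult services are regulated under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which superseded the Care Standards Act 2000 for adult care.
"""

GOOD_DRAFT = """DPA 2018 compliant. Data Protection Act 2018 and UK GDPR Article 6(1)(e) lawful basis; Article 9(2)(h) special category condition; DPA 2018 Schedule 1 Part 1 condition. DSP Toolkit submission with Standards Met status; reviewed annually.

Adult services are regulated under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which superseded the Care Standards Act 2000.
"""

if __name__ == "__main__":
    for label, draft in (("bad", BAD_DRAFT), ("good", GOOD_DRAFT)):
        found = lint(draft)
        print(f"{label}: band={band(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.rule}: {f.excerpt[:60]}")
```

The paragraph-scoped check for the 2000 Act is the important design point: a blanket search for "2000" would flag the correct sentence that names the succession, so the rule only fires when the paragraph never mentions the 2008 Act or the 2014 Regulations. Run the script over the exported draft text before the Quality Gate review; any band-cap finding is a stop.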

Anonymised Essex and Children's Trust context

Two procurements illustrate the pattern.

A domiciliary care provider in our portfolio bid for an Essex Tier 2 Live at Home framework. The data protection section scored 5/5. The driver: a named DPO service, a named DSP Toolkit Standards Met submission, a named information sharing agreement (ISA) per partner agency, and a named subject rights handling protocol. The evaluator's anonymised feedback cited "regulatory fluency and operational specificity" as the differentiating elements.

A children's residential provider in our portfolio bid for an East of England Children's Residential Framework. The data protection section scored 5/5. The driver: a named DPO, a named DSP Toolkit organisation code, named compliance with the Children Act 1989 Section 22 information sharing duties and Working Together to Safeguard Children 2023 multi-agency information sharing principles, and a named ICO registration number.

The drafting pattern that scores 5/5

Five elements per sub-criterion answer.

  1. Direct answer in 1-4 words. "DPA 2018 compliant."
  2. Statutory anchor named. "Data Protection Act 2018 and UK GDPR Article 6(1)(e) and 9(2)(h)."
  3. Named operational mechanism. "DPO service contracted with named provider; monthly compliance review."
  4. Named cadence. "Annual DSP Toolkit submission; quarterly internal IG audit."
  5. Evidence of prior compliance. "Standards Met status on DSP Toolkit submission for the past 3 years; zero notifiable breaches in the past 36 months."

Five sentences per sub-criterion. Four sub-criteria. Twenty sentences carry the section.

Why providers under-write data protection

Three patterns.

Pattern A: The legacy citation. Cites the Data Protection Act 1998 (repealed 2018). Immediate compliance flag.

Pattern B: The blanket assertion. "We comply with all relevant data protection legislation." No named statute, no named DPO, no named DSP Toolkit status. Middle band.

Pattern C: The toolkit omission. Provider omits the DSP Toolkit submission status. NHS-aligned bids penalise the omission heavily.

The 5/5 pattern requires all four sub-criteria answered explicitly with named statute, named tools and named evidence. Evaluator psychology reads the unsupported governance claim as a flag of post-award compliance risk; named statute fluency is the proxy for compliant operations.

Evaluator psychology and procurement journey context

Data protection scoring is locked at ITT submission and tested through the Section 50 assessment summary under the Procurement Act 2023. Unsuccessful bidders use the standstill (Alcatel) window to test the moderator's reading where the assessment summary lacks explicit reference to the DPA 2018 and UK GDPR anchors. The Information Commissioner's Office accountability framework provides the cross-verification reference.

Evaluator psychology rewards rubric fluency hard on this line. Named statute (DPA 2018, not 1998), named UK GDPR Article 6 lawful basis, named Article 9 special category condition, named DPA 2018 Schedule 1 Part 1 condition and named DSP Toolkit status combine into the audit trail the procurement evaluator and the ICO would both verify. Drafting that confuses Article 6 (lawful basis) with Article 9 (special category condition) caps the response.

Sector dynamics are tightening. The Data Protection and Digital Information Bill ran through Parliament with several amendments before lapsing; the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) carries forward many of the proposed reforms by amending the DPA 2018 and UK GDPR rather than replacing them, so those two remain the live framework to cite. Name the 2025 Act only where a specific amended provision matters to the answer; a bid that cites it as a new standalone regime is a variant of the legacy-citation error. The Cyber Essentials Plus certification is now common as a PQQ pass/fail gate; providers without it cap their bidding scope.

Frequently asked questions

Do we need a full-time DPO?

Not necessarily. Most small and medium care providers contract a DPO service. UK GDPR Article 37 sets the conditions for a mandatory DPO; for most care providers it bites because their core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special category data. The named DPO service is sufficient evidence for the DPO sub-criterion provided the named individual and contact details are in the bid.

What if our DSP Toolkit status is "Approaching Standards"?

Cite the current status, name the gap, and commit to Standards Met by a named date. Most buyers score a transparent current status plus a credible, dated plan close to Standards Met on the threshold sub-criterion, but some NHS specifications treat Standards Met as pass/fail; check the specification before committing bid resource. The Better Security, Better Care grant programme has historically supported small care providers transitioning to Standards Met; named programme participation strengthens the commitment.

Does this apply to non-NHS bids?

DSP Toolkit applies where you handle NHS data. Council bids without NHS data integration weight the DPA 2018 and UK GDPR sub-criteria but not the DSP Toolkit one. Always check the specification. The Cyber Essentials Plus certification is the parallel cyber threshold; many councils now require it as a PQQ pass/fail gate.

Do you draft data protection responses for tenders without an IG section?

Yes. Data protection often appears under Safeguarding, Governance or Quality Assurance rather than as a standalone section. The drafting discipline is identical; the section header changes.

The synthesis is straightforward. Data protection sections that name DPA 2018 (not 1998), UK GDPR Article 6 lawful basis, Article 9 special category condition, DSP Toolkit Standards Met status and the breach notification protocol per Article 33 score band consistency. Sections that cite the 1998 Act, omit the DSP Toolkit submission status or blanket-assert compliance cap at middle band or below.

Speak to Derrick Mwesigwa, Head of Bid Operations. We respond within 4 working hours. Email [email protected] or call 01707 240393. TenderLab Ltd, Companies House 17184263. 92% win rate across 200+ submissions. Book a free 30-minute consultation via our bid writing service.
