SBS10521 Made Easy: A Step-by-Step Guide for Professionals

SBS10521 Made Easy: A Step-by-Step Guide for Professionals

By the end of this guide, you will know exactly what SBS10521 requires, whether your organisation is eligible, and how to move from awareness to active compliance. That includes which documentation to prepare, which Lot to procure under, and how a compliant hybrid mail or omnichannel platform makes the entire process measurably simpler.

‍

According to NHS England Digital, there were 146.1 million total outpatient hospital appointments in England in 2024-25. Yet according to Health Industry Leaders, approximately 8 million of those appointments are missed every year. The pressure on public sector organisations to communicate effectively and compliantly has never been greater. SBS10521 exists to help.

‍

If you are new to this framework, start with our full overview in What Is the NHS SBS Patient and Citizen Communications Framework (SBS10521)? before returning to this step-by-step guide.

‍

What Is SBS10521 and Why Does It Matter?

SBS10521 is the official reference code for the NHS Shared Business Services (NHS SBS) "Patient/Citizen Communication, Engagement and Hybrid Mail Solutions Framework Agreement." It is a pre-tendered, GDPR-aligned procurement vehicle that allows eligible public sector organisations to access approved communication technology suppliers without the burden of running a full standalone tender process.

‍

Crucially, this is not a healthcare-only framework. NHS trusts, local councils, housing associations, and other approved UK public sector bodies can all access SBS10521.

‍

The framework was designed to modernise public sector engagement, support accessibility through multi-language and alternative format communications, and actively reduce "Did Not Attend" (DNA) rates - a financial and operational drain costing the NHS an estimated £160 to £165 per missed appointment.

‍

Definition: SBS10521 is a pre-tendered, GDPR-aligned procurement framework that enables NHS organisations, councils, and other public sector bodies to source compliant communication solutions - covering digital messaging, hybrid mail, and integrated omnichannel platforms - through a streamlined, legally sound buying route.

‍

To understand how this sits alongside other NHS procurement routes, see our guide to procuring communication technology in the public sector.

‍

Step 1: Confirm Your Organisation's Eligibility

Before initiating any procurement activity, confirm that your organisation qualifies to use the framework.

‍

Eligible organisation types include:

• NHS trusts and integrated care boards
• Local authorities and metropolitan councils
• Housing associations and registered social landlords
• Other central and devolved government bodies approved by NHS SBS

‍

Action points:

1. Review the NHS SBS eligibility criteria on the official framework documentation.
Confirm your organisation's status with your procurement or legal team.

• If eligibility is uncertain, contact NHS SBS directly for a written confirmation before proceeding.

‍

Tip: Many local authorities and housing providers are unaware that SBS10521 is open to them. If your organisation sends regulated, transactional, or citizen-facing communications, you are very likely eligible.

‍

Step 2: Identify the Right Lot for Your Requirements

According to Digital Health, organisations can procure specific communication tools through pre-approved categories, known as Lots. Selecting the correct Lot is critical because it determines which suppliers you can engage and what services fall within scope.

‍

The primary Lots under SBS10521 are:

• Lot 1 - Digital and online communication: Web-based engagement tools, digital notice and messaging platforms.
• Lot 2 - Messaging services: SMS, email, and automated outbound notification services.
• Lot 4 - Hybrid mail services: Physical letter production and delivery managed digitally - ideal for organisations transitioning away from in-house print operations.
• Lot 7 - Integrated communication solutions: End-to-end omnichannel platforms combining digital and physical channels in a single managed service.

‍

Action points:

1. Map your current and intended communication workflows against each Lot's scope.
Identify whether you need a single Lot or a combination of Lots.

• Consult your procurement lead to confirm alignment before issuing any call-off.

‍

Warning: Procuring services outside the defined scope of your selected Lot may invalidate the framework route and expose your organisation to procurement challenge. Always verify scope boundaries in the framework documentation.

‍

For a practical overview of how hybrid mail fits into regulated communications, see our guide to hybrid mail for transactional and regulatory communications.

‍

Step 3: Choose Your Procurement Route - Direct Award or Further Competition

Once you have confirmed eligibility and identified the right Lot, you must select the appropriate call-off mechanism.

‍

Option A - Direct Award

Use this route when one supplier on the framework clearly meets your requirements based on the existing ranked or evaluated position. This is the faster option and is appropriate for lower-value or straightforward requirements.

‍

Option B - Further Competition

Use this route when your requirements are complex, high value, or where you need to test pricing and capability across multiple framework suppliers. A further competition mini-tender is issued to all Lot-appointed suppliers, who then submit tailored responses.

‍

Action points:

1. Define your requirements in a structured statement of requirements document.
Establish your evaluation criteria - typically covering price, technical capability, compliance, and service delivery.

• Confirm with your procurement team whether a direct award is defensible or whether a further competition is required.
• Issue the relevant documentation through the NHS SBS framework portal.

‍

Tip: Even when using direct award, document your rationale clearly. A written record of the decision-making process is essential for audit readiness and internal governance.

‍

Step 4: Verify Supplier Compliance and Security Standards

Not all suppliers on a public sector framework carry equal compliance credentials. Before confirming a supplier appointment, conduct a structured due diligence review.

‍

Key compliance areas to verify:

• GDPR and UK data protection compliance: Is personal data processed lawfully, with appropriate data processing agreements in place?
• ISO 27001 or equivalent: Does the supplier hold recognised information security certification?
• Audit trails: Can the supplier provide full delivery audit trails for every communication sent?
• Accessibility standards: Does the platform support multi-language output and alternative formats for citizens with additional needs?

‍

According to Business Lancashire, suppliers appointed to the framework - such as Micom Technologies - have undergone rigorous assessment to ensure they meet strict standards for data security, operational efficiency, and GDPR compliance. This pre-vetting process significantly reduces your organisation's due diligence burden, but it does not replace your own contractual and governance checks.

‍

For a detailed breakdown of what secure communication compliance looks like in practice, read our article on whether hybrid mail is secure.

‍

Step 5: Implement and Integrate Your Chosen Solution

Once a supplier is appointed, the implementation phase begins. This is where compliance obligations meet operational reality.

Key implementation actions:

1. Agree a data processing agreement (DPA) with the supplier before any live data is shared.
Map communication workflows to the platform - identifying which letters, notifications, and messages will be routed through the new system.

• Configure channel preferences and fallback rules - for example, digital-first with physical letter fallback for citizens without confirmed digital contact details.
• Run a pilot phase with a defined subset of communications before full rollout.
• Establish reporting and audit trail access for your compliance and operations teams.

‍

Tip: A phased rollout reduces operational risk and allows your team to validate output quality, delivery confirmation, and audit data before scaling.

‍

To understand how multichannel configuration supports citizen engagement outcomes, see our article on engaging patients and citizens through multi-channel communication.

‍

Step 6: Measure Outcomes and Maintain Ongoing Compliance

Compliance is not a one-time event. SBS10521 obligations continue throughout the life of the contract, and your organisation should establish a rhythm of regular review.

‍

Ongoing compliance activities:

• Monitor delivery rates and DNA rate trends on a monthly basis.
• Review audit trail reports quarterly to confirm all communications are logged and traceable.
• Conduct annual supplier performance reviews against the original evaluation criteria.
• Ensure any changes to communication templates or channels are assessed for data protection impact.
• Keep internal stakeholders - including procurement, information governance, and operations teams - aligned on framework obligations.

‍

Warning: Framework agreements are subject to their own expiry dates and extension terms. Ensure your call-off contract duration does not exceed the overarching framework term without appropriate renewal or re-procurement.

‍

For further context on the measurable operational benefits of getting this right, read the real benefits of hybrid mail for business communications.

‍

SBS10521 Compliance Checklist

Use this checklist to track your progress through each stage of the process.

• [ ] Confirmed organisational eligibility to use the SBS10521 framework
• [ ] Identified the correct Lot or combination of Lots for your requirements
• [ ] Selected and documented your procurement route - direct award or further competition
• [ ] Defined your statement of requirements and evaluation criteria
• [ ] Conducted supplier due diligence covering GDPR, security certification, and accessibility
• [ ] Agreed and signed a data processing agreement before going live
• [ ] Mapped communication workflows and configured channel preferences
• [ ] Completed a pilot phase with validated audit trail access
• [ ] Established a schedule for ongoing performance and compliance reviews
• [ ] Confirmed your call-off contract duration aligns with the framework term

‍