The Data Security and Protection Toolkit (“DSPT”) is undergoing the most significant changes since it was introduced back in 2018. In 2023, the Department of Health and Social Care committed to adopting the National Cyber Security Centre’s Cyber Assessment Framework (“CAF”) as the principal cyber standard. This move aims to emphasise good decision-making, support a culture of evaluation and improvement, and create opportunities for better practice.
Which organisations are affected by these changes?
The changes will only affect a few types of organisations for the 2024/2025 submissions. It is anticipated that the affected organisations will be able to view the new DSPT interface from the first week of September. The first round of organisations affected by the changes are as follows:
- NHS Trusts
- Integrated Care Boards
- Arm’s Length Bodies
- Commissioning Support Units
It is planned that these changes will also affect different types of organisations in later DSPT submissions and the remaining organisations’ requirements will be derived from the CAF outcomes. Therefore, all other organisations are also advised to watch the developments in this space.
New DSPT Interface and “Expected Standards”
Organisations will now need to familiarise themselves with a brand new DSPT. The new DSPT will restructure the order and specificities of most evidence items, now called “outcomes”. This means that the organisations affected by these changes will need to reevaluate their DSPT action plans to account for the changes in the way evidence is presented and the types of evidence presented as part of the new DSPT submissions.
The new DSPT employs a different way of thinking about meeting standards. The CAF-aligned DSPT will include 47 outcomes in total; however, organisations will not be expected to meet all of them: the minimum expected standard for some outcomes will be “partially achieved” or “not achieved” for the 2024/2025 submissions, although NHS organisations might be subject to increased expectations in the years to come. The organisations affected by the changes will be expected both to demonstrate that they fulfil the good practice indicators under their expected standard and to demonstrate that they do not fall under any of the indicators under the “not achieved” standard, meaning they will need to be cognisant of a wider set of factors whilst completing their toolkit returns for the upcoming years.
Are there any material changes to the DSPT outcomes?
The content of the CAF-aligned DSPT will be comparable to that of the existing DSPT, although NHS England have indicated that there will be certain outcomes where they have tightened the requirements and/or raised the standard that organisations are expected to meet in the upcoming year. For example, under “Objective A: Managing Risk”, the areas of increased standards include, but are not limited to:
- Evidence that risk decisions are joined up between different departments;
- Adoption of clear and unambiguous risk appetite statements;
- Penetration and behavioural testing (e.g., simulated phishing);
- More comprehensive due diligence over contracts in place with all third-party organisations.
One immediate practical change to note is that the “baseline submissions” (now called “interim submissions”) are being pulled forward to 31 December 2024 for the 2024/2025 DSPT.
The guidance for the new CAF-aligned DSPT standards is expected to be published in September 2024 which leaves around three months for NHS organisations to get familiar with the new requirements and undertake their gap analyses before making their interim submissions in December 2024.