Part of Overview of the CAF-aligned DSPT

Introduction

Adopting the Cyber Assessment Framework (CAF)

The Data Security and Protection Toolkit (DSPT) changes in September 2024 to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This was a commitment made in the Department of Health and Social Care’s (DHSC) cyber security strategy to 2030.

The CAF-aligned DSPT approach uses principles and expert judgment to guide competent decision-making, with a focus on achieving key outcomes. It will change the way that people, processes and technology are evaluated and assured in cyber security and information governance (IG).

The goals of moving to the CAF-aligned DSPT are to:

  • emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level where those risks can most effectively be managed
  • support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box
  • create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks

Changes for organisations completing the DSPT in 2024-25

A specific group of health and care organisations will move to the CAF-aligned DSPT in 2024-25 and will see a new user interface when they log in to file their submission. These organisations are:

  • NHS trusts and foundation trusts
  • Commissioning support units (CSUs)
  • Arm’s length bodies (ALBs) of the Department of Health and Social Care (DHSC)
  • Integrated care boards (ICBs)

Other organisation types will not move to the CAF-aligned DSPT in 2024-25. See the DSPT’s help page on organisation types for more information.

If you are a cyber or IG professional within one of the organisation types listed above, you should be prepared to undertake the following activities ahead of your submission:

  • plan your approach – read through the contributing outcomes of the CAF-aligned DSPT and think about how they relate to your current cyber security and IG practices
  • scope your essential functions – undertake a scoping exercise to identify which information, systems and networks are in scope for your DSPT submission
  • allocate ownership of contributing outcomes – decide how DSPT activities should be delegated, bearing in mind that the majority of outcomes will require joint working across cyber security and IG teams

See guidance on how to approach the CAF-aligned DSPT for more information on the points outlined above.

You should be prepared to use your own judgment, following the guidance created by NHS England and DHSC, to assess whether your organisation has met the new CAF-aligned DSPT contributing outcomes. In most cases, this should not mean making significant changes to your local cyber security and IG procedures. However, the new toolkit requires you to think differently about what your approach to people, processes and technology achieves in terms of increasing your organisation’s cyber and IG resilience.


Joining up cyber security and IG

To create the CAF-aligned DSPT, NHS England and DHSC have enhanced NCSC’s existing cyber framework with a health and care CAF overlay that covers data protection, confidentiality and other information governance disciplines such as clinical coding. The overlay amends some CAF terminology, extends some of the existing contributing outcomes, and adds a new IG-focused section:

The goal of the health and care CAF overlay is to ensure a joined-up approach to cyber security and IG in health and care, preventing gaps and minimising unnecessary duplication between disciplines. It also ensures that existing safeguards and standards in health and care are maintained and built upon with the implementation of the CAF-aligned DSPT.


Specific guidance on contributing outcomes

NHS England and DHSC have provided specific guidance for each of the contributing outcomes in the new CAF-aligned DSPT:

The guidance will help you understand:

  • how the contributing outcomes in each objective should be interpreted in the context of health and care
  • how the requirements of the CAF-aligned DSPT compare to the previous DSPT assessment
  • where there are additional or increased expectations which organisations should consider

The purpose of the detailed guidance is to increase consistency and harmonisation across DSPT submissions, helping to inform organisations’ judgments. However, it does not prescribe exact methods for meeting each of the contributing outcomes.

Decisions about how to achieve each contributing outcome should be made by each organisation’s own cyber security and IG professionals. This forms part of the CAF-aligned DSPT approach to achieve better security outcomes by emphasising good decision-making at the local organisation level.


Senior Information Risk Owner (SIRO) approval

It remains the responsibility of the Senior Information Risk Owner (SIRO) in each organisation to approve the DSPT submission. In the context of the CAF-aligned DSPT, this means the SIRO must give approval for the organisation’s:



Last edited: 14 August 2024 3:09 pm