Part of Overview of the CAF-aligned DSPT

Introduction

The Cyber Assessment Framework (CAF)

The Data Security and Protection Toolkit (DSPT) changed in September 2024 to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This was a commitment made in the Department of Health and Social Care’s (DHSC) cyber security strategy to 2030.

The CAF-aligned DSPT approach is geared towards using principles and expert judgment to guide competent decision-making, with a focus on achieving key outcomes.

The goals of the CAF-aligned DSPT are to:

  • emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level where those risks can most effectively be managed
  • support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box
  • create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks

CAF-aligned DSPT organisations

A specific group of health and care organisations have moved to the CAF-aligned DSPT. These organisations are:

  • NHS trusts and foundation trusts
  • commissioning support units (CSUs)
  • arm’s-length bodies (ALBs) of the Department of Health and Social Care (DHSC)
  • integrated care boards (ICBs)
  • independent health organisations that have been designated as 'operators of essential services' under the Network and Information Systems (NIS) Regulations 2018
  • genomics organisations as nominated by DHSC

If you are a cyber or IG professional within one of the organisation types listed above, you should be prepared to undertake the following activities ahead of your submission:

  • plan your approach – read through the contributing outcomes of the CAF-aligned DSPT and think about how they relate to your current cyber security and IG practices
  • scope your essential functions – undertake a scoping exercise to identify which information, systems and networks are in scope for your DSPT submission
  • allocate ownership of contributing outcomes – make decisions about how DSPT activities should be delegated, bearing in mind that the majority of outcomes will require joint working across cyber security and IG teams 

See guidance on how to approach the CAF-aligned DSPT for more information on the points outlined above.

You should be prepared to use your own judgment, following the guidance created by NHS England and DHSC, to assess whether your organisation has met the new CAF-aligned DSPT contributing outcomes. The toolkit requires you to think critically about what your approach to people, processes and technology achieves in terms of increasing your organisation’s cyber and IG resilience.


Joining up cyber security and IG

For the CAF-aligned DSPT, NHS England and DHSC enhanced NCSC’s existing cyber framework with a health and care overlay which covers data protection, confidentiality, and other information governance disciplines such as clinical coding. The overlay amends some CAF terminology, extends some of the existing contributing outcomes, and features a new IG-focussed section: 

The goal of the health and care overlay is to ensure a joined-up approach to cyber security and IG in health and care, preventing gaps and minimising unnecessary duplication between disciplines. It also ensures that existing safeguards and standards in health and care are maintained and built upon with the implementation of the CAF-aligned DSPT.

Separate guidance reconciling the aims of the CAF with the legal requirements of UK GDPR has been published by the Information Commissioner’s Office (ICO) and NCSC, which you can read for assurance about how the outcomes-based approach helps organisations meet data protection principles.


Specific guidance on contributing outcomes

NHS England and DHSC have provided specific guidance for each of the contributing outcomes in the CAF-aligned DSPT:

The guidance will help you understand: 

  • how the contributing outcomes in each objective should be interpreted in the context of health and care
  • how the requirements of the CAF-aligned DSPT compare to the previous DSPT assessment
  • where there are additional or increased expectations which organisations should consider

The purpose of the detailed guidance is to increase consistency and harmonisation across DSPT submissions, helping to inform organisations’ judgments. However, it does not prescribe exact methods for meeting each of the contributing outcomes.

Decisions about how to achieve each contributing outcome should be made by each organisation’s own cyber security and IG professionals. This forms part of the CAF-aligned DSPT approach to achieve better security outcomes by emphasising good decision-making at the local organisation level.


Mapping to previous DSPT frameworks

Under the DSPT framework which was in place before the adoption of the CAF, your organisation was required to perform activities that help meet the expectations of CAF-aligned DSPT contributing outcomes. 

For more detail on what these activities were, see the mapping exercise published by NHS England and DHSC.


Mapping to other cyber frameworks

NHS England and DHSC have also produced a mapping document showing where the requirements of the CAF-aligned DSPT overlap with those of other cyber frameworks.


Senior Information Risk Owner (SIRO) approval

It is the responsibility of the Senior Information Risk Owner (SIRO) in each organisation to approve the DSPT submission. In the context of the CAF-aligned DSPT, this means the SIRO must give approval for the organisation’s:



Last edited: 4 August 2025 1:07 pm