NHS DSPT compliance has gone through a significant change. The transition from the National Data Guardian’s 10 data security standards structure to the CAF-aligned Data Security and Protection Toolkit (DSPT) is a significant step for UK health and care organisations.

What this blog post is not about:

This is not a guide to CAF, nor any compliance checklist.

What this blog post is about:

An FAQ post that aims to address common questions about the changes, requirements, and implications, providing clear guidance for organisations navigating this transition from previous DSPT to CAF-aligned DSPT.

Expert advice can make all the difference for healthcare organisations seeking support in independent audit assessment, technical risk assessments, data security audits, or compliance services. Check out Cyphere’s services for tailored assistance to healthcare that goes beyond ‘report and run’ approach.

1. General Questions

What is the reason for this change?

To improve the security assurance of healthcare organisations, this change is part of the commitment made in the DHSC security strategy for Health and Social care to 2030.

Which organisations are moving to the CAF-aligned DSPT?

Since summer 2024, the following organisations will adopt the CAF-based DSPT:

• NHS trusts and foundation trusts (acute, mental health, community and ambulance)

• Integrated care boards (ICBs)

• Department of Health and Social Care (DHSC) arm’s length bodies

• Commissioning support units (CSUs)

When will independent providers move to the CAF-aligned DSPT?

Independent providers designated as Operators of Essential Services (OES) and key IT suppliers will remain on the existing DSPT until summer 2025.

DHSC has designated a small number of independent providers as ‘Operators of Essentials Services’ aligned with NIS regulation.

IT suppliers with more than 50 staff and more than £ 10 million turnover will transition to CAF-aligned DSPT in the summer of 2025.

What about ‘other’ organisations like GPs, dentists, and social care providers?

Organiastion that processes patient information for secondary purposes or GPs, dentists, pharmacies, local authorities, universities, and social care providers, will transition to a checklist-based CAF-aligned DSPT by summer 2026.

Why does the CAF-aligned DSPT differ from the NCSC’s CAF?

Current CAF from NCSC has requirements around objectives, principles and outcomes. Each of the four objectives have underlying principles, outcomes and indicators of good practices (IGPs). You can read our detailed guide on NCSC CAF here.

NHS England and DHSC have added a specific health and care overlay that integrates data protection, clinical coding, confidentiality, and other information governance (IG) disciplines to create a holistic assurance framework. This ensures healthcare organisations are equipped to respond to the evolving cyber threats and apply best practices against new and emerging threats.

Cyber security and Information governance are covered in this new compliance requirement on top of existing principles from DSPT.

What are ‘indicators of good practice’?

Your organisation can use these IGPs i.e. examples of processes and procedures to determine whether it has achieved the contributing outcomes. They guide organisations in self-assessing their practices.

2. Evidence, Standards, and Compliance – Cyber Assessment Framework

What evidence is required to meet the DSPT standards?

Each contributing outcome includes a list of suggested evidence items.

Organisations must decide which evidence is sufficient to justify their compliance and prove it with a supporting statement explaining their justification. For example, evidence might include:

• Information asset and flows registers

• Business continuity and disaster recovery plans

• Incident management processes

Struggling with evidence preparation? Cyphere’s cybersecurity audits and compliance services can provide expert review and gap analysis.

Does achieving “partially achieved” mean meeting the standards?

Yes, the minimum standard is “partially achieved for some contributing outcomes.” However, organisations must aim to improve and work toward full achievement over time.

What happens if our organisation doesn’t meet the required standards?

If your organisation does not meet the expected achievement level, you must submit an improvement plan detailing the steps to address the shortfalls. Having a clear roadmap is essential for progressing toward compliance ensuring protection of patient information and associated systems.

3. Interim Assessment and Audits

When is the interim baseline assessment due?

NHS trusts, ALBs, and ICBs must complete their interim baseline assessment by 31st December 2024. This assessment serves as a progress check and allows organisations to identify focus areas ahead of the final submission.

Are audits required for the CAF-aligned Data Security Protection Toolkit?

Yes, independent audits remain mandatory for organisations under the CAF-aligned DSPT.

NHS England is developing a checklist based CAF-aligned audit framework to ensure consistency with the new requirements. Looking for external support? Cyphere’s cybersecurity audits ensure compliance with CAF-based frameworks and provide actionable insights.

4. Cybersecurity and IG Integration

Will there be a focus on cybersecurity and information governance (IG)?

Yes, the CAF-aligned DSPT treats cybersecurity and IG as two aspects of the same domain. This integrated approach ensures no gaps between the two disciplines, improving overall resilience.

For organisations unsure how to align cybersecurity controls with IG requirements, Cyphere offers technical risk assessments tailored to health and care providers.

Does the DSPT include Bring Your Own Device (BYOD)?

Yes, BYOD devices are included in the assurance process if they:

1. Access networks and systems supporting essential functions.

2. Hold personal or sensitive data.

Organisations must manage BYOD and associated cyber security risks effectively, ensuring robust security policies are in place. Cyphere can help implement device security management strategies that meet DSPT requirements.

5. Resilience and Incident Response

What should be included in our incident response plan?

The DSPT requires organisations to have well-defined and tested incident management processes. Plans should:

• Cover various scenarios (cyber incidents, environmental events, major disruptions).

• Ensure continuity of essential functions.

• Protect impacted individuals’ rights.

If your organisation needs help developing or testing response plans, Cyphere’s incident response services provide expert guidance and practical support.

Does the DSPT cover clinical and operational resilience?

Yes, the DSPT ensures that organisations can restore essential healthcare operations even during adverse events. This includes addressing risks to clinical services, IT systems, and supporting networks.

6. Supply Chain and Third-Party Assurance

How should suppliers be assessed under the DSPT?

Organisations must evaluate suppliers based on their impact on essential services.

This includes:

• Reviewing supplier credentials (e.g., Cyber Essentials+, ISO certifications)

• Understanding their supply chain risks including current threats and new threats.

• Ensuring contractual agreements cover security and recovery responsibilities

For a thorough review of your supply chain risks, Cyphere’s supply chain risk assessment services can help demonstrate compliance and build resilience.

Are IT suppliers required to upload evidence on data protection measures?

Yes, IT suppliers must respond to all evidence requests in the DSPT, including text responses, dates, and document uploads.

7. Platform and Toolkit Functionality

Will evidence from previous DSPT versions be carried over?

No, due to the significant changes in the CAF-aligned DSPT, evidence from previous versions will not automatically populate.

Does the DSPT support multi-factor authentication (MFA)?

Yes, the DSPT supports MFA for secure access. Organisations are encouraged to enable this feature for enhanced security.

8. Local Authorities and Adult Social Care

When will local authorities adopt the CAF-aligned DSPT?

Local authorities will continue with incremental toolkit changes until at least 2026. Full alignment with the CAF-aligned DSPT is expected by 2026-2027.

9. Standards and Certifications

Does the DSPT provide exemptions for ISO 27001 or Cyber Essentials+ certifications?

No, organisations with these certifications still need to meet the CAF-aligned DSPT requirements. However, mappings between the DSPT and other standards are being developed to reduce duplication.

Should organisations pursue additional standards like ISO 27001?

While not required under the DSPT, organisations may pursue additional standards to meet broader business needs or contractual obligations.

How can Cyphere help your organisation?

The CAF-aligned DSPT introduces new challenges and opportunities for health and care organisations. Cyphere provides expert support in areas such as:

• Technical Risk Assessments: Technical risk assessments such as CREST penetration testing and secure configuration reviews help identify and mitigate applications, API, network, and system vulnerabilities and configurations.

• Independent Audit Assessment and Security Audit Offerings: Ensure compliance with CAF-based requirements and improve your security posture.

• Supply Chain Risk Assessments: Evaluate third-party risks and strengthen supplier contracts including security compliance such as DTAC, Cyber Essentials Plus certifications, cloud security 14 principles to reduce likelihood for security breaches.

• Cyber Security Maturity Assessments: Assess and improve your security strategy against maturity assessments framed around NCSC cyber security guidance.

To learn more about how Cyphere can support your organisation, contact us today.