CAF-aligned DSPT: Evolution of our assurance model

Published 3 September 2024

Information:

This is a joint statement between NHS England and the National Data Guardian.

This joint statement describes a significant change to the Data Security and Protection Toolkit (DSPT), the online self-assessment tool health and care organisations use to demonstrate compliance with the National Data Guardian’s 10 data security standards. It explains why the assessment framework is evolving and how organisations will assess themselves in the future.

Changes to the DSPT assurance framework

Starting in September 2024, some organisations will be asked to measure themselves differently when using the DSPT. Since 2018, the DSPT has used the National Data Guardian’s 10 data security standards as the measure against which organisations must assess their data protection and security capability and preparedness. However, the National Data Guardian standards will gradually be phased out as the basis of the DSPT’s assessment and replaced by the National Cyber Security Centre’s Cyber Assessment Framework (CAF).

When first introduced, the change will impact only a specific group of large health and care organisations, which have already been notified. However, it will eventually be introduced for other types of organisations. Those who have not transitioned will continue to use the version of the DSPT aligned to the 10 security standards and will be informed by NHS England when it is their time to transition.

Progress under the 10 security standards

In 2016, the National Data Guardian conducted a review of data security, consent and opt-outs to strengthen the security of health and care information and ensure people can make informed choices about how their data is used. This review proposed 10 security standards for health and care and a mechanism for monitoring compliance with them, the DSPT. The standards were designed to build on existing good principles and address the root causes of security breaches.

By adopting the 10 security standards as its basis for assurance, the DSPT drove a shift in thinking. This shift involved moving away from considering data protection and security solely as a set of privacy controls. Instead, it outlined them as obligations for organisational leaders, tasking them with considering and managing data security across three key areas: people, process, and technology.

New challenges in data security and protection

This new approach to protecting patient information has significantly helped organisations mature their strategies for safeguarding patient information and cyber-security. We recognise the sector still has further to go. Keeping data safe is a continually evolving challenge as it adapts to new threats and innovations. Long-term planning, investment, and effective leadership across professional and organisational boundaries are needed to anticipate and manage privacy and cyber security risks, and to strengthen and build resilience in our systems.

Adopting the CAF

The CAF was adopted as the new basis for DSPT assurance in the 2023-2030 health and care cyber strategy, and evolves the approach in two significant ways.

First, it sets a high bar for achievement (at least equivalent to the previous DSPT) and will give organisations a long-term roadmap of yearly incremental improvement. This will give clear visibility of expectations over the next five years, enabling long-term strategic investments in people, processes, and technology.

Second, the CAF-aligned DSPT focuses on achieving outcomes instead of simply passing or failing defined security controls. It helps organisations apply strong information governance and cyber security principles to make informed decisions at a local level.

This approach allows professionals to use their own judgment to implement the data protection measures that best serve their organisation, patients, and service users. It also encourages professionals to apply best practice tactics against new and emerging threats.

Maintaining a commitment to safeguarding data protections

To make sure that the key principles and protections afforded by the 10 security standards were maintained through the transition to CAF, NHS England and the Department of Health and Social Care conducted a detailed mapping exercise. This exercise ensured that the protections afforded by the CAF-aligned DSPT are, as a minimum, equivalent to those offered by the security-standards-aligned DSPT (and in some instances stronger). It also identified any health and care-related gaps in the original CAF. As a result, a 'health and care overlay' was added to the CAF-aligned DSPT to make the framework fully inclusive of information governance as a discipline.

In addition, a new objective was added: Objective E – Using and sharing information appropriately. This covers essential information governance principles and ensures that the important requirements in relation to the appropriate use of data, including confidential patient information, in the National Data Guardian’s standards are not lost.

Role of the 10 security standards

After transitioning to the new CAF-aligned DSPT, organisations will assess themselves against the CAF, not the National Data Guardian’s 10 security standards. However, the basic principles embodied in the three leadership obligations of ‘people, process and technology’ and the standards that accompany them remain fundamental and are built into the CAF’s requirements. Nonetheless, the CAF-aligned DSPT will be the only instrument for assessment and assurance.

The intent is for all health and care organisations to move to the CAF-aligned DSPT, which will be implemented progressively (and in different ways) for different types of organisations. Organisations that have not moved to the CAF-aligned DSPT will continue to use the National Data Guardian standards as the basis of their assessment.

Achieving and maintaining ‘standards met’ for the DSPT (whether CAF-aligned or otherwise) is the means by which organisations can meet the National Data Guardian’s expectations.

Continuing engagement with the National Data Guardian

The National Data Guardian will continue to work with NHS England and the Department of Health and Social Care on the development and implementation of this new framework. The programme team will continue to present a yearly review of the DSPT to the National Data Guardian’s Panel.

For help and support, you can visit the DSPT website.