In September 2024, the Data Security and Protection Toolkit (DSPT) transitioned to using the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) as the foundation for its cybersecurity and information governance assurance, to strengthen the protection of patient data and healthcare systems in response to increasing cyber threats. As healthcare becomes increasingly digital and interconnected, safeguarding vast amounts of sensitive information and ensuring the uninterrupted delivery of critical services has never been more crucial.
As of September 2024, the following organisations are expected to meet the CAF-aligned requirements by the end of 2024:
- NHS Trusts and Foundation Trusts
- Commissioning Support Units (CSUs)
- Arm’s Length Bodies (ALBs) of the Department of Health and Social Care (DHSC)
- Integrated Care Boards (ICBs)
Other organisations, such as GPs, dentists and IT suppliers, will not be moving to the CAF-aligned DSPT in 2024-2025 and will instead transition to it over the next few years. These organisations will continue using the existing framework until they receive guidance from NHS England for their transition.
- An important change for the 2024/2025 DSPT is that ‘baseline submissions,’ now called ‘interim submissions,’ are due by 31 December 2024.
- Guidance on the new CAF-aligned DSPT standards released in September 2024 will give NHS organisations approximately three months to familiarise themselves with the new requirements and complete their gap analyses before the December interim submission deadline.
- The deadline for publishing your full 2024/2025 DSPT is 30 June 2025.
- Organisations are required to have an independent audit assessment.
At CSS Assure, we can help your healthcare organisation navigate the transition from the DSPT to the CAF by providing expert guidance and support. Our services include thorough gap analyses that identify areas needing improvement and show where the CAF-based requirements go beyond the current regime, so you can see where your organisation may fall short of the new requirements. From this we provide a clear roadmap to ensure your Data Security and Protection Toolkit (DSPT) submission includes these changes and is successful. We can also assist you with the new CAF-aligned DSPT requirements and help you prepare for the earlier interim submission deadlines.
With the introduction of independent audit requirements, we offer audit preparation services to ensure compliance with the new standards. Our team is on hand to ensure you are fully prepared to meet these evolving data protection and cybersecurity obligations, minimising risks while maintaining operational efficiency.
This transition represents a critical advancement in cybersecurity and information governance across NHS Trusts, Foundation Trusts, and related healthcare bodies, aligning the DSPT with CAF standards to reinforce risk management, incident response, and supply chain security. Proactive gap analysis and audit preparation will support healthcare providers in meeting these heightened standards and adapting to the evolving digital landscape. Contact a member of our team today for step-by-step support through the process.