Data Security and Protection Toolkit Standard for 2019-20 (updated 7 June 2019)

The Data Security and Protection Toolkit Standard (DSPT) has been reviewed for 2019-20. The new standard builds on the work and learning from 2018-19.

Changes have been made in order to:

  • respond to lessons learned and direct feedback from users following the first year of the DSPT
  • improve the targeting of requirements to different categories of organisations
  • rationalise some of the General Data Protection Regulation (GDPR) evidence items which are now considered “business as usual”
  • incorporate the requirements of Cyber Essentials and the Minimum Cyber Security Standard (MCSS) for relevant larger NHS organisations
  • incorporate key elements of the Network and Information Systems (NIS) Regulations 2018 Cyber Assessment Framework (CAF) for relevant larger NHS organisations, as advised by the National Cyber Security Centre

The proposed updates to the DSPT 2019-20 standard have led to an increase from 100 to 116 mandatory evidence items for NHS trusts. This is due to additional evidence items being added to cover Cyber Essentials, MCSS and key NIS/CAF requirements. This has been partially balanced by a rationalisation of the GDPR requirements within the toolkit, which has led to a reduction in the evidence items for most smaller organisations.

The requirements of the new standard (and a mapping document from the 18/19 standard) are provided here:

DSPT Requirements 19-20 V1.9.6.xlsx

DSPT Changes 2018-19 to 2019-20.xlsx

The toolkit is being updated to reflect the new standard. This work will be complete very shortly, at which point organisations can start their assessment against the 19/20 standard. Confirmation of the anticipated launch date will be provided in a future news item.

Where evidence items have not materially changed, existing responses will be carried forward. Assertions must be re-confirmed before an assessment is published against the new standard.

Once the new standard goes live, you will not be able to publish against the old standard. If you still intend to make changes to, or publish, your 2018-19 toolkit assessment, please do so (and publish) before midday on 3rd June 2019.

Further detail applicable to NHS Trusts, CCGs, CSUs and Arm’s Length Bodies:

To ensure high data security standards are in place for the organisations which process the highest risk information in the health and care system, the standards for the above organisations have been raised to match those required by Government departments.

The Lessons Learned Review of the WannaCry Ransomware Cyber Attack (February 2018) recommended that all NHS organisations (Trusts) move towards Cyber Essentials PLUS, as recommended by the National Cyber Security Centre (NCSC). The DSPT standard for NHS Trusts has been uplifted to help these organisations meet this standard by March 2021. Note that not all Cyber Essentials requirements will be mandatory in 2019-20.

An updated audit regime is in development to validate DSPT submissions. This will help provide assurance of data security and identify common problem areas.

We recommend organisations review the new standard and begin planning for their 2019-20 assessment now.

Version control:

4 June: Requirements sheet updated (v1.9.6): evidence item 9.3.9 removed (duplicate); 8.2.2 tooltip updated.

7 June: Additional notes attached (including sector mapping):  DSPT 19-20 Notes v1.00.docx