Data Security and Protection Toolkit Standard for 2019-20 (updated 21 June 2019)

The Data Security and Protection Toolkit Standard (DSPT) has been reviewed for 2019-20.  The new standard builds on the work and learning from 2018-19.

Changes have been made in order to:

  • respond to lessons learned and direct feedback from users following the first year of the DSPT
  • improve the targeting of requirements to different categories of organisations
  • rationalise some of the General Data Protection Regulation (GDPR) evidence items which are now considered “business as usual”
  • incorporate the requirements of Cyber Essentials and the Minimum Cyber Security Standard (MCSS) for relevant larger NHS organisations
  • incorporate key elements of the Network and Information Systems (NIS) Regulations 2018 Cyber Assessment Framework (CAF) for relevant larger NHS organisations as advised by the National Cyber Security Centre

The updates to the DSPT 2019-20 standard have increased the number of mandatory evidence items for NHS trusts from 100 to 116, because additional evidence items have been added to cover Cyber Essentials, MCSS and key NIS/CAF requirements. This increase has been partially offset by a rationalisation of the GDPR requirements within the toolkit, which has reduced the number of evidence items for most smaller organisations.

The requirements of the new standard (and a mapping document from the 18/19 standard) are provided here:

DSPT Requirements 19-20 V1.9.6.xlsx

DSPT Changes 2018-19 to 2019-20.xlsx

Where evidence items have not materially changed, existing responses have been carried forward. Assertions must be re-confirmed before an assessment is published against the new standard.

Further detail applicable to NHS Trusts, CCGs, CSUs and Arm’s Length Bodies:

To ensure high data security standards are in place for the organisations which process the highest risk information in the health and care system, the standards for the above organisations have been raised to match those required by Government departments.

The Lessons learned review of the WannaCry Ransomware Cyber Attack from February 2018 recommended that all NHS organisations (Trusts) move towards Cyber Essentials PLUS, as recommended by the National Cyber Security Centre (NCSC). The DSPT standard for NHS Trusts has been uplifted to help these organisations meet this standard by March 2021. Note that not all Cyber Essentials requirements will be mandatory in 2019-20.

An updated audit regime is in development to validate DSPT submissions. This will help provide assurance of data security and identify common problem areas.

We recommend organisations review the new standard and begin their 2019-20 assessment now.

Version control:

4 June: Requirements sheet updated (v1.9.6):  Evidence item 9.3.9 removed (duplicate).  8.2.2 tooltip updated.

7 June: Additional notes attached (including sector mapping):  DSPT 19-20 Notes v1.00.docx

21 June: Minor updates to reflect the changes are no longer planned but implemented.