Improvement Plans - Instructions for 2021-2022 (26 May 2022)

Guidance to support NHS Trusts, CCGs, CSUs, Local Authorities and DHSC Arm's Length Bodies to submit a DSPT improvement plan. Updated as reporting arrangements.

The Improvement Plan process is designed to support those organisations that have not quite met the toolkit standard and have only a few outstanding evidence items to meet. NHS Trusts, CCGs, CSUs, Local Authorities and DHSC Arm's Length Bodies that have achieved Standards Met can ignore this guidance.

NHS Trusts, CCGs, CSUs, Local Authorities and DHSC Arm's Length Bodies that have not met all mandatory evidence items should publish a Standards Not Met assessment and submit an Improvement Plan.

Your plan will be reviewed by NHS Digital and, if approved, your toolkit status will be amended to Approaching Standards.

 

How to complete your Improvement Plan

From the DSP Toolkit Assessment screen, click the publish button. (Note: you can do this in advance of publication; it does not commit you to publishing at this point.)

If you have not achieved Standards Met you will be presented with the Provide an improvement plan screen.

Click the 'download an improvement plan template' link. The template will automatically list the evidence items you have not responded to.

If you are not ready to complete your Improvement Plan now, you can click the 'back to assessment' link and continue work on your Data Security and Protection Toolkit.

Where you have provided a partial response to an evidence item but it is not enough to reach the standard, add a row to the template for that evidence item.

Complete your improvement plan, using the prescribed template, to explain the steps your organisation is taking towards meeting the Data Security and Protection Toolkit Standard.

Organisations who are aware they will not meet the requirements should inform their NHSD Regional Security Leads in advance of the 30 June deadline and work with them on developing a plan. (Note: Local Authorities and ALBs are not required to contact the NHS Digital Regional leads).

Regional Security Leads

- Victoria Axon, Midlands: Victoria.axon1@nhs.net

- Ian Fletcher, South West: ian.fletcher7@nhs.net

- Peter Hartley, London: peter.hartley2@nhs.net

- Matthew Lutkin, North East: Matthew.lutkin@nhs.net

- Daniel Oliver, South East: daniel.oliver@nhs.net

- Steven Shaw, North West: steven.shaw2@nhs.net

- Mark Dimmock, East: mark.dimmock1@nhs.net


The plan must include:

- all the mandatory evidence items where there is a gap between the DSP Toolkit standard and your organisation’s current position. 

- the actions required to meet the outstanding evidence item.

- the organisation’s plan for achieving the outstanding actions including milestones.

- the action owner for each item.

The template also gives you the opportunity to confirm whether your Covid response has affected your organisation's ability to meet the evidence item.

CCGs must include details of who they are handing actions on to once they are replaced by Integrated Care Boards.

 

When to submit your Improvement Plan

Your Improvement Plan should be uploaded at the point of publishing your assessment. Upload a copy of your plan on the Provide an improvement plan screen which is displayed when you click the publish button.

https://www.dsptoolkit.nhs.uk/News/improvement-plans

The deadline for completing the 2021-2022 toolkit is 30 June 2022.

Once you have uploaded your Improvement Plan and published your assessment, please email cybersecurity@nhs.net to confirm this and request a review of your Improvement Plan.

 

What happens once you have submitted your Improvement Plan?

NHS Digital (DSP Toolkit and Regional Cyber Leads) will review your plan for achievability and, if approved, will update your toolkit status to Approaching Standards. This will NOT show any detail of which area requires improvement.

Where an organisation’s Improvement plan is not initially agreed, an email will be sent to the organisation and a call will be arranged between NHS Digital and the organisation to discuss what is required to agree an Improvement plan.

Improvement plans will not be agreed by NHS Digital where:

- completion dates are not provided.

- there is no achievable, realistic plan to achieve the evidence requirement.

You should continue to work on the actions in your plan. 

If you complete your outstanding actions, please send in an updated plan to cybersecurity@nhs.net so that your toolkit status can be reviewed. Where you have successfully completed all the actions and met the requirements your toolkit status will be updated to Standards Met. 

You will be contacted for a progress update on your Improvement Plan if no update has been received. 

DSPT Improvement Process for Organisations who do not meet the 2021/22 standard

An improvement process is in place to assist those organisations which do not meet the 2021/22 DSPT standard. The process is aimed at minimising the administrative burden placed on organisations and includes support services provided by NHS Digital.

Organisations are encouraged to take reasonable steps at each point of the process to provide information as required or to make the necessary improvements to meet the DSPT standard. Failure to engage with NHS Digital will result in escalation to NHS England (or to DHSC in the case of Arm's Length Bodies).

The following timescales will be applied and should be used to assist organisations with their improvement planning and to understand when updates will be requested by NHS Digital. Please note these timescales are subject to change.

 

June 2022

Organisations who are aware they will not meet the requirements need to inform their NHSD Regional Security Leads in advance of the 30 June deadline and work with them on developing a plan.

Where an organisation does not meet the standard, they should follow the improvement plan instructions provided on the DSP Toolkit website.

 

NHS Digital Regional Security Leads will help the Trust/CSU/CCG meet the DSPT standard by directing the Trust/CSU/CCG to appropriate Data Security Centre services and any exemplar organisations within the Region.

 

The NHS England Regional Digital Transformation teams may be informed and asked to work with any Trusts/CSUs/CCGs who fail to submit an improvement plan.

 

July/August 2022

NHS Digital will review improvement plans; the review involves both the DSP Toolkit team and the Regional Security Leads.

 

Where NHSD determines that an improvement plan meets the requirement:

The organisation will achieve the status ‘Approaching Standards’ subject to delivery of the agreed improvement plan and updates.

 

If the plan does not meet the requirement:

- The organisation will remain at 'Standard Not Met' status until such time as a satisfactory improvement plan is provided.

- If required, the NHS Digital Regional Security Lead will be asked to work with the Trust/CSU/ICB to produce a satisfactory improvement plan.

- The organisation produces an updated plan and re-publishes its Data Security and Protection Toolkit assessment with the updated plan, which will then be reviewed again.

 

On a case-by-case basis, where the NHSX SRO judges it to be appropriate, an improvement plan which does not meet the criteria may be accepted.

 

September 2022 and December 2022

Organisations will be reminded to provide an improvement plan update.

Where an organisation completes delivery of its improvement plan, it should email its completed plan to cybersecurity@nhs.net. The DSP Toolkit status of the organisation (or of the historic CCG, if appropriate) will be amended to Standards Met.

October 2022 and January 2023

NHSD will review improvement plan updates:

Where an improvement plan update has not been received as required:

- The NHS Digital Regional Security Lead and the NHS England Regional Digital Transformation team will be informed and asked to work with the Trust/CSU/ICB to provide the update by 14 October at the latest.

 

Ongoing

NHSD will review final improvement plan updates:

Where an organisation has met the standard:

- It will be assigned ‘Standard Met’ status.

 

Where a Trust/CSU/ICB has still not met the DSPT standard:

- NHSD Regional Security Leads will direct the Trust/CSU/ICB to appropriate Data Security services and identify any exemplar organisations within the Region in order that best practice can be shared.

All NHS Trusts and Foundation Trusts are classified as Operators of Essential Services under the Network and Information Systems (NIS) Regulations 2018. The Regulations require organisations identified as Operators of Essential Services to take appropriate and proportionate measures to:

- manage risks posed to the security of the network and information systems on which their essential services rely

- prevent and minimise the impact of incidents on the delivery of essential services and

- report serious network and information incidents that impact on provision of the essential service.

 

The DSPT is a requirement for Operators of Essential Services to demonstrate their fulfilment of the security duties of the NIS Regulations, and failure to engage with the improvement plan process may result in regulatory action being taken under the Regulations. For example, a Trust may be issued with an Information Notice requiring it to provide information, or an Enforcement Notice requiring it to take specified steps, as provided for under the Regulations.

 

The NIS Healthcare sector guide can be accessed here for information.