Improvement Plans - Instructions for 2023-2024
Guidance and Instructions for 2023-24 Data Security and Protection Toolkit. This applies to NHS Trusts, Integrated Care Boards (ICBs), CSUs, Independent Providers who are Operators of Essential Services under NIS, Key IT Suppliers, Local Authorities and DHSC Arm's Length Bodies.
Improvement Plans - Instructions for 2023-2024
Guidance to support NHS Trusts, Integrated Care Boards (ICBs), CSUs, Independent Providers who are Operators of Essential Services under NIS, Key IT Suppliers, Local Authorities and DHSC Arm's Length Bodies to submit a 23-24 Data Security and Protection Toolkit (DSPT) improvement plan, if required.
The Improvement Plan process is designed to support those organisations who have not quite achieved Standards Met on the DSPT and only have a few outstanding evidence items to meet. Organisations who have achieved Standards Met for the 23-24 DSPT can ignore this guidance.
NHS Trusts, ICBs, CSUs, Independent Providers who are Operators of Essential Services under NIS, Integrated Care Boards, Key IT Suppliers, Local Authorities and DHSC Arm's Length Bodies that have not met all mandatory evidence items, should publish a Standards Not Met assessment and submit an Improvement Plan.
Your plan will be reviewed by the relevant NHS England and Department of Health and Social Care teams and, if approved, your DSPT status will be amended to Approaching Standards.
Completing the outstanding DSPT evidence items and consulting the Cyber Assessment Framework (CAF) mappings should also assist you in preparing to demonstrate compliance of relevant CAF-based DSPT outcomes when these apply to your organisation. Further details on CAF is available here.
How to complete your Improvement Plan.
From the DSP Toolkit Assessment screen, click the publish assessment button. (Note: you can do this in advance of publication, and it does not commit you to publish at this point)
If you have not achieved Standards Met (i.e., not completed all the mandatory evidence items and confirmed the assertions with mandatory evidence items), you will be presented with the Provide an improvement plan screen.
After 21st May 2024, click the download an improvement plan template link. This will automatically list the evidence items you have not responded to.
If you are not ready to complete your improvement plan, you can click the back to assessment link and continue to work on your DSPT assessment).
For evidence items where you have provided a partial response, but it is not enough to reach the standard, then you should manually add a row to the improvement plan template and complete a return for that evidence item.
Complete your improvement plan, using the prescribed template, to explain the steps your organisation is taking towards achieving Standards Met on the DSPT.
Where the following organisations are aware they will not meet the requirements, they should inform the relevant NHS England and DHSC teams in advance of the 30 June 2023 deadline and work with them on developing an improvement plan. The contacts are as follows:
Independent providers who are Operators of Essential Services under NIS should contact the Joint Cyber Unit via NIS.Authority@dhsc.gov.uk and DHSC’s arm’s length bodies should contact the Joint Cyber Unit via england.cyber@nhs.net.
NHS trusts, ICBs and CSUs should contact their NHSE Regional Security Lead (see contacts by region below):
Note: IT Suppliers and Local Authorities are not required to contact the teams in advance.
Regional Security Leads
Victoria Axon
Midlands
Ian Fletcher
South West
Peter Hartley
London
Matthew Lutkin
North East
Daniel Oliver
South East
Steven Shaw
North West
Mark Dimock
East
The improvement plan must include:
- all the mandatory evidence items where there is a gap between Standards Met on the DSPT and your organisation’s current position. This must include outstanding actions raised as part of your DSPT audit.
- the actions required to meet the outstanding evidence item.
- the organisation’s plan for achieving the outstanding actions including milestones. This must include any outstanding activity to secure funding and resourcing to ensure the plan is achieved by the completion date.
- the action owner for each item.
- the planned completion date for each item.
- the status of the item
-any local references for the action such as risk register or audit action number
There is also the opportunity on the template to confirm if any dependencies such as Electronic Patient Records implementation that have or may impact your Organisation meeting the evidence item.
When to submit your Improvement Plan
Your improvement plan should be uploaded at the point of publishing your DSPT assessment. Upload a copy of your plan on the Provide an improvement plan screen which is displayed when you click the publish assessment button.
The reviewers will also cross reference the Improvement plan to your DSPT audit report and may require further information from the organisation y actions raised in the DSPT audit were not included in the DSPT Improvement plan.
The deadline for completing the 2023-2024 toolkit is 30 June 2024.
Once you have uploaded your Improvement Plan and published your assessment please confirm to: cybersecurity@nhs.net and request a review of your improvement plan.
What happens once you have submitted your Improvement Plan?
The relevant NHS England and DHSC teams, namely the DSP Toolkit team, Regional Security Leads and Joint Cyber Unit, will review your plan for robustness and achievability. If approved, the DSP Toolkit team will update your toolkit status to Approaching Standards. This will NOT publish any detail of which area requires improvement.
Where an organisation’s improvement plan is not initially agreed, an email will be sent to the organisation to arrange a call with the NHS England Regional Security Lead or Joint Cyber Unit to discuss what is required to agree an Improvement plan.
Improvement plans will not be agreed where:
- completion dates are not provided
- dates go beyond June 2025, unless there are exceptional circumstances agreed with NHS England and DHSC
- there is no realistic or robust plan to achieve the evidence requirement
You should continue to work on the actions in your plan.
If you complete your outstanding actions, please send in an updated plan to: cybersecurity@nhs.net, so that your toolkit status can be reviewed. Where you have successfully completed all the actions and met the requirements your toolkit status will be updated to Standards Met.
You will be contacted for a progress update on your Improvement Plan in September and December 2024 (unless you have already completed Improvement Plan).
For more information, please see the Improvement plan process overview below.
Overview and timeline of the DSPT Improvement Process for Organisations who do not meet the 2022/23 standard.
An improvement plan process is in place to assist those organisations which do not meet the 2023/24 DSPT Standards Met in demonstrating the progress they are making to achieve compliance. The process aims to minimise the administrative burden placed on organisations by providing clear expectations and touchpoints. The process also signposts support services provided by NHS England for NHS organisations and arm’s length bodies.
For Independent Providers who are Operators of Essential Services under NIS, who have moved up to Category One for the 2023/24 DSPT, there is a marked increase in expectations, and it is recognised that some organisations may not achieve all of the new requirements in the first year. Engagement with the dedicated Improvement Plan process enables organisations to demonstrate the progress they are making to NHS England, DHSC and to commissioners.
Organisations are encouraged to take reasonable steps at each point of the process to provide information as required or to make necessary improvements to meet the DSPT standard. Failure to engage with DSPT team and Regional Security Leads where required, will result in escalation to NHS England or DHSC for Arm’s Length Bodies and Independent Providers who are Operators of Essential Services.
The following timescales will be applied and should be used to assist organisations with their improvement planning and to understand when updates will be requested by NHS England DSP Toolkit team. Please note these timescales are subject to change.
June 2024
Organisations who are aware they will not meet the requirements need to inform their contacts (included above at How to complete your improvement plan) by 1 June 2024, in advance of the 30 June deadline and discuss their plan.
Where an organisation does not meet DSPT Standards Met, they should follow the improvement plan instructions provided via this guidance.
Where relevant, the organisation will be directed to appropriate Cyber Security Operations services and any exemplar organisations within the Region.
The NHS England Regional Digital Transformation teams may be informed and asked to work with any Trusts/CSUs/ICBs who fail to submit an improvement plan. With NHS England or DHSC informed for Arm’s Length Bodies and Independent Providers who are Operators of Essential Services who fail to submit an improvement plan.
July/August 2024
The NHS England DSP Toolkit team, in collaboration with the Regional Security Leads and Joint Cyber Unit, will review improvement plans and where they determine that an improvement plan meets the requirement:
The organisation will achieve the status ‘Approaching Standards’ subject to delivery of the agreed improvement plan and updates.
If the above fails:
- The organisation’s status will remain at ‘Standard Not Met’ until such time as a satisfactory improvement plan is provided.
- If required, the NHS England Regional Security Lead will be formally asked to work with the Trust/CSU/ICB to produce a satisfactory improvement plan.
- The organisation produces an updated plan, re-publishes its Data Security and Protection Toolkit including its updated plan and it will be reviewed again.
On a case-by-case basis, where the National Chief Information Security Officer judges it to be appropriate, an improvement plan which does not meet the criteria may be accepted.
September 2024 and December 2024
Organisations will be reminded to provide an improvement plan update by the 30 September 2024 and 31 December 2024.
Where an organisation completes all actions within its improvement plan, they should email their completed plan to: cybersecurity@nhs.net. The organisation’s DSP Toolkit status will be amended to Standards Met.
October 2024 and January 2025
NHS England will review improvement plan updates:
Where an improvement plan update has not been received as required:
- The NHS England Regional Security Lead, NHS England Regional Digital Transformation team and Joint Cyber Unit where relevant will be informed and asked to work with the Trust/CSU/ICB to provide the update by 14 October and 14 January respectively.
Ongoing
The NHS England DSPT team will review final improvement plan updates:
Where an organisation has met the standard:
- It will be assigned ‘Standard Met’ status.
Where an organisation has still not met the DSPT standard:
- The organisation’s status will remain at ‘Approaching Standards’ until such time as the plan is confirmed as completed
- Where relevant, the organisation will be directed to appropriate Cyber Security Operations services and best practice from exemplar organisations within the Region.
Network and Information Systems Regulations 2018 (NIS Regulations)
NHS trusts and foundation trusts, ICBs, and certain independent providers of healthcare are designated as Operators of Essential Services (OESs) under the NIS Regulations. The Regulations require organisations identified as OESs to take appropriate and proportionate measures to:
- manage risks posed to the security of the network and information systems on which their essential services rely
- prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential services and
- report any incident which has an adverse effect on the security of network and information systems, and which has a significant impact on the continuity of an essential service that the OES provides.
The DSPT is a requirement for OESs to demonstrate their fulfilment of the security duties of the NIS Regulations, and failure to fully engage with the DSPT improvement plan process may result in regulatory action being taken under the NIS Regulations. For example, an OES may be issued an information notice to require them to provide information or an enforcement notice requiring them to take specified action. This may include cases where DHSC has insufficient reassurance because there is no plan or the plan is incomplete, the quality or detail of the plan is insufficient, or progress is slipping against agreed completion dates in the plan.
The NIS Healthcare sector guide can be accessed here for information.