Improvement Plans - Instructions for 2021 (06 October 2021)

This guidance only applies to NHS Trusts, CCGs, CSUs, Local Authorities and DHSC Arm's Length Bodies. 

The Improvement plan process is designed to support those organisations who have not quite met the toolkit standard and only have a few outstanding evidence items to meet.   

NHS Trusts, CCGs, CSUs, Local Authorities and DHSC Arm's Length Bodies that have not met all mandatory evidence items should publish a Standards Not Met assessment and submit an Improvement Plan.

Your plan will be reviewed by NHS Digital and, if approved, your toolkit status will be amended to "Approaching Standards"*. 

 

How to complete your Improvement Plan. 

Please complete the Improvement Plan template provided.

The plan must include:

- all the mandatory evidence items where there is a gap between the DSP Toolkit standard and your organisation’s current position.  

- the actions required to meet the outstanding evidence item.

- the action owner for each item.

- the expected completion date of the outstanding actions - which should be within 6 months i.e. by 30 December 2021. 

There is also the opportunity on the template to confirm whether your Covid response has impacted on your Organisation meeting the evidence item. Where this applies, for these evidence items, dates are still required for when the actions will be completed but these dates can be relative to the return to business as usual, i.e. the policy will be agreed three months after return to BAU. 

 

When to submit your Improvement Plan 

Your Improvement Plan should be uploaded at evidence item 9.4.5 before publishing your assessment, with details of the Improvement plan sign off by the SIRO recorded in the comments section.  

The deadline for completing the 2020-2021 toolkit is 30 June 2021. 

Once you have uploaded your Improvement Plan and published your assessment please confirm to: cybersecurity@nhs.net and request a review of your improvement plan. 

 

What happens once you have submitted your Improvement Plan? 

NHS Digital will review your plan and, if approved, will update your toolkit status to Approaching Standards*. This will NOT show any detail of which area requires improvement. 

Improvement plans will not be agreed by NHS Digital where:

- completion dates are not provided.

- there is no realistic plan to achieve the evidence requirement.

- the plan covers more than 15 outstanding evidence items. 

You should continue to work on the actions in your plan.  

If you complete your outstanding actions, please send an updated plan to cybersecurity@nhs.net so that your toolkit status can be reviewed. Where you have successfully completed all the actions and met the requirements, your toolkit status will be updated to Standards Met.

You will be contacted for a progress update on your Improvement Plan if no update has been received.  

 

Help and advice. 

If you require any further details, please Contact us 


DSPT Standards Improvement Process for NHS Trusts and Foundation Trusts who do not meet the 2020/21 standard
An improvement process is in place to assist those organisations which do not meet the 2020/21 DSPT standard. The process is aimed at minimising the administrative burden placed on organisations and includes support services provided to Trusts by NHS Digital.
Trusts are encouraged to take reasonable steps at each point in the process to provide information as required or to make necessary improvements to meet the DSPT standard. Failure to engage with NHS Digital will result in escalation to NHSX.
The following timescales will be applied and should be used to assist Trusts with their improvement planning and to understand when updates will be requested by NHS Digital. Please note these timescales are subject to change.

 

June 2021
- Organisations who are aware they will not meet the requirements need to inform their NHSD Regional Security Leads in advance of the 30 June deadline. Where a Trust does not meet the standard, they should follow the improvement plan instructions provided on the DSP Toolkit website on 19 May 2021.

- NHS Digital Regional Security Leads will help the Trust meet the DSPT standard by directing the Trust to appropriate Data Security services and any exemplar organisations within the Region.

- The NHS England Regional Digital Transformation teams will be informed and asked to work with any Trusts who fail to submit an improvement plan.

 

July/August 2021

- NHSD reviews improvement plans to determine if the Trusts concerned will meet the DSPT standard by the end of December 2021.

- Where NHSD determines that an improvement plan meets this condition:
  - The Trust will achieve the status "Approaching Standards"* subject to delivery of the agreed improvement plan and updates.

- If the above fails:
  - The Trust will remain at ‘Standards Not Met’ status until such time as a satisfactory improvement plan is provided.
  - If required, the NHS Digital Regional Security Lead will be asked to work with the Trust to produce a satisfactory improvement plan.

- On a case-by-case basis, where the NHSX SRO judges it to be appropriate, an improvement plan which will not quite bring the Trust to the DSPT standard by the end of December 2021 may be accepted.

 

September 2021

- Trusts will provide an improvement plan update.
- Where a Trust completes delivery of its improvement plan before the end of September, it should email its completed plan to: cybersecurity@nhs.net. Its status will be amended to Standards Met.

 

October 2021
NHSD will review improvement plan updates:
- Where an improvement plan update has not been received as required:
  - The NHS England Regional Digital Transformation team will be informed and asked to work with the Trust to provide the update by 14th October at the latest.
  - The Trust will be asked to submit a revised improvement plan within two weeks.

 

December 2021
- Trusts will provide a final improvement plan update to NHSD by the end of December at the latest.
- The status will be amended to Standards Met for those improvement plans delivered before the end of December and e-mailed as soon as possible after completion to: cybersecurity@nhs.net.

 

January 2022
NHSD will review final improvement plan updates:
- Where a Trust has met the standard:
  - It will be assigned ‘Standards Met’ status.
- Where a Trust has still not met the DSPT standard:
  - The Trust will have their DSP Toolkit status amended to ‘Standards Not Met’ status.
NHSD Regional Security Leads will direct the Trust to appropriate Data Security services and identify any exemplar organisations within the Region in order that best practice can be shared.


All NHS Trusts and Foundation Trusts are classified as Operators of Essential Services under the Network and Information Systems (NIS) Regulations 2018. The Regulations require organisations identified as Operators of Essential Services to take appropriate and proportionate measures to:

- manage risks posed to the security of the network and information systems on which their essential services rely;
- prevent and minimise the impact of incidents on the delivery of essential services; and
- report serious network and information incidents that impact on provision of the essential service.

The DSPT is a requirement for Operators of Essential Services to demonstrate their fulfilment of the security duties of the NIS Regulations, and failure to engage with the improvement plan process may result in regulatory action being taken under the Regulations. For example, a Trust may be issued with an Information Notice to require them to provide information or an Enforcement Notice requesting them to take specified steps as required under the regulations.


The NIS Healthcare sector guide can be accessed here for information.

 

*In October 2021 the historic "Standards Not Met (Plan Agreed)" status was renamed to "Approaching Standards" to aid clarity for new/non-DSPT users and provide consistency with terminology used in social care DSPT assessments.