Improvement Plans - Instructions for 2022-2023 (07 June 2023)

Guidance to support NHS Trusts, ICBs, CSUs, Local Authorities and DHSC Arm's Length Bodies to submit a DSPT improvement plan, if required.


The improvement plan process is designed to support those organisations that have not quite met the toolkit standard and have only a few outstanding evidence items to meet. NHS Trusts, ICBs, CSUs, Local Authorities and DHSC Arm's Length Bodies that have achieved Standards Met can ignore this guidance.

NHS Trusts, ICBs, CSUs, Local Authorities and DHSC Arm's Length Bodies that have not met all mandatory evidence items, should publish a Standards Not Met assessment and submit an Improvement Plan.

Your plan will be reviewed by NHS England and, if approved, your toolkit status will be amended to Approaching Standards.


How to complete your Improvement Plan

From the DSP Toolkit Assessment screen, click the publish assessment button. (Note: you can do this in advance of publication, and it does not commit you to publish at this point)

If you have not achieved Standards Met (i.e., not completed all the mandatory evidence items and confirmed the assertions with mandatory evidence items), you will be presented with the Provide an improvement plan screen.

Click the download an improvement plan template link. This will automatically list the evidence items you have not responded to.

If you are not ready to complete your improvement plan, you can click the back to assessment link and continue to work on your Data Security and Protection Toolkit assessment.

For evidence items where you have provided a partial response that is not enough to reach the standard, add a row to the improvement plan template for that evidence item.

Complete your improvement plan, using the prescribed template, to explain the steps your organisation is taking towards meeting the Data Security and Protection Toolkit Standard.

Organisations who are aware they will not meet the requirements should inform their NHS England Regional Security Lead in advance of the 30 June 2023 deadline and work with them on developing an improvement plan. (Note: Local Authorities and ALBs are not required to contact the NHS England Regional Security Leads).

Regional Security Leads

- Victoria Axon, Midlands: Victoria.axon1@nhs.net

- Ian Fletcher, South West: ian.fletcher7@nhs.net

- Peter Hartley, London: peter.hartley2@nhs.net

- Matthew Lutkin, North East: Matthew.lutkin@nhs.net

- Daniel Oliver, South East: daniel.oliver@nhs.net

- Steven Shaw, North West: steven.shaw2@nhs.net

- Mark Dimock, East: mark.dimock1@nhs.net

The improvement plan must include:

- all the mandatory evidence items where there is a gap between the DSP Toolkit standard and your organisation’s current position. 

- the actions required to meet the outstanding evidence item.

- the organisation’s plan for achieving the outstanding actions including milestones.

- the action owner for each item.

There is also the opportunity on the template to confirm whether Covid affected your organisation's ability to meet the evidence item.

When to submit your Improvement Plan

Your improvement plan should be uploaded at the point of publishing your assessment. Upload a copy of your plan on the Provide an improvement plan screen which is displayed when you click the publish assessment button.

https://www.dsptoolkit.nhs.uk/News/improvement-plans

The deadline for completing the 2022-2023 toolkit is 30 June 2023.

Once you have uploaded your Improvement Plan and published your assessment please confirm to: cybersecurity@nhs.net and request a review of your improvement plan.


What happens once you have submitted your Improvement Plan?

NHS England (DSP Toolkit team and Regional Security Leads) will review your plan for achievability and, if approved, will update your toolkit status to Approaching Standards. This will NOT show any detail of which area requires improvement.

Where an organisation’s improvement plan is not initially agreed, an email will be sent to the organisation to arrange a call with the NHS England Regional Security Lead to discuss what is required to agree an Improvement plan.

Improvement plans will not be agreed by NHS England where:

- completion dates are not provided

- completion dates go beyond June 2024, unless there are exceptional circumstances agreed with NHS England

- there is no realistic plan to achieve the evidence requirement.

You should continue to work on the actions in your plan. 

If you complete your outstanding actions, please send in an updated plan to: cybersecurity@nhs.net, so that your toolkit status can be reviewed. Where you have successfully completed all the actions and met the requirements your toolkit status will be updated to Standards Met. 

You will be contacted for a progress update on your Improvement Plan in September 2023 and December 2023 if no update has been received.

For more information, please see the Improvement plan process overview below.


Overview and timeline of the DSPT Improvement Process for Organisations who do not meet the 2022/23 standard.

An improvement process is in place to assist those organisations which do not meet the 2022/23 DSPT standard. The process is aimed at minimising the administrative burden placed on organisations and includes support services provided by NHS England.

Organisations are encouraged to take reasonable steps at each point of the process to provide information as required or to make the necessary improvements to meet the DSPT standard. Failure to engage with the DSPT team and Regional Security Leads will result in escalation to NHS England or, for Arm’s Length Bodies, to DHSC.

The following timescales will be applied and should be used to assist organisations with their improvement planning and to understand when updates will be requested by the NHS England DSPT team. Please note these timescales are subject to change.

June 2023

Organisations who are aware they will not meet the requirements need to inform their NHS England Regional Security Lead in advance of the 30 June deadline and work with them on developing a plan.

Where an organisation does not meet the standard, they should follow the improvement plan instructions provided on the DSP Toolkit website.


NHS England Regional Security Leads will help the Trust/CSU/ICB meet the DSPT standard by directing the Trust/CSU/ICB to appropriate Cyber Security Operations services and any exemplar organisations within the Region.


The NHS England Regional Digital Transformation teams may be informed and asked to work with any Trusts/CSUs/ICBs who fail to submit an improvement plan.


July/August 2023

The NHS England DSP Toolkit team, in collaboration with the Regional Security Leads, will review improvement plans and, where they determine that an improvement plan meets the requirement:

The organisation will achieve the status ‘Approaching Standards’ subject to delivery of the agreed improvement plan and updates.

If the above fails:

- The organisation’s status will remain at ‘Standard Not Met’ until such time as a satisfactory improvement plan is provided.

- If required, the NHS England Regional Security Lead will be formally asked to work with the Trust/CSU/ICB to produce a satisfactory improvement plan.

- The organisation produces an updated plan, re-publishes its Data Security and Protection Toolkit including its updated plan, and it will be reviewed again.

On a case-by-case basis, where the NHS England SRO judges it to be appropriate, an improvement plan which does not meet the criteria may be accepted.


September 2023 and December 2023

Organisations will be reminded to provide an improvement plan update by 30 September 2023 and 31 December 2023.

Where an organisation completes all actions within its improvement plan, it should email its completed plan to: cybersecurity@nhs.net. The organisation’s DSP Toolkit status will be amended to Standards Met.

October 2023 and January 2024

NHS England will review improvement plan updates:

Where an improvement plan update has not been received as required:

- The NHS England Regional Security Lead and NHS England Regional Digital Transformation team will be informed and asked to work with the Trust/CSU/ICB to provide the update by 14 October and 14 January respectively.


Ongoing

The NHS England DSPT team will review final improvement plan updates:

Where an organisation has met the standard:

- It will be assigned ‘Standard Met’ status.


Where a Trust/CSU/ICB has still not met the DSPT standard:

- NHSD Regional Security Leads will direct the Trust/CSU/ICB to appropriate Cyber Security Operation service and identify any exemplar organisations within the Region in order that best practice can be shared.

Network and Information Systems

All NHS Trusts, Foundation Trusts and ICBs are classified as Operators of Essential Services (OESs) under the Network and Information Systems (NIS) Regulations 2018. The Regulations require organisations identified as OESs to take appropriate and proportionate measures to:


- manage risks posed to the security of the network and information systems on which their essential services rely

- prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential services and

- report any incident which has an adverse effect on the security of network and information systems, and which has a significant impact on the continuity of an essential service that the OES provides.


The DSPT is a requirement for OESs to demonstrate their fulfilment of the security duties of the NIS Regulations, and failure to engage with the improvement plan process may result in regulatory action being taken under the Regulations. For example, a Trust may be issued with an Information Notice to require them to provide information or an Enforcement Notice requesting them to take specified steps as required under the regulations.


The NIS Healthcare sector guide can be accessed here for information.