NHS England update cyber security model to strengthen data protection

03 September 2024

The National Data Guardian (NDG) and NHS England have announced a significant update to how health and social care organisations measure and self-report their data security capabilities.

The NDG and NHS England have issued a joint statement addressing the ‘NHS Data Security and Protection Toolkit’ (DSPT). The statement explains why NHS England is adopting the National Cyber Security Centre’s ‘Cyber Assessment Framework’ (CAF) and moving away from the NDG’s 10 data security standards as the assessment mechanism for the DSPT.

The change is part of the Department of Health and Social Care’s ‘Cyber security strategy for health and social care for 2023 to 2030’. It aims to align health and care with cyber resilience standards across other sectors.

From 2 September 2024, the DSPT will gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s CAF as its underpinning assessment mechanism.

NHS England will notify organisations when it is their turn to transition and guide them through the process.

Introduced in the National Data Guardian’s 2016 review of data security, consent, and opt-outs, the 10 data security standards have been essential in protecting patient information by encouraging a focus on three key areas: people, process and technology.

While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats calls for a more current and comprehensive assessment approach, which the CAF provides.

Nicola Byrne, the national data guardian, said, “I fully support this transition to the CAF. It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience.

“I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care.”