.svg)
In the 2024-25 period, a significant change is coming to how certain health and care organisations manage their Data Security and Protection Toolkit (DSPT) submissions. A specific group of organisations will transition to the new CAF-aligned DSPT, which introduces a new user interface and an updated framework for cyber security and information governance (IG) assessments. This change is part of a broader effort to enhance cyber resilience across the sector, driven by the Department of Health and Social Care's (DHSC) cyber security strategy to 2030.
The organisations moving to the CAF-aligned DSPT for 2024-25 include:
If you’re part of one of these organisation types, you'll see the changes when you log in to file your DSPT submission. It's important to note that other organisation types will not be transitioning to the CAF-aligned DSPT this year. For more information on which organisation types are affected, you can refer to the DSPT's help page.
If you're a cyber or IG professional in one of the organisations transitioning to the CAF-aligned DSPT, preparation will be key to ensuring a smooth submission process. Here are some steps you should take ahead of the transition:
The new CAF-aligned DSPT focuses on contributing outcomes that reflect the security and governance practices required by your organisation. Review these outcomes carefully and consider how they align with your current practices. Think about how your approach to cyber security and IG might need to evolve to meet the new standards. This could include a shift away from compliance-based thinking toward a more outcome-focused mindset.
One of the first tasks will be to conduct a scoping exercise to identify which of your organisation’s information, systems, and networks are in scope for the DSPT submission. This will ensure that you're focusing your efforts on the most critical areas of your organisation's cyber and IG infrastructure.
The CAF-aligned DSPT requires collaboration across teams. You’ll need to decide how the various DSPT activities will be delegated across your organisation, particularly between cyber security and IG teams. Most of the contributing outcomes will need joint working between these functions, so clear lines of responsibility are essential to a successful submission.
For more detailed guidance on these preparation steps, NHS England and DHSC have developed resources that can help you navigate the new toolkit.
While the CAF-aligned DSPT introduces new ways of thinking, it doesn’t necessarily mean you’ll need to overhaul your existing processes. In most cases, the shift will require you to assess your current practices in light of the new outcomes and decide whether they adequately contribute to improving your organisation’s cyber security and IG resilience.
The key difference is that the CAF-aligned DSPT is less about ticking compliance boxes and more about using your professional judgment to evaluate the effectiveness of your current approach. NHS England and DHSC have provided guidance to support you in making these assessments, but ultimately, you'll need to think about whether your people, processes, and technology are delivering the right outcomes for your organisation’s security needs.
As we approach the DSPT submission window for 2024-25, now is the time to start preparing if your organisation is among those transitioning to the CAF-aligned DSPT. By planning ahead, scoping your essential functions, and ensuring clear ownership of responsibilities across your team, you'll be well-positioned to meet the new requirements.
This transition represents a significant step forward in how cyber security and IG are managed within the healthcare sector, offering organisations the opportunity to improve their resilience against evolving cyber threats. Start thinking now about how your organisation can use the CAF-aligned DSPT to drive meaningful improvements in both security and governance.
If you're looking for expert support on how to best approach the new DSPT requirements, Periculo offers consultancy services designed to help organisations navigate these changes with confidence. Get in touch with us to ensure your organisation is fully prepared for the 2024-25 submission.
Contact Periculo for expert cyber security solutions tailored to the digital health industry.
