Today, the National Data Guardian (NDG) and NHS England jointly announced a significant update to how health and social care organisations measure and self-report their data security capabilities.
Read the full joint statement on NHS England’s website.
This change, part of the Department of Health and Social Care’s cyber security strategy for health and social care: 2023 to 2030, aims to align health and care with cyber resilience standards across other sectors.
Starting from 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its underpinning assessment mechanism. NHS England will notify organisations when it is their turn to transition and guide them through the process.
Introduced in the National Data Guardian’s 2016 review of data security, consent, and opt-outs, the 10 data security standards have been essential in protecting patient information by encouraging a focus on three key areas: people, process and technology. While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats requires the more advanced approach the CAF provides.
Dr. Nicola Byrne, the National Data Guardian, said:
I fully support this transition to the CAF. It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience. I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care.