The CAF-aligned DSPT sets out to:
- “emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level …”
- “support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box”; and
- “create opportunities for better practice, by prompting … organisations to remain current with new security measures to meet new threats and risks”.
In this blog, we provide an overview of the CAF and DSPT, explain who falls within the scope of the CAF-aligned DSPT, and outline the key submission milestones to help organisations prepare effectively. We also highlight the differences between the DSPT and other CAF profiles and take a closer look at some of the data privacy controls that will be assessed.
What is the CAF?
The Cyber Assessment Framework is a structured, outcome-based framework created by the UK National Cyber Security Centre to help organisations understand, measure, and improve their cyber resilience. It is widely used in critical national infrastructure (CNI) sectors and is referenced by regulators in their compliance assessments.
The CAF is designed to help organisations strengthen their resilience against cyber threats. It enables them to identify and manage risks, implement proportionate and effective security controls, monitor and detect cyber events, and respond to and recover from incidents. It’s often used as a tool to demonstrate compliance to regulators and is designed to be practical, scalable, and technology-neutral.
The CAF is built around four high-level objectives and 14 principles that define what good cyber security looks like. The four objectives are:
- Objective A – Managing Security Risk: establish governance, accountability, and risk management processes.
- Objective B – Protecting Against Cyber Attack: implement controls to prevent or reduce the impact of attacks.
- Objective C – Detecting Cyber Security Events: ensure the organisation can detect abnormal activity and cyber incidents.
- Objective D – Minimising the Impact of Cyber Incidents: ensure resilience, response, and recovery capabilities.
Each objective contains multiple principles and Indicators of Good Practice (“IGPs”) describing expected behaviours.
What is the DSPT, What Has Changed, and Who is in Scope of the CAF-aligned DSPT?
The DSPT has historically been a self-assessment tool for health and care providers to assess their data protection and cyber security practices against ten Security Standards set by the National Data Guardian (“NDG”). Since late 2024, NHS England (“NHSE”) has been incorporating the CAF into DSPT assurance to increase the maturity of in-scope organisations’ data protection and cyber security posture, particularly in light of an increasingly aggressive and evolving threat landscape. This was a commitment made in the Department of Health and Social Care’s (DHSC) cyber security strategy to 2030.
NHS England’s CAF-aligned DSPT adapts these standards for health and care, adding outcomes tailored to information governance, including the responsible handling and disclosure of patient data. Before alignment with the CAF, the DSPT was largely checklist-driven with a focus on the existence of policies and procedures. The CAF-aligned DSPT now adopts an outcomes-driven approach, requiring organisations to demonstrate that processes work in practice rather than merely producing a policy document.
Organisations assess themselves against 47 outcomes, each with supporting IGPs, and rate their responses on a three-point maturity scale: ‘Not Achieved’, ‘Partially Achieved’, or ‘Achieved’. The aim is not to reach full maturity immediately; NHSE will set a ‘baseline’ CAF profile, based on aggregate submission responses – currently expected to be ‘Partially Achieved’. The profile then rises over time to an ‘Enhanced Profile’ as organisations’ data protection and cyber security posture matures, giving organisations a predictable path for continuous security improvement whilst minimising the disruption to business processes.
The CAF-aligned DSPT does provide some flexibility with how to meet the objectives. Instead of prescribing certain controls, it focuses on whether risks are properly managed. For example, IGP A#3, which states “Information which is used or shared for direct care is relevant and proportionate”, seeks to assess whether personnel consider the relevance of the information they will use and if it is excessive (i.e. could they achieve the same outcome without using or sharing all of the information, or doing so in an identifiable format?). Instead of relying on the existence of a policy document or guidance note, personnel would be expected to demonstrate how they consider this in practice (e.g. through an email exchange confirming that certain medical data types are not required, or a data protection assessment, such as an anonymisation assessment).
The DSPT groups organisations into four categories, and this classification determines which questions they must complete, what evidence they need to provide, and whether an independent audit is required. Organisations in scope of the CAF-aligned DSPT include:
- All Category 1 Organisations, such as:
  - NHS Trusts
  - Department of Health and Social Care (DHSC) Arm’s Length Bodies (ALBs), such as NHS England and the Medicines and Healthcare products Regulatory Agency (MHRA)
  - Integrated Care Boards (ICBs)
  - Commissioning Support Units
- Independent health organisations designated as ‘Operators of Essential Services (OES) Independent Providers’ (Category 2) under the Network and Information Systems (NIS) Regulations 2018; and
- Certain genomics organisations as nominated by the Department of Health and Social Care
Organisations that remain on the standard, non-CAF DSPT are:
- Category 2 IT Suppliers
- All Category 3 Organisations, such as:
  - Local Authorities
  - Dentists
  - Opticians
  - Pharmacies
  - Other in-scope organisations (e.g. charities)
  - Social Care Providers
  - Universities
- Category 4 Organisations (General Practitioners (GPs))
What is CAF ‘Objective E’ and Why Does it Matter?
Previously, the CAF contained the following four objectives:
- Objective A – Managing Security Risk
- Objective B – Protecting Against Cyber Attacks and Data Breaches
- Objective C – Detecting Cyber Security Events
- Objective D – Minimising the Impact of Incidents
Unlike the CAF profiles used in other industries, the CAF-aligned DSPT contains a fifth objective: Objective E – Using and Sharing Information Appropriately.
Objective E is broken down into four Principles:
- Principle: E1 Transparency
- Principle: E2 Upholding the rights of individuals
- Principle: E3 Using and sharing information
- Principle: E4 Records management
Some of the key controls and practices that will be assessed under Objective E include:
| Principle | Examples of what may be assessed |
|---|---|
| E1 Transparency: informing individuals about how and why their medical data is used and shared. | · Patients or service users are informed about how their medical and personal data is used and shared, for example via a Privacy Notice. · Information is provided clearly, in plain language, and in a concise, accessible format. |
| E2 Upholding the Rights of Individuals: facilitating individuals’ data protection rights, choices, and objections. | · How the organisation responds to data subject rights requests, such as subject access requests. · How consent is managed, including whether staff receive clear guidance on collecting and handling consent. · Whether there is a procedure for processing requests to withdraw consent. |
| E3 Using and Sharing Information: considering data minimisation and purpose limitation principles, and when and how to share information appropriately. | · Personnel can demonstrate how they assess whether the information they use or share is relevant and proportionate to the specific activity. · Staff understand secure methods for sharing information to ensure protection during transit. · Information is shared strictly on a need-to-know basis and handled confidentially. · Data sharing and processing agreements are in place with other organisations, where required. · Staff are aware of limitations and permissible secondary uses of medical data beyond direct care, such as research or public health purposes. |
| E4 Records Management: managing medical records across their lifecycle, from creation to storage, to use and sharing, to disposal. | · Medical records and other patient data are stored and disposed of correctly and comply with the organisation’s records retention and disposition policy. |
Key milestones: What Organisations Need to Do and When For This Submission Cycle
- 31 December 2025 – Organisations that fall in scope of the CAF-aligned DSPT must complete an interim self-assessment.
- January – June 2026 – Following the interim self-assessment, organisations must undergo an independent assessment to validate the self-assessment ahead of the final submission.
  - Note: NHS England encourages organisations to choose assessors from the NCSC Cyber Resilience Audit Scheme, one of which is Bridewell.
- 30 June 2026 – Organisations must make their submissions to NHS England for DSPT 2025/26.
Thus, organisations should begin seeking independent auditors by Q1 of 2026, to give themselves enough time to undertake the audit and remediate any findings ahead of the submission deadline. Note that, as in other CNI sectors, the Department of Health and Social Care (“DHSC”), as the competent authority for the health and care sector under the NIS Regulations, is expected to be able to access information from the CAF-aligned DSPT to fulfil its regulatory purpose, including overseeing and/or advising on any remedial action arising from the June 2026 submission.
Key Takeaways: What This All Means For In-Scope Health and Care Organisations
- If your organisation falls under the CAF-aligned DSPT and Objective E, you must complete a self-assessment and undergo an audit against the expanded Data Security and Protection Toolkit.
- The CAF-aligned DSPT is outcomes-based, so organisations must show that processes work in practice, not just tick off a compliance checklist. This may require investment in people (e.g. training and awareness), processes (e.g. policies and procedures, agreements, assessments), and technology (e.g. secure systems, logging, access controls).
- The submission timeline is fast approaching. If you haven’t started an internal self-assessment, you have less than two weeks.
- If you haven’t appointed an independent assessor, aim to do so by the end of Q1 to allow time for the audit and remediation before the June 2026 deadline.