Data security and protection toolkit 2023-24
Meeting: Public Meeting
Date: 10 July 2024
Report Title: Data Security and Protection Toolkit 2023-24
Agenda Item: PUB24/07/2.3
Author: Fiona Lennox – Information Governance Manager
Lead director: Jo Cripps – Interim Director of Corporate Affairs and Performance
Purpose: Information/noting
Link to CQC domain:
- Effective
- Well-led
Link to Strategic Objective:
- Be an environmentally and financially sustainable organisation
Link to Strategic Risk:
- SR6: If we do not deliver sustainable regulatory compliance and develop positive relationships, we will have limited ability to deliver our strategy
Equality Impact Assessment: No negative impact identified.
Previously considered by: Information Governance Group, Compliance and Risk Group, Audit Committee.
Recommendation: The Board is asked to receive assurance from the business discussed at the meeting and to review the matters for escalation and referral.
Purpose: This paper provides the Board with oversight of the Trust’s Data Security and Protection Toolkit submission for 2023-24.
Executive Summary:
The Trust submitted the final assessment on 26 June 2024 with Standards Not Met, which has been amended to Approaching Standards. The Improvement Plan has been submitted to and approved by NHS England (NHSE) and the Dept of Health and Social Care teams. The two items within the Improvement Plan are linked and relate to the retention of digital logs which are required if there is a cyber-attack.
The improvement plan has a 6-month target date for completion and requires procurement of a system to achieve Standards Met. Our Regional Cyber Security Lead from NHSE will be meeting with the Head of Information Governance and Data Security and the Information Governance Manager monthly to discuss progress on the improvement plan.
Introduction / Background:
The 2023-24 Data Security and Protection Toolkit was released in 2023, and the Trust was required to submit a baseline submission on or before 29 February 2024, with the final submission submitted by 30 June 2024. As in previous years, all evidence and items were removed to ensure that the evidence provided for this year’s toolkit is relevant and in date for 2023-24.
The Trust submitted the baseline submission on 29 February 2024, and the final assessment on 26 June 2024 with Standards Not Met. The Improvement Plan has been submitted and approved by NHSE and the Dept of Health and Social Care teams; the Trust’s DSPT status has been amended to Approaching Standards. The Improvement Plan was approved by the Trust’s SIRO on 17 June 2024 and was submitted at the same time as the final assessment on 26 June 2024.
There are two items on the Improvement Plan:
- 4.2.3: Logs are retained for a sufficient period, managed securely, reviewed regularly and can be searched to identify malicious activity.
- 4.4.1: The organisation ensures that logs, including privileged account use, are kept securely and only accessible to appropriate personnel. They are stored in a read-only format, tamper-proof and managed according to the organisation information life-cycle policy with disposal as appropriate.
These evidence items relate to digital logs the Trust should keep in case of a cyber-attack.
The Trust did have a system in place which allowed the Trust to submit as Standards Met last year but, as the contract expired and a decision was taken not to renew, the Procurement team began to identify a new system provider. The replacement solution that was identified failed the Trust’s procurement checks and currently the Information Governance/Data Security, Digital and Procurement teams are working together to identify a new system to continue with the tender process. Once this system is in place and the data logs are being retained, the Trust will be able to update NHSE who will amend the Trust’s status to Standards Met.
The Improvement Plan has a 6-month target date for completion. Our Regional Cyber Security Lead from NHSE will be meeting with the Head of Information Governance and Data Security and the Information Governance Manager monthly to discuss progress on the improvement plan.
Next year’s toolkit (2024-25) will be released in August/September 2024 and has been merged with the Cyber Assurance Framework (CAF). This will be a drastic change to reporting, with more evidence required around Cyber Security. NHSE have arranged six webinars over the summer period for organisations to understand the change and new requirements; the Information Governance Manager will be in attendance.
Key Issues / Risks:
- The requirement for the status to change from Approaching Standards to Standards Met relies on the procurement of a system to hold and retain logs which allow the identification of anomalies that may indicate malicious activity.
- Next year’s DSPT will incorporate the Cyber Assurance Framework (CAF), which should be released in August/September 2024.