THE ACCOUNTABILITY REPORT AND ACCOUNTS
IGDC.DHCW
Accountability Report
ANNUAL GOVERNANCE STATEMENT
Scope of responsibilities
The Board of Digital Health and Care Wales is accountable for:
setting the strategic direction
the governance framework
organisational tone and culture
steering the risk appetite and overseeing strategic risks
developing strong relationships with key stakeholders and partners
the successful creation and delivery of the organisation's Long Term Strategy
The Board is accountable for Governance, Risk Management and Internal Control. As Chief Executive of the Board, I have responsibility for maintaining appropriate governance structures and procedures as well as a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, whilst safeguarding the public funds and the organisation's assets for which I am personally responsible. These are carried out in accordance with the responsibilities assigned by the Accountable Officer of NHS Wales.
The annual report outlines the different ways the organisation has worked internally and with partners during 2023/24. It explains arrangements for ensuring standards of governance are maintained, risks identified and mitigated, and assurance has been sought and provided. Where necessary, additional information is provided in the Governance Statement (GS); however, the intention has been to reduce duplication where possible. It is therefore necessary to review other sections in the Annual Report alongside this Governance Statement.
This Governance Statement explains the composition and organisation of DHCW’s governance structures and how they support the achievement of our objectives. The background to DHCW, its functions and plans are set out in the Performance Report.
The Board sits at the top of our internal governance and assurance system. It sets strategic objectives, monitors progress, agrees actions to achieve these objectives and ensures appropriate controls are in place and working properly. The Board also takes assurance from its committees, assessments against professional standards and regulatory frameworks.
Openness and Transparency
In accordance with the Public Bodies (Admission to Meetings) Act 1960, and as part of DHCW's commitment to being as open and transparent as possible, we are:
Live streaming and recording our Public Board meetings and posting them to our website within 3 working days of the meeting being held
Recording our Committee meetings and posting them to our website within 3 working days of the meeting being held
Advising stakeholders of our intention to hold Board meetings 10 days before Board and Committee meetings
Sharing papers with members 7 days before, and publishing public papers to our website 7 days before Board and Committee meetings
Providing a highlight report of all Committee and Advisory Group meetings, covering any agenda items discussed in public and private to the Board and publishing these to our website
The Remuneration and Terms of Service Committee is a private Committee of the Board. In addition, the single advisory group, the Local Partnership Forum (LPF), is currently private. To maintain the commitment to openness and transparency, a highlight report from both meetings is shared at each Public Board meeting.
The reporting period for this Annual Governance Statement is primarily focussed on the financial year 1 April 2023 to 31 March 2024.
During 2023/24, DHCW supported the Health and Social Care Committee Session on Gynaecological Cancer. DHCW representatives attended the inquiry on 29 June 2023, which looked at how cancer data is collected, stored and shared securely and efficiently; digital tools and systems that can improve cancer care and treatment; and information held on cancer screening, diagnosis and treatment and how this is used to inform service planning and development.
Our Governance Framework and assurance system
DHCW’s standing orders are designed to translate the statutory requirements set out in the DHCW (Establishment and Constitution) Order 2020 into day-to-day operating practice. Together with the adoption of a scheme of matters reserved to the Board; a scheme of delegation to officers and others; and standing financial instructions, they provide the regulatory framework for the business conduct of DHCW and define its ‘ways of working’. These documents, together with the range of corporate policies, including the Standards of Behaviour Policy set by the Board, make up the Governance Framework.
The Board reviewed and approved DHCW’s standing orders in March 2024. In addition, the Board received an update in March 2024 on DHCW’s compliance with standing orders during 2023-24. There have been no variations to DHCW standing orders during 2023-24.
In accordance with DHCW’s standing orders and scheme of delegation, the following policies were approved by the Board and its Committees during 2023/24:
POL-OSD-008 Principles & Standards of Privileged Access Management
POL-OSD-002 Anti-Malware
POL-OSD-001 Access Control
POL-OSD-004 Acceptable Use Policy
POL-OSD-006 Information Security
POL-WIA-002 Wales Informatics Assurance
Service Management
POL-CF-006 Control of Contractors
POL-CF-012 Asbestos Management Policy
POL-CF-17 Fire Safety Policy
POL-CG-018 Environmental and Sustainability Policy
POL-POD-024 Smoke Vape Free Policy
POL-WFOD-022 Mental Health, Wellbeing and Stress Management Policy
POL-CG-011 Suspect Packages & Bomb Threats Policy
DHCW-POL-7 Use of Welsh Language Internally Policy
TBCPOL-WFOD-025 Study Leave Policy, Procedure & Guidelines
POL-CG-010 Display Screen Equipment
PO-CG-013 Control of Substances Hazardous to Health
POL-CF-014 Safe Manual Handling
PO-CG-008 Incident Reporting and Investigating
POL-CG-19 Standards of Behaviour
POL-WFOD-023 Shared Parental Leave Policy
The command structure was not utilised during 2023/24.
Business continuity
The NHS needs to plan for and respond to a wide range of emergency incidents that could affect health or patient care. Although DHCW is not formally named in the Civil Contingencies Act 2004 as a categorised “responder” under the Act, the Welsh Government has recognised the importance of DHCW in emergency and business continuity planning on a Pan Wales basis. To this end, the Welsh Government has formally included DHCW within the new Wales Resilience Framework and has instructed DHCW to act as a Category 1 responder until such time as DHCW can be legally included into the Civil Contingencies Act as it applies to Wales.
Extract from the Wales Resilience Framework reads:
“Category 1 and/or Category 2 Responders 1.10
As defined by the Civil Contingencies Act 2004, including Digital Health and Care Wales, who have been directed by Welsh Government to undertake the duties of a Category 1 responder, even though it is not formally identified as a Category 1 responder under the Civil Contingencies Act 2004.”
The Welsh Government has previously instructed Digital Health and Care Wales (DHCW) to continue engagement and participation in emergency and contingency planning for Wales. As such, DHCW was formally directed (under the powers of the NHS Wales Act 2006) to continue to carry out a number of activities aligned to the Civil Contingencies Act. DHCW therefore already has much in place to satisfy the Civil Contingencies Act and will work with its multi-agency partners to further build resilience processes and response plans that fully satisfy it. DHCW is now also working toward the ISO 22301 Business Continuity International Standard.
DHCW has continued its collaborative approach to business continuity and emergency planning through active membership of planning groups:
The Welsh Health Emergency Planning Advisory Group.
Welsh Health and Social Services System Resilience and Planning Group.
The DHCW Emergency Planning Lead now represents the organisation on the four Welsh Local Resilience Forums. This will aid in satisfying the requirement to collaborate, plan, share information, and jointly exercise resilience plans on a multi-agency basis.
The role of the Board
The Board has been constituted to comply with the Digital Health and Care Wales (Membership and Procedure) Regulations 2020. In addition to responsibilities and accountabilities set out in terms and conditions of appointment, Independent Members have worked with the Chair to agree their Board Champion roles. A detailed Board Champion Annual Report was shared at our Board Meeting in January 2024.
The Board is made up of Independent Members and Executive Directors.
During 2023/24, Board development and briefing sessions took place that included a focus on the following elements of governance:
Programme Governance Independent Review
Radiology Information Systems Procurement Full Business Case
Stakeholder Engagement Management
Communications Strategy
Primary Care Strategy
Welsh Government Health and Care Digital Strategy
DHCW Long Term Strategy x 5
IMTP 2024-25 Plan
Stakeholder Messaging
DHCW Role in Care
Duty of Quality
IMTP 2025-27 x 2
Draft Accounts 2022-24
Cyber Awareness
Digital Services for Patients and the Public
Eyecare Digitisation Programme
Joint International Board learning session with UMASS Memorial Health
Structured Assessment 2023
IMTP Financial Context 2024/25
DHCW continued its partnership with Deloitte as our Board Development partner during 2023-24, and the Board held the following workshops with Deloitte during the period:
Good Governance
Board Skills Matrix
Strategy Workshop
Board Organisational Development Conclusion
We are looking forward to taking the learnings and opportunities from this work forward in 2024-25. Full membership of the Board is outlined in Appendix 1. Below is a summary of the Board and Committee structure. This is reflective of the proposed structure in the DHCW model standing orders.
During 2023-24, the DHCW, with the support of Welsh Government, commissioned an independent review into Programme Governance Arrangements. The main recommendation from the report was to simplify governance arrangements to include streamlining lines of accountability, ensuring greater clarity on roles and responsibilities, allowing DHCW-hosted programmes to operate in an open and transparent manner.
The DHCW Chair and Chief Executive Officer agreed to establish a sub-committee of the DHCW Board, the Programmes Delivery Committee, to provide assurance and scrutiny on the delivery of major DHCW-hosted programmes in an open and transparent manner. This was approved by the SHA Board in November 2023.
The Board provides leadership and direction to the organisation and has a key role in ensuring the organisation has sound governance arrangements in place. The Board also seeks to ensure the organisation has an open culture and high standards when conducting its work. Together, Board members share corporate responsibility for all decisions and play a key role in monitoring the performance of the organisation. All Board meetings during 2023/24 were appropriately constituted with a quorum. The key business and risk matters considered by the Board during 2023/24 are outlined in this statement and further information can be obtained from meeting papers available on our website.
Role of the Committees
The Board has four committees, the Audit and Assurance Committee, Remuneration and Terms of Service Committee, Digital Governance and Safety Committee, and the Programmes Delivery Committee. These committees are chaired by the Chair or Independent Members of the Board and have key roles in relation to the system of governance and assurance, decision-making, scrutiny, and in assessing current risks. The committees provide assurance and key issue reports to each Board meeting to contribute to the Board’s assessment of assurance and to provide scrutiny on the delivery of objectives.
The Board is responsible for keeping the committee structure under review and reviews its standing orders on an annual basis. The Board will consider whether any changes are needed during 2024/25 in line with the Board’s governance framework and priorities of the Integrated Medium-Term Plan. DHCW is committed to openness and transparency with regard to the way in which it conducts its committee business. The DHCW Board and its committees aim to undertake the minimum of their business in closed sessions and ensure wherever possible business is considered in public with open session papers published on DHCW’s website. Information is received in closed session meetings because of the confidential nature of the business. Such confidential issues may include commercially sensitive issues, matters relating to personal issues, or discussing plans in their formative stages. In addition, the Committee and Advisory Group Annual Reports give an overview of the activity undertaken across the year and can be found here:
Audit and Assurance Committee
Digital Governance and Safety Committee
Remuneration & Terms of Service Committee
Local Partnership Forum
There is no Programmes Delivery Committee Annual Report for 2023-24, as the Committee was established during the latter part of the financial year with only two meetings held. The first annual report for the Committee will therefore be produced in 2024-25.
Audit and Assurance Committee
An important Committee of the Board in relation to this Annual Governance Statement is the Audit and Assurance Committee. The Committee keeps under review the design and adequacy of DHCW’s governance and assurance arrangements and its system of internal control. During 2023/24, key issues considered by the Audit and Assurance Committee relating to the overall governance of the organisation included:
Revisiting its terms of reference, which will be kept under regular review
Approving the Internal Audit Plan for 2023/24 and keeping under review the resulting Internal Audit Reports. Noting key areas of risk and tracking the management responses made to improve systems and organisational policies
Ensuring effective financial systems and controls procedures are in place
Monitoring the risk management systems
Monitoring standards of behaviour, including declarations of interests, gifts, hospitality and sponsorship
Developing arrangements to work with Audit Wales (AW), and considering the 2023 Structured Assessment and Audit Wales’s 2023-24 Audit Plan
Monitoring progress on the development of the Welsh Language Scheme for DHCW
Approving and reviewing DHCW’s Legislative Assurance Framework
Developing and endorsing new policies, strategies and frameworks in support of good governance and appropriate control
Remuneration and Terms of Service Committee
The Remuneration and Terms of Service Committee considers and recommends salaries, pay awards, and terms and conditions of employment for the Executive Team and other key senior staff. During 2023/24, key issues considered by the Remuneration and Terms of Service Committee included:
Performance of Executive Directors against individual objectives
Executive Team structure
Ratification of Executive Team posts
Review of DHCW leavers data
Digital Governance and Safety Committee
The Digital Governance and Safety Committee advises and assures the Board with regard to the quality and integrity, safety, security, and appropriate use of information and data to support health and care delivery and service improvement and the provision of high-quality digital health and care. Key issues considered by the Committee in 23/24 relating to their remit included:
Revisiting its terms of reference, which will be kept under regular review
Cyber Security arrangements
Incident review and organisational learning
Information Governance
Information Services Assurance
Informatics Assurance
Research and Innovation Assurance
Programmes Delivery Committee
The Programmes Delivery Committee advises and assures the Board with regard to how programmes are delivered, in particular that they have regular and proper governance, have robust control processes and reporting, and are demonstrating good planning, management and delivery.
The Committee will also provide assurance to the Board on the delivery of programmes as a portfolio, prioritised allocation of resources, programmes' impact on wider DHCW delivery, and transition of programmes' activity to live services which are sustainable in the longer term. Key issues considered by the Committee in 23/24 relating to their remit included:
Refining and agreeing the Committee terms of reference which will be kept under regular review
Programmes Assurance
Portfolio Assurance
Governance (including reviewing which programmes are in scope of the Committee)
Effectiveness Self-Assessment
The Board and Committees of the Board undertook a self-assessment for 2023/24 between January and March 2024, and the findings were discussed at the relevant committee meeting and reported to the SHA Board. There was no Programmes Delivery Committee self-effectiveness survey for 2023/24, as the Committee was established during the latter part of the financial year with only two meetings held. The first Committee self-assessment will therefore be undertaken in 2024-25.
The Audit and Assurance Committee questionnaire was based on the Audit Committee Handbook and circulated to Committee members and attendees.
The SHA Board, Digital Governance and Safety Committee, Remuneration and Terms of Service Committee, and Local Partnership Forum questionnaires were based on the composition, establishment, and duties questions, followed by the Board, Committee, and Advisory Group leadership and support questions, of the Audit and Assurance Committee questionnaire.
Membership of the Board and its Committees
Appendix 1 outlines the membership and attendance of the Board and its Committees for the period 1 April 2023 to 31 March 2024. Members undertake a range of other activities on behalf of the Board including Board Development and Briefing Sessions, and a range of internal and external meetings.
Any proposed changes to the structure and membership of Board committees require Board approval. The Audit and Assurance Committee, the Digital Governance and Safety Committee, and the Programmes Delivery Committee have each considered their own terms of reference and recommended changes to the Board. The Board will ensure that terms of reference for each committee are reviewed annually to ensure the work of committees clearly reflects any governance requirements, changes to delegation arrangements or areas of responsibility.
All committees and advisory groups of the Board have developed annual reports of their business and activities, which were received and noted in March 2024. The lead officers are included in Appendix 2 and the schedule of Board and Committee meetings for 23/24 is included at Appendix 3.
Local Partnership Forum
The DHCW Local Partnership Forum (LPF) provides the formal mechanism for social partnership within DHCW as well as providing a vehicle for engagement, consultation, negotiation and communication between trade unions and DHCW management. During 2023/24, the LPF has met quarterly and focussed on both strategic and practical issues including culture, values & behaviours, staff recognition, wellbeing, new ways of working & welfare, organisational development, employment policies and equality and diversity.
The purpose of the system of Internal Control
DHCW’s Board system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risks; this has been articulated in DHCW’s risk appetite statement. It can therefore only provide reasonable and not absolute assurances of effectiveness.
The system of internal control is based on an ongoing process designed to identify and prioritise risks to the achievement of the policies, aims, and objectives. It also evaluates the likelihood of those risks being realised and the impact should they be realised, and manages them efficiently, effectively, and economically. The system of internal control has been in place for the year ended 31 March 2024 and up to the date of approval of the annual report and accounts.
The Board Assurance Framework was reviewed and approved by the Board in May 2023. The Board Assurance Framework identifies all the key controls and lines of assurance to be reported to the Board. Our Board Assurance Framework annual reporting cycle can be seen below.
We use the BAF system and process to monitor, seek assurance, and ensure that shortfalls are addressed through the scrutiny of the Board and its Committees. Oversight of our Corporate Risk Register system is provided through the scrutiny and monitoring of the Board and its Committees.
Key controls are defined as those controls and systems in place to assist in securing the delivery of the Board’s strategic objectives. The effectiveness of the system of internal control is assessed by our internal and external auditors.
Capacity to handle risk
The Chief Executive/Accountable Officer has overall responsibility for the management of risk, but the SHA’s lead for risk is the Board Secretary. This means leading on the design, development, and implementation of the Risk Management and Board Assurance Framework Strategy and Board Assurance Framework.
DHCW’s risk appetite statement, set out below, describes DHCW’s approach to risk management and the risks it is prepared to accept or tolerate in the pursuit of its strategic goals:
DHCW must take risks to achieve its strategic aims and deliver beneficial outcomes to stakeholders.
Risks will be taken in a considered and controlled manner.
Exposure to risks will be kept to a level of impact deemed acceptable by the Board.
The acceptable level may vary from time to time and will therefore be subject to at least annual review and revision.
Any risk outside our agreed appetite may be accepted and will be subject to a governance process to ensure visibility and management.
Some particular risks above the agreed risk appetite may be accepted because:
• the likelihood of them occurring is deemed to be sufficiently low
• they have the potential to enable realisation of considerable reward/benefit
• they are considered too costly to control given other priorities
• the cost of controlling them would be greater than the cost of the impact should they materialise
• there is only a short period of exposure to them
• mitigating action is required by an external party
DHCW’s risk appetite considers its capacity for risk, which is the amount of risk it is willing to accept in pursuit of its objectives having regard to its financial and other resources, before a breach in statutory obligations and duties occurs.
The risk tolerance gives guidance regarding escalation for risks across its activities. The infographic below provides details on the risk domains identified and agreed by the DHCW Board and the associated appetite and tolerance levels, and sets the expectation of the Board regarding the number of key controls when reviewing Corporate Risks in those categories in the Board Assurance Report.
Risk domains | Appetite | Tolerance level
None | Hungry | Risks with a rating of 25 or above are escalated for consideration to report to the Board
Development of Services | Open | Risks with a rating of 20 or above are escalated for consideration to report to the Board
Corporate Social Responsibility | Moderate | Risks with a rating of 15 or above are escalated for consideration to report to the Board
Financial, Reputational Safety and Wellbeing, Service Delivery Reputational, Information - Access and Sharing | Cautious | Risks with a rating of 12 or above are escalated for consideration to report to the Board
Compliance, Information - Storing and Maintaining, Citizen Safety | Adverse | Risks with a rating of 9 or above are escalated for consideration to report to the Board
All risks will be clearly linked to organisational objectives with a line of sight to the Board Assurance Framework. Our Board Assurance Framework has five principal risks, which were discussed in detail with the Board and approved in May 2023. In addition, in July 2022, the Board approved DHCW’s risk appetite for each principal risk. Work was undertaken by the Board throughout the year to define the principal risks to the strategic objectives.
Current principal risks against our strategic missions
During 2023/24, due to the economic crisis, the financial risk profile of DHCW has seen a significant increase in identified risks that have the potential to impact our achievement of objectives and deliverables across the last year, and the potential to impact greatly on our achievement of objectives in the next financial period. These range from investment for digital developments to staffing levels.
A competitive workplace market along with evolving hybrid working options have also posed a risk to the organisation across the last 12 months and will continue to do so for the foreseeable future. Our People and Organisational Development team have provided mitigation to this by increasing their network of resources and adapting our hybrid working policy to enable engagement with resources outside of our immediate community. Further work is required to ensure we have a rich and diverse knowledge and skillset amongst our workforce and continue to develop the talent pool currently in place.
During 2023-24 there has been an increased risk and threat of cyber-attack. As an organisation we recognise this will be a long-term risk and that emerging threats will continue to increase in intensity and intelligence. We have undertaken extensive evaluation of our current risks, key controls and assurances to identify a significant Service Improvement Plan offering assurance and protection to both our organisation and the wider NHS Wales Domain.
Risk management framework
The Board sees active and integrated risk management as key elements of all aspects of our functions and responsibilities to support the successful delivery of our business. The Board and its Committees identify and monitor risks within the organisation.
Risks are escalated to the Board as appropriate. At an operational level Executive Directors are responsible for regularly reviewing their Directorate Risk Registers and for ensuring that effective controls and action plans are in place and monitoring progress.
The framework includes strategy to operational tools and provides the working context for the staff in the organisation with regard to the management of risk from identification and scoring through to monitoring.
Embedding effective risk management
Members of DHCW’s corporate governance team provide risk management training, support and advice to the organisation. Full training is also provided on our Risk Information Management System before access is granted, to ensure a consistent approach to writing risks, mitigation action plans and mapping of dependencies:
Introduction to Risk Management
This training provides an overview of how to identify, score, write, monitor, and escalate a risk.
Risk Management for risk owners and handlers
This training provides detailed information regarding how to use the organisation's risk management system and re-validates the risk assessment and management process with a focus on the control and assurance elements of risk.
Risk and Board Assurance Framework
This training targets expanding the knowledge of strategic risk and the approach outlined in the Risk and Board Assurance Framework Strategy.
It focuses on the difference between the BAF and the Corporate Risk Register.
Overall risk performance has met expectations over the last 12 months with our risk management policy becoming embedded across the organisation and aligned with our Board Assurance Framework.
Ongoing progress has been made in embedding the Risk Management and Board Assurance Framework Strategy (the ‘Strategy’) during 2023/24.
The Strategy, policy, and associated policies and procedures have been communicated across the organisation with training provided. New processes have been rolled out to all staff and data cleansing activities have greatly improved data quality regarding our risk profile position.
We have an internal risk management page to assist staff in positive risk management. Quick guides are available alongside the policies and procedures to enable staff to be more pragmatic in scoring and proactive with the management of their risks in accordance with policy. Staff are more empowered to identify risks in a clear and consistent manner and escalate where appropriate for decision making and mitigation. Risk registers and a live Risk Dashboard are available to staff through this secure mechanism, providing openness and transparency and allowing a collaborative approach to risk identification and management.
All risks are fully aligned to our strategic missions and clearly mapped against their primary risk domain and dependencies. In-depth risk reviews have assisted in the identification of risks that are not DHCW’s to own or mitigate, and work has been underway through the Governance structures and Clinical risk reviews to identify and share these risks for correct ownership and accountability. As a direct result, DHCW’s risk profile is now becoming more streamlined and accurate, allowing the focus on critical risks and identification of emerging risks to the organisation.
Upon the establishment of the Programmes Delivery Committee in November 2023, work was undertaken on Committee assignment, to transfer a number of risks from the Digital Governance and Safety Committee to the Programmes Delivery Committee for scrutiny and oversight.
To ensure appropriate focus is provided on our corporate level risks (March 2024), our Board Committees periodically undertake deep dives into specific areas. During 2023/24, the following deep dives were held:
An analysis of corporate risks including the movement in corporate risks since the establishment of DHCW, from October 2022 to September 2023, was undertaken during the year and presented to our Board in November 2023.
The control framework
NHS Wales organisations are not required to comply with all elements of the corporate governance code for central government departments.
The information provided in this governance statement provides an assessment of how we comply with the main principles of the code as they relate to DHCW as an NHS public sector organisation. DHCW is following the spirit of the code to good effect and is conducting its business openly and in line with the code. The Board recognises that not all reporting elements of the code are outlined in this governance statement but are reported more fully in the organisation’s wider annual report. There have been no reported departures from the corporate governance code.
DHCW’s risk management framework complies materially with the Orange Book Management of Risk principles taking into account the organisation’s size, structure and needs.
There have been no reported departures from the Orange Book.
Other control framework elements
DHCW came under the Duty of Quality and Duty of Candour in April 2023, in line with the Health and Social Care (Quality and Engagement) (Wales) Act 2020. In line with the Duties, DHCW has produced its first Duty of Quality Annual Report and Duty of Candour Annual Report on compliance with the duties.
The Board also held a Briefing session on the Duty of Quality during 2023/24 to discuss what Quality means for DHCW and to hear progress on the implementation of the Duty.
DHCW is responsible for the Information Governance Framework, which helps monitor and improve Information Governance understanding and responsibility in Wales. Without a framework, the challenge of making information available to services providing Health & Care becomes far more difficult.
The framework is key to DHCW’s Information Governance 2023-2026 Strategy, which was approved as part of the set of Clinical Strategies at the Digital Governance and Safety Committee meeting in November 2023. The IG Strategy outlines the team’s vision, mission statement and strategic aims, highlighting any challenges and opportunities and how the team are intending to meet their key aims identified in the Strategy.
DHCW’s Information Governance Strategy outlines the component elements of the IG framework. Updates on these components include:
Framework for Sharing – DHCW provides the central support function of the Wales Accord on the Sharing of Personal Information (WASPI) framework. The WASPI framework helps organisations that provide services to the public share information effectively and lawfully. This is achieved through commitment to common principles and standards, and put into practice through template information sharing agreements provided by the framework. Over the past year, WASPI has progressed work in becoming an Information Commissioner’s Office Code of Conduct. This has included a public consultation campaign, with results published in a Code of Conduct consultation report. WASPI are now to progress through the accreditation of the Code through ICO processes, building on their other achievements from the last year, including being shortlisted for “Privacy Team of the Year” and “Governance Team of the Year” at the GRC World Forums Risk awards, work to digitise templates and processes and being referenced by the Information Commissioner’s Office in events, publications and guidance (including the 2023 Data Protection Practitioners' Conference, public webinars and an article on safeguarding).
Framework for Assurance – The Welsh Information Governance Toolkit ("IG Toolkit") is a self-assessment tool enabling organisations to measure their level of compliance against national Information Governance standards and legislation. The annual assessment helps organisations identify areas of improvement which can assist in organisations' Information Governance improvement and action plans. All Welsh Health Boards, Trusts, Special Health Authorities, General Medical Practices (GMPs) and Community Pharmacies (CPs) complete the IG Toolkit. The new Caforb platform for IG Toolkit replaces an existing application and has been developed by a team of software developers in DHCW, providing improved functionality implementing changes proposed from a range of stakeholder feedback. Platform developments are continuing to fully implement IG Toolkit requirements for all stakeholders. The further platform developments will enable expansion from those organisations that currently use the existing platform to a wider set of stakeholders who need to provide IG assurance when processing personal data in the provision of NHS Wales services.
Framework for Advice – The Data Protection Officer Support Service (“the Service”) provides dedicated advice and assistance to General Medical Practitioners (GMPs) on a subscription basis, by providing the functions of the statutory Data Protection Officer role. The Service provides a range of functions including an IG service desk, training and awareness sessions, auditing of the annual IG Toolkit submissions and providing a range of guidance, templates and other documentation to help GMPs meet and improve their compliance with information rights legislation. 83% of GP practices in Wales are subscribers to this service, with input and feedback from subscribers supporting the development and focus of the service. Through the service, subscribers are supported on all Information Governance and data protection matters, giving them the knowledge and the confidence to keep patient information safe within their practice.
Framework for Access – The National Intelligent Integrated Audit Solution (NIIAS) is a proactive monitoring tool, which identifies potentially inappropriate access to clinical records for many national systems. National systems such as the Welsh Clinical Portal, the Welsh Patient Administration System and the Welsh Demographic Service have large numbers of users accessing information on a daily basis. Whilst health and care staff are aware of their responsibilities not to access any information not relevant to them, NIIAS is in place to identify instances of potential inappropriate use. NIIAS sits behind a number of national systems to flag instances of potential inappropriate access and alert NHS Wales Health Boards and Trusts with daily notification reports of user access.
DHCW’s Information Governance responsibilities are monitored by the Digital Governance and Safety Committee via the standing Information Governance Assurance Report.
DHCW has dual responsibilities for the Welsh Information Governance Toolkit (“IG Toolkit”), in that it is responsible for the development and maintenance of the IG Toolkit and is required to complete and submit it annually.
The deadline for submission of the 2022/23 IG Toolkit was 31st June 2023. This was the first IG Toolkit on the new technical platform, and therefore this was used as a pilot for Welsh Health Boards, Trusts and Special Health Authorities.
The scoring of the 2022/23 Toolkit was as follows:
DHCW’s scoring shows a high level of compliance. The scoring should only be used as a guide to DHCW’s level of IG compliance. Organisations completing the IG Toolkit are not expected to achieve 100% across all sections as the self-assessment is intended to be used to identify areas of improvement. Therefore, where DHCW has not scored 100% in some sections, this does not indicate that the organisation does not meet the legal requirements for these sections; rather, it identifies areas which can be improved.
Within each section of the IG Toolkit, organisations answer questions to meet “Minimum Expectations.” Meeting all “Minimum Expectations” allows organisations to demonstrate exceeding expectations in that topic area through an additional set of questions known as the “Expectations Exceeded” question set.
Please note, the new technical platform changed the way in which the IG Toolkit was measured. Therefore, it is difficult to compare this scoring against previous submissions. However, a comparison against previous year’s submissions evidences DHCW’s continued high level of IG compliance, providing confidence that processes, safeguards and documentation are in place to ensure that personal information is managed appropriately within DHCW.
An Information Governance action plan, incorporating feedback from DHCW’s internal audit on UK General Data Protection Regulation (UK GDPR) compliance (referenced in the “Internal Audit including head of internal audit conclusion” section), was established. Key actions from the plan were shared and monitored through the Digital Governance and Safety Committee.
The 2023/24 IG Toolkit was submitted on 31st March 2024, with outcomes and the action plan to be presented to the Digital Governance and Safety Committee.
DHCW's responsibilities have expanded to include supporting information sharing and assurance for its internal strategies and programmes, as well as those delivered by other organisations. These responsibilities encompass:
Single Patient Record
National Data Resource (NDR)
Data Promise
Digital Services for Patients and the Public (DSPP)
Strategic Programme for Primary Care
Medicines Management
Welsh Community Care Information System
Counter Fraud
In line with the NHS Protect Fraud, Bribery and Corruption Standards for NHS Bodies (Wales), the Local Counter Fraud Specialist (LCFS) and Executive Director of Finance agreed at the beginning of the financial year a work plan for 2023/24 which was approved by the Audit and Assurance Committee in April 2023. Updates on delivering against this work plan have been provided to the Audit and Assurance Committee during 2023/24.
Equality, Diversity and Inclusion
DHCW is committed to putting people at the centre of everything it does and as an organisation, we are guided by our core values. Our ambition is to celebrate our organisation as a place where people thrive, innovate and achieve great things. We believe our values are integral to everything we do.
The Welsh Government’s Code of Practice: Ethical Employment in Supply Chains was introduced to highlight the need, at every stage of the supply chain, to ensure good employment practices exist for all employees, both in the United Kingdom and overseas.
DHCW is committed to embedding the principles and requirements of the Code and the Modern Slavery Act 2015.
In doing so it is demonstrating the commitment to our role as a public sector employer, to eradicate unlawful and unethical employment practices, such as:
inequality
modern slavery and human rights abuses
false self-employment
unfair use of umbrella schemes and zero hours contracts
not paying the Living Wage
During 2023/24 DHCW took the following actions:
It paid the government's living wage rate on its lowest pay scale, which is at Agenda for Change pay band 3, and no longer recruits to bands 1 or 2 as band 3 is now our entry grade
It has a Raising Concerns (Whistleblowing) Policy, which provides the workforce with a fair and transparent process, to empower and enable them to raise suspicions of any form of malpractice by staff, suppliers or contractors working on DHCW premises, and supports no detriment to anyone raising a concern.
It has robust IR35 processes, which ensure that there is no unfair use of false self-employed workers or workers being engaged under umbrella schemes. These processes also ensure the fair and appropriate engagement of all workers and prevent individuals from avoiding paying Tax and National Insurance contributions. It also ensures that no worker is unduly disadvantaged in terms of pay, rights or substantive employment opportunities.
It does not engage or employ staff or workers on zero-hour contracts
It has an open and robust Recruitment and Selection Policy and Procedure, which ensures a fair and transparent process. Specific commitments to support equality include advertising opportunities to join the organisation in wider and diverse communities. The organisation published its Strategic Equality Plan (SEP) in April 2023, which aligns with the commitments outlined in the organisation’s People and Organisation Strategy.
It has worked closely in partnership with trade unions, employee assistance providers, and wider networks to support employees
Commitment to the Digital Inclusion Charter - DHCW described as ‘exemplary’ after being awarded Digital Inclusion Charter Accreditation in January 2024
The organisation has an Equality and Diversity Policy, which ensures that no potential applicant, employee or worker engaged by DHCW is in any way unduly disadvantaged. This relates to pay, employment rights, employment, training and development or career opportunities. A gender pay report was provided to the DHCW Board in March 2024.
As an employer with staff entitled to membership of the NHS pension scheme, control measures are in place to ensure all employer obligations contained within the scheme regulations are complied with. This includes ensuring that deductions from salary, employer’s contributions and payments into the scheme are in accordance with the scheme rules, and that member pension scheme records are accurately updated in accordance with the timescales detailed in the regulations.
The Welsh Risk Pool Services (WRPS) is a risk sharing mechanism, akin to an insurance arrangement, which provides indemnity to NHS Wales’s organisations against negligence claims and losses. Individual NHS organisations must meet the first £25,000 of a claim or loss, which is similar to an insurance policy excess charge. The Board along with its internal sources of assurance, which includes its internal audit function provided by NHS Shared Services, also uses sources of external assurance and reviews from auditors, regulators and inspectors to inform and guide our development. The outcomes of these assessments are being used by the Board to further inform our planning and the embedding of good governance across a range of the organisation’s responsibilities.
In March 2024 DHCW Board approved a revised Decarbonisation Delivery Plan (DAP) 2024-2027, which takes a fresh look at our building, energy, procurement and travel needs, as well as other sources of emissions, and features a roadmap with actions up to 2030. The plan has been developed to support the ambitions set out within the NHS Wales Decarbonisation Strategic Delivery Plan which outlines how NHS Wales can contribute to the recovery and its commitment to the Wellbeing of Future Generations (Wales) Act 2015, which addresses long-term persistent challenges such as poverty, health inequity, and climate change. DHCW have made significant progress in decarbonising our estate in 2023/24, however, we recognise there is more to do.
DHCW has undertaken the required risk assessments in accordance with our obligations under the Climate Change Act. We have reviewed the Local Partnerships Climate Adaptation Toolkit with accompanying Risk Assessments and will continue to comply with further assessments as they become available to us.
We maintain a Legislation Register, which is reviewed regularly to ensure that we are providing the required assurance and fulfilling our compliance obligations. We have an Environmental Aspects Register, which is used to risk assess environmental impacts and allows us to comply with the Climate Change Act.
We will continue to ensure that DHCW’s obligations under the Adaptation Reporting requirements are complied with. We are in the process of collaborating with other NHS bodies on an NHS Wales specific adaptation risk assessment toolkit. This is due to be shared with us in early 2024/25.
At this time, we can confirm that we are in compliance with the requirements of the Climate Change Act and the Adaptation Reporting. We remain committed to maintaining compliance in this area and will take all necessary steps to ensure that we continue to meet these important obligations.
Incidents resulting in a data breach are reported in accordance with DHCW’s statutory requirements and documented Standard Operating Procedure on Personal Data Breach Reporting Management. Under Data Protection legislation, personal data breaches are considered a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches are required to be risk assessed to determine the likelihood of the risk to the affected individuals’ rights and freedoms. If a risk is likely, under Data Protection, the breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Failure to report could lead to financial or reputational loss. Additionally, those individuals concerned directly may need to be informed where the breach is likely to result in a high risk to the rights and freedoms of individuals.
All data breaches are appropriately investigated by our Information Governance team and are reported to the Digital Governance and Safety Committee. Where appropriate or mandated, Welsh Government are informed as part of a no surprises report.
During 2023/24, we recorded a total of 3 incidents on the Datix system which resulted in potential personal data breaches. Of these incidents, none met the assessment criteria for reporting to the ICO.
The UK GDPR internal audit (referenced in the “Internal Audit including head of internal audit conclusion” section) made one low priority recommendation on promoting awareness within DHCW of personal data breaches. A layered approach to communication and awareness to DHCW staff is planned.
Whilst Ministerial Directions are received by NHS Wales organisations, these are not always applicable to DHCW. Ministerial Directions issued throughout the year are listed on the Welsh Government website. Details of the ministerial directions received and their applicability to DHCW as at year end 31 March 2024 are included at Appendix 4.
Planning Arrangements
The IMTP was submitted to the SHA Board and finally Welsh Government at the end of March 2023. The plan was subsequently acknowledged by the Minister for Health and Social Services via an accountability letter in October 2023.
DHCW accountability conditions can be found below:
General
The ‘Five Ways of Working’ and the Well-being of Future Generations Act must be central to the health board’s approach. It is essential that your organisation continues to build on the progress made to utilise the five ways of working, sustainable development principles, to deliver your plan. The organisation should ensure its well-being objectives are consistent with and continue to be supported by its planning arrangements.
The Duty of Quality and Duty of Candour, effective from April 2023, must underpin your operational models and demonstration of this will be required in discussions at regular IQPD meetings and other governance arrangements.
Strong but compassionate leadership will be needed to demonstrate commitment to staff of the need to adopt new ways of working. This should encourage staff of all grades to learn lessons from the pandemic.
Demand and capacity and the financial risks pose significant challenge across the system. Difficult choices will need to be taken at all levels and decisions must be robust and be in line with the organisation’s governance arrangements.
Climate change is a global risk. As anchor institutions, all organisations across NHS in Wales should ensure that planning arrangements and decision making considers the risks of the choices made on climate change (across both decarbonisation and adaptation planning objectives). NHS Wales is committed to the ambition for a collectively net zero public sector by 2030 and to ensuring resilience to climate impacts.
Reporting must be submitted quarterly to provide an update on progress against the plan. There should be reporting against the key milestones associated with that quarter, any slippage against the plan, next milestones and the mitigation of any new/emerging risks. A copy of your Board report should be submitted on a quarterly basis to HSS-PlanningTeam@gov.wales.
Organisations should refresh their Minimum Data Set (MDS) on a quarterly basis as part of their internal review of plans. Please submit your quarter two MDS returns to HSS-PlanningTeam@gov.wales by 27th October 2023.
Finance and Efficiency
Provide monthly reports to Welsh Government, outlining delivery against savings plans outlined in Accountable Officer letter, with clear remedial action of planned profile, and assurance is clearly provided to the DHCW Board with associated mitigations.
Ensure Benefit frameworks and methodology are established and ensure all business case proposals have a clear benefits case, benefits frameworks are in place, and delivery of benefits tracked.
Support the development of new funding models, strengthened analysis around allocative efficiency across portfolios, and national SLAs and services to inform national funding model for 23/24, this will include greater transparency around SLA costs for all partners.
Governance and Engagement
Develop an enhanced portfolio management and governance framework, that aligns and is integrated to wider NHS System and governance development, to enable delivery and proportionate reporting to DHCW boards and Welsh Government and NHS Executive boards and teams.
Review SLA arrangements with health boards and associated services to ensure during year all Health boards understand the detail of services being provided, or to be provided by DHCW nationally, with clear service catalogues for all health boards.
Delivery
Develop a clear plan and roadmap for integrated and interoperable National Architecture to enable a singular view of the patient across all ages and care settings, including children and young people – drawing together in single portfolio work on WICCS/WCP/WNCR and NDR, NHS App and Primary Care EPR developments, optimising architectural and deployment resource, and ensuring national architecture is open to all health boards to utilise to support local health and care planning and improved care, population health management and development of Clinical Data repositories
Establish a digital diagnostics portfolio to optimise the use of resources across that portfolio’s programmes.
DHCW to work closely with all NHS and Social Care partners with regard to overarching Information Governance Strategy and Toolkits, such that it supports effective and safe delivery at scale within Health and Social Care settings.
Evidence that your Board demonstrates System Leadership on key digital and data issues, in particular Cyber and Data Security is vital.
Complete the development of all priority functionality within the Cancer Information System required to deliver patient care.
Workforce
Strengthened the plan, in collaboration with HEIW, to develop digital skills and experience of NHS Wales DDaT workforce with clear measures to assess impact.
Review of Effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the system of internal control is informed by the work of the internal auditors, and the executive officers within the organisation who have responsibility for the development and maintenance of the internal control framework, and comments made by external auditors in their audit letter and other reports.
The Board and its Committees rely on several sources of internal and external assurances which demonstrate the effectiveness of the Special Health Authority’s system of internal control and advise where there are areas of improvement. These elements are detailed above in the diagram of the DHCW Board Control Framework.
The processes in place to maintain and review the effectiveness of the system of internal control include:
Board and committee oversight of internal and external sources of assurance and holding to account Executive Directors and Senior Managers
Executive Directors and Senior Managers who have responsibility for development, implementation and maintenance of the internal control framework and the continuing improvement in effectiveness within the organisation
The oversight of operational risk through the Board and its Committees
Oversight of fraud risk through the Cardiff and Vale Local Counter Fraud team
The monitoring of the implementation of recommendations through the audit tracker overseen by the Audit and Assurance Committee
Audit and Assurance Committee oversight of audit, risk management and assurance arrangements
All Committees of the Board provided an annual report to the March 2024 Board detailing the work undertaken by the relevant Committee within the year and the key decisions taken.
I am satisfied that generally the mechanisms in place to assess the effectiveness of the system of internal control are working well and that the Special Health Authority has the right balance between the level of assurance I receive from my Executives, Board and Board Committee arrangements and DHCW Internal Audit Services.
Internal Audit including head of internal audit conclusion
Internal Audit provide me as Accountable Officer and the Board through the Audit and Assurance Committee with a flow of assurance on the system of internal control. I have commissioned a programme of audit work which has been delivered in accordance with public sector internal audit standards by the NHS Wales Shared Services Partnership. The scope of this work is agreed with the Audit and Assurance Committee and is focussed on significant risk areas and local improvement priorities.
The overall opinion by the Head of Internal Audit on governance, risk management and control is a function of this risk-based audit programme and contributes to the picture of assurance available to the Board in reviewing effectiveness and supporting our drive for continuous improvement.
The programme has been delivered substantially in accordance with the agreed schedule and changes required during the year have been approved by the Audit & Assurance Committee. In addition, regular audit progress reports have been submitted to the Committee. Although minor changes have been made to the plan during the year, the Head of Internal Audit is satisfied that there has been sufficient internal audit coverage during the reporting period in order to provide the Head of Internal Audit Annual Opinion. In forming the Opinion, the Head of Internal Audit has considered the impact of all the audits carried out, summarised in the table below:
The Head of Internal Audit has concluded:
Reasonable Assurance - The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.
In reaching this opinion the Head of Internal Audit has identified that the majority of reviews during the year concluded positively with robust control arrangements operating in some areas. The 2023/24 Internal Audit Plan included audits over key operational deliverables and associated risks, with previous plans incorporating risks associated with the establishment of the Special Health Authority.
From the opinions issued during the year, seven were allocated Substantial Assurance, four were allocated Reasonable Assurance and no reports were allocated a ‘limited’ or ‘no assurance’ opinion. We also issued one advisory report during the year, which has been considered when reaching our opinion.
This work is designed to help discharge the Auditor General’s statutory requirement to be satisfied that DHCW has made proper arrangements to secure economy, efficiency, and effectiveness in its use of resources under section 61 of the Public Audit (Wales) Act 2004.
The work specifically focused on DHCW’s arrangements in relation to governance; strategic planning; financial management; and managing the workforce, digital assets, the estate and other physical assets.
The overall Structured Assessment 2023 conclusion found: “DHCW is embedding good governance arrangements, and must now seek to further develop its role as a trusted digital partner to exploit digitally enabled service opportunities across Wales”.
The recommendations from Audit Wales together with management’s response are recorded and will be received at every Audit and Assurance Committee meeting.
The quality and effectiveness of the information and data provided to the Board is continually reviewed at each meeting of the Board and some revisions have been made to the Integrated Performance Report during the year to provide further clarity.
As indicated throughout this statement and the Annual Report, there are no control issues or significant governance issues that have arisen in 2023/24. However, financial pressures on public services continue across the board. In addition, as reliance on digital and data continues to increase year on year, the cyber threat continues to be a high risk for DHCW to manage. I will ensure our Governance Framework considers and responds to this need.
Signed by Helen Thomas
Date: 9th July 2024