Information Governance Arrangements

DHCW is responsible for the Information Governance Framework, which helps monitor and improve Information Governance understanding and responsibility in Wales. Without a framework, making information available to services providing Health & Care becomes far more difficult.
The framework is key to DHCW’s Information Governance 2023–2026 Strategy, which was approved as part of the set of Clinical Strategies at the Digital Governance and Safety Committee meeting in November 2023. The IG Strategy outlines the team’s vision, mission statement and strategic aims, highlighting any challenges and opportunities and how the team are intending to meet their key aims identified in the Strategy.
DHCW’s Information Governance Strategy outlines the component elements of the IG framework. Updates on these components include:
Framework for Information Sharing
DHCW provides the central support function of the Wales Accord on the Sharing of Personal Information (WASPI) framework. The WASPI framework helps organisations that provide services to the public share information effectively and lawfully. This is achieved through commitment to common principles and standards, and put into practice through template information sharing agreements provided by the framework.
Over the past year, WASPI has progressed work in becoming an Information Commissioner’s Office Code of Conduct and developing a digital system for organisations to digitise their information sharing agreements. Additionally, to strengthen the existing WASPI framework, new national information sharing templates were released during 2024 to support joint data controller and data processor arrangements. 2025 marks an important milestone as it celebrates the 20th anniversary of WASPI and is a fitting time to reflect on the significant impact this initiative has had on service provision and service user care across Wales. Events and promotions will be held throughout the year to mark this occasion.
Framework for Assurance
The Welsh Information Governance Toolkit ("IG Toolkit") is a self-assessment tool enabling organisations to measure their level of compliance against national Information Governance standards and legislation. The annual assessment helps organisations identify areas of improvement, which can assist them in improving their Information Governance compliance.
All Welsh Health Boards, Trusts, Special Health Authorities, General Medical Practices (GMPs) and Community Pharmacies (CPs) complete the IG Toolkit. The Caforb platform for IG Toolkit is developed by a team of software developers in DHCW, providing improved functionality and implementing changes proposed from a range of stakeholder feedback. Platform and question set developments are continuing to fully implement IG Toolkit requirements for all stakeholders. Future platform developments will enable expansion from those organisations that currently use the existing platform to a wider set of stakeholders who need to provide IG assurance when processing personal data in the provision of NHS Wales services.
Framework for Advice and Guidance
The Data Protection Officer Support Service (“the Service”) provides dedicated advice and assistance to General Medical Practitioners (GMPs) and Community Pharmacies (CPs) on a subscription basis, by providing the functions of the statutory Data Protection Officer role. The Service provides a range of functions including an IG service desk, training and awareness sessions, auditing of the annual IG Toolkit submissions and providing a range of guidance, templates and other documentation to help GMPs meet and improve their compliance with information rights legislation.
84% of GP practices in Wales and 9% of Community Pharmacies are subscribers to this service, with input and feedback from subscribers supporting the development and focus of the service. Through the service, subscribers are supported on all Information Governance and data protection matters, giving them the knowledge and the confidence to keep patient information safe within their organisations. Additionally, the IG Team for Primary Care support DHCW's Primary Care service team and are involved with national projects and programmes within Primary Care Services. These include programmes delivered for general practice, pharmacy, optometry and prison services.
Framework for Accountability
The National Intelligent Integrated Audit Solution (NIIAS) is a proactive monitoring tool which identifies potential inappropriate access to clinical records for many national systems. National systems such as the Welsh Clinical Portal, the Welsh Patient Administration System and the Welsh Demographic Service have large numbers of users accessing information daily.
Whilst health and care staff are aware of their responsibilities not to access any information not relevant to them, NIIAS is in place to identify instances of potential inappropriate use. NIIAS sits behind a number of national systems to flag such instances and alert NHS Wales Health Boards and Trusts with daily notification reports of user access.
Framework for Policy & Governance
A national data policy framework for Wales is critical to the ambitions to make better use of health and care data. Policy in this context means a statement of government intent supported by legislative measures, policy and guidance that helps organisations work towards agreed outcomes. Intent needs to be underpinned by an implementation plan with actions and owners.
DHCW has the experience and knowledge to input into the development of data policy in Wales, but the data policy position needs to be established by Welsh Ministers, via Welsh Government. As such, DHCW’s activities have been supporting, lobbying for action, and raising awareness across the health and care system.
DHCW’s Information Governance responsibilities are monitored by the Digital Governance and Safety Committee via the standing Information Governance Assurance Report.

DHCW’s Welsh Information Governance Toolkit Submission
DHCW has dual responsibilities for the Welsh Information Governance Toolkit (“IG Toolkit”) in that it is responsible for the development and maintenance of the IG Toolkit, and it is also required to complete and submit the Toolkit annually.
The deadline for submission of the 2023/24 IG Toolkit was 31st March 2024.
The scoring of the 2023/24 Toolkit was as follows:
DHCW’s scoring shows a high level of compliance. The scoring should only be used as a guide to DHCW’s level of IG compliance. Organisations completing the IG Toolkit are not expected to achieve 100% across all sections, as the self-assessment is intended to be used to identify areas of improvement. Therefore, where DHCW has not scored 100% in some sections, this does not indicate that the organisation does not meet the legal requirements for these sections; rather, it identifies areas which can be improved.
Following submission of the IG Toolkit, actions were identified to improve DHCW’s compliance with legislation, standards and good practice in preparation for its next submission (2024/25). These are set out in an action plan, with updates on key actions provided to the Committee as part of the Information Governance Assurance Report.
The 2024/25 IG Toolkit was submitted on 31st March 2025, with the outcome and action plan presented to the Digital Governance and Safety Committee.
Linked Strategies and Programmes
DHCW’s responsibilities have expanded over time to support information sharing and assurance for its own internal strategies and programmes, as well as those being delivered by other organisations. These include:
- Single Patient Record
- National Data Resource (NDR)
- Data Promise
- Digital Services for Patients and the Public (DSPP)
- Strategic Programme for Primary Care
- Medicines Management
- Welsh Community Care Information System
Counter Fraud
In line with the NHS Protect Fraud, Bribery and Corruption Standards for NHS Bodies (Wales), the Local Counter Fraud Specialist (LCFS) and Executive Director of Finance agreed a work plan for 2024/25 at the beginning of the financial year. This plan was approved by the Audit and Assurance Committee in April 2024.
Updates on progress against this work plan have been reported to the Audit and Assurance Committee throughout 2024/25.
Compliance with Equality, Diversity, and Human Rights Legislation
Equality, Diversity and Inclusion
DHCW is committed to putting people at the centre of everything it does. As an organisation, we are guided by our core values, which shape how we work and interact with others.
Our ambition is to celebrate DHCW as a place where people thrive, innovate, and achieve great things. We believe our values are integral to everything we do and are embedded in our approach to equality, diversity, and inclusion.
Modern Slavery Act 2015 – Transparency in Supply Chains
The Welsh Government’s Code of Practice: Ethical Employment in Supply Chains highlights the need to ensure good employment practices at every stage of the supply chain, both in the UK and overseas.
DHCW is committed to embedding the principles of this Code and the Modern Slavery Act 2015, reflecting our responsibilities as a public sector employer to eradicate unlawful and unethical employment practices such as:
- Inequality
- Modern slavery and human rights abuses
- False self-employment
- Unfair use of umbrella schemes and zero-hours contracts
- Failure to pay the Living Wage
During 2024/25, DHCW took the following actions:
- Paid the government’s Living Wage as the minimum salary (entry point now Agenda for Change Band 3; Bands 1 and 2 no longer used for recruitment).
- Maintained a Raising Concerns (Whistleblowing) Policy enabling staff, suppliers, or contractors to report malpractice with protection against detriment.
- Implemented robust IR35 processes to prevent unfair use of false self-employment or umbrella arrangements, ensuring fair pay, employment rights, and tax compliance.
- Did not engage staff or workers on zero-hour contracts.
- Operated an open and fair Recruitment and Selection Policy, supporting equality through inclusive advertising and reporting progress via the Strategic Equality Plan (SEP).
- Worked in partnership with trade unions, the employee assistance provider and wider networks, including co-facilitated anti-bullying and harassment sessions.
- Upheld its Digital Inclusion Charter commitment, receiving “exemplary” accreditation in January 2024.
- Implemented a revised Equality, Diversity and Inclusion Policy covering pay, employment rights, training, and development opportunities.
- Submitted a Gender Pay Report to the DHCW Board in March 2025.
Pension Scheme
As an employer with staff entitled to membership of the NHS Pension Scheme, DHCW has control measures in place to ensure all employer obligations within the scheme regulations are met. This includes ensuring that:
- Deductions from salary, employer contributions, and payments into the scheme are made in accordance with the scheme rules.
- Pension scheme records for members are updated accurately and within regulatory timescales.
Welsh Risk Pool
The Welsh Risk Pool Services (WRPS) is a risk-sharing mechanism, similar to an insurance arrangement, which provides indemnity to NHS Wales organisations against negligence claims and losses. Each organisation is responsible for the first £25,000 of a claim or loss, acting as an excess.
The DHCW Board uses a combination of internal and external sources of assurance—including internal audit (provided by NHS Shared Services), external audit, regulators, and inspectors—to inform its development and strengthen governance. The outcomes of these assessments are used to shape planning and improve organisational responsibilities.
Carbon Reduction Delivery Plan
In March 2025, the DHCW Board approved the revised Decarbonisation Delivery Plan (DAP) 2025–2028. This plan reassesses decarbonisation priorities across buildings, energy, procurement, travel, and other emissions sources. It also includes a roadmap of actions leading to 2030.
The plan incorporates ongoing work to assess the environmental impact of AI technologies and their influence on software and programme design. DHCW’s DAP supports the ambitions of the NHS Wales Decarbonisation Strategic Delivery Plan and aligns with the Wellbeing of Future Generations (Wales) Act 2015, addressing challenges such as poverty, inequality, and climate change.
DHCW made significant progress in decarbonising its estate in 2024/25 but recognises that continued efforts are required.
Climate Change Act and Adaptation
DHCW has conducted required risk assessments under the Climate Change Act and reviewed the HSC risk and opportunities toolkit. Actions will be monitored, and future assessments will be implemented as they arise.
We maintain a Legislation Register, reviewed regularly to monitor compliance. Our Environmental Aspects Register helps assess environmental impacts and ensures we meet obligations under the Act.
As of 31 March 2025, DHCW is in full compliance with both the Climate Change Act and Adaptation Reporting requirements.
Data Breaches
Incidents involving data breaches are reported in line with statutory requirements and DHCW’s Standard Operating Procedure for Personal Data Breach Reporting. Under Data Protection legislation, breaches refer to any unauthorised or unlawful access, alteration, or destruction of personal data.
Each incident is risk-assessed to determine its impact on individuals’ rights and freedoms. Where risk is likely, the breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Individuals must also be informed if their rights are at high risk.
All data breaches are investigated by our Information Governance team. When appropriate, Welsh Government is notified under the “no surprises” reporting process.
In 2024/25, there were 14 IG incidents recorded. None were deemed reportable to the ICO.
Ministerial Directions
While Ministerial Directions are issued to NHS Wales organisations, they are not always applicable to DHCW. A full list of issued directions can be found on the Welsh Government website.
Details of the directions received and their applicability to DHCW as at year-end 31 March 2025 are provided in Appendix 4.
Planning Arrangements
The IMTP was submitted to the SHA Board and finally Welsh Government at the end of March 2024. The plan was subsequently confirmed as satisfactory by the Minister for Health and Social Services via an accountability letter in August 2024.
DHCW accountability conditions can be found below:
General
The Board is accountable for Governance, Risk Management and Internal Control. As Chief Executive of the Board, I have responsibility for maintaining appropriate governance structures and procedures as well as a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, whilst safeguarding the public funds and the organisation's assets for which I am personally responsible. These are carried out in accordance with the responsibilities assigned by the Accountable Officer of NHS Wales.
The ‘Five Ways of Working’ and the Well-being of Future Generations Act must be central to the health board’s approach. It is essential that your organisation continues to build on the progress made to utilise the five ways of working and sustainable development principles to deliver your plan. The organisation should ensure its well-being objectives are consistent with and continue to be supported by its planning arrangements.
The Duty of Quality and Duty of Candour, effective from April 2023, must underpin your operational models, and demonstration of this will be required in discussions at regular IQPD meetings and other governance arrangements.
Strong but compassionate leadership will be needed to demonstrate commitment to staff and the need to adopt new ways of working. This should encourage staff of all grades to learn lessons from the pandemic.
Demand and capacity and the financial risks pose significant challenges across the system. Difficult choices will need to be taken at all levels, and decisions must be robust and in line with the organisation’s governance arrangements.
Climate change is a global risk. As anchor institutions, all organisations across NHS in Wales should ensure that planning arrangements and decision-making consider the risks of the choices made on climate change (across both decarbonisation and adaptation planning objectives). NHS Wales is committed to the ambition for a collectively net zero public sector by 2030 and to ensuring resilience to climate impacts.
Reporting must be submitted quarterly to provide an update on progress against the plan. There should be reporting against the key milestones associated with that quarter, any slippage against the plan, next milestones, and the mitigation of any new or emerging risks. A copy of your Board report should be submitted on a quarterly basis to HSS-PlanningTeam@gov.wales.
Organisations should refresh their Minimum Data Set (MDS) on a quarterly basis as part of their internal review of plans. Please submit your quarter two MDS returns to HSS-PlanningTeam@gov.wales by 27th October 2023.
Finance and Efficiency
Provide monthly reports to Welsh Government, outlining delivery against savings plans outlined in the Accountable Officer letter, with clear remedial actions where needed, and assurance clearly provided to the DHCW Board with associated mitigations.
Ensure benefits frameworks and methodology are established, and that all business case proposals include a clear benefits case. Benefits frameworks must be in place, and the delivery of benefits tracked.
Support the development of new funding models and strengthened analysis around allocative efficiency across portfolios. This includes national SLAs and services to inform a national funding model for 2023/24, with greater transparency around SLA costs for all partners.
Governance and Engagement
Develop an enhanced portfolio management and governance framework that aligns with and is integrated into the wider NHS system and governance developments. This will enable delivery and proportionate reporting to DHCW Boards, Welsh Government, and NHS Executive boards and teams.
Review SLA arrangements with health boards and associated services to ensure that, during the year, all health boards understand the detail of services being provided or planned to be provided by DHCW nationally, with clear service catalogues for all health boards.
Delivery
Develop a clear plan and roadmap for an integrated and interoperable National Architecture to enable a singular view of the patient across all ages and care settings — including children and young people. This includes drawing together in a single portfolio the work on WICCS/WCP/WNCR, the NDR, NHS App, and Primary Care EPR developments. It should also optimise architectural and deployment resources and ensure the national architecture is open to all health boards to support local health and care planning, improved care, population health management, and the development of Clinical Data Repositories.
Establish a digital diagnostics portfolio to optimise the use of resources across that portfolio’s programmes.
DHCW must work closely with all NHS and Social Care partners regarding the overarching Information Governance Strategy and Toolkits, ensuring support for effective and safe delivery at scale within health and social care settings.
It is vital that your Board demonstrates system leadership on key digital and data issues — particularly Cyber and Data Security.
Complete the development of all priority functionality within the Cancer Information System required to deliver patient care.
Workforce
Strengthen the plan, in collaboration with HEIW, to develop the digital skills and experience of the NHS Wales GDaD workforce — with clear measures to assess impact.
Review of Effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review is informed by the work of the internal auditors, executive officers responsible for maintaining the internal control framework, and comments made by external auditors in their audit letters and reports.
The Board and its Committees rely on several sources of internal and external assurances which demonstrate the effectiveness of the Special Health Authority’s system of internal control and advise where there are areas of improvement. These elements are detailed above in the diagram of the DHCW Board Control Framework.
The processes in place to maintain and review the effectiveness of the system of internal control include:
- Board and Committee oversight of internal and external assurances, and holding to account Executive Directors and Senior Managers
- Executive Directors and Senior Managers responsible for developing, implementing and maintaining the internal control framework, and driving continuous improvement
- Oversight of operational risk through the Board and its Committees
- Oversight of fraud risk through the Cardiff and Vale Local Counter Fraud team
- Monitoring implementation of recommendations via the audit tracker, overseen by the Audit and Assurance Committee
- Audit and Assurance Committee oversight of audit, risk management and assurance arrangements
- All Committees of the Board submitting annual reports to the March 2025 Board, detailing their work and key decisions during the year
I am satisfied that, overall, the mechanisms in place to assess the effectiveness of the system of internal control are working well. The Special Health Authority has the appropriate balance of assurance from Executive Directors, the Board and its Committees, and DHCW Internal Audit Services.
Internal Audit including Head of Internal Audit Conclusion
Internal Audit provides me, as Accountable Officer, and the Board, through the Audit and Assurance Committee, with a flow of assurance on the system of internal control. I have commissioned a programme of audit work which has been delivered in accordance with Public Sector Internal Audit Standards by NHS Wales Shared Services Partnership. The scope of this work is agreed with the Audit and Assurance Committee and is focussed on significant risk areas and local improvement priorities.
The overall opinion by the Head of Internal Audit on governance, risk management and control is a function of this risk-based audit programme and contributes to the broader assurance available to the Board in reviewing effectiveness and supporting our drive for continuous improvement.
The programme has been delivered substantially in accordance with the agreed schedule. Any changes required during the year were approved by the Audit and Assurance Committee, and regular audit progress reports have been submitted to the Committee.
Although minor amendments were made to the plan during the year, the Head of Internal Audit is satisfied that sufficient internal audit coverage has been achieved during the reporting period to provide the Head of Internal Audit Annual Opinion.
In forming the Opinion, the Head of Internal Audit has considered the impact of all the audits carried out during the period, summarised in the table below:
The Head of Internal Audit has concluded:
Reasonable Assurance – The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.
In reaching this opinion, the Head of Internal Audit has identified that the majority of reviews during the year concluded positively with robust control arrangements operating in some areas. The 2024/25 Internal Audit Plan included audits over key operational objectives, digital deliverables and associated risks.
From the opinions issued during the year:
- 2 were allocated Substantial Assurance
- 9 were allocated Reasonable Assurance
- 0 reports were allocated a Limited or No Assurance opinion
- 1 advisory report was issued and considered in the opinion
There were five further reports issued before the year end that have been taken into account for the opinion but will be reported to the Audit and Assurance Committee during 2025/2026. These include:
- 4 allocated Reasonable Assurance
- 1 allocated Limited Assurance
Audit Wales Structured Assessment
This work is designed to help discharge the Auditor General’s statutory requirement to be satisfied that DHCW has made proper arrangements to secure economy, efficiency, and effectiveness in its use of resources under section 61 of the Public Audit (Wales) Act 2004.
The work specifically focussed on DHCW’s arrangements in relation to governance; strategic planning; financial management; and managing the workforce, digital assets, the estate and other physical assets.
The overall Structured Assessment 2024 conclusion found: “DHCW’s corporate arrangements support good governance and the efficient, effective, and economical use of resources. However, it now needs to use its new long-term strategy to demonstrate its value and consolidate its position as a digital system leader and enabler in the NHS.”
The recommendations from Audit Wales, together with management’s response, are recorded and received at every Audit and Assurance Committee meeting.
Data Quality
The quality and effectiveness of the information and data provided to the Board is continually reviewed at each meeting of the Board. Some revisions have been made to the Performance Report during the year to provide further clarity. The Board finds the Performance Report acceptable in making its assessment of the organisation.
Conclusion
As indicated throughout this statement and the Annual Report, there are no control issues or significant governance issues that have arisen in 2024/25. However, financial pressures on public services continue across the board. In addition, as reliance on digital and data continues to increase year on year, the cyber threat continues to be a high risk for DHCW to manage. I will ensure our Governance Framework considers and responds to this need.
Signed by: Helen Thomas
Chief Executive
Date: 26 June 2025