Other control framework elements
The maintenance and integrity of the Digital Health and Care Wales Special Health Authority website is the responsibility of the Accounting Officer. The work carried out by auditors does not involve consideration of these matters and accordingly auditors accept no responsibility for any changes that may have occurred to the financial statements since they were initially presented on the website.
Other control framework elements
Quality and Duty of Candour
The new Duty of Quality and the new Duty of Candour are due to come into legal force in April 2023, in line with the Health and Social Care (Quality and Engagement) (Wales)(Act) 2020. The new Duties will require the Special Health Authority to report annually on compliance with those duties and to publish their reports in the annual accounts and performance report. These new reporting requirements will therefore be captured in the reporting period 2023/24.
In 2022/23 we have contributed to Welsh Government led workstream 2 for quality reporting requirements, Duties of Candour and Quality Implementation Board and Duty of Quality Implementation group, the latter has developed a roadmap in conjunction with Welsh Government.
This roadmap has formed the basis of the DHCW Duty of Quality Implementation plan, this plan covers all aspects of the roadmap with specific inferences for DHCW requirements under the duty. Included as part of this plan, DHCW held a board development session in 2022-23 in partnership with Welsh Government colleagues to provide the board with an understanding of the requirements of the duty. In the meantime, quality reporting requirements are embedded in the Performance Section of this Annual Report, specifically in the ‘Quality’ section.
In addition, in 2022/23 there has been a non-statutory implementation period during the Autumn/Winter 2022 regarding the Duty of Candour. This has allowed NHS bodies, including primary care providers to prepare for the new reporting requirements under the Duty of Candour and to also undertake and roll out training and awareness sessions.
Information Governance Arrangements
DHCW is responsible for the Information Governance Framework (see fig 14), which helps monitor and improve Information Governance understanding and responsibility in Wales. Without a framework, the challenge of making information available to services providing Health & Care becomes far more difficult construct.
The framework is key to DHCW’s Information Governance Strategy, which is in the process of being updated to reflect the progress, achievements and developments to the framework. The framework is highlighted by five core elements:
DHCW provides the central support function of the Wales Accord on the Sharing of Personal Information (WASPI) framework. The WASPI framework helps organisations, that provide services to the public, share information effectively and lawfully through 'sign-up to the Accord’ and information sharing agreement templates. An overview of WASPI is provided below (see fig 14 below). Over the past year, WASPI has focused on creating a WASPI Code of Conduct, which cumulated in a Welsh Government promoted consultation, from February 2023 to the end of April 2023.
The Welsh Information Governance Toolkit (IG Toolkit) is a self-assessment tool enabling organisations to measure their level of compliance against national Information Governance standards and legislation. The annual assessment helps organisations identify areas of improvement which can assist in organisations Information Governance improvement and action plans. All Welsh Health Boards, Trusts, Special Health Authorities and GMPs complete the IG Toolkit, including DHCW (see Welsh Information Governance Toolkit section below). A new technical platform for the IG Toolkit is being implemented for the financial year 2023/2024. The new platform will allow DHCW to expand from those organisations that currently use the existing platform to a wider set of stakeholders who need to provide IG assurance.
The Data Protection Officer Support Service (“the Service”) provides dedicated advice and assistance to General Medical Practitioners on a subscription basis, by providing the functions of the statutory role, the Data Protection Officer. The Service provides a range of functions including training and awareness raising, auditing of the annual IG Toolkit submissions and providing a range of guidance, templates and other documentation. 84.77% of GP practices in Wales are subscribers to this service. Through the service, subscribers are supported on all Information Governance and data protection matters, giving them the knowledge and the confidence to keep patient information safe within their practice.
The National Intelligent Integrated Audit Solution (NIIAS) is a proactive monitoring tool, which identifies potentially inappropriate access to clinical records for many national systems. National systems such as the Welsh Clinical Portal, the Welsh Patient Administration System and the Welsh Demographic Service have large amounts of users accessing information on a daily basis. Whilst health and care staff are aware of their responsibilities not to access any information not relevant to them, NIIAS is in place to identify instances of potential inappropriate use. NIIAS sits behind a number of national systems to flag instances of potential inappropriate access to alert NHS Wales Health Boards and Trusts with daily notification reports of user access.
The UK GDPR outlines seven key principles that should be considered when processing personal data. The seventh principle, Accountability requires organisations to take responsibility for what they do with personal data and how to comply with the other principles. Organisations must have appropriate measures and records in place to be able to demonstrate compliance. One way of achieving this is ensuring that all staff processing personal data understand the confidentiality of personal information and their roles and responsibilities regarding Information Governance. All NHS Wales staff must complete statutory and mandatory Information Governance training on employment and every two years thereafter. This training has recently been reviewed.
DHCW’s Information Governance responsibilities are monitored by the Digital Governance and Safety Committee via the standing Information Governance Assurance Report.
IG Framework components
WASPI - Current Position and Growth
750+ Organisations committed to WASPI
34 Health Boards & Local Authorities
270 GP Practices
11 Police and Fire services
218 Education Providers
145 Charities and Voluntary organisations
34 Housing organisations
42 Other partners
WASPI Growth since last funding review
750 organisations now signing up to the Accord
250+ Approved Information Sharing Protocols are now published on the WASPI website.
Introduction of 5 regional quality assurance groups, which are all now supported by the WASPI Team and have their own Chair appointed.
WASPI’s importance as the information sharing framework in Wales, recognised by Welsh Government and other stakeholders, following work and support in particular areas including during the pandemic and as part of the Ukrainian Refuree Scheme
No equivalent framework in UK.
Welsh Information Governance Toolkit
DHCW has dual responsibilities for the The Welsh Information Governance Toolkit (IG Toolkit), in that it is responsible for the development and maintenance of the IG Toolkit and is required to complete and submit annually.
The deadline for the 2021/22 submission of the IG Toolkit was 31st March 2022. This was the first IG Toolkit year measuring DHCW’s compliance (the previous submissions were before NHS Wales Informatics Service transitioned to DHCW on 1st April 2022). DHCW achieved a 98% score in the 2021/22 submission, which was up 4% from 2020/21.
DHCW’s submission scored a high level of compliance. Please note, the IG Toolkit only recognises that there has been an input of evidence, it does not recognise the quality of the evidence provided. Therefore, scoring should only be used as a guide of the organisations Information Governance compliance. Organisations are not expected to attain 100% compliance, and DHCW scoring does not indicate that the organisation does not meet the legal requirements, more so, it identifies where these areas can be improved.
An Information Governance action plan was established, which also took into consideration the Information Commissioner’s Office (ICO) Accountability Toolkit. Key actions from the plan were shared and monitored through the Digitial Governance and Safety Committee.
Work is underway to complete the 2022/23 IG Toolkit by the submission date of 30th June 2023. This is the first year on the new technical platform and contains a revised question set, which has been compared to NHS England’s English Data Security and Protection Toolkit.
Linked Strategies and Programmes
DHCW responsibilities have expanded over time to support information sharing and assurance for its own internal strategies and programmes as well as those being delivered by other organisations – These include:
Data Governance
- Data Privacy
- Data Stewardship
- Data Quality
- Metadata Management
- Master & Reference Data Management
- Data Security Management
- Information Lifecycle Governanace
Counter Fraud
In line with the NHS Protect Fraud, Bribery and Corruption Standards for NHS Bodies (Wales), the Local Counter Fraud Specialist (LCFS) and Executive Director of Finance agreed at the beginning of the financial year a work plan for 2022/23 which was approved by the Audit and Assurance Committee in May 2022. Updates on delivering against this work plan have been provided to the Audit and Assurance Committee during 2022/23.
Compliance with equality, diversity, and human rights legislation
DHCW is committed to putting people at the centre of everything it does. The vision is to create an accessible and inclusive organisational culture and environment for everyone that complies with the provision of the Equality Act 2010. Our Equality and Diversity policy is published on our website and is based on the following guiding principles:
- Digital Health and Care Wales will seek to employ a workforce that is representative of all sections of society within the communities from which it is provides its services.
- Every employee should feel respected and able to be their authentic self and give their best to their roles.
- Employees will be supported and encouraged to develop their full potential and their talents and resources of the workforce will be fully utilised to maximise the efficiency of the organisation. Individual differences will be recognised and valued and no form of intimidation, bullying or harassment will be tolerated.
- Staff will be supported where they feel they are being unfairly treated and encouraged to report any incidents of hate crimes against them or people around them.
- All of the Digital Health and Care Wales employment policies and practices and service developments will be equality impact assessed to avoid discrimination and to ensure mitigation where protected groups could be adversely affected under the Equality Act 2010.
An overview of actions in relation to equality and diversity can be seen in our Staff Remuneration Report
In addition, the Board approved DHCW’s Strategic Equality Plan which in 2022-23 which is now being implemented across the organisation.
Modern Slavery Act 2015 – Transparency in Supply Chains
The Welsh Government’s Code of Practice: Ethical Employment in Supply Chains was introduced to highlight the need, at every stage of the supply chain, to ensure good employment practices exist for all employees, both in the United Kingdom and overseas.
DHCW is committed to embedding the principles and requirements of the Code and the Modern Slavery Act 2015.
In doing so it is demonstrating the commitment to our role as a public sector employer, to eradicate unlawful and unethical employment practices, such as:
- Inequality
- Modern Slavery and Human rights abuses
- False self-employment
- Unfair use of umbrella schemes and zero hours contracts; and
- Not paying the Living Wage
During 2022/23 took the following actions:
- It paid the government's living wage rate on its lowest pay scale, which is at Agenda for Change pay band 3 and no longer recruits to bands 1 or 2 as band 3 is now our entry grade
- It has a Raising Concerns (Whistleblowing) Policy, which provides the workforce with a fair and transparent process to empower and enable them to raise suspicions of any form of malpractice, by staff, suppliers, or contractors working on DHCW premises and supports the no detriment is regards to anyone raising a concern
- It has robust IR35 processes, which ensure that there is no unfair use of false self-employed workers or workers being engaged under umbrella schemes. These processes also ensure the fair and appropriate engagement of all workers and prevent individuals from avoiding paying Tax and National Insurance contributions. It also ensures that no worker is unduly disadvantaged in terms of pay, rights, or substantive employment opportunities
- It does not engage or employ staff or workers on zero-hour contracts
- It has an open and robust Recruitment and Selection Policy and Procedure, which ensures a fair and transparent process. Specific commitments to support equality are to: advertise opportunities to join the organization in wider and diverse communities. The organization has developed and implemented new values, a new strategic equality plan, anti-racism, and anti-bullying plan. A new equality, diversity, and inclusion (EDI) network commences in April 2023
- It has a target in place to pay our suppliers within 30 days of receipt of a valid invoice
- Has worked closely in partnership with the trade unions, employee assistance provider, and wider networks to support employees
- Supporting digital inclusion through a variety of commitments
- The organisation has an Equality and Diversity Policy, which ensures that no potential applicant, employee or worker engaged by DHCW is in any way unduly disadvantaged. This relates to pay, employment rights, employment, training and development or career opportunities. A gender pay report was provided to the DHCW Board in March 2023.
- In accordance with the Transfer of Undertaking (Protection of Employment) Regulations, any DHCW staff that may be required to transfer to a third-party organization will retain their NHS pay and Terms and Conditions of Service
Pension scheme
As an employer with staff entitled to membership of the NHS pension scheme, control measures are in place to ensure all employer obligations contained within the scheme regulations are complied with. This includes ensuring that deductions from salary, employer’s contributions and payments into the scheme are in accordance with the scheme rules, and that member pension scheme records are accurately updated in accordance with the timescales detailed in the regulations.
Welsh Risk Pool
The Welsh Risk Pool Services (WRPS) is a risk sharing mechanism, akin to an insurance arrangement, which provides indemnity to NHS Wales’s organisations against negligence claims and losses. Individual NHS organisations must meet the first £25,000 of a claim or loss, which is similar to an insurance policy excess charge.
The Board along with its internal sources of assurance, which includes its internal audit function provided by NHS Shared Services, also uses sources of external assurance and reviews from auditors, regulators and inspectors to inform and guide our development. The outcomes of these assessments are being used by the Board to further inform our planning and the embedding of good governance across a range of the organisation’s responsibilities.
Cardon reduction delivery plan
The DHCW Board approved the Decarbonisation Strategic Delivery Plan 2021-2030 at the March 2022 Board, details on the delivery plan can be found in the Performance Report. The plan has been developed to support the ambitions set out within the NHS Wales Decarbonisation Strategic Delivery Plan which outlines how NHS Wales can contribute to the recovery and its commitment to the Wellbeing of Future Generations (Wales) Act 2015, which addresses long-term persistent challenges such as poverty, health inequity, and climate change. DHCW have made significant progress in decarbonising our estate in 2022/23 However, we recognise there is more to do.
Data Breaches
Incidents resulting in a data breach are reported in accordance with DHCWs statutory requirements and documented Standard Operating Procedure on Personal Data Breach Reporting Management. Under Data Protection legislation, personal data breaches (as defined by the act) are considered a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches are required to be risk assessed to determine the likelihood of the risk to the individuals’ affected rights and freedoms. If a risk is likely, under Data Protection, the breach must be reported to the Information Commissioners Office (ICO) within 72 hours. Failure to report could lead to financial or reputational loss. Additionally, those individuals concerned directly may need to be informed where the breach is likely to result in a high risk to the rights and freedoms of individuals.
All data breaches are appropriately investigated by our Information Governance team and are reported to the Digital Governance and Safety Committee. Where appropriate or mandated, Welsh Government are informed as part of a no surprises report.
During 2022/23, we recorded a total of 5 incidents on the Datix system which resulted in potential personal data breaches. Of these incidents, none met the assessment criteria for reporting to the ICO.
Ministerial directions
Whilst Ministerial Directions are received by NHS Wales organisations, these are not always applicable to DHCW. Ministerial Directions issued throughout the year are listed on the Welsh Government website Health and social care. Details of the ministerial direction received and their applicability to DHCW as at year end 31 March 2023 are included at Appendix 4.
Planning Arrangements
The Welsh Government planning framework guidance was published in Nov 2021. The requirement reverted back to a three year Integrated Medium Term Plan (IMTP) rather than the annual plan arrangement of the previous year. The original proposed deadline of end Jan 2022, was further extended (on 21 Dec 2021) to end Mar 2022, again due to uncertainty and pressures felt by the service in recovering from the Covid-19 pandemic.
The IMTP was submitted to the SHA Board and finally Welsh Government at the end of March 2022. The plan was subsequently accepted and noted by the Minister for Health and Social Services in July 2022 and feedback was provided by the Welsh Government as requirements and accountability conditions. These included quarterly reporting requirements.
Accountability conditions were called out around the delivery of the Cancer system, capital investment, workforce, digital priorities and collaboration.
DHCW Accountability conditions, topic, requirement and DHCW plans can be found below:
- 5 Ways of Working / Wellbeing of Future Generations
- Public Plan on Public Website
- Quarterly Plan Reporting
- Minimum Data Set
- Digital Priorities
- Centre for Digital Public Services
- Cancer
- Capital Investment
- Workforce
- Collaboration
Review of Effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the system of internal control is informed by the work of the internal auditors, and the executive officers within the organisation who have responsibility for the development and maintenance of the internal control framework, and comments made by external auditors in their audit letter and other reports.
The Board and its Committees rely on several sources of internal and external assurances which demonstrate the effectiveness of the Special Health Authority’s system of internal control and advise where there are areas of improvement. These elements are detailed above in the diagram of the DHCW Board Control Framework.
The processes in place to maintain and review the effectiveness of the system of internal control include:
- Board and committee oversight of internal and external sources of assurance and holding to account Executive Directors and Senior Managers
- Executive Directors and Senior Managers who have responsibility for development, implementation, and maintenance of the internal control framework and the continuing improvement in effectiveness within the organization
- The oversight of operational risk through the Board and its Committees
- Oversight of fraud risk through the Cardiff and Vale Local Counter Fraud team
- The monitoring of the implementation of recommendations through the audit tracker overseen by the Audit and Assurance Committee
- Audit and Assurance Committee oversight of audit, risk management, and assurance arrangements
All Committees of the Board provided an annual report to the March 2023 Board detailing the work undertaken by the relevant Committee within the year and the key decisions taken.
I am satisfied that generally the mechanisms in place to assess the effectiveness of the system of internal control are working well and that the Special Health Authority has the right balance between the level of assurance I receive from my Executives, Board and Board Committee arrangements and DHCW Internal Audit Services.
Internal Audit including head of internal audit conclusion
Internal Audit provide me as Accountable Officer and the Board through the Audit and Assurance Committee with a flow of assurance on the system of internal control. I have commissioned a programme of audit work which has been delivered in accordance with public sector internal audit standards by the NHS Wales Shared Services Partnership. The scope of this work is agreed with the Audit and Assurance Committee and is focussed on significant risk areas and local improvement priorities.
The overall opinion by the Head of Internal Audit on governance, risk management and control is a function of this risk-based audit programme and contributes to the picture of assurance available to the Board in reviewing effectiveness and supporting our drive for continuous improvement.
The programme has been delivered substantially in accordance with the agreed schedule and changes required during the year have been approved by the Audit & Assurance Committee, in addition, regular audit progress reports have been submitted to the Committee.
Although minor changes have been made to the plan during the year, the Head of Internal Audit is satisfied that there has been sufficient internal audit coverage during the reporting period in order to provide the Head of Internal Audit Annual Opinion. In forming the Opinion, the Head of Internal Audit has considered the impact of all the audits carried out, summarised in the table below:
Engagement Strategy 14/02/2023 Reasonable
The Head of Internal Audit has concluded:
Reasonable Assurance - The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.
In reaching this opinion the Head of Internal Audit has identified that the majority of reviews during the year concluded positively with robust control arrangement operating in some areas.
From the opinions issued during the year, five were allocated Substantial Assurance, eleven were allocated Reasonable Assurance. No reports were allocated a ‘no assurance’ opinion.
Audit Wales Structured Assessment
The aim of this work is designed to help discharge the Auditor General’s statutory requirement to be satisfied that DHCW has made proper arrangements to secure economy, efficiency, and effectiveness in its use of resources under section 61 of the Public Audit (Wales) Act 2004.
The work specifically focussed on DHCW’s arrangements in relation to governance; strategic planning; financial management; and managing the workforce, digital assets, the estate and other physical assets, The overall Structured Assessment 2022 conclusion found: “DHCW is embedding good governance arrangements, and must now seek to further develop its role as a trusted digital partner to exploit digitally enabled service opportunities across Wales’’
The recommendations from Audit Wales together with management’s response are recorded and this will be received at every Audit and Assurance Committee meeting along with a Structured Assessment Opportunities for Learning report.
Audit Wales Primary Care GMS Digital Programme Board Governance and Financial Management
Review
During 2022-23, Audit Wales undertook a local piece of work reviewing DHCW’s General Medical Services (GMS) Programme Board Governance Arrangements, which oversees new and existing digital services to GP Practices alongside financial expenditure and service management to support existing operational services and new programmes of work. At the time of writing this report, the report had not been finalised and submitted to the Audit and Assurance Committee.
Data Quality
The quality and effectiveness of the information and data provided to the Board is continually reviewed at each meeting of the Board and some revisions have been made to the Integrated Performance Report during the year to provide further clarity.
Conclusion
As indicated throughout this statement and the Annual Report the need to plan and respond to the COVID-19 pandemic, along with other competing priorities has had an ongoing impact on the organisation, wider NHS and society as a whole. This has required a dynamic response which has presented several opportunities in addition to a number of risks. I will continue to ensure our Governance Framework considers and responds as required.
During the period 1 April 2022–31 March 2023 there have been no significant internal control or governance issues identified. This is due to the establishment and going development of sound systems of internal control that are in place. It is important we communicate widely with staff on an ongoing basis to further embed these arrangements.
One area that I felt required additional exploration related to the governance arrangements for DHCW Nationally Hosted Programmes, an Independent Review was commissioned working with Welsh Government and the recommendations will be considered and taken forward between DHCW and Welsh Government.
Signed by Helen Thomas
Date: June 2023