Part of Strengthening assurance – independent assessment: summary of guides
Appendices
Appendix A – organisational RACI
Task | Responsible | Accountable | Consulted | Informed |
---|---|---|---|---|
Collect documentation for each principle to be assessed | Information security team, Information governance (IG) team | Senior Information Risk Owner (SIRO), Data protection officer (DPO) | Procurement | Wider organisation |
Discuss and agree current position of each outcome (Achieved, Partially Achieved, Not Achieved) | Information security team, Information governance team | SIRO, DPO | Procurement | Caldicott Guardians, Executive directors |
Agree terms of reference and timelines for the assessment | IG/IT manager | SIRO, DPO | Information security team, Information governance team | Caldicott Guardians, Executive directors |
Communicate assessment timelines with departments | IG/IT manager | SIRO, DPO | Wider organisation | |
Kick-off call | IG/IT manager | SIRO, DPO | Caldicott Guardians, Executive directors | |
Arrange fieldwork meetings | IG/IT manager | SIRO, DPO | Caldicott Guardian | |
Send documents to assessors | Information security team, Information governance team | SIRO, DPO | | |
Take part in fieldwork meetings and collate additional documents | IG/IT manager, DPO, Caldicott Guardian | SIRO | Information security team, Information governance team | |
Close-out call | IG/IT manager | SIRO, DPO | Caldicott Guardians, Executive directors | |
Read and discuss draft report | IG/IT manager, SIRO, DPO, Caldicott Guardian | SIRO | Executive directors | |
Agree action owners and timelines | IG/IT manager, SIRO, DPO, Caldicott Guardian | SIRO | Executive directors | |
Provide management responses | IG/IT manager | SIRO | DPO, Caldicott Guardian, Executive directors | |
Read and agree final report | IG/IT manager, SIRO, DPO, Caldicott Guardian | SIRO | Executive directors | |
Create action plan for remediation of findings | IG/IT manager, SIRO, DPO, Caldicott Guardian | SIRO | Executive directors | |
Add assessors to the toolkit | IG manager | SIRO | DPO, Executive directors | |
Submit final report to NHS England (NHSE) | SIRO | SIRO | DPO, Caldicott Guardian, Executive directors, IT/IG manager | |
Present final report to audit committee | SIRO | DPO, Caldicott Guardian, Executive directors, IT/IG manager | | |
Ongoing reporting of progress to audit committee | SIRO | SIRO | DPO, Caldicott Guardian, Executive directors | |
Appendix B – CAF-aligned DSPT Gantt chart
The Gantt chart (available to download below) provides an indicative timeline for the completion of the CAF-aligned DSPT, starting with the preparation of the assessment, and ending with post-assessment activities.
Collation of the documents and discussions around the organisation’s position for each outcome should take place year-round and are therefore listed as 'Prior to week 1' in the chart.
Submitting the final report to NHSE must be done before the 30 June deadline, but this may be later than week 9 if the organisation has undertaken its CAF-aligned DSPT early in the year.
Last edited: 3 October 2024 10:31 am