
Specimen supporting statement for A1.b Roles and responsibilities

Outcome achievement level: This organisation believes it can justify an achievement level of Achieved for DSPT outcome A1.b Roles and responsibilities. 

Signed off by: Joe Bloggs - outcome owner

Confirmed by: Check and challenge session at the May 2025 Information Governance Committee (minutes uploaded as 2024-05-28 IGC minutes) 

Reported to: Risk and Audit Committee (minutes uploaded as 2024-06-18 RAC minutes), the Board with delegated responsibility for cyber security and Information Governance.


Indicator of good practice: A#1

The Data Security Policy (uploaded as 2024-01-09 NHS Masham FT Data Security Policy) and the Data Protection Policy (uploaded as 2024-01-09 NHS Masham FT Data Security Policy) set out the key roles, responsibilities and key groups for cyber security and information governance. These policies were reviewed and agreed in January 2024 (Board minutes uploaded as 2024-01-09 NHS Masham FT Board minutes).

The overall framework for cyber security and information governance is set out in the cyber and IG framework initially published in 2022. It was reviewed and updated in May 2024, and agreed by the Audit and Risk committee (uploaded as 2024-05-28 Cyber and IG Framework and ARC minute uploaded as 2024-05-28 ARC minutes).

The organisation published its cyber security strategy in July 2024; it is available at [Add a link to the relevant organisation's strategy].


Indicator of good practice: A#1 and A#2

The key roles in the trust are:

Senior Information Risk Owner (SIRO) (Job description uploaded as 2023-09-12 SIRO JD). Director of Finance and IT and member of Audit and Risk Committee. Chairs IT Change Management Board.

Caldicott Guardian (Job description uploaded as 2022-06-12 CG JD). Chairs Information Governance Committee. Completed Caldicott Guardian training September 2023 and member of UK Caldicott Guardian council. (Training certificate uploaded as 2023-09-28 CG Training Certificate) 

Data Protection Officer (DPO) (Job description uploaded as 2023-09-12 DPO JD). Experienced DPO with five years' NHS experience, BCS Data protection practitioner 2023. 2024 PDR Objectives cover information governance.

IG lead (Job description uploaded as 2024-01-02 DPO JD). 2024 PDR Objectives cover information governance.

Head of Cyber Security (Job description uploaded as 2024-04-19 Cyber lead JD). Experienced cyber lead across a number of sectors. Chair of Cyber Working group, member of IT Operations Group, IG committee and IT Change Board. 2024 PDR Objectives cover cyber security.

Deputy Head of Cyber Security (Job description uploaded as 2024-04-19 Deputy Cyber lead JD). Deputy Chair of Cyber Working group, member of IT Operations Group. 2024 PDR Objectives cover cyber security.

IT manager (Job description uploaded as 2024-02-13 DPO JD). 2024 PDR Objectives cover cyber security. Deputy Chair of IT Change Management Board.

Deputy IT Manager (Job description uploaded as 2024-04-19 Deputy IT Manager JD).

Network Manager (Job description uploaded as 2022-06-11 IT Network Manager JD).

Information Asset Owners and Information Asset Assistants (Addendum to Job description uploaded as 2024-04-19 AO and IAA JD addendum).


Indicator of good practice: A#3

The Risk and Audit Committee (terms of reference uploaded as 2024-01-02 RAAC TOR) are the Board with delegated responsibility and overall accountability for cyber security and Information Governance. Other key groups in place are:

Cyber Working Group (terms of reference uploaded as 2024-04-02 RAAC TOR). Minutes from June 2023 and January 2024 are uploaded as 2023-06-29 CWG Minutes and 2024-01-22 SWG Minutes.

Information Governance Committee (terms of reference uploaded as 2024-03-09 IG Committee TOR). Minutes from September 2023 and March 2024 are uploaded as 2023-06-29 IGC Minutes, 2024-03-12 IGC Minutes and 2024-03-17 IGC minutes.

IT Change Management Board (terms of reference uploaded as 2024-03-09 ITCMB TOR). Minutes from the March 2024 and July 2024 meetings are uploaded as 2024-03-27 ITCMB minutes and 2024-07-12 ITCMB Minutes.

IT Operations Group (Terms of reference uploaded as 2024-03-09 ITOG TOR). Notes uploaded from June 2024 meeting (uploaded as 2024-06-28 ITOPs notes).


Indicator of good practice: A#4

All staff have a standard section covering information governance and cyber included in their contracts (uploaded as 2022-06-23 Standard staff contract extract cover IG and cyber).

Staff on voluntary contracts, secondments or honorary contracts have a standard section covering information governance and cyber included in their contracts (uploaded as 2022-08-13 non-standard contract extract cover IG and cyber).

Last edited: 27 January 2025 1:53 pm