Specimen supporting statement for B1.a Policy, process and procedure development

Outcome achievement level: This organisation believes it can justify an achievement level of Partially Achieved for DSPT outcome B1.a Policy, process and procedure development. 

Signed off by: Sally Smith - outcome owner

Confirmed by: Check and challenge session at the May 2025 Information Governance Committee (minutes uploaded as 2024-05-28 IGC minutes) 

Reported to: Risk and Audit Committee (minutes uploaded as 2024-06-18 RAC minutes), the Board with delegated responsibility for cyber security and Information Governance.


Indicator of good practice: PA#1 and PA#3

We conducted a review of our policies and procedures (uploaded as IG and Cyber Policy and Procedure review 24-25 October 2024.pdf), to assess how comprehensively they documented our approach towards criteria outlined in PA#1. The analysis was conducted by the IG Manager and Cyber Security Manager. The sources we mapped our policies and procedures against were:

  1. The 24-25 DSPT indicators of good practice (see IG and Cyber Policy and Procedure review 24-25 October 2024.pdf)
  2. The relevant risks on our risk register (see IG and Cyber Policy and Procedure review 24-25 October 2024.pdf) 
  3. NHS England IG guidance (see IG and Cyber Policy and Procedure review 24-25 October 2024.pdf) 
  4. NHS England Cyber Security guidance website (see IG and Cyber Policy and Procedure review 24-25 October 2024.pdf)  

Points a. and c. provided assurance of PA#3, as well as discussions that took place with IG colleagues at the local SIGN meeting to support peer review (Minutes uploaded as SIGN November 2024 minutes.pdf).

Following our review, a number of policies and procedures were updated and approved (reflected in NHS Masham FT Policy Schedule.pdf) including:

Confidentiality and Data Protection Policy 

Information Sharing Policy 

Records Management Policy

Acceptable Use Policy 

Password Policy 

Patch management Policy 

Logging Policy

Backup Policy

Network Security Policy 

Data Quality Policy

Freedom of Information Policy

Change Management Process

Access control procedure

Remote Working Guidance

Disposal Guidance

The current policies for staff are available. Technical policies are available on our IT SharePoint site (access can be arranged).


Indicator of good practice: PA#2

Examples of policies and procedures which have been updated following incidents (details available on request) are: 

Disposal Guidance following INC112345

Password Policy following INC113684 

Information Sharing policy following INC 1139675 and INC 114023. 

We believe that our policy review schedule goes beyond PA#2 and aligns us with A#4 and A#5. A copy of the policy schedule including details of approval dates, last review, approving committee, and individuals responsible has been uploaded (NHS Masham FT Policy Schedule.pdf).

Last edited: 27 January 2025 1:55 pm