Part of IG framework for integrated health and care: Shared care records
Appendix 3: Assurance checklist (for completion by the ShCRs)
The assurance checklist is intended to provide assurance to ShCRs that they are following the guidance outlined in the IG Framework. ShCRs should complete a self-assessment by reading each assurance checkpoint and then ticking if they feel there is satisfactory evidence. After the self-assessment is complete and the ShCR feels ready, it can make a submission to the IG Assurance Panel. The papers will include a signed-off copy of the Assurance Checklist and the supporting evidence detailed within the checklist.
| Assurance Checkpoint | Relevant section of IG Framework | Evidence Yes or No | ShCR comments |
|---|---|---|---|
| Appointment of a ShCR IG Lead (subject matter expert) | 3.1 The Importance of Good IG Practice for ShCRs | ||
| ShCR IG Lead is a member of the ShCR IG Leads Network | 3.1 The Importance of Good IG Practice for ShCRs | ||
| Structure chart for ShCR IG function (including communication strategy) | 3.1 The Importance of Good IG Practice for ShCRs | ||
| Evidence of IG policies | 3.1 The Importance of Good IG Practice for ShCRs | ||
| Joint controller agreement agreed by all members of the grouping | 3.2 Determining data flows and controllership | ||
| DSA or Protocols (where applicable) | 3.2 Determining data flows and controllership; 5. Journey 2 | ||
| Service Level Agreement (where applicable) | 3.2 Determining data flows and controllership | ||
| A processor contract between the grouping and the processor(s) | 3.2 Determining data flows and controllership | ||
| A clear data processing map showing purpose and controller and processor at each stage of the data flow | 3.2 Determining data flows and controllership | ||
| Completed and approved DPIA for each data sharing purpose to be published in participating organisations' publication scheme (except for security and storage arrangements) | 3.2 Determining data flows and controllership; 3.3 Understanding Legal Requirements; 3.7 Demonstrating accountability | ||
| A statement for each organisation involved in the collective sharing setting out the purpose, the lawful basis for processing and that the CLDC is satisfied | 3.3 Understanding Legal Requirements | ||
| Transparency information stating what data is collected, stored, shared and retained and for how long. The transparency information should include information on patient or service user preferences, where applicable | 3.3 Understanding Legal Requirements; 3.3.5 The Duty of Transparency | ||
| An agreed approach across the ShCR for the management of patient or service user objections to share their data for individual care | 3.3 Understanding Legal Requirements; 3.5 Patient and Service User Objections to processing; 3. | ||
| Evidence of effective Role Based Access Control (RBAC) | 3.3 Understanding Legal Requirements; 3.4 Data access controls, SARs, review and retention; 5. Journey 2 | ||
| Production of a clear plan, list of communication materials and channels | 3.3.5 The Duty of Transparency | ||
| Publication of information and transparency materials by all participating organisations in the ShCR to the public, patients or service users | 3.3.5 The Duty of Transparency | ||
| Details of a process for managing and updating communications | 3.3.5 The Duty of Transparency | ||
| Evidence of public engagement to gain their view of the approach and test materials | 3.3.5 The Duty of Transparency | ||
| Patients or service users can exercise individual rights in transparency documentation | 3.3.5 The Duty of Transparency | ||
| Policies and procedures for information asset management | 3.3.6 ROPA | ||
| Records of Processing Activity, Production of an Information Asset register, ROPA List | 3.3.6 ROPA | ||
| Compliance with Records Management Code of Practice for Health and Social Care 2021 | 3.4 Data access controls, SARs, review and retention | ||
| Audit of IG policies | 3.4 Data access controls, SARs, review and retention | ||
| A process in place for complying with individual rights where required, for example, rectification, objection, SAR | 3.4 Data access controls, SARs, review and retention | ||
| A ShCR cyber assurance Framework is in place | 3.6 Assuring Security | ||
| A communications route between the ShCR Cyber Security Lead and ShCR IG Lead, and other cyber leads within ShCR participating organisations | 3.6 Assuring Security | ||
| IG considerations in Project Initiation Documentation | 3.7 Demonstrating accountability | ||
| DPIA risks incorporated into (organisation/ShCR) risk register including mitigation and management | 3.7 Demonstrating accountability | ||
| Unmitigated high risks from a DPIA are escalated to the DPO and the ICO is consulted | 3.7 Demonstrating accountability | ||
| Consultation with the public on data sharing for integrated care | 3.7 Demonstrating accountability | ||
| Cross-ShCR information sharing materials that are available to the patient or service user at the point of care | 5. Journey 2 | ||

Last edited: 31 March 2026 8:34 am