Project Initiation Document s1

Directorate / Programme Information Project Anonymisation Governance and Standard Standards Assurance

Document Reference < SCCI 1523 PID> Project Manager (HSCIC) Status Draft Owner Stephen Elgar (IG Version 0.5 Alliance)

Author Vanessa Version issue date 12/06/2015 Kaliapermall (HSCIC) and Stephen Elgar (IG Alliance)

Version Date Summary of Changes 0.1 07.04.2015 Initial Draft Second draft following meeting project start up meeting with Phil Walker, Stephen 0.2 27.04.2015 Elgar and Malcolm Oswald on 14th April 2015 03 28.04.2015 Suggestions for changes, Stephen Elgar and Malcolm Oswald on 27th April 2015 0.4 06.05.2015 Changes after project planning meeting held 28th April 2015 0.5 11.6.15 Changes after project planning meeting held 5th May 2015 Reviewers This document must be reviewed by the following people:

Reviewer name Title / Responsibility Date Version Phil Walker IG SME / IGA 0.2, 0.4, 0.5 0.1, 0.2, 0.3, 0.4, Stephen Elgar IG SME / IGA 0.5

Malcolm Oswald Standard Consultant 0.2, 0.4, 0.5 Expert Reference Group HSCIC IGSA DSCRO Programme Team Project Board 0.1, 0.2, 0.3, 0.4, Project Team HSCIC 0.5

Approved by This document must be approved by the following people: author to indicate approvers

Name Signature Title Date Version Director of Information SRO Peter Hall Governance and Standards Assurance Rob Shaw (HSCIC / IGA) Delivery (funding) Linda Whalley Strategy (funding) Policy Manager - Sponsor Sean Kirwan Information Sharing, Data Protection and Standards

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

Term / Abbreviation What it stands for DPA Data Protection Act DH Department of Health HSCIC Health and Social Care Information Centre FOI Freedom of Information ICO Information Commissioner’s Office IG Information Governance IGA Information Governance Alliance LGA Local Government Association MOJ Ministry of Justice NHS National Health Service

Document Control: The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, email attachment), are considered to have passed out of control and should be checked for currency and validity.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

1 Purpose

The Project Initiation Document (PID) is an extension and refinement of the IGA work package definition. The PID gives the direction and scope of the project and forms the ‘contract’ between the project management team, the SRO and Project Board.

2 Project definition and scope

2.1 Project summary

The Information Governance Alliance has been commissioned to develop a standard for the anonymisation of data appropriate for dissemination and publication. The standard will be developed collaboratively with, but not limited to, stakeholders drawn from care provider and commissioning organisations and also with input from IG Subject Matter Experts from HSCIC, Department of Health, NHS England and Public Health England (core member organisations).

It is proposed that, for continuity and consistency, the existing Information Standards Board ‘Anonymisation Standard for Publishing Health and Social Care Data’ (published 25 February 2013) be updated and broadened to include enabling data which cannot be published to be disseminated into a secure environment. The proposed title of the updated standard is ‘Anonymisation Standard for Disseminating Health and Social Care Data’.

This standard would be relevant to HSCIC and all care organisations that are seeking to release data into a secure environment to be used for direct care and non-care/indirect care purposes, either by publication or by dissemination to specific parties.

The products of this project will be:-  Proposal for Change by end May 2015  Series of products as required by the SCCI Framework.  Aim to seek SCCI approval of the standard and implementation guidance no later than 31st March 2016. 2.2 Business requirement Health organisations have a legal duty to use no more than the minimum necessary data about patients, and, wherever identifiable data are used a legal basis must be established. Wherever possible, anonymised data should be used. Whilst a standard was developed in 2012/13 to clarify the circumstances in which data was sufficiently anonymised to enable it to be published, i.e. placed in the public domain, there are circumstances where data that is not safe to publish may still be de- identified in the context in which it is processed so that it does not breach confidentiality law and require the work needed to establish a clear legal basis. In the absence of a standard however, it is difficult for organisations to demonstrate that they are using data that have been anonymised.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

It is proposed that the Anonymisation Standard for Publishing Health and Social Care Data (ISB1523)1 is revised and extended in scope. The revised standard will define a standard process not only for publication, but also for other forms of data dissemination. It is proposed that it will be renamed as the “Anonymisation Standard for Disseminating Health and Social Care Data”. The standard will apply to all organisations identified in section 250(6) of the Health and Social Care Act 20122. As now, the standard will aim to explain how a dataset can be de-identified, and how to assess whether the resulting dataset is anonymised. The re-development of the anonymisation standard has been initiated by the Information Governance Alliance (IGA) at the request of the Department of Health chaired Information Governance Oversight Group (IGOG). The Information Governance Alliance (IGA) is a group of national health and care organisations that are working together to provide a joined up and consistent approach to information governance.3 The will be developed collaboratively with representatives from within the Information Governance Alliance, and with other stakeholders from other health and social care organisations that will ultimately be end-users of the standard. The revision of the standard is proposed in order to: 1. Learn from, and take account of, experience gained from the implementation of the original ISB1523 standard published in 2013;

2. Provide a greater degree of consistency between the standard and other significant standards and policies, including the Information Commissioners’ Office “Anonymisation Code of Practice” (which was developed in parallel with the original standard4)

3. Provide a standard process for organisations wishing to disseminate (other than by publication) health and social care data in an anonymised form to other organisations.

2.3 Background The Health Select Committee investigation, and the events that led to it, are part of the background to the proposal. The controls that need to be in place within organisations that receive data to ensure that data remains anonymised are extremely important but currently there is no standard to ensure that this is done effectively and consistently. In November 2013 an internal review into the HSCIC use of data pseudonymisation was commissioned by the HSCIC Information & Analytics Directorate. The Review’s scope is the use of pseudonymisation in respect of the data in transmission, received, held and disseminated by the HSCIC. One of the Review’s sub-groups, Standards and Terminology, is expected to recommend that a standard is required to facilitate the use of anonymised person-level data for purposes other than direct care. The IGA agreed with the Standards and Terminology Sub-group that anonymisation means more than just applying pseudonymisation techniques. The revised standard will address, and

1 http://webarchive.nationalarchives.gov.uk/+/http://www.isb.nhs.uk/library/standard/128

2 http://www.legislation.gov.uk/ukpga/2012/7/section/250/enacted

3 For more information on the Information Governance Alliance, see: http://systems.hscic.gov.uk/infogov/iga

4 Although there was co-operation between the ICO and the NHS Information Centre during development, the two documents had different audiences and review processes, and so are inevitably different.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

Page 6 of 22 Copyright © 2015 Health and Social Care Information Centre V0.5 12/06/2015 go beyond, the work recommended by the sub-group. Other important context for the revision of the standard, and in particular extending it to cover data dissemination includes:

- NHS England’s Integrated Care Pioneer Programme and the Prime Minister’s Challenge Fund pilots5, where new approaches of information sharing across health and social care organisations are being tested, raising important information governance questions; - The HSCIC’s work in 2014 to re-develop, strengthen and unify its contractual arrangements for disseminating person-level data to approved organisations6, and whether the same or similar arrangements should be required of all health and social care organisations disseminating such information; and - The Care Act 2014 and subsequent related proposals to strengthen legislation on health and social care information sharing (“Protecting Health and Care Information”7). - Dame Fiona Caldicott in her 2013 Report also recommended that anonymised data be used to support activity for purposes not directly related to care, but subject to tight controls to prevent deliberate or accidental re-identification of individuals.

The revised standard will take account of these developments, and provide a standard process for judging whether health and social care data to be disseminated are anonymised.

2.4 Commissioning organisation The revision of the Anonymisation Standard has been commissioned by the HSCIC from the Information Governance Alliance (IGA).

2.5 Primary funding organisation The project will be completed as part of business as usual for the HSCIC under the Grant in Aid (GIA) funding from the DH. Funding is secured for 60 days of SME contractor time to author and deliver an approved standard by March 2016. The IGA will oversee the project and will source standard development and project management support from the HSCIC External IG delivery Team. It is assumed that SME input from the participating organisations will be provided as part of their business as usual, including IGA core members (e.g. DH, NHS England, PHE, HSCIC). Testing of the standard will be required and resources requirements will be scoped out during early stages of the project.

5 See: http://www.nhsiq.nhs.uk/7862.aspx and http://www.england.nhs.uk/ourwork/qual-clin-lead/calltoaction/pm-ext-access/ respectively

6 See: http://www.hscic.gov.uk/dars

7 See https://www.gov.uk/government/consultations/protecting-personal-health-and-care-data

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

Page 7 of 22 Copyright © 2015 Health and Social Care Information Centre V0.5 12/06/2015 2.6 Scope 2.6.1 Objectives and deliverables The primary objective and deliverable will be getting the revised standard through the SCCI process and seeking approval of the standard covering the Anonymisation standard for publishing and disseminating health and social care data. The scope of the project includes:  Managing the project and standard development process interface with various stakeholders.  Managing resource, stakeholders, engagement and expectations.  Managing risks and issues to the project.  Producing and maintaining project documentation.  Review of the existing ‘ISB1523 Amd 20/2010 Anonymisation Standard for Publishing Health and Social Care Data’ approved and published documentation. Ensure content is up to date and still valid in the context of the proposed extended standard.  Development and authoring of the new content within standard documentation e.g. Requirements Specification, Change specification, Implementation Guidance etc.  Combine the subject matter content of the anonymisation for publication standard with new content to cover dissemination and form one evolved and updated standard. This could be titled - ‘Anonymisation Standard for the dissemination or publication of health and social care data’. This could go through as a Minor Single Stage or Major Two Stage Change Submission to SCCI dependant on the extent of the proposed changes.  Co-ordinating, participating, collating and responding to consultation feedback on draft standard documentation before submission.  Drafting and seeking sign off for all products/documentation required for each stage of the SCCI process.  Seeking approval from the Project Board for PID, SCCI stage plans and final reviewed submissions.  Testing the standard and co-ordinating User Acceptance Testing.  Taking the standard through Burden Assessment Process.  Delivering all products and evidence documentation to SCCI and ISAAS for review prior to SCCI Board.  Preparing for the publication of the standard.  Preparing for the implementation and communication of the standard.  Planning for post implementation review, benefits realisation, communications, maintenance etc.

The deliverables within the Standard will be updated to include (but not limited to):

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

 Glossary and concept definition to support a common understanding  Identification of data items of relevance  Appropriate methods for data transformation  Way of defining appropriate environments into which pseudonymised / de-identified / anonymous data can be released  Appropriate controls for these environments  Audit approach to demonstrate and improve controls Objectives will include:  Update the existing ISB1523 Amd 20/2010 Anonymisation Standard  Incorporate additional content on Anonymisation of data appropriate for dissemination.  Develop the standard in collaboration with health and social care organisation representation and the IGA core membership stakeholders to ensure it is an informing, meaningful and useful standard.  Develop a standard that directs health and social care organisations to disseminate or publish data within the limitations relevant in information standards and legislation.  Aligning with the ICO Anonymisation Code of Practice.  Aim to seek SCCI approval by the end of the financial year (31st March 2016).

2.6.2 Expected outcome and scale of business change The standard will apply to all organisations identified in section 250(6) of the Health and Social Care Act 20128 (see below) and those organisations subject to the Standard NHS Contract will have regard for the standard. “The following must have regard to an information standard published under this section— (a) the Secretary of State; (b) the Board; (c) any public body which exercises functions in connection with the provision of health services or of adult social care in England; (d) any person (other than a public body) who provides health services, or adult social care in England, pursuant to arrangements made with a public body exercising functions in connection with the provision of such services or care.”

2.6.3 Exclusions from scope There are a number of scope exclusions and at the time of writing these are known to be:

8 http://www.legislation.gov.uk/ukpga/2012/7/section/250/enacted

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

 Costs associated with publication, dissemination and enforcement of the Standard  Cost of implementation of the standard. This cost should be sustained by the local organisations and absorbed as business as usual activity.  Maintenance and update to the standard.  Executing benefits realisation.  Cost of purchasing or procuring services or technical products to support implementation of the standard. This is the responsibility of the local organisations to fund.

2.6.4 Commercial considerations The document will be published by April 2016 and will be subject to © Open Government Licence Copyright © 2015. There may be considerations for adherence to the Standard when it is published – for example by system suppliers – but this is outside the scope of this project.

2.7 Project approach The project will be led by a project manager resourced from the HSCIC External IG Delivery Team. The Standard will be developed using the SCCI Development Framework. Major Two Stage Change Submission

The Standard will reference the format of the equivalent ICO Guide and include HSCIS-related use cases and will also be written in a format as suggested below:  Requirements Specification  Change Specification  Implementation Guidance  SCCI Products and Evidence required for submission (Checklist below and tbc)

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

SCCI Products - Requirement to Full Stage (No EU Consultation needed)

Task Name Resource Names (M) HSCIC Impact Assessment Panel (IAP) Statement of Outcome Dev Supp (M) Evidence Summary Dev Supp (M) Requirements Specification (incl IG, Pt consent, legal status) - Published Submitter (M) Change Specification (only needed if a change to existing ISCE) - Published Submitter (M) Implementation Plan Submitter (M) Implementation Guidance (People, Process and technology) - Published Submitter (M) Approved Business Justification & Funding Statement Submitter (M) Draft Information Standards Notice HSCIC Publication Service (M) Information Governance Statement IG (M) Safety Statement - Clinical Safety Assessment Report Clinical Safety (M) Test Report (End to end testing) Submitter (M) Communication Plan Submitter (M) BAAS Burden Assessment Report issued - Assessment complete (may be BAAS completed during Need to Requirement Stage) (M) Consultation Report Submitter (M) EC98/34 Assessment Form Submitter (M) Maintenance Plan (including financial and functional tolerances) Submitter (M) Risk & Issue Log Dev Supp (M) SRO Statement of Commitment Submitter (M) Sponsor Statement of Commitment Submitter (M) SCCI Services Submission Brief Dev Supp (O) NHS Data Model & Dictionary Position Statement NHS DMDS (O) NHS Data Model & Dictionary Change Request NHS DMDS Messaging Team / NHS (O) XML Schema and Release Notes, if required DMDS (O) Solution Assurance test report and XML Schema Validation Report NHS DMDS (O) SNOMED CT Subsets Clinical Terminology

3 Project organisation

3.1 Sponsor and Senior Responsible Owner (SRO)

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

The Sponsor:- The Project Sponsor is ultimately accountable for the success or failure of the project and has to ensure that the project is focused on achieving its business objectives and delivering the forecast benefits. Sean Kirwan Policy Manager - Information Sharing, Data Protection and Standards Information and Group Operations Directorate Department of Health, Quarry House, LS2 7UE E: [email protected] T: 0113 254 6469

The SRO/Executive:- Peter Hall Director of Information Governance & Standards Assurance Note – there is active discussion of improving positioning of Project Board to include HSCIC and NHS England in terms of “end state” development Health & Social Care Information Centre Tel: 0113 254 2420 Mob: 07818 511463 Email: [email protected]

3.2 Project governance The project will be structured as:

Project Board The project board is responsible for:-  providing the Project Manager with the necessary decisions for the project to proceed and to overcome any problems.  provides direction and management for the project.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

 Providing the overall authority for the project and is accountable for its success or failure.  Approve all major plans and resources.  Authorise any deviation which exceed stage tolerances  Authorise the start and approve completion of each stage of the standard development project.

Proposed Project Board Representatives:- Peter Hall (HSCIC) – Executive Phil Walker (IGA) – Senior Supplier Dr Alan Hassey – Senior User John Wilshaw – Pseudonymisation Programme DSCRO Team Representative (TBC) - Senior User

3.3 Expert Reference Group The Expert Reference Group will inform, help develop content, quality review and sign of drafts of the standard and all supporting documentation for approval by SCCI. The Group will contribute to making recommendations and option proposals to the Project Board. The Group will advise and assist with responding to SCCI SME reviews and appraisals, particularly on significant issues, and in dealing with project risks and issues. The Group should meet regularly to carry out the above responsibilities or where a meeting is not possible communicate by email via the Project Team. Proposed members:-  Department of Health – Sean Kirwan  IG Alliance – Stephen Elgar  SCCI – Peter Conoulty  HSCIC - Dawn Foster or David Evans  HSCIC – Paul Levi  NHS England - Helen Brown or Karen Thompson  Information Commissioner’s Office - Dawn Monaghan  Public Health England - Robert Kyffin  Monitor Rep.  HRA Confidentiality Advisory Group – Julia Hippisley-Cox  DFI (Doctor Foster) Rep.  Tech UK Rep.  Wally Gowing (Contractors)  IGA Provider Organisation Networks & Reference Groups  Integrated Care Pioneer sites Rep.  DSCRO Team Rep.  HSCIC Pseudonymisation Programme Rep.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

 Higher Education and Research IG Working Group – Bridget Kenyon (Chair) Head of Information Security University College London

3.4 Project resources and responsibilities

The Senior Project Manager will be responsible for overseeing the entire project, manage the project costs, budget, business objectives, benefits realization, contractor performance and cost management etc.

The Project Manager will:

 be responsible for organising and controlling the standard development process from start to end.  ensure quality of standard development approach, documentation and completion of tasks on time.  draw up the project plans that describe what the project team will actually be doing and when they expect to finish.

Project Support will keep everyone informed, arranging meetings, organising reference group workshops, keeping plans up-to-date, chasing things up, keeping files, etc.

Name Organisation Role Stephen Elgar IGA Senior Project Manager Anna Liddell HSCIC External IG Delivery Project Manager Malcolm Oswald Consultant SME Developer TBC as part of the development HSCIC Test Manager phase TBC as part of the development HSCIC/IGA Implementation Manager phase TBC as part of the development HSCIC Maintenance Manager phase

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

4 Resource plan

Role title Full Time Headcount Internal or Required for the High level purpose Equivalent external project stages SME Consultant 60 days 0 External Yes Prepare the standard Project Executive 0.1 1 Internal Yes Ensure project fits the business need and is delivered to specification Project 0.1 1 Internal Yes To ensure the Manager/Developer delivery of the standard on time, cost and quality. Participants opportunity costs are committed but part of their BAU activities Project Support 0.1 1 Internal Yes Support the development of the standard and all tasks related to stakeholder engagement (including Project Board and Expert Reference Group meetings)

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

3 4  Julia Hippisley-Cox (HRA CAG)  Peter Conoulty (SCCI)  HSCIC ISSA  Robert Kyffin (PHE)  Dawn Foster or David Evans (HSCIC DSCs)  Terry Hill (HSCIC Director of Dissemination)  Peter Counter (HSCIC Chief Technology Officer)  Helen Brown (NHS England)  Sean Kirwan (DH)  Monitor  Dawn Monaghan (ICO) 1 2  IGA Provider Organisation Networks &  Wally Gowing (Contractors) Reference Groups  Doctor Foster  Pioneers  Tech UK  Higher Education and Research IG Working Group Forum

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

6 Initial business case

The initial commission resulted from challenges being faced by Integration Pioneers, pseudonymisation or anonymisation are seen as one of the elements of the solution. The new Standard will deliver benefits as specified in the table below (section 7). 7 Benefits

There are hard benefits to be made from Cash-releasing When is benefit How will benefit be this standard Benefit / Dis-benefit (£)/Non-cash releasing likely to be measured and monitored? description (£) /Societal (£)/ achieved? Qualitative?

 Less or no fines from regulators to Societal benefit Once data is moving Use of these techniques at organisations on data breaches. appropriately and as scale (to be defined)? required

 Standardisation across the health Non-cash releasing Once people use a IG Toolkit? and social care sector of common language techniques/methodology used to and the volume of anonymise, de-identify or queries (to whom?) pseudonymised data for fall dissemination and publication.  Clarification of terminology and Non-cash releasing Once people use a Use of these techniques at technology in this subject matter. common language scale (to be defined)? and the volume of queries (to whom?) fall

 Increase consistency, knowledge Non-cash releasing Once people use a Use of these techniques at and awareness on the subject common language scale (to be defined)? matter across the care sector. and the volume of queries (to whom?) fall

 Increase or no decrease of Societal benefit Once there is a Polling of views of the public organisation reputation for perception of as part of NHS brand securing and maintaining increased trust management? confidentiality of service user data  Support the integration of health Non-cash releasing Once data is moving Use of these techniques at and adult social care information appropriately and as scale (to be defined)? required and this is sharing for non-direct care IG Toolkit? purposes (e.g. Pioneers). no longer identified by project teams as an issue

 Improved and legal business, Non-cash releasing Once data is moving Use of these techniques at research and data flow practice appropriately and as scale (to be defined)? which will benefit both service required and this is delivery and services users across no longer identified England. as an issue

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

8 Project controls

8.1 Reporting 8.1.1 Highlight reporting The project highlight reports will be produced monthly by the project manager and sent to the Project Board.

8.1.2 Checkpoints Checkpoint meetings will be held by the project team in preparation for each stage of the project. This should coincide with Project Board meetings at the start and end of each main project stage. The need for meetings should be assessed and cancelled if there is very little to discuss. Correspondence by email or WebEx may be more convenient or appropriate.

8.2 Tolerances

Tolerances category Tolerance Comments (where applicable) Date of approval of key products Project has amended date to … Tolerance is 4 months with anticipated date for handover to DH before 31/12/15 The project is delivered at no None – if costs are required to Resources are provided via the GIA to additional overall cost to HSCIC and be incurred, this will be referred HSCIC and at the goodwill of external external organisations to the SRO project resources The project will not be liable for the No tolerance has been agreed The scope is as defined in the scope publication and dissemination of the for this area section. Exclusions are defined at the code as there will be a cost to this time of writing. Project Editorial Panel and Document will need to meet IGA and DH External QA quality criteria. Extensive QA is agreed Quality Assurance External Consultation Delivery of a quality Time has been built in to project plan. implementable product relies Project team will monitor progress via on external consultation and highlight reports. acceptance

8.3 Delivery assurance Quality assurance will be provided by the Expert reference group overseen by the Project Board and, in addition, the IGA Editorial Panel. The consultation and editorial processes will provide an additional level of assurance.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

Page 18 of 22 Copyright © 2015 Health and Social Care Information Centre V0.5 12/06/2015 8.4 Business change strategy A business change strategy is not required for this project as this project will not be responsible for business change related to the publication and dissemination of the new Code. 8.5 Change Control Change control will be monitored through incremental changes to project documentation and the application of version numbers to documentation.

8.6 Information management A project folder will be maintained by HSCIC on MS SharePoint and access will be granted, amended and revoked by project support in consultation with the project manager.

8.7 Quality management Quality assurance will be provided by the adherence to relevant standards and legislation. The project will also have consultation and user acceptance testing with key stakeholders. Documents will be reviewed repeatedly by the Expert Reference Group to ensure quality. Project team will be responsible for collating review feedback and ensuring the standard documentations is of good quality for submission through the SCCI process. Over and above the internal quality assurance there is also the SCCI Process quality assurance stages e.g. SCCI development support team, IAPP and ISAAS. Further details of how, when and by whom QA will be carried out will be documented with project and quality/test plans.

8.8 Benefits management The standard is for system wide processes and benefits of the standard will be accrued and will accrue to the organisations using it. Those benefits that are expected to be realised beyond the closure of this project will be noted in the project closure report.

8.9 Communication and stakeholder engagement See the Communication and stakeholder plan (To Do)

8.10 Initial project plan

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

9.1.1 Assumptions The new Standard will be published on the SCCI website under approved standard 9.1.2 Dependencies Some dependencies identified below but not limited to this list: ICO Anonymisation Code of Practice – Updates EU Data Protection Regulations which drives UK DPA Expert Refernece Group should adequately represent the stakeholder groups which will using the standard. Project team will be continuously available throughout the project delivery timelines through to standard publication. 9.1.3 Constraints The constraint identified to date is that this project is being resourced from business as usual resources and the employing organisations of the resources may change or be subject to external pressures that have an impact on this project. In this instance, issues will be referred to the Board and the SRO for consideration after consideration by the IGA. 10 Risk and issue log

Risks will be highlighted to the project board and dealt with by the project team via correspondence or meeting. Risks that cannot be dealt with locally will be flagged to the IGA via the project manager in the first instance. Risks and Issues identified so far:-

Ite Text Risk / L/M/H Mitigation m Issue 1 EU DP regulations to change in the Risk L The regulations are expected to future and will impact on this take 2 to 3 years to manifest in standard. There is a risk that domestic law. pseudonymised data will be defined DN: PW suggested accepting the as personal data (and thus never risk for now and review in one anonymised). year to assess the impact and what may be done to update the Standard. The impact of this risk may change the scope and title of the standard. 2 Existing commercial providers may be Issue H Ensure we engage with impacted by the introduction of the commercial providers and standard. carefully manage expectations

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

and perceptions. 3 PIP Guidance and Manchester Issue L Ensure the background and Academics Review of the existing previous work done through PIP is standard? referenced and take on board feedback from academics. Invite them to review future drafts of the revised standard. 4 Project reviewers and/or authors and Risk M Difference of opinions to be SCCI reviewers disagree on standard debated in the expert reference content group forum and it would be the project team’s responsibility to seek definitive agreement to progress the standard. Escalation to the Project Board on unresolved issues for decision. 5 Project reviewers fail to review in Risk M Project team to decide whether required timescales to extend the period of consultation or expand the ERG. 6 Project funding is withdrawn Risk L Project team would recommend a series of options for the Project Board to consider. 7 Any member of the project team Issue H Project team would recommend (including the standard developer and remediation to the Project Board Author) becomes unavailable for consideration. 8 Dependency on SCCI process – will Risk M Early meeting with SCCI team and define rate of progress and adjustment of project plan as completion progress develops 9 Dependency on SCCI process and Risk M Early meeting with SCCI team judgement – may not accept as a Standard

11Lessons learned

Lessons learned will be recorded during project progress and will be completed at the closure stage of the project.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0

12 Acceptance criteria and handover to live service

12.1 Acceptance criteria The acceptance criteria are set out in the IGA commissioning document. Acceptance Criteria and aims agreed at the first kick off meeting held 14th April 2015:- 1. Successfully take the draft standard through the SCCI process and obtain approval for publication. a. A Standard that is usable and will change practice for the better. b. Improved awareness, understanding and knowledge of the subject matter. 2. Provide consistently defined terminology. 3. Good quality standard which is concise and accurate. 4. Gain the confidence of stakeholders in support of transparency and security.

12.2 Publication and Project Closure The revised Standard will be published with an Information Standard Notice from SCCI and on the SCCI website of approved standards. The IGA will promote the published standard and ensure dissemination across the relevant interested parties throughout the Health and Social Care sector. The expected standard owner is the HSCIC and the responsibility for implementation will reside with health and social care organisations, as specified within the standard specification and implementation guidance. The project will be closed down after publication of the standard and closure report issued to the Project Board.

Template author: HSCIC Portfolio Office 09/09/2013 Version 1.0