IG Support and Data Protection Officer Service to the Norfolk and Waveney GP Practices
A Tender Notice
by NHS NORFOLK & WAVENEY INTEGRATED CARE BOARD
- Source: Find a Tender
- Type: Contract (Services)
- Duration: 2 year
- Value: £0-£360K
- Sector: TECHNOLOGY
- Published: 15 Mar 2023
- Delivery: 03 Jul 2023 to 30 Jun 2025
- Deadline: 13 Apr 2023 09:00
Location
East Anglia: Norwich
1 buyer
Description
NHS Norfolk and Waveney Integrated Care Board require a Supplier to provide an information governance advice and guidance support service, together with a named Data Protection Officer.
Total Quantity or Scope
NHS NWICB invite bids from suitably qualified suppliers to provide an information governance advice and guidance support service, together with a named Data Protection Officer. The requirement will include:

Data breaches:
- The provision of advice and/or support to practices on the investigation of possible information security breaches and incidents.
- Advice on incident/breach assessment and reporting via the incident reporting tool within the DSPT to NHS England and reporting to the ICO (dependent upon severity of incident).
- Advice on assessment and reporting via the incident reporting tool within the DSPT to NHS England and ICO (dependent upon nature and severity of the breach).
- Advice on post-incident reviews and recommended actions for practice implementation.
- To lead or direct data breach reviews and investigations where highly specialist knowledge is required or complex multi-party issues are involved.

The Service Provider, as data processor, will:
- Take action immediately following a data breach or a near miss, promptly alerting the practice as data controller, with a report made to the senior management within the ICB and the practice within 12 (working) hours of detection.
- Report data breaches in line with NHS guidance (using the incident reporting tool within the DSPT) and legal requirements immediately following detection.
- Provide a Lessons Learned Report (with relevant action plan as appropriate) to the ICB within 2 weeks of the recorded resolution of the incident.

IG Policy Support:
- Support for the production and maintenance of local information governance policies and procedures for practices. Provision of advice and support to practices on approval, ratification and adoption of the policies for their organisation.

Support for the Data Security and Protection Toolkit compliance:
- Provide advice and guidance to practices on how to complete the DSPT, including the collection and collation of evidence in support of DSPT submissions.
- Provide practices with evidence required for DSPT where this is held by the ICB or its commissioned IT providers.
- Monitor DSPT compliance of practices and provide the ICB with details of any non-compliance with practice action plans.

IG consultancy and support:
- Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives. Advice and guidance on personal data access (but not extending to legal advice).

Data Protection Officer (DPO) Support:
Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives, to support practice designated Data Protection Officers. To include:
- Access for Practices during normal service hours to specialist qualified advice on GDPR matters.
- Advice on compliance with GDPR obligations.
- Advice reflecting national guidance on GDPR compliance as it is published.
- A review at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. This may for example be a facilitated workshop at ICB level which would encourage shared learning.

A Data Protection Officer will be available (in addition to the DPO support service) for practices to designate as their Data Protection Officer. A named Data Protection Officer could be shared between several practices. Note: Practices may choose to make their own DPO arrangements at their own cost.
- To act as the practice designated Data Protection Officer, providing:
  - Specialist qualified advice on UK GDPR matters, obligations and compliance
  - An annual review of processes which have caused a breach or near miss, or those which have forced staff to use a workaround which compromises data security
  - Support for practices to improve processes
Renewal Options
Option to extend the contract for up to an additional 24 months
CPV Codes
- 72300000 - Data services
- 72310000 - Data-processing services
- 72322000 - Data management services
- 72222300 - Information technology services
- 79410000 - Business and management consultancy services
- 79400000 - Business and management consultancy and related services
Indicators
- This is a one-off contract (no recurrence)
- Options are available.
- Renewals are not available.
Other Information
** PREVIEW NOTICE, please check Find a Tender for full details. **
Reference
- ocds-h6vhtk-03b2f6
- FTS 007499-2023