Wales Accord on the Sharing of Personal Information
Self Assessment Checklist

This document provides a checklist against which an organisation can assess its level of readiness to meet the WASPI framework. It is not intended to be a full checklist or to replace nationally recognised standards and guides, but it will help each organisation identify gaps which may need to be filled in order to fulfil its commitments. Please note that organisations do not have to meet all the requirements of this checklist prior to signing up to the Accord. Further advice may be sought from the WASPI team.

Columns: Section and assessment question | Yes (✓) | No (✗) | Detail further action required

Section 1 – Compliance

1. Do you have an officer with specific responsibility for the confidentiality and security of a Service User's information?
2. Do you have a Data Protection Officer or someone who carries out an equivalent role?
3. Do you have a Caldicott Guardian (NHS only) or a Senior Information Risk Officer (SIRO)?
4. Are your systems notified under the Data Protection Act?
5. If yes, does your notification include the sharing of Service Users' information?
6. If you use third parties to process personal information on your behalf, do you have data processing agreements in place?
7. Do you regularly provide or make available fair processing information to Service Users?
8. Are all your staff, including temporary, agency, honorary or other non-permanent staff, required to sign a Confidentiality Agreement?
9. Do you have the necessary levels of Criminal Records Bureau / Independent Safeguarding Authority clearance for all relevant staff?
10. Is your organisation certified / working within the controls of ISO 27001 or another industry standard for IM&T systems and controls?
11. Is your organisation or department certified / working within the controls of ISO 9000/2 for the quality and content of policies, procedures and guidance?
12. Does your organisation regularly consider whether privacy impact assessments should be undertaken when developing any new IT systems or changing the way in which it processes personal information?
13. Does your organisation ensure that an adequate level of protection is in place when transferring data out of the EEA?

Section 2 – Policies & Procedures

14. Do you have an organisation strategy that incorporates information security and data protection requirements and standards?
15. Do you have an IT Security Policy?
16. Do you have a Data Security Policy?
17. Do you have a procedure whereby Service Users can request access to their information held by you?
18. Do you have a procedure whereby Service Users can object to disclosure of their personal information?
19. Do you have procedures for the collection and use of Service Users' information?
20. Do you have procedures for the retention, storage and destruction of Service Users' information?
21. Do you have procedures for the disclosure (sharing) of Service Users' information?
22. Do you have an incident reporting procedure?

Section 3 – Training & Awareness

23. Do you have a staff induction process that includes training about confidentiality and information security?
24. Do all staff attend the induction process?
25. Do you provide other regular training or awareness sessions for staff dealing with confidentiality and information security?

Section 4 – Monitoring

26. Do you have internal control mechanisms to monitor performance against published or agreed standards for confidentiality and information security?
27. Is a breach of confidentiality or information security subject to disciplinary action?
28. Do you have an audit service that measures your compliance and performance for confidentiality and information security?
29. Is your organisation a member of any association that sets standards for confidentiality and information security?
30. Do you have a Designated Person identified who has responsibility for implementing and monitoring your commitments under the WASPI?