Information governance requirements for NHS organisations require a rethink

The Information Governance Toolkit, a scheme developed by the NHS and the Department of Health (DH) that allows NHS organisations, partners and suppliers to assess themselves against the requirements of the DH, has recently come under review.

The Health and Social Care Information Centre (HSCIC), which is tasked with maintaining the IG Toolkit, conducted a survey with 1,417 participating suppliers and partner organisations to better understand what users think about the IG Toolkit and to establish how the Toolkit can be improved.

Although the Toolkit is usually updated every year, it seems the updates have failed to meet user requirements and that the Toolkit requires a facelift.

A total of 960 small and 457 large organisations participated in the survey.

Toolkit doesn’t meet users’ requirements

The survey report reveals that more than half of respondents found that the current IG Toolkit doesn’t meet their needs. A large majority wanted to see the IG Toolkit modernised and wanted better guidance. The report also highlights that the IG Toolkit falls short in facilitating consent management and implementing the Caldicott 2 recommendations (changes introduced regarding sharing of information in response to the Caldicott 2 report).

Some of the survey findings of large organisations (consisting predominantly of local authorities and acute or mental health trusts) showed that the IG Toolkit needs a fair deal of reworking:

  • 58% said that completing the IG Toolkit feels like a box-ticking exercise
  • 63% said the IG Toolkit can be too prescriptive
  • 58% said it improves information security
  • 51% said it improves confidentiality management
  • 65% felt the IG Toolkit’s look and feel needs updating
  • 50% said they should be assessed on outcomes – e.g. number of incidents, percentage of staff trained, percentage of records available when needed – rather than process

On the whole, the responses submitted by smaller organisations (such as general practices, commercial third parties and dental practices) were similar to those submitted by the larger organisations, with a few exceptions:

  • Smaller organisations were less positive about the impact of the IG Toolkit and were more concerned with managing confidentiality than larger organisations.
  • Significantly fewer users within small organisations (37%) felt that they should be assessed on outcomes compared with 50% of large organisations.

Only 25% of small organisations complete the toolkit to help improve information governance

When small organisations were asked why they completed the IG Toolkit, over half said they did so because of contractual obligations set by commissioners, while only 25% did so to help improve their information governance.

Some of the participants said that the IG Toolkit’s requirements were outdated, ambiguous and open to misinterpretation, that there was a lack of good-practice examples such as templates, and, worryingly, that senior managers “produce just enough to be able to upload something that gives ‘assurance’ of compliance”.

IG Toolkit to consider ISO 27001 as an important framework

There were several comments about the benefits of ISO 27001 certification:

  • One council said “(it) has achieved ISO27001 accreditation so the IG Toolkit brings us nothing more and in fact creates a lot of work.”
  • Another said “I think that organisations that currently have ISO 27001:2013 certifications should be exempt from a number of the IGSoC requirements that map directly.”
  • Yet another comment said “Evidence for 27001, 20000 certification covers a great deal of the IG Toolkit sections and perhaps these could be aligned.”

The good news is that the HSCIC has been very forthcoming with the survey results and in admitting the weaknesses of the IG Toolkit. It has also drawn up an action plan to review the effectiveness of the IG Toolkit and IG training, and to improve the IG Toolkit.

Cyber security to be introduced

The HSCIC report also touched on cyber security, which is a critical component of information governance: “Cyber security and confidentiality are important to you. We will build specific sections of our new product dedicated to these important topics.”

As specialists in information security and ISO 27001, IT Governance offers several products and services to help organisations tackle the challenges of meeting IG Toolkit requirements and can help companies achieve full compliance with the IG Toolkit.

Start on the path to IG Toolkit compliance by contacting us for a quote today on (0)845 070 1750 or email

