About The IG Toolkit

What is Information Governance?

Information Governance concerns the way organisations ‘process’ or handle information. It covers personal information, i.e. that relating to patients/service users and employees, and corporate information, e.g. financial and accounting records.

Information Governance provides a way for employees to deal consistently with the many different rules about how information is handled, including those set out in:

  • The Data Protection Act 1998.
  • The common law duty of confidentiality.
  • The Confidentiality NHS Code of Practice.
  • The NHS Care Record Guarantee for England.
  • The Social Care Record Guarantee for England.
  • The international information security standard: ISO/IEC 27002: 2005.
  • The Information Security NHS Code of Practice.
  • The Records Management NHS Code of Practice.
  • The Freedom of Information Act 2000.
  • The Human Rights Act article 8.
  • The Code of Practice for the Management of Confidential Information (to be published in 2013)

What is the IG Toolkit?

The Information Governance Toolkit is a performance tool produced by the Department of Health (DH) and now hosted by NHS Digital. It draws together the legal rules and central guidance set out above and presents them in one place as a set of information governance requirements. The organisations described below are required to carry out self-assessments of their compliance against the IG requirements.

What are the information governance requirements?

There are different sets of information governance requirements for different organisational types. However, all organisations have to assess themselves against requirements for:

  • Management structures and responsibilities (eg assigning responsibility for carrying out the IG assessment, providing staff training, etc).
  • Confidentiality and data protection.
  • Information security.

What is the purpose of the information governance assessment?

The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.

Where partial or non-compliance is revealed, organisations must take appropriate measures (eg assign responsibility, put in place policies, procedures, processes and guidance for staff), with the aim of making cultural changes and raising information governance standards through year-on-year improvements.

The ultimate aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that ‘the NHS’ and its partners can be trusted with personal data.

Who has to carry out an information governance assessment?

The IG Toolkit ISB Information Standard

All Health and Social Care service providers, commissioners and suppliers must have regard to the Information Governance Toolkit Standard approved by the Health and Social Care Information Standards Board (ISB). The latest versions of the standard specification and supporting documents can be found on the ISB website http://www.isb.nhs.uk/library/standard/151

IG Assurance Mandate

Sir David Nicholson (Chief Executive of NHS England) confirmed that all organisations that have access to NHS patient data must provide assurances that they are practising good information governance and use the Department of Health’s Information Governance Toolkit to evidence this. Where services are commissioned for NHS patients, the commissioner is required to obtain this assurance from the provider organisation and this requirement should be set out in the commissioner-provider contract.

With changes planned to commissioning structures and with increasingly diverse care providers, Sir David Nicholson and Christopher Graham, Information Commissioner, published a joint letter to ensure that everyone continues to give information governance the priority and attention it needs. The letter signalled the intention of the NHS and the Information Commissioner’s Office to work together in supporting the NHS to deliver good information governance.

The letter was distributed to all Chief Executives of SHAs, NHS Trusts and PCTs.

Joint letter from DH ICO (2).pdf (128KB)

It remains Department of Health policy that all bodies that process NHS patient information for whatever purpose should provide assurance via the IGT.

The Care System

IG Toolkit assessments must be completed and published by all bodies that process the personal confidential data of citizens who access health and adult social care services. These include, but are not limited to:

  • NHS organisations (acute trusts, ambulance trusts, mental health trusts, clinical commissioning groups) including foundation trusts and NHS community health providers
  • NHS England
  • NHS Digital
  • Local Authority Adult Social Care
  • Local Authority Public Health
  • Primary Care providers (community pharmacies / dispensing appliance contractors, dental practices, eye care services, general practices)
  • DH arms’ length bodies that closely support care services (i.e. executive agencies such as the Medicines and Healthcare Products Regulatory Agency; special health authorities such as the NHS Business Services Authority; and non-departmental public bodies such as Public Health England)
  • Bodies commissioned or otherwise contracted to provide services by any of the above

Clinical Commissioning Groups (CCGs): as part of the authorisation process, CCGs are required to use the IG Toolkit to assess their capability to meet information governance requirements (see page 29 of the guide).


Non-NHS organisations

In addition to the NHS mandate above, other organisations are required to provide IG assurances via the IG Toolkit as part of business/service support processes or contractual terms. That is, for these organisations annual IG Toolkit assessments are required for either or both of two purposes:

  1. To provide IG assurances to the Department of Health or to NHS commissioners of services;
  2. To provide IG assurances to NHS Digital as part of the terms and conditions of using national systems and services including N3, Choose and Book etc.

Depending on the services provided, these organisations are referred to in the IG Toolkit as a ‘Commercial Third Party’, an ‘NHS Business Partner’, an ‘Any Qualified Provider’, a ‘Voluntary Sector Organisation’ or a social enterprise/community interest company acting as a ‘Community Health Provider’. These are examples of typical organisations and there may be other categories now or in the future that are also required to provide IG assurance. These organisations will:

  • have access to NHS patients and/or to their information;
  • provide support services directly to an NHS organisation; and/or
  • have access to national systems and services, including N3, Choose and Book etc.

When does the information governance assessment have to be done?

First assessments

Organisations carrying out their first information governance assessment should complete this in line with the contract for services to which they are party, or as required by the tendering process they are involved in.

Where a first assessment is being carried out as part of an application for national systems and services, the organisation should complete this as soon as they are able, as connection will not be granted until an assessment has been published and reviewed by the NHS Digital External IG Delivery team.

Second and subsequent assessments

A second or subsequent assessment can be started at any time after a new version of the IG Toolkit is released (May/June each year) but in all cases the final publication must be made online by 31 March each year.

NHS organisations are also required to complete interim assessments during the year - deadlines for interim submissions are publicised when a new version of the Toolkit is released.

The work necessary to make improvements or to maintain compliance should be an on-going process and not left till the year end.

Final publication assessment scores reported by organisations are used by the Care Quality Commission to risk assess outcome 21 - records (and other standards as appropriate) of Essential standards of quality and safety.
