The NHS Information Governance Toolkit (IGT), with more than seven years effort in refinement and implementation by end user organisations, it would be reasonable to assume that not much more could be done for the development of information governance capability across healthcare. However, the upgrade to version 8 in 2010, and assessment of the return from 158 acute trusts tells a different story.
With version 8 and for the first time in the seven year history of the NHS information governance toolkit, a requirement for trusts to support their capability claims with evidence was introduced. For those on the outside looking in, not a particularly remarkable development, albeit perhaps somewhat surprising to find that this was not already and element built into the formal assessment process.
Despite this, patients and the public with any interest in data protection and information governance, would no doubt have been somewhat reassured by the fact the NHS information governance standard existed, and that for the most part, it provided clear and easy to understand guidance on data protection measures.
Up until now, it would also have been natural for interested parties to assume, on the basis of there being a long-standing and well established annual review process, that trusts reassessed themselves on the basis of evidential qualification of capability.
Whilst this might have been the case, the dramatic effect of imposing the requirement for evidence into the annual return process, has produced some results that will no doubt raise a good deal of patient concern, and some questions from the regulatory authorities.
The v8 IGT Evidential Assessed Outcomes
Then initial and most obvious impact of the evidential requirements of v8, a significant and dramatic downgrading of assessed capability by virtually all of the 158 trusts reviewed, compared to previous year (v7) assessment, and notably previous assessments back to v4 (2006/2007).
The initial first three months of trust review of their overall assessment scores, the final v7 published state (Mar 2010), through to the initial baseline assessment of v8 (Jun 2011), the percentage of trusts that rated themselves with a score of “not satisfactory” rose from 1% to a staggering 97% (see table below).
Whilst the last six months of the v8 assessment period, Oct 2010 to Mar 2011 did see much bigger improvement, with the satisfactory number increasing from the Jun 2010 level of 5% to final Mar 2011 assessment of 35%, the end result however, was that nearly two thirds 65% (103 trusts), were unable to re-establish overall compliance capability sufficiently to return a satisfactory rating.
Delving a Little Deeper
The reduction in capability occurred virtually across 5 of the six NHS information governance toolkit categories (see table below), with the one exception being Corporate Information Assurance, the only category that saw and increase in trusts achieving a satisfactory rating.
Of most concern to patients and the public will be the categories focusing on the management and use of private and confidential information in the delivery of care (clinical Information and secondary use assurance), as the standards and assurance of data quality activities of these elements have the more significant impact on the quality of care at the front line.
Critically nearly 22% (34 hospitals out of the 158 assessed), did not achieve a satisfactory rating for clinical information assurance, and 39% (61 hospitals) failed to achieve the required rating in the secondary use assurance category.
Additional concern will exist with regard to organisation capabilities to ensure that adequate protection and security measures in place addressing privacy and confidentiality. In the information security assurance category the most significant reduction occurred with 54% (86 trusts) falling short of the required standard. The confidentiality and data protection assurance category faired marginally better with 22% (35 trusts) falling short.
Of some lesser importance but at least interesting, is the one area of positive improvement – in the Corporate Information Assurance category. This aspect focusing on how trusts address corporate information and records management as well as legal compliance with Freedom of Information Act, historically the category that stood out in previous year’s assessments to be the one trusts most struggled with.
However, this positive aside, the overall outcome after seven years of the NHS Information Governance standard, was the overall and no doubt unexpected drop in standards across the board, with the fact that there were fifteen NHS trusts that failed to achieve a satisfactory rating in any of the six categories, compared to that of just one trust missing all targets in the previous year.
Wind of Change
It is evident that the v8 requirement for supporting evidence instigated a process of re-assessment beyond anything undertaken in previous years. Resulting consequently in trusts increasing, the availability of resources and thus investment in information governance, especially between Oct 2010 and Mar 2011. This however was clearly not enough, given the fact that very few trusts met the required target, level 2 capabilities for all requirements.
In any assessment of what further investment still needs to be made, trusts should also take into consideration the use of the current returns by Care Quality Commission (CQC) and prospect of future change in the monitoring of this standard. Via the NHS Reform Bill, and proposal within for the assignment of responsibility for maintenance and development of the standard to CQC, the consequence perhaps being a more formally regulated information governance regime.
Paying due respect to the fact that NHS information governance assessment returns are already considered by the CQC in their independent assessment of trusts (essential standards of quality and safety). The CQC assessment (Outcome 21 – Records), contains 62 quality and risk profiles that are based on the current NHS IGT standard and assessment approach. Consequently the mechanism for formal NHS information governance regulation is already largely in place.
Trusts would do well to assume that this is an element of the reform bill likely to secure a good level of support toward being accepted. Especially given the v8 capability assessment results and not least because it would provide the mechanism for addressing a great many of the Information Commissioners concerns regarding NHS failure to implement a consistent and adequately robust approach addressing data protection.
If by any (very) remote chance the NHS information governance standard does not become part of the CQC regulatory function, then trusts should consider the alternative option of the Information Commissioner being granted his request for having a greater range of powers to undertake unannounced inspections, this being the next most likely option to be considered and possibly implemented.
Unquestionably, the reaction of the majority, on seeing the very poor results of the v8 assessments, will initially have been one of great shock, followed quickly by disappointment. There is also likely to be a great deal of concern and frustration with trust Chief Executives, Senior Information Risk Owners and Caldicott Guardians. Concern given these positions are individually accountable for the validation and sign off of information governance and data protection assessments, and frustration born from the need, after all this time, for them to re-focus more of their valuable time and effort towards addressing the gaps in capability, instead of perhaps focusing on the delivery of the austerity measures.
Information Governance Managers on the other hand may actually be smiling, for a great many may now be getting budgets and support to make investment, which until now has been traditionally very hard to obtain.
Equally, the IG Managers compadre’s, the Information Asset Owners, may also now feel that they have the opportunity to secure investment and tools, that can actually help them to deliver on the obligations of this assigned role.
The facts however are clear, that the majority of NHS information governance functions have not been supported adequately with budgets and funding to make any real difference to the level of compliance capability. This is additionally evidenced by how little investment has actually been made in information governance technology solutions, such as those addressing fundamental requirements of:
- Identity and Access Management Assurance
- Access and Compliance Audit
- Policy Management and Dissemination (interactive solutions)
Employing technologies that are readily available and mature in addressing these requirements can transform an organisations compliance capability and ironically, it is possible for organisations to also secure demonstrable cost savings and efficiency gains and delivery of Quality, Innovation, Productivity and Prevention (QIPP) objectives.
Most importantly, it is only through the use of technologies such as these that will enable the NHS to demonstrate a robust, assured and reliable approach being take in addressing data protection requirements, necessary to secure patient confidence and engagement needed going forward.
If the result of this poor outcome, is a re-prioritisation of attention and investment towards addressing this negative position, with senior management obtaining in the process, a better understanding of the wider business and austerity benefits, to be secured from investment, then this will represent a significant turning point in the data protection attitudes.
Consequently 2010, probably was “the year” for Information Governance, unfortunately the real benefit of any increase in resources and / or investment cannot be appreciated fully, until we see the outcomes from the IGT v9 assessments, currently being undertaken.