Does the NHS information governance toolkit – create a false sense for information security?

Variation between the requirements of data protection law and the guidance on information governance contained within the NHS Information Governance Toolkit is having a counterproductive effect that undermines the value and benefit that should be derived from the application of good information governance and data protection practice.

The NHS Information Governance Toolkit represents the Department of Health's method of providing guidance on data protection and its means of assessing the information governance compliance capability of healthcare organisations, defined by a broad set of requirements:

  • Data Protection Act (1998).
  • Common Law Duty of Confidentiality.
  • Confidentiality NHS Code of Practice.
  • NHS Care Record Guarantee for England.
  • Social Care Record Guarantee for England.
  • International information security standard: ISO/IEC 27002: 2005.
  • Information Security NHS Code of Practice.
  • Records Management NHS Code of Practice.
  • Freedom of Information Act (2000).

The stated purpose of the NHS Information Governance Toolkit:

“The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.”

For a Primary Care Trust (PCT), the information governance obligations are described by forty-one requirements broken down into six key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance
  • Clinical Information Assurance
  • Secondary Use assurance
  • Corporate Information Assurance

(NHS Information Governance Requirements for different organisation types can be viewed here)

For smaller organisations supported by PCTs, such as General Practices, the information governance obligations are described by thirteen requirements broken down into just three key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance

This variation is somewhat inexplicable and, importantly, highlights that the NHS Information Governance Toolkit does not entirely address the statutory obligations defined by the acts of law. For example, PCT requirements 110, 111, 112, 206, 300, 301, 305, 309, 310, 311, 313, 314, 323 and 406 make explicit reference to Data Protection legislation principle 7 as a requirement origin:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Yet in the NHS Information Governance Toolkit version for general practice these requirements are not present. There are in fact thirteen requirements in the PCT version that specifically identify Data Protection legislation principle 7 as an origin, whereas in the general practice version there are only seven; and not a single one of the NHS Information Governance Toolkit requirements founded on principle 7, in either set, is the same for both organisations.

The shortcomings of the general practice requirements are not limited to principle 7 of the Data Protection legislation: other PCT requirements make explicit reference to Data Protection legislation principles 3, 4, 5 and 6, whereas the general practice requirements do not.

These shortcomings and variations in the guidance and measures allocated between organisations are not limited to those highlighted here; they occur between secondary care, health and social care and third party requirements too.

A Negative Outcome

The fact is that the majority of healthcare organisations, since the inception of the NHS Information Governance Toolkit in 2002/03, have focused on implementing and maintaining compliance in accordance with these requirements, not surprisingly, since that is what they have been targeted to do. Consequently, healthcare (and allied) organisations using the NHS Information Governance Toolkit as their only guide will not be fully compliant from the perspective of the law, in accordance with the Data Protection legislation.

The implications of on-going shortcomings in adequately addressing data protection are far reaching. The first is organisational failure to appreciate the value of investment in improving capability, and the consequence of operating at an unsustainable level of risk that is periodically rewarded with a failure, and an occasional fine and/or sanction from the regulatory authorities (neither of which, commentators suggest, is presently sufficient to instigate the required change in attitude and appreciation of the need for better information governance and data protection).

The wider and more far-reaching consequence of inadequate data protection is the undermining, and consequently "more costly to achieve", impact this has on the important and valuable effort and investment in increasing patient and public confidence, with the objective of securing their more effective involvement: a fundamental and necessary deliverable required for the reform of the NHS.

A Positive Solution

Mature and proven technologies addressing information governance requirements, which enable organisations to easily bridge the gap between the NHS Information Governance Toolkit and Data Protection legislation requirements, are available. Used accordingly, these same technologies deliver additional strategic support to business decision making on information capability investment, address the aims of effective patient and public involvement, and underpin delivery of the "information revolution" requirements. At the core of the requirements for information governance compliance there are three fundamental elements that must be addressed; these are:

  • Identity and Access Management (WHO): staff, their roles and relationships, functions, activities, locations of work, and place in the organisation's hierarchy. Without this level of information on all staff (permanent and temporary) being readily accessible (beyond organisational boundaries), almost every aspect of the information governance process will be undermined on a regular basis.
  • Policy Management (HOW): data and service quality is founded on standards, and policy is the method by which these standards are conveyed to staff. Unfortunately, traditional methods of policy production and management are not dynamic or interactive enough to meet the modern-day demands of busy environments dealing with critical needs. Policy and document management and workflow technology radically transforms static policy and standards systems into an interactive and proactive organisation development tool. Staff can be updated instantly on policy changes and new standards, and organisations can track acceptance and validate implementation, delivering a much more assured process in the development of working practices and a staff culture of standards and quality.
  • Audit (WHAT and WHEN): validating staff activities, both operationally and in an informatics context, is vital, both for the delivery of the information governance and data protection assurance requirements and for providing data to support the prioritisation of investments in digital information capability. The validation of the use of information assets provides intelligence on what is not being used to the fullest of its capabilities, consequently helping to identify gaps in informatics capability and data quality that are undermining measures of productivity and assessment of service quality, and subsequently opportunities to identify and implement cost savings and efficiency gains.

The right application of information governance solutions employed across the Who, What, When and How provides a solid foundation upon which the strategic aims and objectives of the information revolution are better addressed, supporting the creation of improved measures of quality of service and operational performance, and an improved informatics capability with patient and public engagement.

Positive Outcomes

There is a significant range of business benefits to be gained from addressing these three fundamental elements of the information governance requirements: benefits that are not just concerned with compliance with data protection law, but that also serve to support organisational efforts to improve operational capability and service quality:

  • A robust and assured approach to addressing the requirements of the NHS Information Governance Toolkit and Data Protection Act, with significantly reduced risk and likelihood of incurring a fine and the consequential costs of a breach or failure in the governance process.
  • Significant cost savings and efficiency gains from existing information governance compliance management and administration activities.
  • Greatly improved ability to engage business managers and department heads and information asset owners in supporting the implementation of assured and robust information governance practices.
  • Significantly improved assurance on the reliability, timeliness and robustness of the information governance processes and procedures.
  • Ability to hand decision control to the better-placed information asset owners and departmental management resources, consequently delivering QIPP cost savings and efficiency gains through a reduction in the dependency on, and need to engage, high-cost back office technical resources.
  • Release of specialist technical resources from mundane administration and management tasks, permitting reassignment to better support efforts to secure increased cost savings and efficiency gains through better use of technology.
  • Increased ability to support staff in meeting their individual compliance obligations with improved ability to develop and maintain information governance culture and awareness.
  • Increased ability to validate existing investment in digital information capability and prioritise / focus future investment at areas of most need / benefit.
  • Increased confidence and assurance in collaboration and data sharing activities within the organisation and between partners.
  • Ability to demonstrate a robust approach to privacy and confidentiality to secure confidence and increased patient and the public involvement in service delivery.

The Conclusion

The NHS whitepaper "Liberating the NHS: An Information Revolution" promotes the need for further investment in technology, and information as key to the success of NHS reforms and, in particular, a critical element in ensuring the NHS can achieve £20bn of cost savings and efficiency gains in the coming years.

There are few who disagree with the need for a reformed NHS founded on the principles of choice, responsiveness and equity that designs and delivers health services around the needs of patients, and fewer still who would argue against greater patient and public engagement. It is imperative, therefore, for all concerned to recognise the important and somewhat fundamental contribution of information governance.

However, despite the increased support available to information governance managers, from the likes of board members assigned Caldicott Guardian and Senior Information Risk Owner roles, with the CEO or equivalent retaining final sign-off responsibility for information governance assessments, the lack of any budget and commitment to exploit the advances in information governance technology has the potential to make the strategic aims of a reformed NHS unreachable, or at least a more costly goal.

1 thought on “Does the NHS information governance toolkit – create a false sense for information security?”

  1. This is a really thorough view of the relationship between the NHS IG Toolkit and actual practice.

    Our view is that in order to change what’s actually happening – patient outcomes, data breaches, cost-savings – IGs need to find and promote easy-to-use alternatives to systems that have the potential to compromise sensitive data.

    These systems – secure data transfer, secure virtual conferencing – also have the benefit of increasing responsiveness without compromising data protection.

    If anyone wants more information, we have just published a whitepaper that outlines how secure data in motion solutions can work toward NHS IG aims. It’s free to download.
