Information Governance Toolkit return 2011/12

BOD 38/2012
BOARD OF DIRECTORS – 14 MARCH 2012
EXECUTIVE SUMMARY
By 31 March 2012 the trust is required to submit evidence to DH of performance against
this year’s Information Governance Toolkit. This report advises the board of the
anticipated toolkit score against each of the 45 standards. The anticipated overall score is
78%, which is a significant increase from the 54% score in 2011. It is anticipated that by
end of March 2012, the required minimum standard (level 2) will have been attained in all
45 standards with level 3 being achieved in 20 of these.
REGULATORY FRAMEWORK
This report addresses:
- Compliance with the NHS Information Governance Toolkit
- Controls over information risk under Monitor’s compliance framework
- Quality risk management with reference to CQC monitoring standards
- Compliance with information law including the Data Protection Act 1998 and the Freedom
of Information Act 2000
THE BOARD IS ASKED TO
Note this report for information.
RESPONSIBLE DIRECTOR: John Vaughan, Director of Strategic Development and
Community Services
DATE: 7 March 2012
Information Governance Toolkit Return 2011/12
1. Introduction
1.1 Every year all trusts are required to complete a major audit of information governance
status. We must measure ourselves against a range of 45 requirements set by the Department of
Health covering information security, legal compliance, data quality and information management.
This audit is called the Information Governance Toolkit (IGT).
1.2 Completion of the IGT is a requirement of the Monitor Compliance Framework.
Performance in key areas is additionally referenced in our CQC Quality Risk Profile and is
becoming increasingly important to healthcare commissioners when distinguishing between
competing providers.
1.3 Each year the expectations of the standards within the toolkit become more demanding.
This year’s IGT was highly prescriptive. In order to meet these standards many documents/policies
were created, approved by the trust’s IG Programme Board, implemented and uploaded to the IGT
website (Department of Health / Connecting for Health).
1.4 This year’s Toolkit has proved hugely demanding for the whole NHS. CNWL’s IGT overall
score for 2011/12 is provisionally 78%. This score is a considerable improvement from last year’s
score of 54%. In previous years, the expectation was that trusts achieve a minimum of level 2 in a
subset of ‘key’ standards. This year there are no key standards and all are seen as equally
important. Trusts therefore need to achieve at least level 2 (out of 3) for all 45 requirements for it
to be considered “satisfactory”. Many NHS organisations will be “not satisfactory” due to the
difficulty of achieving level 2 in all requirements.
2. CNWL’s Information Governance Toolkit return
2.1 The following table is an extract from the DH/Connecting for Health web-based tool
indicating CNWL’s current progress against the toolkit for each of the standards (as at 1 March
2012).
Req No | Description | Status | Attainment Level
Information Governance Management
9-101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda | Reviewed And Updated | Level 3
9-105 | There are approved and comprehensive Information Governance Policies with associated strategies and/or improvement plans | Reviewed And Updated | Level 3
9-110 | Formal contractual arrangements that include compliance with information governance requirements, are in place with all contractors and support organisations | Reviewed And Updated | Level 2
9-111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | Reviewed And Updated | Level 3
9-112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained | Reviewed And Updated | Level 3
Confidentiality and Data Protection Assurance
9-200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs | Reviewed And Updated | Level 3
9-201 | Staff are provided with clear guidance on keeping personal information secure and on respecting the confidentiality of service users | Reviewed And Updated | Level 2
9-202 | Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected | Reviewed And Updated | Level 2
9-203 | Individuals are informed about the proposed uses of their personal information | Reviewed And Updated | Level 2
9-205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data | Reviewed And Updated | Level 3
9-206 | There are appropriate confidentiality audit procedures to monitor access to confidential personal information | Reviewed And Updated | Level 2
9-207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations | Reviewed And Updated | Level 2
9-209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines | Reviewed And Updated | Level 3
9-210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements | Reviewed And Updated | Level 3
Information Security Assurance
9-300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs | Reviewed And Updated | Level 3
9-301 A formal information security risk assessment and management Reviewed And Updated
programme for key Information Assets has been documented,
implemented and reviewed
9-302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff | Reviewed And Updated | Level 3
9-303 There are established business processes and procedures that
Reviewed And Updated
9-304 Monitoring and enforcement processes are in place to ensure
Reviewed And Updated
Level 2
satisfy the organisation’s obligations as a Registration Authority
Level 2
NHS national application Smartcard users comply with the
terms and conditions of use
9-305 Operating and application information systems (under the
Reviewed And Updated
9-307 An effectively supported Senior Information Risk Owner takes
Reviewed And Updated
9-308 All transfers of hardcopy and digital person identifiable and
Reviewed And Updated
Level 3
organisation’s control) support appropriate access control
functionality and documented and managed access rights are in
place for all users of these systems
Level 2
ownership of the organisation’s information risk policy and
information risk management strategy
sensitive information have been identified, mapped and risk
assessed; technical and organisational measures adequately
secure these transfers
Level 3
Level 2
9-309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | Not Reviewed | Level 2
9-310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error | Reviewed And Updated | Level 2
9-311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code | Reviewed And Updated | Level 2
9-313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | Reviewed And Updated | Level 2
9-314 | Policy and procedures ensure that mobile computing and teleworking are secure | Reviewed And Updated | Level 2
9-323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | Reviewed And Updated | Level 2
9-324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | Reviewed |
Clinical Information Assurance
9-400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | Reviewed And Updated | Level 3
9-401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | Reviewed And Updated | Level 2
9-402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care | Reviewed And Updated | Level 3
9-404 | A multi-professional audit of clinical records across all specialties has been undertaken | Reviewed And Updated | Level 3
9-406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records | Reviewed And Updated | Level 3
Secondary Use Assurance
9-501 | National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop | Reviewed And Updated | Level 2
9-502 | External data quality reports are used for monitoring and improving data quality | Reviewed And Updated | Level 3
9-504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained | Reviewed And Updated | Level 2
9-506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place | Reviewed And Updated | Level 2
9-507 | The Completeness and Validity check for data has been completed and passed | Reviewed And Updated | Level 3
9-508 | Clinical/care staff are involved in validating information derived from the recording of clinical/care activity | Reviewed And Updated | Level 2
9-514 | An audit of clinical coding, based on national standards, has been undertaken by a member of staff from the NHS Connecting for Health list of registered clinical coding auditors within the last 12 months | Reviewed And Updated | Level 2
9-516 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national standards | Reviewed |
Corporate Information Assurance
9-601 | Documented and implemented procedures are in place for the effective management of corporate records | Reviewed And Updated | Level 3
9-603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000 | Reviewed And Updated | Level 3
9-604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken | Reviewed |
There are 3 standards, 324 – Pseudonymisation, 516 – Clinical Coding and 604 – Corporate
Records, where all evidence has not yet been submitted. The outstanding evidence for these 3
areas will be considered for approval at the IG Programme Board on 9th March and it is anticipated
that the required evidence for these remaining standards can then be submitted to achieve level 2
status.
3. Performance at HM Prison Feltham and Holloway
3.1 The Trust was also required to support prison health services at Feltham and Holloway
through their own Toolkit returns. Prison health services have a discrete version of the Toolkit that
they must complete annually. Evidence is supplied by their host NHS organisation (in this case
CNWL) but is submitted and approved by the local PCT (NHS Hounslow) for Feltham and directly
by Holloway (not through the PCT in this case). Feltham met all its mandatory requirements at
Level 2 and the return was signed off by NHS Hounslow as required. Holloway is submitting a
toolkit for the first time this year and has in place a comprehensive working plan to achieve all
necessary standards.
4. Forward plans for 2012/13
4.1 Our next Toolkit return is due at the end of March 2013, and a work programme will begin
in May 2012 to ensure level 2/3 compliance with all requirements.
5. Conclusion
The IG Toolkit standards become more demanding each year. In previous years, level 2
compliance was required in only a subset of ‘key’ requirements. This year level 2 compliance is
required in all 45 standards. Acquisition of Camden and Hillingdon Community Services has
added to the complexity of this year’s submission although it should be noted that Camden has
historically performed well above average in previous toolkit submissions. The trust is now also
responsible for toolkit submissions in both Feltham and Holloway.
In spite of the increased demands of this year’s toolkit we expect to be reaching the required level
of compliance in all standards.
The Board is asked to note both the improved performance in compliance with IG Toolkit standards
and the anticipated toolkit submission, which meets the required DH/Connecting for Health
standard.
Dr. A. Garboggini
Head of Information Governance