19th February 2014

Written by Thomas Hayes

Information Governance (IG) is a process undertaken within the NHS to meet both common law and statutory duties of confidentiality and security with regard to the receipt, storage, processing and dissemination of data. Common law and some statutes, such as the Computer Misuse Act of 1990, preceded the two current major pieces of legislation: the Data Protection Act of 1998 and the Freedom of Information Act of 2000, which imposed further obligations regarding the use and handling of information. IG compliance permeates down to each individual within the organisation.

The challenges of attempting to comply with IG obligations are many. The most challenging are as follows. Firstly, re-organisations (which are perennial within the NHS) lead to the need to identify ownership of information. This creates a need to ascertain ownership between the new and old, which is not always simple, owing to the myriad ways that information can be stored (paper, databases, spreadsheets, embedded documents in emails and mobile devices) and to inattention towards records destruction procedures. Information Management may get overlooked when huge change management programmes with short time-scales are undertaken, together with the need to focus primarily on the human aspects of the re-organisations. Secondly, the onset of technology and the ways that information can be so speedily and universally disseminated pose inherent risks and mandate the need to keep up to date with the speed and implications of technological changes. The third challenge is the existing dependency within the NHS on paper systems and a lack of integration of electronic systems. Together these create the requirements of avoiding duplication, achieving up-to-date accuracy and ensuring the security of the information held. The final issue is the ever greater need to share information with other organisations: Social Services, Local Government, the police and an increasing number of private sector companies, all of which further increases the risks.

Every year each individual NHS organisation is required to provide applicable evidence to prove compliance with IG requirements. This is known as the IGT return. The IGT return consists of 6 sections: IG Management, Confidentiality and Data Protection, Information Security, Clinical Information, Secondary Use, and Corporate Information. This annual exercise is audited and requires the organisation to prove that relevant procedures and policies exist, that they are reviewed and revised under appropriate governance, and that the associated dissemination, communication and education of staff are undertaken. Risk Management, including auditing and pro-active monitoring, is also required. All in all, the IGT return plays an important part in ensuring that patients and other engaged stakeholders can be confident that adequate protection is provided to their information. This time of year is the busiest, as the final return is required to be electronically submitted by March 31st.
