NHS Service Providers Stand To Lose By Missing IG Toolkit Submission Deadline, Says IT Governance

25 February 2013

Ely, England, 25 February 2013 – NHS service providers stand to lose out if
they fail to complete the NHS Information Governance (IG) Toolkit by 31st
March, warns IT Governance, the global leader in IT governance, risk
management and compliance expertise.

With the confidentiality of patient data a top priority, the NHS requires
that partner organisations connecting to the NHS N3 wide area computer
network demonstrate annually their adoption of appropriate data security
measures. By completing the online self-assessment IG Toolkit, these
businesses can demonstrate their maintenance of appropriate security when
accessing, processing or storing information, including Patient Identifiable
Data.

The IG Toolkit’s requirements apply to both new and existing NHS partners.
However, despite the looming assessment deadline, a large number of NHS
commercial third parties (CTPs) and NHS business partners have yet to act.
According to IT Governance, this failure to act could prove costly, both in
terms of lost business and potential fines.

Alan Calder, Chief Executive of IT Governance, says: “Parties that do not
complete their IG Toolkit submission on an annual basis are considered more
likely to breach data security. In fact, if a breach does occur, the
Information Commissioner’s Office can impose fines of up to £500,000. Those
service providers that comply with the IG Toolkit have a competitive
advantage over organisations that are non-compliant ‒ particularly at
contract tenders.

“All NHS organisations are mandated by the Department of Health to carry out
and publish an IG self-assessment, using the toolkit, by 31st March every
year. Non-NHS organisations that do not publish an assessment are at risk of
having their access to NHS Connecting for Health (CFH) services suspended or
removed. Furthermore, organisations providing services to, or on behalf of,
an NHS organisation are likely to be in breach of their contract if they
don’t publish an assessment.”

To satisfy the requirements of the IG Toolkit, organisations are advised to
employ various methods, from conducting a risk assessment to using some of
the key controls mandated by the NHS when dealing with patient identifiable
data.

Calder says: “Maintaining good data security should be seen as a competitive
advantage, not a cost or a chore. Conducting regular internal audits of your
information security measures will help achieve your commercial objectives,
by bringing a systematic approach to evaluating and improving the
effectiveness of risk management, control and governance processes.”

He adds: “To put your documentation and records in order, it is highly
advisable to use templates to ensure everything is covered and to help you
save time.”

To simplify the challenge of documentation, IT Governance offers an NHS N3
IG v10 Documentation Toolkit (www.itgovernance.co.uk/shop/p-1265.aspx),
which contains all the documents commercial third parties require to
complete the IG Toolkit and achieve compliance.

According to Calder, online staff training is another key ingredient for
success: “The NHS requires evidence that staff awareness training has taken
place. E-learning is the most cost-effective method for CTPs to educate
employees. To meet this requirement, we have introduced a specially designed
N3 and Information Security Staff Awareness e-learning course
(www.itgovernance.co.uk/shop/p-1273.aspx). This training ensures all staff
understand their obligations, so businesses can focus on developing even
more productive relationships with the NHS.”