Management Reporting Structures


Change control notice: Version 7 IG Toolkit
This spreadsheet contains details about the updates and clarifications made to the IG Toolkit to
produce version 7.

In view of the new reporting process for the major NHS organisations (i.e. acute trusts, ambulance
trusts, mental health trusts, primary care trusts, foundation trusts and strategic health authorities),
changes have been kept to a minimum. Most of the changes affect the Information Security
Assurance requirement set and are in relation to the roles of the Senior Information Risk Owner and

Organisations should note that requirement 108 has been updated to align the IGSoC requirements
with the Information Governance Assurance Framework requirements and the "key requirements"

Acute Trusts should be aware that requirement 401 has been completely revised to reflect the new
ISB (Information Standards Board) standard on the NHS Number. The NHS Number team is

NHS Business Partners and Commercial Third Parties should note that additional requirements
have been added to incorporate the recommendations of the data handling review.

Number of requirements per organisation type
Acute: 62
Ambulance Trust: 47
Mental Health Trusts: 62
Primary Care Trusts: 54
Strategic Health Authorities: 36
NHS Business Services Authority: 50
NHS Direct: 52
General Practice: 14
NHS Business Partners: 27
Social care organisations: 51
Commercial Third Parties: 17
IGT Req | SoC | Initiative | Description | Impact of Change | Change to: Requirement | Change to: Guidance | Change to: Checklist | Type of Change
101 P IG Does the Trust have adequate No change n/a n/a n/a n/a
Management governance in place to support the
current and evolving Information
Governance agenda?
102 P IG How would you assess your Trust's Minor Supporting evidence n/a n/a Clarification /
Management ability to access expertise across the materials made update
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG How would you assess your Trust's Minor Supporting evidence Updated to include Aligned to match Update
Management ability to access expertise across the materials made reference to IAO evidential
Information Security agenda? incremental SIRO roles, updated requirements for
professional each score level
qualifications.
Additional link to
Risk Management
GPG
104 IG How would you assess your Trust's Minor Supporting evidence link to Records Aligned to match Update
Management ability to access expertise across the materials made Management evidential
Information Quality and Records incremental Advisory Group requirements for
Management Agenda? removed. No longer each score level
in existence.
105 IG Does the Trust have in place No change n/a n/a n/a n/a
Management comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Does the Trust have up to date and Minor Supporting evidential Updated guidance n/a Update
Management tested business continuity plans for all requirements made materials
critical infrastructure components and incremental.
core information systems? Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Does the Trust have a comprehensive No change n/a n/a n/a n/a
Management Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Has the Trust implemented its Major Attainment levels Table updated with 6 n/a Update
Management Information Governance management updated to reference new key red's: 108,
arrangements to ensure the NHS CFH 25 key requirements, 121, 203, 209, 210
Statement of Compliance (SoC) is previously 20 401. Removal of
satisfied? requirement 206
109 P IG Does the Trust ensure that staff and Minor n/a Updated to reflect New checklist Update
Management those working on behalf of the Trust move to use of created
comply with the terms and conditions electronic RA01 form
set out on the RA01 form?
110 P IG Does the Trust ensure that it has Minor Updated to include Updated to include n/a Update
Management formal contractual arrangements that reference to reference to IAO
include compliance with information SIRO/IAO roles and SIRO roles, wording
governance requirements, with all likely duties amended to clarify
contractors and support organisations? associated. relevance to
Evidential legislation e.g. DPA
requirements made 1998
incremental.
111 P IG Does the Trust ensure that all Minor Minor wording Updated to include Additional checklist Update
Management individuals carrying out work on behalf amendments. link to new Risk items included
of the Trust have employment Evidential Management GPG
contracts which require compliance requirements made guidance document
with information governance incremental
standards?
112 IG Do the Trust’s induction procedures No change n/a n/a n/a n/a
Management effectively raise the awareness of
Information Governance?
113 P IG Does the Trust assess staff training Minor Plan tasks given n/a Additional checklist Update
Management needs and ensure job/role specific "should" statements. items included
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Does the Trust ensure that its No change n/a n/a n/a n/a
Management registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into Trust
policies and procedures) to discharge
its RA responsibilities?
121 P IG Does the Trust have a Board level Minor n/a New paragraph New checklist Update
Management Senior Information Risk Owner (SIRO) outlining role of IAO created
who takes ownership of the Trust’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the Trust have a confidentiality Minor Wording updated to Reference to n/a Update
and Data code of conduct that provides staff include examples of Commitment 3
Protection with clear guidance on the disclosure how staff should be updated
of patient personal information? informed about the
code.
202 P Confidentiality Does the Trust ensure that patients are Minor n/a Updated references n/a Update
and Data generally asked before their personal to legislation - e.g.
information is used in ways that do not section 251 NHS Act
Protection
directly contribute to, or support the 2006. References to
delivery of, their care and that patients'
commitments 4 and
decisions to restrict the disclosure of their
personal information are appropriately 6 updated. Updated
respected? guidance and
reference materials.
203 P Confidentiality Does the Trust ensure that patients Minor n/a Updated references n/a Update
and Data are informed about the proposed uses to commitments 4
Protection of their personal information and the and 6. Wording
importance of providing accurate amended.
information to NHS staff?
204 Confidentiality Does the Trust have effective Minor n/a Clarification re: n/a Clarification /
and Data procedures for ensuring that detailed PALS, all trusts update
Protection questions, raised by patients about should have them
how their information may be used, now. Correction of
can be answered? error, Commitment 4
should have read
Commitment 7, also
text updated. KB
references
205 Confidentiality Does the Trust have appropriate Minor n/a Commitment 1 n/a Clarification /
and Data procedures for recognising and updated to include update
Protection responding to patient requests for reference to
access to their health records? applicable SAR fees.
Updated references
to knowledgebase
materials
206 Confidentiality Has the Trust established appropriate Minor n/a Updated text within n/a Update
and Data confidentiality audit procedures to Commitment 12
Protection monitor access to confidential patient reference
information?
207 Confidentiality Has the Trust agreed protocols Minor n/a Clarification - n/a Update
and Data governing the sharing of patient- addition of s251 to
Protection identifiable information with other s60 reference and
organisations where this is required? also research.
Commitments 2 and
3 updated. Link to
Medical research
council included
within KB references
208 P Confidentiality Has the Trust put in place safe-haven Minor n/a Para altered: n/a Clarification
and Data procedures for all routine flows of Examples of
Protection patient personal information to the methods by which
organisation? information flows
209 P Confidentiality Does the Trust comply with data Minor n/a New KB links n/a Update
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does the Trust ensure that all new No change n/a n/a n/a n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does the Trust have a formal Minor Updated wording of Updated to include additional checklist Update
Security information security risk assessment requirement levels reference to SIRO & entries for level 1
Management and management programme that is IAO reporting attainment
implemented and regularly reviewed? structures, additional
guidance text
included.
302 P Information Does the Trust have documented and Minor Updated wording of Wording updated to n/a Update
Security accessible information security event requirement levels include reference to
Management reporting, investigation and resolution SIRO/IAO roles &
procedures in place that are explained responsibilities
to all staff?
303 P Information Has the Trust established business Minor n/a Updated to reflect Additional entries for Update
Security processes that ensure all staff integration of ESR attainment levels
Management smartcards and access profiles issued and SUD into RA
are appropriate and satisfy their processes.
obligations as RAs?
305 P Information Does the Trust ensure that operating Minor Updated text within Updated with n/a Update
Security and application information systems attainment levels reference to
Management under its control support appropriate reflecting duties Information Assets
access control functionality? associated with role and SLSP
of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a Knowledge base n/a Update
Security agreed access rights for all users of links updated
Management Trust information systems and
services?
307 P Information Has the Trust established a register of Minor n/a Updated with n/a Update
Security all its major information assets and reference to duties
Management assigned responsibility or ‘ownership’ associated with the
for each? role of IAO/SIRO
308 P Information Does the Trust ensure that digital Minor Updated with Updated with n/a Update
Security information shared with other reference to duties reference to
Management organisations is secured in transit? associated with the Information risk
role of IAO/SIRO assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
309 Information Does the Trust have adequate Minor Updated reference minor wording n/a Update
Security procedures in place to ensure the to Information changes, links to
Management availability of information processing Assets and duties new guidance
facilities, communications services and associated with the materials.
data? role of IAO/SIRO
310 Information Does the Trust have procedures in Minor Updated to include Updated wording n/a Update
Security place to prevent information reference to relating to use of 3rd
Management processing being interrupted or SIRO/IAO roles and party contractors for
disrupted through equipment failure, likely duties secure disposal of
environmental hazard or human error? associated. media, links to new
Evidential guidance materials.
requirements made
incremental.
311 Information Does the Trust ensure that its Minor Greater controls Updated with n/a Update
Security information systems are capable of the described within reference to
Management rapid detection, isolation and removal attainment level contractors
of malicious code and unauthorised texts. Duties responsibilities, new
mobile code? associated with the knowledgebase and
roles of IAO/SIRO reference materials
defined.
312 Information Does the Trust have in place Minor Updated to reflect Updated with n/a Clarification /
Security appropriate procedures for ensuring inclusion of IG reference to IG update
Management that the development and introduction accreditation accreditation
of any new local information systems, documentation. documentation. New
software, IT projects and, more Improvement plan section of guidance
generally, IT support activities are text amended to included, links to
conducted in a secure and structured reflect associated new knowledgebase
manner? duties of role of materials.
IAO/SIRO
313 P Information Does the Trust have appropriate Minor n/a Updated reference n/a Update
Security procedures in place to ensure that to security
Management communication networks under the requirements within
Trust's control operate in a secure contracts and
manner? network services
agreements. Links to
new knowledgebase
materials
314 P Information Does the Trust have appropriate Minor n/a Updated wording n/a Update
Security procedures for ensuring that mobile regarding data
Management computing and teleworking are backup of mobile
conducted in a secure manner? devices, additional
links to new
knowledge base
materials
322 Information Does the Trust ensure that Minor n/a Re-written guidance New checklist Update
Security Registration Authority equipment document outlining created
Management (hardware and software) and processes and new
consumables meet current websites
specifications, is adequately
maintained and securely stored?
401 P Clinical Does the Trust have a strategy to Major NEW Standard: Has Re-written Re-written Update
Information ensure the correct NHS Number is the Trust
Assurance recorded for each active patient and implemented the
ensure that it is used routinely in Operational
clinical communications? Information Standard
- NHS Number
Standard for
Secondary Care
(England)?
402 Clinical Does the Trust have documented and Minor n/a minor wording n/a Update
Information implemented procedures for the amendment
Assurance identification and resolution of
duplicate or confused patient records
(i.e. where two or more patients share
a record)?
403 Clinical Does the Trust have Trust-wide, multi- Minor n/a Updated links and n/a Update
Information professional audit of clinical record guidance materials
Assurance standard, including accuracy, for all
professional groups in all specialities?
404 Clinical Does the Trust have paper health Minor n/a Updated links and n/a Update
Information records of a standard design within the guidance materials
Assurance Trust, combined with a locally agreed
standard format for filing within the
health record?
405 Clinical Does the Trust have robust No change n/a n/a n/a n/a
Information procedures and processes for
Assurance monitoring all data collection activities
across the Trust?
406 Clinical Does the Trust have processes and Minor n/a Updated links and n/a Update
Information procedures in place to enable it to guidance materials
Assurance regularly monitor, measure and trace
paper health records?
407 Clinical Does the Trust ensure that Accident Minor n/a Updated links and n/a Update
Information and Emergency records are contained guidance materials
Assurance within the main record for patients who
are subsequently admitted and is there
a system to ensure that the GP is sent
a copy of the A&E record?
408 Clinical Does the Trust have procedures in No change n/a n/a n/a n/a
Information place to ensure that when new
Assurance services are provided, or where
changes within the system are made,
that these do not adversely impact on
information quality?
501 Secondary Does the Trust ensure that NHS No change n/a n/a n/a n/a
Use Assurance standard definitions, values and
validation programmes are
incorporated within key systems and
that local documentation is updated as
standards develop?
502 Secondary Does the Trust use external data No change n/a n/a n/a n/a
Use Assurance quality reports for monitoring and
improving quality?
503 Secondary Does the Trust have procedures to No change n/a n/a n/a n/a
Use Assurance ensure that staff routinely check
information about patients with the
source so that corrections are made
as necessary to appropriate records
and does the Trust routinely undertake
activity reconciliations between the
patient record and data on PAS?
504 Secondary Does the Trust have documented No change n/a n/a n/a n/a
Use Assurance procedures for using both local and
national benchmarking to identify
possible data quality issues and to
analyse trends in information over time
to ensure that large changes are
investigated and explained?
505 Secondary Does the Trust have in place a robust Minor Minor wording Updated with ref to Additional text within Update
Use Assurance programme of internal and external amendments. section 251 NHS Act level 1 items
data quality/clinical coding audit in line 2006
with the requirements of the Audit
Commission and NHS Connecting for
Health?
506 Secondary Does the Trust have a documented Minor n/a Dates incremented n/a Update
Use Assurance procedure and a regular audit cycle for to relate to pertinent
accuracy checks on patient data? financial year
507 Secondary Has the Trust completed and passed Minor n/a Dates incremented n/a Update
Use Assurance the Completeness and Validity check to relate to pertinent
for data as detailed in the guidance financial year
documents?
508 Secondary Is the Trust involving clinical staff in No change n/a n/a n/a n/a
Use Assurance validating information derived from the
recording of clinical activity?
509 Secondary Does the Trust have (or access) a No change n/a n/a n/a n/a
Use Assurance formal, targeted training programme
for all staff involved in the collection
and management of patient-related
data covering the operation of key
systems?
510 Secondary Does the Trust use training No change n/a n/a n/a n/a
Use Assurance programmes for clinical coding staff
entering coded clinical data that are
comprehensive and conform to
National Standards?
511 Secondary Does the Trust have sufficient Minor n/a Updated KB link n/a Update
Use Assurance governance processes in place to
ensure adherence to the principles
enshrined in the Code of Conduct for
Payment by Results?
601 Corporate Does the Trust have documented and No change n/a n/a n/a n/a
Information implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does the Trust have documented and No change n/a n/a n/a n/a
Information implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does the Trust have publicly available, Minor n/a New links included n/a Update
Information documented and implemented
Assurance procedures to ensure compliance with
the Freedom of Information Act 2000?
604 Corporate Has the Trust carried out an audit of its Minor n/a Inventory changed to n/a Update
Information corporate records and information as audit
Assurance part of the records lifecycle
management strategy?
Reason for and Details of Change
n/a
To clarify responsibilities; to align
requirement and guidance document
improvement plans
To reflect role of SIRO/IAO; to add
new KB link to Risk Management
GPG
To add information about "key
systems"; to align requirement and
guidance document improvement
plans
n/a
To reflect SIRO /IAO
n/a
To align the requirements of the
IGSoC with the IG Assurance
Framework requirements and the
key requirements referred to in the
NHS Operating Framework
To include electronic system/forms
To reflect SIRO /IAO and clarify the
relevance of the Data Protection Act
to the requirement
To add new KB link to Risk
Management GPG; To bring
evidence requirements into line with
IGT format.
n/a
To bring evidence requirements and
plan tasks into line with IGT format.
n/a
To reflect role of IAO, to add new
links to IG training tool and KB docs
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect that all trusts should have
PALS. Correction of error re: CRG
Commitments and revision of CRG.
To reflect new bodies - ECC, NIGB
and Care Quality Commission.
To clarify date for compliance with
SAR. To reflect revision of CRG. To
reflect new bodies - ECC, NIGB and
Care Quality Commission.
To reflect revision of CRG. To reflect
new body - Care Quality
Commission.
To reflect that s251 NHS Act 2006
has replaced s60 reference. To
reflect revision of CRG. To reflect
new body - Care Quality
Commission.
To tidy up text relating to examples
of methods by which information
flows
To update KB links to new Europa
website.
n/a
To reflect role of SIRO/IAO and
other changes in terminology
To reflect role of SIRO/IAO
To reflect changes in RA processes
To reflect role of SIRO/IAO
To update KB links to GPGs
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and
wording changes to digital media
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and to
include contractors
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and to
clarify ambiguous wording and
To reflect recent changes
To reflect RM and role of SIRO/IAO
and amend ambiguous wording
To reflect RA developments and
changes to websites
To incorporate new formal ISB
standard on NHS number requiring
complete revision of requirement,
guidance sheet and checklist.
To update KB links to IQAP
documents
To update KB links to NHSLA and
RCP documents
To update KB links to NHSLA and
RCP documents
n/a
To update KB links to NHSLA
documents
To update KB links to NHSLA
documents
n/a
n/a
n/a
n/a
n/a
To incorporate change in legislation.
To update link to Audit Commission
payment by results.
To change date to current financial
year.
To change date to current financial
year.
n/a
n/a
n/a
To update link to Audit Commission
Payment by results.
n/a
n/a
To update link to FOI pages.
To align guidance document with
requirement question - no change to
work required to complete the
requirement.
IGT Req | SoC | Initiative | Description | Impact of Change | Change to: Requirement
101 P IG Management Does the AMT have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess your AMT's Minor Supporting evidence
ability to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess your AMT's Minor Supporting evidence
ability to access expertise across the materials made
Information Security agenda? incremental
104 IG Management How would you assess your AMT's Minor Supporting evidence
ability to access expertise across the materials made
Information Quality and Records incremental
Management Agenda?
105 IG Management Does the AMT have in place No change n/a
comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Management Does the AMT have up to date and Minor Supporting evidential
tested business continuity plans for all requirements made
critical infrastructure components and incremental.
core information systems? Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Management Does the AMT have a comprehensive No change n/a
Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Management Has the AMT implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does the AMT ensure that staff and Minor n/a
those working on behalf of the AMT
comply with the terms and conditions
set out on the RA01 form?
110 P IG Management Does the AMT ensure that it has Minor Updated to include
formal contractual arrangements that reference to
include compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does the AMT ensure that all Minor Minor wording
individuals carrying out work on behalf amendments.
of the AMT have employment Evidential
contracts which require compliance requirements made
with information governance incremental
standards?
112 IG Management Do the AMT’s induction procedures No change n/a
effectively raise the awareness of
Information Governance?
113 P IG Management Does the AMT assess staff training Minor Plan tasks given
needs and ensure job/role specific "should" statements.
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Management Does the AMT ensure that its No change n/a
registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into AMT
policies and procedures) to discharge
its RA responsibilities?
121 P IG Management Does the AMT have a Board level Minor n/a
Senior Information Risk Owner (SIRO)
who takes ownership of the AMT’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the AMT have a confidentiality Minor Wording updated to
and Data code of conduct that provides staff with include examples of
Protection clear guidance on the disclosure of how staff should be
patient personal information? informed about the
code.
202 P Confidentiality Does the AMT ensure that patients are Minor n/a
and Data generally asked before their personal
information is used in ways that do not
Protection
directly contribute to, or support the
delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does the AMT ensure that patients are Minor n/a
and Data informed about the proposed uses of
Protection their personal information and the
importance of providing accurate
information to NHS staff?
204 Confidentiality Does the AMT have effective Minor n/a
and Data procedures for ensuring that detailed
Protection questions, raised by patients about
how their information may be used,
can be answered?
205 Confidentiality Does the AMT have appropriate Minor n/a
and Data procedures for recognising and
Protection responding to patient requests for
access to their health records?
206 Confidentiality Has the AMT established appropriate Minor n/a
and Data confidentiality audit procedures to
Protection monitor access to confidential patient
information?
208 P Confidentiality Has the AMT put in place safe-haven Minor n/a
and Data procedures for all routine flows of
Protection patient personal information to the
organisation?
209 P Confidentiality Does the AMT comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does the AMT ensure that all new No change n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does the AMT have a formal Minor Updated wording of
Security information security risk assessment requirement levels
Management and management programme that is
implemented and regularly reviewed?
302 P Information Does the AMT have documented and Minor Updated wording of
Security accessible information security event requirement levels
Management reporting, investigation and resolution
procedures in place that are explained
to all staff?
303 P Information Has the AMT established business Minor n/a
Security processes that ensure all staff
Management smartcards and access profiles issued
are appropriate and satisfy their
obligations as RAs?
305 P Information Does the AMT ensure that operating Minor Updated text within
Security and application information systems attainment levels
Management under its control support appropriate reflecting duties
access control functionality? associated with role
of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a
Security agreed access rights for all users of
Management AMT information systems and
services?
307 P Information Has the AMT established a register of Minor n/a
Security all its major information assets and
Management assigned responsibility or ‘ownership’
for each?
308 P Information Does the AMT ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
309 Information Does the AMT have adequate Minor Updated reference to
Security procedures in place to ensure the Information Assets
Management availability of information processing and duties
facilities, communications services and associated with the
data? role of IAO/SIRO
310 Information Does the AMT have procedures in Minor Updated to include
Security place to prevent information reference to
Management processing being interrupted or SIRO/IAO roles and
disrupted through equipment failure, likely duties
environmental hazard or human error? associated.
Evidential
requirements made
incremental.
311 Information Does the AMT ensure that its Minor Greater controls
Security information systems are capable of the described within
Management rapid detection, isolation and removal attainment level
of malicious code and unauthorised texts. Duties
mobile code? associated with the
roles of IAO/SIRO
defined.
312 Information Does the AMT have in place Minor Updated to reflect
Security appropriate procedures for ensuring inclusion of IG
Management that the development and introduction accreditation
of any new local information systems, documentation.
software, IT projects and, more Improvement plan
generally, IT support activities are text amended to
conducted in a secure and structured reflect associated
manner? duties of role of
IAO/SIRO
313 P Information Does the AMT have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under the
AMT's control operate in a secure
manner?
314 P Information Does the AMT have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
315 Information Does the AMT satisfy its security Minor n/a
Security management requirements to protect
Management the Airwave communications service?
322 Information Does the AMT ensure that Registration Minor n/a
Security Authority equipment (hardware and
Management software) and consumables meet
current specifications, is adequately
maintained and securely stored?
401 P Clinical Does the AMT have a strategy to No change n/a
Information ensure the correct NHS Number is
Assurance recorded for each active patient and
ensure that it is used routinely in
clinical communications?
403 Clinical Does the AMT have AMT-wide, multi- Minor n/a
Information professional audit of clinical record
Assurance standard, including accuracy, for all
professional groups in all specialities?
405 Clinical Does the AMT have robust procedures No change n/a
Information and processes for monitoring all data
Assurance collection activities across the AMT?
408 Clinical Does the AMT have procedures in No change n/a
Information place to ensure that when new
Assurance services are provided, or where
changes within the system are made,
that these do not adversely impact on
information quality?
601 Corporate Does the AMT have documented and No change n/a
Information implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does the AMT have documented and No change n/a
Information implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does the AMT have publicly available, Minor n/a
Information documented and implemented
Assurance procedures to ensure compliance with
the Freedom of Information Act 2000?
604 Corporate Has the AMT carried out an audit of its Minor n/a
Information corporate records and information as
Assurance part of the records lifecycle
management strategy?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification / To clarify responsibilities; to align
update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
link to Records Aligned to match Update To add information about "key
Management evidential systems"; to align requirement and
Advisory Group requirements for guidance document improvement
removed. No longer each score level plans
in existence.
n/a n/a n/a n/a
Updated guidance n/a Update To reflect SIRO/IAO
materials
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a n/a n/a n/a
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Updated references n/a Update To reflect revision of CRG. To reflect
to legislation - e.g. new bodies - ECC, NIGB and Care
section 251 NHS Act Quality Commission.
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
Updated references n/a Update To reflect revision of CRG. To reflect
to commitments 4 new bodies - ECC, NIGB and Care
and 6. Wording Quality Commission.
amended.
Clarification re: n/a Clarification / To reflect that all trusts should have
PALS, all trusts update PALS. Correction of error re: CRG
should have them Commitments and revision of CRG.
now. Correction of To reflect new bodies - ECC, NIGB
error, Commitment 4 and Care Quality Commission.
should have read
Commitment 7, also
text updated. KB
references
Commitment 1 n/a Clarification / To clarify date for compliance with
updated to include update SAR. To reflect revision of CRG. To
reference to reflect new bodies - ECC, NIGB and
applicable SAR fees. Care Quality Commission.
Updated references
to knowledgebase
materials
Updated text within n/a Update To reflect revision of CRG. To reflect
Commitment 12 new body - Care Quality
reference Commission.
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
n/a n/a n/a n/a
Updated to include additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Knowledge base n/a Update To update KB links to GPGs
links updated
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
minor wording n/a Update To reflect role of SIRO/IAO
changes, links to
new guidance
materials.
Updated wording n/a Update To reflect role of SIRO/IAO and to
relating to use of 3rd include contractors
party contractors for
secure disposal of
media, links to new
guidance materials.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
contractors
responsibilities, new
knowledgebase and
reference materials
Updated with n/a Clarification / To reflect role of SIRO/IAO and to
reference to IG update clarify ambiguous wording and
accreditation
documentation. New
section of guidance
included, links to
new knowledgebase
materials.
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
New KB docs n/a Update To add new KB docs re risk
management
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
n/a n/a n/a n/a
Updated links and n/a Update To update KB links to NHSLA and
guidance materials RCP documents
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
New links included n/a Update To update link to FOI pages.
Inventory changed to n/a Update To align guidance document with
audit requirement question - no change to
work required to complete the
requirement.
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Management Does the MHT have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess your MHT's Minor Supporting evidence
ability to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess your MHT's Minor Supporting evidence
ability to access expertise across the materials made
Information Security agenda? incremental
104 IG Management How would you assess your MHT's Minor Supporting evidence
ability to access expertise across the materials made
Information Quality and Records incremental
Management Agenda?
105 IG Management Does the MHT have in place No change n/a
comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Management Does the MHT have up to date and Minor Supporting evidential
tested business continuity plans for all requirements made
critical infrastructure components and incremental.
core information systems? Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Management Does the MHT have a comprehensive No change n/a
Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Management Has the MHT implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does the MHT ensure that staff and Minor n/a
those working on behalf of the MHT
comply with the terms and conditions
set out on the RA01 form?
110 P IG Management Does the MHT ensure that it has Minor Updated to include
formal contractual arrangements that reference to
include compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does the MHT ensure that all Minor Minor wording
individuals carrying out work on behalf amendments.
of the MHT have employment Evidential
contracts which require compliance requirements made
with information governance incremental
standards?
112 IG Management Do the MHT’s induction procedures No change n/a
effectively raise the awareness of
Information Governance?
113 P IG Management Does the MHT assess staff training Minor Plan tasks given
needs and ensure job/role specific "should" statements.
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Management Does the MHT ensure that its No change n/a
registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into MHT
policies and procedures) to discharge
its RA responsibilities?
121 P IG Management Does the MHT have a Board level Minor n/a
Senior Information Risk Owner (SIRO)
who takes ownership of the MHT’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the MHT have a confidentiality Minor Wording updated to
and Data code of conduct that provides staff include examples of
Protection with clear guidance on the disclosure how staff should be
of patient personal information? informed about the
code.
202 P Confidentiality Does the MHT ensure that patients are Minor n/a
and Data generally asked before their personal
Protection information is used in ways that do not
directly contribute to, or support the
delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does the MHT ensure that patients are Minor n/a
and Data informed about the proposed uses of
Protection their personal information and the
importance of providing accurate
information to NHS staff?
204 Confidentiality Does the MHT have effective Minor n/a
and Data procedures for ensuring that detailed
Protection questions, raised by patients about
how their information may be used,
can be answered?
205 Confidentiality Does the MHT have appropriate Minor n/a
and Data procedures for recognising and
Protection responding to patient requests for
access to their health records?
206 Confidentiality Has the MHT established appropriate Minor n/a
and Data confidentiality audit procedures to
Protection monitor access to confidential patient
information?
207 Confidentiality Has the MHT agreed protocols Minor n/a
and Data governing the sharing of patient-
Protection identifiable information with other
organisations where this is required?
208 P Confidentiality Has the MHT put in place safe-haven Minor n/a
and Data procedures for all routine flows of
Protection patient personal information to the
organisation?
209 P Confidentiality Does the MHT comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does the MHT ensure that all new No change n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does the MHT have a formal Minor Updated wording of
Security information security risk assessment requirement levels
Management and management programme that is
implemented and regularly reviewed?
302 P Information Does the MHT have documented and Minor Updated wording of
Security accessible information security event requirement levels
Management reporting, investigation and resolution
procedures in place that are explained
to all staff?
303 P Information Has the MHT established business Minor n/a
Security processes that ensure all staff
Management smartcards and access profiles issued
are appropriate and satisfy their
obligations as RAs?
305 P Information Does the MHT ensure that operating Minor Updated text within
Security and application information systems attainment levels
Management under its control support appropriate reflecting duties
access control functionality? associated with role
of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a
Security agreed access rights for all users of
Management MHT information systems and
services?
307 P Information Has the MHT established a register of Minor n/a
Security all its major information assets and
Management assigned responsibility or ‘ownership’
for each?
308 P Information Does the MHT ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
309 Information Does the MHT have adequate Minor Updated reference to
Security procedures in place to ensure the Information Assets
Management availability of information processing and duties
facilities, communications services and associated with the
data? role of IAO/SIRO
310 Information Does the MHT have procedures in Minor Updated to include
Security place to prevent information reference to
Management processing being interrupted or SIRO/IAO roles and
disrupted through equipment failure, likely duties
environmental hazard or human error? associated.
Evidential
requirements made
incremental.
311 Information Does the MHT ensure that its Minor Greater controls
Security information systems are capable of the described within
Management rapid detection, isolation and removal attainment level
of malicious code and unauthorised texts. Duties
mobile code? associated with the
roles of IAO/SIRO
defined.
312 Information Does the MHT have in place Minor Updated to reflect
Security appropriate procedures for ensuring inclusion of IG
Management that the development and introduction accreditation
of any new local information systems, documentation.
software, IT projects and, more Improvement plan
generally, IT support activities are text amended to
conducted in a secure and structured reflect associated
manner? duties of role of
IAO/SIRO
313 P Information Does the MHT have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under the
MHT's control operate in a secure
manner?
314 P Information Does the MHT have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
322 Information Does the MHT ensure that Minor n/a
Security Registration Authority equipment
Management (hardware and software) and
consumables meet current
specifications, is adequately
maintained and securely stored?
401 P Clinical Does the MHT have a strategy to No change n/a
Information ensure the correct NHS Number is
Assurance recorded for each active patient and
ensure that it is used routinely in
clinical communications?
402 Clinical Does the MHT have documented and Minor n/a
Information implemented procedures for the
Assurance identification and resolution of
duplicate or confused patient records
(i.e. where two or more patients share
a record)?
403 Clinical Does the MHT have MHT-wide, multi- Minor n/a
Information professional audit of clinical record
Assurance standard, including accuracy, for all
professional groups in all specialities?
404 Clinical Does the MHT have paper health Minor n/a
Information records of a standard design within the
Assurance MHT, combined with a locally agreed
standard format for filing within the
health record?
405 Clinical Does the MHT have robust procedures No change n/a
Information and processes for monitoring all data
Assurance collection activities across the MHT?
406 Clinical Does the MHT have processes and Minor n/a
Information procedures in place to enable it to
Assurance regularly monitor, measure and trace
paper health records?
407 Clinical Does the MHT ensure that Accident Minor n/a
Information and Emergency records are contained
Assurance within the main record for patients who
are subsequently admitted and is there
a system to ensure that the GP is sent
a copy of the A&E record?
408 Clinical Does the MHT have procedures in No change n/a
Information place to ensure that when new
Assurance services are provided, or where
changes within the system are made,
that these do not adversely impact on
information quality?
501 Secondary Does the MHT ensure that NHS No change n/a
Use Assurance standard definitions, values and
validation programmes are
incorporated within key systems and
that local documentation is updated as
standards develop?
502 Secondary Does the MHT use external data No change n/a
Use Assurance quality reports for monitoring and
improving quality?
503 Secondary Does the MHT have procedures to No change n/a
Use Assurance ensure that staff routinely check
information about patients with the
source so that corrections are made as
necessary to appropriate records and
does the MHT routinely undertake
activity reconciliations between the
patient record and data on PAS?
504 Secondary Does the MHT have documented No change n/a
Use Assurance procedures for using both local and
national benchmarking to identify
possible data quality issues and to
analyse trends in information over time
to ensure that large changes are
investigated and explained?
505 Secondary Does the MHT have in place a robust Minor Minor wording
Use Assurance programme of internal and external amendments.
data quality/clinical coding audit in line
with the requirements of the Audit
Commission and NHS Connecting for
Health?
506 Secondary Does the MHT have a documented Minor n/a
Use Assurance procedure and a regular audit cycle for
accuracy checks on patient data?
507 Secondary Has the MHT completed and passed Minor n/a
Use Assurance the Completeness and Validity check
for data as detailed in the guidance
documents?
508 Secondary Is the MHT involving clinical staff in No change n/a
Use Assurance validating information derived from the
recording of clinical activity?
509 Secondary Does the MHT have (or access) a No change n/a
Use Assurance formal, targeted training programme
for all staff involved in the collection
and management of patient-related
data covering the operation of key
systems?
510 Secondary Does the MHT use training No change n/a
Use Assurance programmes for clinical coding staff
entering coded clinical data that are
comprehensive and conform to
National Standards?
511 Secondary Does the MHT have sufficient Minor n/a
Use Assurance governance processes in place to
ensure adherence to the principles
enshrined in the Code of Conduct for
Payment by Results?
601 Corporate Does the MHT have documented and No change n/a
Information implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does the MHT have documented and No change n/a
Information implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does the MHT have publicly available, Minor n/a
Information documented and implemented
Assurance procedures to ensure compliance with
the Freedom of Information Act 2000?
604 Corporate Has the MHT carried out an audit of its Minor n/a
Information corporate records and information as
Assurance part of the records lifecycle
management strategy?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification / To clarify responsibilities; to align
update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
link to Records Aligned to match Update To add information about "key
Management evidential systems"; to align requirement and
Advisory Group requirements for guidance document improvement
removed. No longer each score level plans
in existence.
n/a n/a n/a n/a
Updated guidance n/a Update To reflect SIRO/IAO
materials
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a n/a n/a n/a
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Updated references n/a Update To reflect revision of CRG. To reflect
to legislation - e.g. new bodies - ECC, NIGB and Care
section 251 NHS Act Quality Commission.
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
Updated references n/a Update To reflect revision of CRG. To reflect
to commitments 4 new bodies - ECC, NIGB and Care
and 6. Wording Quality Commission.
amended.
Clarification re: n/a Clarification / To reflect that all trusts should have
PALS, all trusts update PALS. Correction of error re: CRG
should have them Commitments and revision of CRG.
now. Correction of To reflect new bodies - ECC, NIGB
error, Commitment 4 and Care Quality Commission.
should have read
Commitment 7, also
text updated. KB
references
Commitment 1 n/a Clarification / To clarify date for compliance with
updated to include update SAR. To reflect revision of CRG. To
reference to reflect new bodies - ECC, NIGB and
applicable SAR fees. Care Quality Commission.
Updated references
to knowledgebase
materials
Updated text within n/a Update To reflect revision of CRG. To reflect
Commitment 12 new body - Care Quality
reference Commission.
Clarification - n/a Update To reflect that s251 NHS Act 2006
addition of s251 to has replaced s60 reference. To
s60 reference and reflect revision of CRG. To reflect
also research. new body - Care Quality
Commitments 2 and Commission.
3 updated. Link to
Medical research
council included
within KB references
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
n/a n/a n/a n/a
Updated to include additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Knowledge base n/a Update To update KB links to GPGs
links updated
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
minor wording n/a Update To reflect role of SIRO/IAO
changes, links to
new guidance
materials.
Updated wording n/a Update To reflect role of SIRO/IAO and to
relating to use of 3rd include contractors
party contractors for
secure disposal of
media, links to new
guidance materials.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
contractors
responsibilities, new
knowledgebase and
reference materials
Updated with n/a Clarification / To reflect role of SIRO/IAO and to
reference to IG update clarify ambiguous wording and
accreditation
documentation. New
section of guidance
included, links to
new knowledgebase
materials.
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
n/a n/a n/a n/a
minor wording n/a Update To update KB links to IQAP
amendment documents
Updated links and n/a Update To update KB links to NHSLA and
guidance materials RCP documents
Updated links and n/a Update To update KB links to NHSLA and
guidance materials RCP documents
n/a n/a n/a n/a
Updated links and n/a Update To update KB links to NHSLA
guidance materials documents
Updated links and n/a Update To update KB links to NHSLA
guidance materials documents
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
Updated with ref to Additional text within Update To incorporate change in legislation.
section 251 NHS Act level 1 items To update link to Audit Commission
2006 payment by results.
Dates incremented n/a Update To change date to current financial
to relate to pertinent year.
financial year
Dates incremented n/a Update To change date to current financial
to relate to pertinent year.
financial year
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
Updated KB link n/a Update To update link to Audit Commission
Payment by results.
n/a n/a n/a n/a
n/a n/a n/a n/a
New links included n/a Update To update link to FOI pages.
Wording change n/a Update To align guidance document with
requirement question - no change to
work required to complete the
requirement.
IGT SoC Initiative Description Impact of
Req Change
101 P IG Management Does the PCT have adequate governance No change
in place to support the current and evolving
Information Governance agenda?
102 P IG Management How would you assess your PCT's ability to Minor
access expertise across the Confidentiality
& Data Protection Assurance agenda?
103 P IG Management How would you assess your PCT's ability to Minor
access expertise across the Information
Security agenda?
104 IG Management How would you assess your PCT's ability to Minor
access expertise across the Information
Quality and Records Management Agenda?
105 IG Management Does the PCT have in place No change
comprehensive IG Policy and associated
Strategy and Improvement Plans all signed
off by the Board?
106 IG Management Does the PCT have up to date and tested Minor
business continuity plans for all critical
infrastructure components and core
information systems?
107 P IG Management Does the PCT have a comprehensive No change
Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Management Has the PCT implemented its Information Major
Governance management arrangements to
ensure the NHS CFH Statement of
Compliance (SoC) is satisfied?
109 P IG Management Does the PCT ensure that staff and those Minor
working on behalf of the PCT comply with
the terms and conditions set out on the
RA01 form?
110 P IG Management Does the PCT ensure that it has formal Minor
contractual arrangements that include
compliance with information governance
requirements, with all contractors and
support organisations?
111 P IG Management Does the PCT ensure that all individuals Minor
carrying out work on behalf of the PCT
have employment contracts which require
compliance with information governance
standards?
112 IG Management Do the PCT’s induction procedures No change
effectively raise the awareness of
Information Governance?
113 P IG Management Does the PCT assess staff training needs Minor
and ensure job/role specific information
governance training is provided to all staff?
120 IG Management Does the PCT ensure that its registration No change
authority (RA) managers, agents and
sponsors have sufficient knowledge and
skills (including latest software, operational
process guidance and its integration into
PCT policies and procedures) to discharge
its RA responsibilities?
121 P IG Management Does the PCT have a Board level Senior Minor
Information Risk Owner (SIRO) who takes
ownership of the PCT’s information risk
policy, acts as advocate for information risk
on the board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in regard
to information risk?
201 P Confidentiality Does the PCT have a confidentiality code Minor
and Data of conduct that provides staff with clear
Protection guidance on the disclosure of patient
personal information?
202 P Confidentiality Does the PCT ensure that patients are generally Minor
and Data asked before their personal information is used
Protection in ways that do not directly contribute to, or
support the delivery of, their care and that
patients' decisions to restrict the disclosure of
their personal information are appropriately
respected?
203 P Confidentiality Does the PCT ensure that patients are Minor
and Data informed about the proposed uses of their
Protection personal information and the importance of
providing accurate information to NHS
staff?
204 Confidentiality Does the PCT have effective procedures Minor
and Data for ensuring that detailed questions, raised
Protection by patients about how their information may
be used, can be answered?
205 Confidentiality Does the PCT have appropriate Minor
and Data procedures for recognising and responding
Protection to patient requests for access to their
health records?
206 Confidentiality Has the PCT established appropriate Minor
and Data confidentiality audit procedures to monitor
Protection access to confidential patient information?
207 Confidentiality Has the PCT agreed protocols governing Minor
and Data the sharing of patient-identifiable
Protection information with other organisations where
this is required?
208 P Confidentiality Has the PCT put in place safe-haven Minor
and Data procedures for all routine flows of patient
Protection personal information to the organisation?
209 P Confidentiality Does the PCT comply with data protection Minor
and Data requirements in respect of transfers of
Protection personal data about patients or staff to
countries outside of the EEA?
210 P Confidentiality Does the PCT ensure that all new No change
and Data processes, software and hardware, comply
Protection with confidentiality and data protection
requirements?
301 P Information Does the PCT have a formal information Minor
Security security risk assessment and management
Management programme that is implemented and
regularly reviewed?
302 P Information Does the PCT have documented and Minor
Security accessible information security event
Management reporting, investigation and resolution
procedures in place that are explained to all
staff?
303 P Information Has the PCT established business Minor
Security processes that ensure all staff smartcards
Management and access profiles issued are appropriate
and satisfy their obligations as RAs?
305 P Information Does the PCT ensure that operating and Minor
Security application information systems under its
Management control support appropriate access control
functionality?
306 Information Are there defined, documented and agreed Minor
Security access rights for all users of PCT
Management information systems and services?
307 P Information Has the PCT established a register of all its Minor
Security major information assets and assigned
Management responsibility or ‘ownership’ for each?
308 P Information Does the PCT ensure that digital Minor
Security information shared with other
Management organisations is secured in transit?
309 Information Does the PCT have adequate procedures Minor
Security in place to ensure the availability of
Management information processing facilities,
communications services and data?
310 Information Does the PCT have procedures in place to Minor
Security prevent information processing being
Management interrupted or disrupted through equipment
failure, environmental hazard or human
error?
311 Information Does the PCT ensure that its information Minor
Security systems are capable of the rapid detection,
Management isolation and removal of malicious code
and unauthorised mobile code?
312 Information Does the PCT have in place appropriate Minor
Security procedures for ensuring that the
Management development and introduction of any new
local information systems, software, IT
projects and, more generally, IT support
activities are conducted in a secure and
structured manner?
313 P Information Does the PCT have appropriate Minor
Security procedures in place to ensure that
Management communication networks under the PCT's
control operate in a secure manner?
314 P Information Does the PCT have appropriate Minor
Security procedures for ensuring that mobile
Management computing and teleworking are conducted
in a secure manner?
322 Information Does the PCT ensure that Registration Minor
Security Authority equipment (hardware and
Management software) and consumables meet current
specifications, are adequately maintained
and securely stored?
401 P Clinical Does the PCT have a strategy to ensure No change
Information the correct NHS Number is recorded for
Assurance each active patient and ensure that it is
used routinely in clinical communications?
403 Clinical Does the PCT have PCT-wide, multi- Minor
Information professional audit of clinical record
Assurance standard, including accuracy, for all
professional groups in all specialities?
405 Clinical Does the PCT have robust procedures and No change
Information processes for monitoring all data collection
Assurance activities across the PCT?
408 Clinical Does the PCT have procedures in place to No change
Information ensure that when new services are
Assurance provided, or where changes within the
system are made, that these do not
adversely impact on information quality?
501 Secondary Use Does the PCT ensure that NHS standard No change
Assurance definitions, values and validation
programmes are incorporated within key
systems and that local documentation is
updated as standards develop?
502 Secondary Use Does the PCT use external data quality No change
Assurance reports for monitoring and improving
quality?
504 Secondary Use Does the PCT have documented No change
Assurance procedures for using both local and
national benchmarking to identify possible
data quality issues and to analyse trends in
information over time to ensure that large
changes are investigated and explained?
509 Secondary Use Does the PCT have (or access) a formal, No change
Assurance targeted training programme for all staff
involved in the collection and management
of patient-related data covering the
operation of key systems?
511 Secondary Use Does the PCT have sufficient governance No change
Assurance processes in place to ensure adherence to
the principles enshrined in the Code of
Conduct for Payment by Results?
512 Secondary Use Has the PCT established working Minor
Assurance arrangements with its main commissioning
partners to develop processes to assure
itself of the validity of the PCT's data?
513 Secondary Use Has the PCT engaged fully with Audit Minor
Assurance Commission’s Payment by Results (PbR)
data assurance framework, in accordance
with the requirements of the Audit
Commission and NHS Connecting for
Health?
601 Corporate Does the PCT have documented and No change
Information implemented procedures for the creation
Assurance and filing of electronic corporate records to
enable efficient retrieval and effective
records management?
602 Corporate Does the PCT have documented and No change
Information implemented procedures for the creation,
Assurance filing and tracking/tracing of paper
corporate records to enable efficient
retrieval and effective records
management?
603 Corporate Does the PCT have publicly available, Minor
Information documented and implemented procedures
Assurance to ensure compliance with the Freedom of
Information Act 2000?
604 Corporate Has the PCT carried out an audit of its Minor
Information corporate records and information as part
Assurance of the records lifecycle management
strategy?
Change to: Change to: Change to: Type of
Requirement Guidance Checklist Change
n/a n/a n/a n/a
Supporting evidence n/a n/a Clarification /
materials made update
incremental. Addition
of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
Supporting evidence Updated to include Aligned to match Update
materials made reference to IAO evidential
incremental SIRO roles, updated requirements for
professional each score level
qualifications.
Additional link to
Risk Management
GPG
Supporting evidence link to Records Aligned to match Update
materials made Management evidential
incremental Advisory Group requirements for
removed. No longer each score level
in existence.
n/a n/a n/a n/a
Supporting evidential Updated guidance n/a Update
requirements made materials
incremental.
Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
n/a n/a n/a n/a
Updated with 5 new Table updated with n/a Update
key requirements. new key req's: 108,
Now 25 key 121, 203, 209, 210
requirements, 401. Removal of
previously only 20 requirement 206
n/a Updated to reflect New checklist Update
move to use of created
electronic RA01 form
Updated to include Updated to include n/a Update
reference to reference to IAO
SIRO/IAO roles and SIRO roles, wording
likely duties amended to clarify
associated. relevance to
Evidential legislation e.g. DPA
requirements made 1998
incremental.
Minor wording Updated to include Additional checklist Update
amendments. link to new Risk items included
Evidential Management GPG
requirements made guidance document
incremental
n/a n/a n/a n/a
Plan tasks given n/a Additional checklist Update
"should" statements. items included
Evidential
requirements made
incremental
n/a n/a n/a n/a
n/a New paragraph New checklist Update
outlining role of IAO created
Wording updated to Reference to n/a Update
include examples of Commitment 3
how staff should be updated
informed about the
code.
n/a Updated references n/a Update
to legislation - e.g.
section 251 NHS Act
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
n/a Updated references n/a Update
to commitments 4
and 6. Wording
amended.
n/a Clarification re: n/a Clarification /
PALS, all trusts update
should have them
now. Correction of
error, Commitment 4
should have read
Commitment 7, also
text updated. KB
references
n/a Commitment 1 n/a Clarification /
updated to include update
reference to
applicable SAR fees.
Updated references
to knowledgebase
materials
n/a Updated text within n/a Update
Commitment 12
reference
n/a Clarification - n/a Update
addition of s251 to
s60 reference and
also research.
Commitments 2 and
3 updated. Link to
Medical Research
Council included
within KB references
n/a Para altered: n/a Clarification
Examples of
methods by which
information flows
n/a New KB links n/a Update
n/a n/a n/a n/a
Updated wording of Updated to include Additional checklist Update
requirement levels reference to SIRO & entries for level 1
IAO reporting attainment
structures, additional
guidance text
included.
Updated wording of Wording updated to n/a Update
requirement levels include reference to
SIRO/IAO roles &
responsibilities
n/a Updated to reflect Additional entries for Update
integration of ESR attainment levels
and SUD into RA
processes.
Updated text within Updated with n/a Update
attainment levels reference to
reflecting duties Information Assets
associated with role and SLSP
of IAO/SIRO and
links to Information
Risk Policy
n/a Knowledge base n/a Update
links updated
n/a Updated with n/a Update
reference to duties
associated with the
role of IAO/SIRO
Updated with Updated with n/a Update
reference to duties reference to
associated with the Information risk
role of IAO/SIRO assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
Updated reference to Minor wording n/a Update
Information Assets changes, links to
and duties new guidance
associated with the materials.
role of IAO/SIRO
Updated to include Updated wording n/a Update
reference to relating to use of 3rd
SIRO/IAO roles and party contractors for
likely duties secure disposal of
associated. media, links to new
Evidential guidance materials.
requirements made
incremental.
Greater controls Updated with n/a Update
described within reference to
attainment level contractors
texts. Duties responsibilities, new
associated with the knowledgebase and
roles of IAO/SIRO reference materials
defined.
Updated to reflect Updated with n/a Clarification /
inclusion of IG reference to IG update
accreditation accreditation
documentation. documentation. New
Improvement plan section of guidance
text amended to included, links to
reflect associated new knowledgebase
duties of role of materials.
IAO/SIRO
n/a Updated reference to n/a Update
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
n/a Updated wording n/a Update
regarding data
backup of mobile
devices, additional
links to new
knowledge base
materials
n/a Rewritten guidance New checklist Update
document outlining created
processes and new
websites
n/a n/a n/a n/a
n/a Updated links and n/a Update
guidance materials
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a Updated KB link n/a Update
n/a Updated KB link n/a Update
n/a Updated KB link n/a Update
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a New links included n/a Update
n/a Inventory changed to n/a Update
audit
Reason for and Details of Change
n/a
To clarify responsibilities; to align
requirement and guidance document
improvement plans
To reflect role of SIRO/IAO; to add
new KB link to Risk Management
GPG
To add information about "key
systems"; to align requirement and
guidance document improvement
plans
n/a
To reflect SIRO/IAO
n/a
To align the requirements of the
IGSoC with the IG Assurance
Framework requirements and the
key requirements referred to in the
NHS Operating Framework
To include electronic system/forms
To reflect SIRO/IAO and clarify the
relevance of the Data Protection Act
to the requirement
To add new KB link to Risk
Management GPG; To bring
evidence requirements into line with
IGT format.
n/a
To bring evidence requirements and
plan tasks into line with IGT format.
n/a
To reflect role of IAO, to add new
links to IG training tool and KB docs
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect revision of CRG. To reflect
new bodies - ECC, NIGB and Care
Quality Commission.
To reflect that all trusts should have
PALS. Correction of error re: CRG
Commitments and revision of CRG.
To reflect new bodies - ECC, NIGB
and Care Quality Commission.
To clarify date for compliance with
SAR. To reflect revision of CRG. To
reflect new bodies - ECC, NIGB and
Care Quality Commission.
To reflect revision of CRG. To reflect
new body - Care Quality
Commission.
To reflect that s251 NHS Act 2006
has replaced s60 reference. To
reflect revision of CRG. To reflect
new body - Care Quality
Commission.
To tidy up text relating to examples
of methods by which information
flows
To update KB links to new Europa
website.
n/a
To reflect role of SIRO/IAO and
other changes in terminology
To reflect role of SIRO/IAO
To reflect changes in RA processes
To reflect role of SIRO/IAO
To update KB links to GPGs
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and
wording changes to digital media
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and to
include contractors
To reflect role of SIRO/IAO
To reflect role of SIRO/IAO and to
clarify ambiguous wording and
To reflect recent changes
To reflect RM and role of SIRO/IAO
and amend ambiguous wording
To reflect RA developments and
changes to websites
n/a
To update KB links to NHSLA and
RCP documents
n/a
n/a
n/a
n/a
n/a
n/a
To update link to Audit Commission
Payment by Results.
To update link to Audit Commission
Payment by Results.
To update link to Audit Commission
Payment by Results.
n/a
n/a
To update link to FOI pages.
To align guidance document with
requirement question - no change to
work required to complete the
requirement.
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Management Does the SHA have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess your SHA's Minor Supporting evidence
ability to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess your SHA's Minor Supporting evidence
ability to access expertise across the materials made
Information Security agenda? incremental
104 IG Management How would you assess your SHA's Minor Supporting evidence
ability to access expertise across the materials made
Information Quality and Records incremental
Management Agenda?
105 IG Management Does the SHA have in place No change n/a
comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Management Does the SHA have up to date and Minor Supporting evidential
tested business continuity plans for all requirements made
critical infrastructure components and incremental.
core information systems? Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Management Does the SHA have a comprehensive No change n/a
Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Management Has the SHA implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does the SHA ensure that staff and Minor n/a
those working on behalf of the SHA
comply with the terms and conditions
set out on the RA01 form?
110 P IG Management Does the SHA ensure that it has Minor Updated to include
formal contractual arrangements that reference to
include compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does the SHA ensure that all Minor Minor wording
individuals carrying out work on behalf amendments.
of the SHA have employment Evidential
contracts which require compliance requirements made
with information governance incremental
standards?
112 IG Management Does the SHA’s induction procedures No change n/a
effectively raise the awareness of
Information Governance?
113 P IG Management Does the SHA assess staff training Minor Plan tasks given
needs and ensure job/role specific "should" statements.
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Management Does the SHA ensure that its No change n/a
registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into SHA
policies and procedures) to discharge
its RA responsibilities?
121 P IG Management Does the SHA have a Board level Minor n/a
Senior Information Risk Owner (SIRO)
who takes ownership of the SHA’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the SHA have a confidentiality Minor Wording updated to
and Data code of conduct that provides staff include examples of
Protection with clear guidance on the disclosure how staff should be
of patient personal information? informed about the
code.
208 P Confidentiality Has the SHA put in place safe-haven Minor n/a
and Data procedures for all routine flows of
Protection patient personal information to the
organisation?
209 P Confidentiality Does the SHA comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
301 P Information Does the SHA have a formal Minor Updated wording of
Security information security risk assessment requirement levels
Management and management programme that is
implemented and regularly reviewed?
302 P Information Does the SHA have documented and Minor Updated wording of
Security accessible information security event requirement levels
Management reporting, investigation and resolution
procedures in place that are explained
to all staff?
303 P Information Has the SHA established business Minor n/a
Security processes that ensure all staff
Management smartcards and access profiles issued
are appropriate and satisfy their
obligations as RAs?
305 P Information Does the SHA ensure that operating Minor Updated text within
Security and application information systems attainment levels
Management under its control support appropriate reflecting duties
access control functionality? associated with role
of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a
Security agreed access rights for all users of
Management SHA information systems and
services?
307 P Information Has the SHA established a register of Minor n/a
Security all its major information assets and
Management assigned responsibility or ‘ownership’
for each?
308 P Information Does the SHA ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
309 Information Does the SHA have adequate Minor Updated reference to
Security procedures in place to ensure the Information Assets
Management availability of information processing and duties
facilities, communications services and associated with the
data? role of IAO/SIRO
310 Information Does the SHA have procedures in Minor Updated to include
Security place to prevent information reference to
Management processing being interrupted or SIRO/IAO roles and
disrupted through equipment failure, likely duties
environmental hazard or human error? associated.
Evidential
requirements made
incremental.
311 Information Does the SHA ensure that its Minor Greater controls
Security information systems are capable of the described within
Management rapid detection, isolation and removal attainment level
of malicious code and unauthorised texts. Duties
mobile code? associated with the
roles of IAO/SIRO
defined.
312 Information Does the SHA have in place Minor Updated to reflect
Security appropriate procedures for ensuring inclusion of IG
Management that the development and introduction accreditation
of any new local information systems, documentation.
software, IT projects and, more Improvement plan
generally, IT support activities are text amended to
conducted in a secure and structured reflect associated
manner? duties of role of
IAO/SIRO
313 P Information Does the SHA have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under the
SHA's control operate in a secure
manner?
314 P Information Does the SHA have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
322 Information Does the SHA ensure that Registration Minor n/a
Security Authority equipment (hardware and
Management software) and consumables meet
current specifications, are adequately
maintained and securely stored?
601 Corporate Does the SHA have documented and No change n/a
Information implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does the SHA have documented and No change n/a
Information implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does the SHA have publicly available, Minor n/a
Information documented and implemented
Assurance procedures to ensure compliance with
the Freedom of Information Act 2000?
604 Corporate Has the SHA carried out an audit of its Minor n/a
Information corporate records and information as
Assurance part of the records lifecycle
management strategy?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification / To clarify responsibilities; to align
update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
Link to Records Aligned to match Update To add information about "key
Management evidential systems"; to align requirement and
Advisory Group requirements for guidance document improvement
removed. No longer each score level plans
in existence.
n/a n/a n/a n/a
Updated guidance n/a Update To reflect SIRO/IAO
materials
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a n/a n/a n/a
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
Updated to include Additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Knowledge base n/a Update To update KB links to GPGs
links updated
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
Minor wording n/a Update To reflect role of SIRO/IAO
changes, links to
new guidance
materials.
Updated wording n/a Update To reflect role of SIRO/IAO and to
relating to use of 3rd include contractors
party contractors for
secure disposal of
media, links to new
guidance materials.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
contractors
responsibilities, new
knowledgebase and
reference materials
Updated with n/a Clarification / To reflect role of SIRO/IAO and to
reference to IG update clarify ambiguous wording and
accreditation
documentation. New
section of guidance
included, links to
new knowledgebase
materials.
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
n/a n/a n/a n/a
n/a n/a n/a n/a
New links included n/a Update To update link to FOI pages.
Inventory changed to n/a Update To align guidance document with
audit requirement question - no change to
work required to complete the
requirement.
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Management Does the NHSBSA have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess the NHSBSA's Minor Supporting evidence
ability to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess the NHSBSA's Minor Supporting evidence
ability to access expertise across the materials made
Information Security agenda? incremental
104 IG Management How would you assess the NHSBSA's Minor Supporting evidence
ability to access expertise across the materials made
Information Quality and Records incremental
Management Agenda?
105 IG Management Does the NHSBSA have in place No change n/a
comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Management Does the NHSBSA have up to date Minor Supporting evidential
and tested business continuity plans requirements made
for all critical infrastructure incremental.
components and core information Updated to include
systems? reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Management Does the NHSBSA have a No change n/a
comprehensive Board endorsed
Information Lifecycle Management
Policy/Strategy and implementation
plan?
108 P IG Management Has the NHSBSA implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does the NHSBSA ensure that staff Minor n/a
and those working on behalf of the
NHSBSA comply with the terms and
conditions set out on the RA01 form?
110 P IG Management Does the NHSBSA ensure that it has Minor Updated to include
formal contractual arrangements that reference to
include compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does the NHSBSA ensure that all Minor Minor wording
individuals carrying out work on behalf amendments.
of the NHSBSA have employment Evidential
contracts which require compliance requirements made
with information governance incremental
standards?
112 IG Management Does the NHSBSA’s induction No change n/a
procedures effectively raise the
awareness of Information Governance?
113 P IG Management Does the NHSBSA assess staff Minor Plan tasks given
training needs and ensure job/role "should" statements.
specific information governance Evidential
training is provided to all staff? requirements made
incremental
120 IG Management Does the NHSBSA ensure that its No change n/a
registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into
NHSBSA policies and procedures) to
discharge its RA responsibilities?
121 P IG Management Does the NHSBSA have a Board level Minor n/a
Senior Information Risk Owner (SIRO)
who takes ownership of the NHSBSA’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the NHSBSA have a Minor Wording updated to
and Data confidentiality code of conduct that include examples of
Protection provides staff with clear guidance on how staff should be
the disclosure of patient personal informed about the
information? code.
202 P Confidentiality Does the NHSBSA ensure that patients are Minor n/a
and Data generally asked before their personal
Protection information is used in ways that do not
directly contribute to, or support the
delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does the NHSBSA ensure that Minor n/a
and Data patients are informed about the
Protection proposed uses of their personal
information and the importance of
providing accurate information to NHS
staff?
204 Confidentiality Does the NHSBSA have effective Minor n/a
and Data procedures for ensuring that detailed
Protection questions, raised by patients about
how their information may be used,
can be answered?
206 Confidentiality Has the NHSBSA established Minor n/a
and Data appropriate confidentiality audit
Protection procedures to monitor access to
confidential patient information?
207 Confidentiality Has the NHSBSA agreed protocols Minor n/a
and Data governing the sharing of patient-
Protection identifiable information with other
organisations where this is required?
208 P Confidentiality Has the NHSBSA put in place safe- Minor n/a
and Data haven procedures for all routine flows
Protection of patient personal information to the
organisation?
209 P Confidentiality Does the NHSBSA comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does the NHSBSA ensure that all new No change n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does the NHSBSA have a formal Minor Updated wording of
Security information security risk assessment requirement levels
Management and management programme that is
implemented and regularly reviewed?
302 P Information Does the NHSBSA have documented Minor Updated wording of
Security and accessible information security requirement levels
Management event reporting, investigation and
resolution procedures in place that are
explained to all staff?
303 P Information Has the NHSBSA established Minor n/a
Security business processes that ensure all
Management staff smartcards and access profiles
issued are appropriate and satisfy their
obligations as RAs?
305 P Information Does the NHSBSA ensure that Minor Updated text within
Security operating and application information attainment levels
Management systems under its control support reflecting duties
appropriate access control associated with role
functionality? of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a
Security agreed access rights for all users of
Management NHSBSA information systems and
services?
307 P Information Has the NHSBSA established a Minor n/a
Security register of all its major information
Management assets and assigned responsibility or
‘ownership’ for each?
308 P Information Does the NHSBSA ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
309 Information Does the NHSBSA have adequate Minor Updated reference to
Security procedures in place to ensure the Information Assets
Management availability of information processing and duties
facilities, communications services and associated with the
data? role of IAO/SIRO
310 Information Does the NHSBSA have procedures in Minor Updated to include
Security place to prevent information reference to
Management processing being interrupted or SIRO/IAO roles and
disrupted through equipment failure, likely duties
environmental hazard or human error? associated.
Evidential
requirements made
incremental.
311 Information Does the NHSBSA ensure that its Minor Greater controls
Security information systems are capable of the described within
Management rapid detection, isolation and removal attainment level
of malicious code and unauthorised texts. Duties
mobile code? associated with the
roles of IAO/SIRO
defined.
312 Information Does the NHSBSA have in place Minor Updated to reflect
Security appropriate procedures for ensuring inclusion of IG
Management that the development and introduction accreditation
of any new local information systems, documentation.
software, IT projects and, more Improvement plan
generally, IT support activities are text amended to
conducted in a secure and structured reflect associated
manner? duties of role of
IAO/SIRO
313 P Information Does the NHSBSA have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under the
NHSBSA's control operate in a secure
manner?
314 P Information Does the NHSBSA have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
317 Information Does the NHSBSA prevent No change n/a
Security unauthorised access to its premises,
Management equipment, records and other assets?
322 Information Does the NHSBSA ensure that Minor n/a
Security Registration Authority equipment
Management (hardware and software) and
consumables meet current
specifications, are adequately
maintained and securely stored?
402 Clinical Does the NHSBSA have documented Minor n/a
Information and implemented procedures for the
Assurance identification and resolution of
duplicate or confused patient records
(i.e. where two or more patients share
a record)?
405 Clinical Does the NHSBSA have robust No change n/a
Information procedures and processes for
Assurance monitoring all data collection activities
across the NHSBSA?
408 Clinical Does the NHSBSA have procedures in No change n/a
Information place to ensure that when new
Assurance services are provided, or where
changes within the system are made,
that these do not adversely impact on
information quality?
501 Secondary Does the NHSBSA ensure that NHS No change n/a
Use Assurance standard definitions, values and
validation programmes are
incorporated within key systems and
that local documentation is updated as
standards develop?
502 Secondary Does the NHSBSA use external data No change n/a
Use Assurance quality reports for monitoring and
improving quality?
505 Secondary Does the NHSBSA have in place a Minor Minor wording
Use Assurance robust programme of internal and amendments.
external data quality/clinical coding
audit in line with the requirements of
the Audit Commission and NHS
Connecting for Health?
509 Secondary Does the NHSBSA have (or access) a No change n/a
Use Assurance formal, targeted training programme
for all staff involved in the collection
and management of patient-related
data covering the operation of key
systems?
601 Corporate Does the NHSBSA have documented No change n/a
Information and implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does the NHSBSA have documented No change n/a
Information and implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does the NHSBSA have publicly Minor n/a
Information available, documented and
Assurance implemented procedures to ensure
compliance with the Freedom of
Information Act 2000?
604 Corporate Has the NHSBSA carried out an audit Minor n/a
Information of its corporate records and
Assurance information as part of the records
lifecycle management strategy?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification / To clarify responsibilities; to align
update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
link to Records Aligned to match Update To add information about "key
Management evidential systems"; to align requirement and
Advisory Group requirements for guidance document improvement
removed. No longer each score level plans
in existence.
n/a n/a n/a n/a
Updated guidance n/a Update To reflect SIRO/IAO
materials
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a n/a n/a n/a
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Updated references n/a Update To reflect revision of CRG. To reflect
to legislation - e.g. new bodies - ECC, NIGB and Care
section 251 NHS Act Quality Commission.
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
Updated references n/a Update To reflect revision of CRG. To reflect
to commitments 4 new bodies - ECC, NIGB and Care
and 6. Wording Quality Commission.
amended.
Clarification re: n/a Clarification / To reflect that all trusts should have
PALS, all trusts update PALS. Correction of error re: CRG
should have them Commitments and revision of CRG.
now. Correction of To reflect new bodies - ECC, NIGB
error, Commitment 4 and Care Quality Commission.
should have read
Commitment 7, also
text updated. KB
references
Updated text within n/a Update To reflect revision of CRG. To reflect
Commitment 12 new body - Care Quality
reference Commission.
Clarification - n/a Update To reflect that s251 NHS Act 2006
addition of s251 to has replaced s60 reference. To
s60 reference and reflect revision of CRG. To reflect
also research. new body - Care Quality
Commitments 2 and Commission.
3 updated. Link to
Medical Research
Council included
within KB references
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
n/a n/a n/a n/a
Updated to include additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Knowledge base n/a Update To update KB links to GPGs
links updated
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
minor wording n/a Update To reflect role of SIRO/IAO
changes, links to
new guidance
materials.
Updated wording n/a Update To reflect role of SIRO/IAO and to
relating to use of 3rd include contractors
party contractors for
secure disposal of
media, links to new
guidance materials.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
contractors
responsibilities, new
knowledgebase and
reference materials
Updated with n/a Clarification / To reflect role of SIRO/IAO and to
reference to IG update clarify ambiguous wording and
accreditation
documentation. New
section of guidance
included, links to
new knowledgebase
materials.
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
n/a n/a n/a n/a
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
minor wording n/a Update To update KB links to IQAP
amendment documents
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
Updated with ref to Additional text within Update To incorporate change in legislation.
section 251 NHS Act level 1 items To update link to Audit Commission
2006 payment by results.
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
New links included n/a Update To update link to FOI pages.
Inventory changed to n/a Update To align guidance document with
audit requirement question - no change to
work required to complete the
requirement.
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Management Does NHSD have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess NHSD's ability Minor Supporting evidence
to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess NHSD's ability Minor Supporting evidence
to access expertise across the materials made
Information Security agenda? incremental
104 IG Management How would you assess NHSD's ability Minor Supporting evidence
to access expertise across the materials made
Information Quality and Records incremental
Management Agenda?
105 IG Management Does NHSD have in place No change n/a
comprehensive IG Policy and
associated Strategy and Improvement
Plans all signed off by the Board?
106 IG Management Does NHSD have up to date and Minor Supporting evidential
tested business continuity plans for all requirements made
critical infrastructure components and incremental.
core information systems? Updated to include
reference to IAO and
SIRO roles.
Attainment levels
strengthened.
107 P IG Management Does NHSD have a comprehensive No change n/a
Board endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Management Has NHSD implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does NHSD ensure that staff and Minor n/a
those working on behalf of NHSD
comply with the terms and conditions
set out on the RA01 form?
110 P IG Management Does NHSD ensure that it has formal Minor Updated to include
contractual arrangements that include reference to
compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does NHSD ensure that all individuals Minor Minor wording
carrying out work on behalf of NHSD amendments.
have employment contracts which Evidential
require compliance with information requirements made
governance standards? incremental
112 IG Management Do NHSD’s induction procedures No change n/a
effectively raise the awareness of
Information Governance?
113 P IG Management Does NHSD assess staff training Minor Minor wording
needs and ensure job/role specific amendments.
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Management Does NHSD ensure that its registration No change n/a
authority (RA) managers, agents and
sponsors have sufficient knowledge
and skills (including latest software,
operational process guidance and its
integration into NHSD policies and
procedures) to discharge its RA
responsibilities?
121 P IG Management Does NHSD have a Board level Senior Minor n/a
Information Risk Owner (SIRO) who
takes ownership of NHSD’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does NHSD have a confidentiality Minor Wording updated to
and Data code of conduct that provides staff include examples of
Protection with clear guidance on the disclosure how staff should be
of patient personal information? informed about the
code.
202 P Confidentiality Does NHSD ensure that patients are Minor n/a
and Data generally asked before their personal
Protection information is used in ways that do not
directly contribute to, or support the
delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does NHSD ensure that patients are Minor n/a
and Data informed about the proposed uses of
Protection their personal information and the
importance of providing accurate
information to NHS staff?
204 Confidentiality Does NHSD have effective procedures Minor n/a
and Data for ensuring that detailed questions,
Protection raised by patients about how their
information may be used, can be
answered?
205 Confidentiality Does NHSD have appropriate Minor n/a
and Data procedures for recognising and
Protection responding to patient requests for
access to their health records?
206 Confidentiality Has NHSD established appropriate Minor n/a
and Data confidentiality audit procedures to
Protection monitor access to confidential patient
information?
207 Confidentiality Has NHSD agreed protocols Minor n/a
and Data governing the sharing of patient-
Protection identifiable information with other
organisations where this is required?
208 P Confidentiality Has NHSD put in place safe-haven Minor n/a
and Data procedures for all routine flows of
Protection patient personal information to the
organisation?
209 P Confidentiality Does NHSD comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does NHSD ensure that all new No change n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does NHSD have a formal information Minor Updated wording of
Security security risk assessment and requirement levels
Management management programme that is
implemented and regularly reviewed?
302 P Information Does NHSD have documented and Minor Updated wording of
Security accessible information security event requirement levels
Management reporting, investigation and resolution
procedures in place that are explained
to all staff?
303 P Information Has NHSD established business Minor n/a
Security processes that ensure all staff
Management smartcards and access profiles issued
are appropriate and satisfy their
obligations as RAs?
305 P Information Does NHSD ensure that operating and Minor Updated text within
Security application information systems under attainment levels
Management its control support appropriate access reflecting duties
control functionality? associated with role
of IAO/SIRO and
links to Information
Risk Policy
306 Information Are there defined, documented and Minor n/a
Security agreed access rights for all users of
Management NHSD information systems and
services?
307 P Information Has NHSD established a register of all Minor n/a
Security its major information assets and
Management assigned responsibility or ‘ownership’
for each?
308 P Information Does NHSD ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
309 Information Does NHSD have adequate Minor Updated reference to
Security procedures in place to ensure the Information Assets
Management availability of information processing and duties
facilities, communications services and associated with the
data? role of IAO/SIRO
310 Information Does NHSD have procedures in place Minor Updated to include
Security to prevent information processing reference to
Management being interrupted or disrupted through SIRO/IAO roles and
equipment failure, environmental likely duties
hazard or human error? associated.
Evidential
requirements made
incremental.
311 Information Does NHSD ensure that its information Minor Greater controls
Security systems are capable of the rapid described within
Management detection, isolation and removal of attainment level
malicious code and unauthorised texts. Duties
mobile code? associated with the
roles of IAO/SIRO
defined.
312 Information Does NHSD have in place appropriate Minor Updated to reflect
Security procedures for ensuring that the inclusion of IG
Management development and introduction of any accreditation
new local information systems, documentation.
software, IT projects and, more Improvement plan
generally, IT support activities are text amended to
conducted in a secure and structured reflect associated
manner? duties of role of
IAO/SIRO
313 P Information Does NHSD have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under
NHSD's control operate in a secure
manner?
314 P Information Does NHSD have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
322 Information Does NHSD ensure that Registration Minor n/a
Security Authority equipment (hardware and
Management software) and consumables meet
current specifications, are adequately
maintained and securely stored?
401 P Clinical Does NHSD have a strategy to ensure No change n/a
Information the correct NHS Number is recorded
Assurance for each active patient and ensure that
it is used routinely in clinical
communications?
402 Clinical Does NHSD have documented and Minor n/a
Information implemented procedures for the
Assurance identification and resolution of
duplicate or confused patient records
(i.e. where two or more patients share
a record)?
403 Clinical Does NHSD have NHSD-wide, multi- Minor n/a
Information professional audit of clinical record
Assurance standard, including accuracy, for all
professional groups in all specialities?
404 Clinical Does NHSD have paper health Minor n/a
Information records of a standard design within
Assurance NHSD, combined with a locally agreed
standard format for filing within the
health record?
405 Clinical Does NHSD have robust procedures No change n/a
Information and processes for monitoring all data
Assurance collection activities across NHSD?
408 Clinical Does NHSD have procedures in place No change n/a
Information to ensure that when new services are
Assurance provided, or where changes within the
system are made, that these do not
adversely impact on information
quality?
501 Secondary Does NHSD ensure that NHS No change n/a
Use Assurance standard definitions, values and
validation programmes are
incorporated within key systems and
that local documentation is updated as
standards develop?
502 Secondary Does NHSD use external data quality No change n/a
Use Assurance reports for monitoring and improving
quality?
509 Secondary Does NHSD have (or access) a No change n/a
Use Assurance formal, targeted training programme
for all staff involved in the collection
and management of patient-related
data covering the operation of key
systems?
601 Corporate Does NHSD have documented and No change n/a
Information implemented procedures for the
Assurance creation and filing of electronic
corporate records to enable efficient
retrieval and effective records
management?
602 Corporate Does NHSD have documented and No change n/a
Information implemented procedures for the
Assurance creation, filing and tracking/tracing of
paper corporate records to enable
efficient retrieval and effective records
management?
603 Corporate Does NHSD have publicly available, Minor n/a
Information documented and implemented
Assurance procedures to ensure compliance with
the Freedom of Information Act 2000?
604 Corporate Has NHSD carried out an audit of its Minor n/a
Information corporate records and information as
Assurance part of the records lifecycle
management strategy?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification To clarify responsibilities; to align
/ update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
link to Records Aligned to match Update To add information about "key
Management evidential systems"; to align requirement and
Advisory Group requirements for guidance document improvement
removed. No longer each score level plans
in existence.
n/a n/a n/a n/a
Updated guidance n/a Update To reflect SIRO/IAO
materials
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a n/a n/a n/a
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Updated references n/a Update To reflect revision of CRG. To reflect
to legislation - e.g. new bodies - ECC, NIGB and Care
section 251 NHS Act Quality Commission.
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
Updated references n/a Update To reflect revision of CRG. To reflect
to commitments 4 new bodies - ECC, NIGB and Care
and 6. Wording Quality Commission.
amended.
Clarification re: n/a Clarification To reflect that all trusts should have
PALS, all trusts / update PALS. Correction of error re: CRG
should have them Commitments and revision of CRG.
now. Correction of To reflect new bodies - ECC, NIGB
error, Commitment 4 and Care Quality Commission.
should have read
Commitment 7, also
text updated. KB
references
Commitment 1 n/a Clarification To clarify date for compliance with
updated to include / update SAR. To reflect revision of CRG. To
reference to reflect new bodies - ECC, NIGB and
applicable SAR fees. Care Quality Commission.
Updated references
to knowledgebase
materials
Updated text within n/a Update To reflect revision of CRG. To reflect
Commitment 12 new body - Care Quality
reference Commission.
Clarification - n/a Update To reflect that s251 NHS Act 2006
addition of s251 to has replaced s60 reference. To
s60 reference and reflect revision of CRG. To reflect
also research. new body - Care Quality
Commitments 2 and Commission.
3 updated. Link to
Medical Research
Council included
within KB references
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
n/a n/a n/a n/a
Updated to include additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Knowledge base n/a Update To update KB links to GPGs
links updated
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
minor wording n/a Update To reflect role of SIRO/IAO
changes, links to
new guidance
materials.
Updated wording n/a Update To reflect role of SIRO/IAO and to
relating to use of 3rd include contractors
party contractors for
secure disposal of
media, links to new
guidance materials.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
contractors
responsibilities, new
knowledgebase and
reference materials
Updated with n/a Clarification To reflect role of SIRO/IAO and to
reference to IG / update clarify ambiguous wording and
accreditation
documentation. New
section of guidance
included, links to
new knowledgebase
materials.
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
n/a n/a n/a n/a
minor wording n/a Update To update KB links to IQAP
amendment documents
Updated links and n/a Update To update KB links to NHSLA and
guidance materials RCP documents
Updated links and n/a Update To update KB links to NHSLA and
guidance materials RCP documents
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a n/a
n/a n/a n/a
n/a n/a n/a
New links included n/a Update To update link to FOI pages.
Inventory changed to n/a Update To align guidance document with
audit requirement question - no change to
work required to complete the
requirement.
IGT Req SoC Initiative Description Impact of Change to:
Change Requirement
114 P IG Management Has the Practice assigned responsibility for Minor n/a
Information Governance to an appropriate
member, or members, of the practice team?
115 IG Management Does the Practice have an Information No change n/a
Governance policy that addresses the
overall requirements of information quality,
security and confidentiality?
116 P IG Management Do all contracts (staff, contractor and third Minor n/a
party) contain clauses that clearly identify
responsibilities for confidentiality, data
protection and security?
117 P IG Management Does the Practice ensure that staff Minor n/a
members are provided with awareness and
training across the Information Governance
agenda?
118 P IG Management Has the Practice implemented its IG No change n/a
management arrangements to ensure that
NHS CFH Statement of Compliance (SoC)
is satisfied?
119 P IG Management Does the Practice ensure that staff and No change n/a
those working on behalf of the organisation
comply with the terms and conditions set
out on the RA01 form?
211 P Confidentiality Does the Practice ensure that all Minor n/a
and Data correspondences, faxes, e-mail, telephone
Protection messages, transfer of patient records and
other communications are conducted in a
secure and confidential manner?
212 P Confidentiality Does the Practice ensure that patients are No change n/a
and Data generally asked before their personal
Protection information is used in ways that do not directly
contribute to, or support the delivery of, their
care and that patients' decisions to restrict the
disclosure of their personal information are
appropriately respected?
213 Confidentiality Does the Practice have a publicly available No change n/a
and Data and easy to understand patient information
Protection leaflet that informs patients how their
information is used, who may have access
to that information, and their own right to
see and obtain copies of their records?
316 Information Does the Practice have an information Minor Attainment
Security asset register, encompassing information, levels amended
Management software, hardware and services?
317 P Information Does the Practice prevent unauthorised Minor n/a
Security access to the Practice premises,
Management equipment, records and other assets?
318 Information Does the Practice control, monitor and Minor n/a
Security audit the use of mobile computing systems
Management to ensure their correct operation and to
prevent unauthorised access?
319 Information Does the Practice have documented plans Minor n/a
Security and procedures to support business
Management continuity in the event of power failures,
system failures, natural disasters and other
disruptions?
320 P Information Does the Practice have documented Minor n/a
Security incident management and reporting
Management procedures?
Change to: Change to: Type of Change Reason for and
Guidance Checklist Details of
Change
Updated to n/a Update To update to
include include role of
reference to SIRO and RM
SIRO roles GPG
n/a n/a n/a n/a
Text added n/a Update To include new
about IG clause NHS employers
IG clause
Reference to n/a Update To add text about
IGTT added IGTT and delete
and removal of of old training
other training material
links to
archives to
avoid confusion n/a
n/a n/a n/a
n/a n/a n/a n/a
Information on n/a Update To add current
encryption and info on encryption
new KB links and links to
relevant GPGs
n/a n/a n/a n/a
n/a n/a n/a n/a
Attainment n/a Update To reflect
levels amended material in risk
management
GPG as a result
of data handling
review
RM GPG n/a Update To incorporate
included recommendations
of the data
handling review
To include info n/a Update To incorporate
on encryption, recommendations
SUI reporting of the data
guidance and handling review
NHSmail AUP
To include RM n/a Update To incorporate
GPG ISO recommendations
standards of the data
handling review
To include RM n/a Update To incorporate
GPG, ISO recommendations
standards and of the data
SUIs handling review
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Management Does the NHSBP have adequate No change n/a
governance in place to support the
current and evolving Information
Governance agenda?
102 P IG Management How would you assess your NHSBP's Minor Supporting evidence
ability to access expertise across the materials made
Confidentiality & Data Protection incremental. Addition
Assurance agenda? of Job Descriptions
for Conf & Data
Protection
operational lead as
evidence
103 P IG Management How would you assess your NHSBP's Minor Supporting evidence
ability to access expertise across the materials made
Information Security agenda? incremental
107 P IG Management Does the NHSBP have a No change n/a
comprehensive Board endorsed
Information Lifecycle Management
Policy/Strategy and implementation
plan?
108 P IG Management Has the NHSBP implemented its Major Updated with 5 new
Information Governance management key requirements.
arrangements to ensure the NHS CFH Now 25 key
Statement of Compliance (SoC) is requirements,
satisfied? previously only 20
109 P IG Management Does the NHSBP ensure that staff and Minor n/a
those working on behalf of the NHSBP
comply with the terms and conditions
set out on the RA01 form?
110 P IG Management Does the NHSBP ensure that it has Minor Updated to include
formal contractual arrangements that reference to
include compliance with information SIRO/IAO roles and
governance requirements, with all likely duties
contractors and support organisations? associated.
Evidential
requirements made
incremental.
111 P IG Management Does the NHSBP ensure that all Minor Minor wording
individuals carrying out work on behalf amendments.
of the NHSBP have employment Evidential
contracts which require compliance requirements made
with information governance incremental
standards?
113 P IG Management Does the NHSBP assess staff training Minor Plan tasks given
needs and ensure job/role specific "should" statements.
information governance training is Evidential
provided to all staff? requirements made
incremental
120 IG Management Does the NHSBP ensure that its No change n/a
registration authority (RA) managers,
agents and sponsors have sufficient
knowledge and skills (including latest
software, operational process
guidance and its integration into
NHSBP policies and procedures) to
discharge its RA responsibilities?
121 P IG Management Does the NHSBP have a Board level Minor n/a
Senior Information Risk Owner (SIRO)
who takes ownership of the NHSBP’s
information risk policy, acts as
advocate for information risk on the
board and provides written advice to
the accounting officer on the content of
their Statement of Internal Control in
regard to information risk?
201 P Confidentiality Does the NHSBP have a confidentiality Minor Wording updated to
and Data code of conduct that provides staff with include examples of
Protection clear guidance on the disclosure of how staff should be
patient personal information? informed about the
code.
202 P Confidentiality Does the NHSBP ensure that patients are Minor n/a
and Data generally asked before their personal
Protection information is used in ways that do not
directly contribute to, or support the
delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does the NHSBP ensure that patients Minor n/a
and Data are informed about the proposed uses
Protection of their personal information and the
importance of providing accurate
information to NHS staff?
208 P Confidentiality Has the NHSBP put in place safe- Minor n/a
and Data haven procedures for all routine flows
Protection of patient personal information to the
organisation?
209 P Confidentiality Does the NHSBP comply with data Minor n/a
and Data protection requirements in respect of
Protection transfers of personal data about
patients or staff to countries outside of
the EEA?
210 P Confidentiality Does the NHSBP ensure that all new No change n/a
and Data processes, software and hardware,
Protection comply with confidentiality and data
protection requirements?
301 P Information Does the NHSBP have a formal Minor Updated wording of
Security information security risk assessment requirement levels
Management and management programme that is
implemented and regularly reviewed?
302 P Information Does the NHSBP have documented Minor Updated wording of
Security and accessible information security requirement levels
Management event reporting, investigation and
resolution procedures in place that are
explained to all staff?
303 P Information Has the NHSBP established business Minor n/a
Security processes that ensure all staff
Management smartcards and access profiles issued
are appropriate and satisfy their
obligations as RAs?
305 P Information Does the NHSBP ensure that Minor Updated text within
Security operating and application information attainment levels
Management systems under its control support reflecting duties
appropriate access control associated with role
functionality? of IAO/SIRO and
links to Information
Risk Policy
307 P Information Has the NHSBP established a register Minor n/a
Security of all its major information assets and
Management assigned responsibility or ‘ownership’
for each?
308 P Information Does the NHSBP ensure that digital Minor Updated with
Security information shared with other reference to duties
Management organisations is secured in transit? associated with the
role of IAO/SIRO
313 P Information Does the NHSBP have appropriate Minor n/a
Security procedures in place to ensure that
Management communication networks under the
NHSBP's control operate in a secure
manner?
314 P Information Does the NHSBP have appropriate Minor n/a
Security procedures for ensuring that mobile
Management computing and teleworking are
conducted in a secure manner?
322 Information Does the NHSBP ensure that Minor n/a
Security Registration Authority equipment
Management (hardware and software) and
consumables meet current
specifications, is adequately
maintained and securely stored
401 P Clinical Does the NHSBP have a strategy to No change n/a
Information ensure the correct NHS Number is
Assurance recorded for each active patient and
ensure that it is used routinely in
clinical communications?
Change to: Change to: Type of Reason for and Details of Change
Guidance Checklist Change
n/a n/a n/a n/a
n/a n/a Clarification / To clarify responsibilities; to align
update requirement and guidance document
improvement plans
Updated to include Aligned to match Update To reflect role of SIRO/IAO; to add
reference to IAO evidential new KB link to Risk Management
SIRO roles, updated requirements for GPG
professional each score level
qualifications.
Additional link to
Risk Management
GPG
n/a n/a n/a n/a
Table updated with n/a Update To align the requirements of the
new key req's: 108, IGSoC with the IG Assurance
121, 203, 209, 210 Framework requirements and the
401. Removal of key requirements referred to in the
requirement 206 NHS Operating Framework
Updated to reflect New checklist Update To include electronic system/forms
move to use of created
electronic RA01 form
Updated to include n/a Update To reflect SIRO/IAO and clarify the
reference to IAO relevance of the Data Protection Act
SIRO roles, wording to the requirement
amended to clarify
relevance to
legislation e.g. DPA
1998
Updated to include Additional checklist Update To add new KB link to Risk
link to new Risk items included Management GPG; To bring
Management GPG evidence requirements into line with
guidance document IGT format.
n/a Additional checklist Update To bring evidence requirements and
items included plan tasks into line with IGT format.
n/a n/a n/a n/a
New paragraph New checklist Update To reflect role of IAO, to add new
outlining role of IAO created links to IG training tool and KB docs
Reference to n/a Update To reflect revision of CRG. To reflect
Commitment 3 new bodies - ECC, NIGB and Care
updated Quality Commission.
Updated references n/a Update To reflect revision of CRG. To reflect
to legislation - e.g. new bodies - ECC, NIGB and Care
section 251 NHS Act Quality Commission.
2006. References to
commitments 4 and
6 updated. Updated
guidance and
reference materials.
Updated references n/a Update To reflect revision of CRG. To reflect
to commitments 4 new bodies - ECC, NIGB and Care
and 6. Wording Quality Commission.
amended.
Para altered: n/a Clarification To tidy up text relating to examples
Examples of of methods by which information
methods by which flows
information flows
New KB links n/a Update To update KB links to new Europa
website.
n/a n/a n/a n/a
Updated to include additional checklist Update To reflect role of SIRO/IAO and
reference to SIRO & entries for level 1 other changes in terminology
IAO reporting attainment
structures, additional
guidance text
included.
Wording updated to n/a Update To reflect role of SIRO/IAO
include reference to
SIRO/IAO roles &
responsibilities
Updated to reflect Additional entries for Update To reflect changes in RA processes
integration of ESR attainment levels
and SUD into RA
processes.
Updated with n/a Update To reflect role of SIRO/IAO
reference to
Information Assets
and SLSP
Updated with n/a Update To reflect role of SIRO/IAO
reference to duties
associated with the
role of IAO/SIRO
Updated with n/a Update To reflect role of SIRO/IAO and
reference to wording changes to digital media
Information risk
assessments, and
portable and
electronic storage
media use, updated
knowledgebase and
reference materials
Updated reference to n/a Update To reflect recent changes
security
requirements within
contracts and
network services
agreements. Links to
new knowledgebase
materials
Updated wording n/a Update To reflect RM and role of SIRO/IAO
regarding data and amend ambiguous wording
backup of mobile
devices, additional
links to new
knowledge base
materials
Rewritten guidance New checklist Update To reflect RA developments and
document outlining created changes to websites
processes and new
websites
n/a n/a n/a n/a
IGT SoC Initiative Description Impact of Change to:
Req Change Requirement
101 P IG Does the social care organisation No change n/a
Management have adequate governance in place to
support the current and evolving
Information Governance agenda?
102 P IG How would you assess your social Minor Supporting evidence
Management care organisation's ability to access materials made
expertise across the Confidentiality & incremental.
Data Protection Assurance agenda? Addition of Job
Descriptions for
Conf & Data
Protection
operational lead as
evidence
103 P IG How would you assess your social Minor Supporting evidence
Management care organisation's ability to access materials made
expertise across the Information incremental
Security agenda?
104 IG How would you assess your social Minor n/a
Management care organisation's ability to access
expertise across the Information
Quality and Records Management
Agenda?
105 IG Does the social care organisation No change n/a
Management have in place comprehensive IG
Policy and associated Strategy and
Improvement Plans all signed off by
the Board?
106 IG Does the social care organisation Minor n/a
Management have up to date and tested business
continuity plans for all critical
infrastructure components and core
information systems?
107 P IG Does the social care organisation No change n/a
Management have a comprehensive Board
endorsed Information Lifecycle
Management Policy/Strategy and
implementation plan?
108 P IG Has the social care organisation Major Updated as now 22
Management implemented its Information key requirements,
Governance management previously only 17
arrangements to ensure the NHS CFH
Statement of Compliance (SoC) is
satisfied?
110 P IG Does the social care organisation Minor n/a
Management ensure that it has formal contractual
arrangements that include compliance
with information governance
requirements, with all contractors and
support organisations?
111 P IG Does the social care organisation Minor n/a
Management ensure that all individuals carrying out
work on behalf of the organisation
have employment contracts which
require compliance with information
governance standards?
112 IG Does the social care organisation’s Minor n/a
Management induction procedures effectively raise
the awareness of Information
Governance?
113 P IG Does the social care organisation Minor Improvement plans
Management assess staff training needs and ensure given "should"
job/role specific information statements.
governance training is provided to all
staff?
201 P Confidentiality Does the social care organisation Minor Wording updated to
and Data have a confidentiality code of conduct include examples of
Protection that provides staff with clear guidance how staff should be
on the disclosure of patient personal informed about the
information? code.
202 P Confidentiality Does the social care organisation ensure Minor n/a
and Data that patients are generally asked before
Protection their personal information is used in ways
that do not directly contribute to, or support
the delivery of, their care and that patients'
decisions to restrict the disclosure of their
personal information are appropriately
respected?
203 P Confidentiality Does the social care organisation Minor n/a
and Data ensure that patients are informed
Protection about the proposed uses of their
personal information and the
importance of providing accurate
information to NHS staff?
204 Confidentiality Does the social care organisation Minor n/a
and Data have effective procedures for ensuring
Protection that detailed questions, raised by
patients about how their information
may be used, can be answered?
205 Confidentiality Does the social care organisation Minor n/a
and Data have appropriate procedures for
Protection recognising and responding to patient
requests for access to their health
records?
207 Confidentiality Has the social care organisation Minor n/a
and Data agreed protocols governing the
Protection sharing of patient-identifiable
information with other organisations
where this is required?
208 P Confidentiality Has the social care organisation put in Minor n/a
and Data place safe-haven procedures for all
Protection routine flows of patient personal
information to the organisation?
209 P Confidentiality Does the social care organisation Minor n/a
and Data comply with data protection
Protection requirements in respect of transfers of
personal data about patients or staff to
countries outside of the EEA?
210 P Confidentiality Does the social care organisation Minor n/a
and Data ensure that all new processes,
Protection software and hardware, comply with
confidentiality and data protection
requirements?
301 P Information Does the social care organisation Minor Updated wording of
Security have a formal information security risk requirement levels
Management assessment and management
programme that is implemented and
regularly reviewed?
302 P Information Does the social care organisation Minor Updated wording of
Security have documented and accessible requirement levels
Management information security event reporting,
investigation and resolution
procedures in place that are explained
to all staff?
305 P Information Does the social care organisation Minor Updated wording of
Security ensure that operating and application requirement levels
Management information systems under its control
support appropriate access control
functionality?
306 Information Are there defined, documented and Minor Updated wording of
Security agreed access rights for all users of requirement levels
Management social care organisation information
systems and services?
307 P Information Has the social care organisation Minor Updated wording of
Security established a register of all its major requirement levels
Management information assets and assigned
responsibility or ‘ownership’ for each?
308 P Information Does the social care organisation Minor Updated wording of
Security ensure that digital information shared requirement levels
Management with other organisations is secured in
transit?
309 Information Does the social care organisation Minor Updated wording of
Security have adequate procedures in place to requirement levels
Management ensure the availability of information
processing facilities, communications
services and data?
310 Information Does the social care organisation Minor Updated wording of
Security have procedures in place to prevent requirement levels
Management information processing being
interrupted or disrupted through
equipment failure, environmental
hazard or human error?
311 Information Does the social care organisation Minor Greater controls
Security ensure that its information systems described within
Management are capable of the rapid detection, attainment level
isolation and removal of malicious texts.
code and unauthorised mobile code?
312 Information Does the social care organisation Minor Updated to reflect
Security have in place appropriate procedures inclusion of IG
Management for ensuring that the development and accreditation
introduction of any new local documentation.
information systems, software, IT Improvement plan
projects and, more generally, IT text amended to
support activities are conducted in a reflect new guidance.
secure and structured manner?
313 P Information Does the social care organisation Minor Plan tasks
Security have appropriate procedures in place
Management to ensure that communication
networks under the social care
organisation's control operate in a
secure manner?
314 P Information Does the social care organisation Minor n/a
Security have appropriate procedures for
Management ensuring that mobile computing and
teleworking are conducted in a secure
manner?
401 P Care Records Does the social care organisation Minor n/a
Assurance have a procedure to collect and check
an NHS Number?
402 Clinical Does the social care organisation Minor n/a
Information have documented and implemented
Assurance procedures for the identification and
resolution of duplicate or confused
service user records (i.e. where two or
more service users share a record)?
403 Clinical Does the social care organisation Minor n/a
Information have social care organisation-wide,
Assurance multi-professional audit of clinical
record standard, including accuracy,
for all professional groups in all
specialities?
405 Clinical Does the social care organisation Minor n/a
Information have robust procedures and
Assurance processes for monitoring all data
collection activities across the social
care organisation?
406 Clinical Does the social care organisation Minor n/a
Information have processes and procedures in
Assurance place to enable it to regularly monitor,
measure and trace paper health
records?
408 Clinical Does the social care organisation Minor n/a
Information have procedures in place to ensure
Assurance that when new services are provided,
or where changes within the system
are made, that these do not adversely
impact on information quality?
501 Secondary Does the social care organisation Minor n/a
Use Assurance ensure that NHS standard definitions,
values and validation programmes are
incorporated within key systems and
that local documentation is updated as
standards develop?
502 Secondary Does the social care organisation use No change n/a
Use Assurance external data quality reports for
monitoring and improving quality?
503 Secondary Does the social care organisation No change n/a
Use Assurance have procedures to ensure that staff
routinely check information about
patients with the source so that
corrections are made as necessary to
appropriate records and does the
social care organisation routinely
undertake activity reconciliations
between the patient record and data
504 Secondary Does the social care organisation Minor n/a
Use Assurance have documented procedures for
using both local and national
benchmarking to identify possible data
quality issues and to analyse trends in
information over time to ensure that
large changes are investigated and
explained?
505 Secondary Does the social care organisation No change n/a
Use Assurance have in place a robust programme of
internal and external data
quality/clinical coding audit in line with
the requirements of the Audit
Commission and NHS Connecting for
Health?
508 Secondary Is the social care organisation No change n/a
Use Assurance involving clinical staff in validating
information derived from the recording
of clinical activity?
509 Secondary Does the social care organisation No change n/a
Use Assurance have (or access) a formal, targeted
training programme for all staff
involved in the collection and
management of patient-related data
covering the operation of key systems?
510 Secondary Does the social care organisation use No change n/a
Use Assurance training programmes for clinical coding
staff entering coded clinical data that
are comprehensive and conform to
National Standards?
601 Corporate Does the social care organisation Minor n/a
Information have documented and implemented
Assurance procedures for the creation and filing
of electronic corporate records to
enable efficient retrieval and effective
records management?
602 Corporate Does the social care organisation Minor n/a
Information have documented and implemented
Assurance procedures for the creation, filing and
tracking/tracing of paper corporate
records to enable efficient retrieval
and effective records management?
603 Corporate Does the social care organisation Minor n/a
Information have publicly available, documented
Assurance and implemented procedures to
ensure compliance with the Freedom
of Information Act 2000?
604 Corporate Has the social care organisation Minor n/a
Information carried out an audit of its corporate
Assurance records and information as part of the
records lifecycle management
strategy?
Change to: Type of Reason for and Details of Change
Guidance Change
n/a n/a n/a
Improvement plan 3 Update To bring guidance document into
given "should" line with IGT format. New guidance
statements. on evidence that will prove
attainment.
Updated to include Update Word amendments to reflect role of
reference to IAO SIRO/IAO or equivalent. To bring
SIRO roles or guidance document into line with
equivalent. IGT format.
Improvement plans
given "should"
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
n/a n/a n/a
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
n/a n/a n/a
Table updated with 5 Update IG SoC table updated to align the
new key req's: 108, requirements of the IGSoC with the
203, 209, 210, 401. IG Assurance Framework
requirements and the key
requirements referred to in the NHS
Operating Framework
Improvement plans Update To bring guidance document into
given "should" line with IGT format. To advise more
statements. comprehensive clauses are added
Additional bullet to third party contracts.
point added to "Key
content of contracts"
- specific reference
to other relevant
legislation, e.g.
Common Law Duty
of Confidentiality,
Computer Misuse
Act 1990
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Updated KB link Update Link to IG leaflet updated
Improvement plans Update To bring requirement and guidance
given "should" document into line with IGT format.
statements.
Improvement plans Update To bring requirement into line with
given "should" guidance document and to bring
statements. guidance document into line with
IGT format.
Updated reference Update To reflect new legislation and
to section 60 H&SC process regarding section 60
Act 2001 - now applications
section 251 NHS Act
2006. New KB link to
ECC. Improvement
plans given "should"
statements.
KB reference to Update KB reference added to NIGB
NIGB added
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format. Legislative
statements. Updated reference updated.
reference to section
60 H&SC Act 2001 -
now section 251
NHS Act 2006.
Para altered: Clarification Tidying up of text. Para altered:
Examples of Examples of methods by which
methods by which information flows
information flows
New KB links Update KB links updated to reflect new
Europa website.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Updated to include Update To reflect reporting structures.
reference to Senior
Management Team
reporting structures.
Wording updated to Update To reflect role of Senior
include reference to Management Teams
Senior Management
Team roles &
responsibilities
Updated with Update To reflect role of Senior
reference to Management Teams
Information Assets
and Senior
Management Team
responsibilities.
Updated with Update To reflect role of Senior
reference to links to Management Teams, and HR depts
HR processes
Updated with Update To reflect role of Senior
reference to duties Management Teams
associated with the
role of Senior
Management Teams
Updated with Update To reflect role of Senior
reference to duties Management Teams
associated with the
role of Senior
Management Teams
Updated with Update To reflect role of Senior
reference to duties Management Teams
associated with the
role of Senior
Management Teams
Updated with Update To reflect role of Senior
reference to duties Management Teams
associated with the
role of Senior
Management Teams
Updated with Update To bring guidance document into
reference to line with IGT format.
contractors'
responsibilities.
Updated with Update To incorporate new measure for
reference to IG information risk management.
accreditation
documentation.
Updated reference Update To align requirement and guidance
to security document.
requirements within
contracts and
network services
agreements.
Updated wording Update To amend ambiguous wording
regarding data
backup of mobile
devices,
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements. Text
from improvement
plan 3 moved to
main body of
guidance document.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Improvement plans Update To bring guidance document into
given "should" line with IGT format.
statements.
Updated KB link Update Link to social care electronic record
document updated.
n/a n/a n/a
n/a n/a n/a
Removal of Clarification To ensure relevance to social care.
reference to "Trust"
n/a n/a n/a
n/a n/a n/a
n/a n/a n/a
n/a n/a n/a
Improvement plans Update To bring guidance document into
given "should" line with IGT format. Link to Ministry
statements. Updated of Justice FOI pages updated.
KB link
Improvement plans Update To bring guidance document into
given "should" line with IGT format. Link to Ministry
statements. Updated of Justice FOI pages updated.
KB link
Improvement plans Update To bring guidance document into
given "should" line with IGT format. Link to Ministry
statements. Updated of Justice FOI pages updated.
KB link
Wording change. Update Inventory changed to audit to match
Improvement plans requirement question - no change to
given "should" work required to complete the
statements. Updated requirement. To bring guidance
KB link document into line with IGT format.
Link to Ministry of Justice FOI pages
updated.

IGT Req | SoC | Initiative | Description | Impact of Change | Change to: Requirement
1 | P | IG Management | Does the CTP have adequate arrangements in place to ensure safe and secure handling of information (e.g. policies and procedures and access to expert advice on Information Governance)? | Minor | Attainment levels amended in line with guidance document
2 | P | IG Management | Does the CTP have up to date and tested business continuity plans for all critical infrastructure components and core information systems? | No change | n/a
3 | P | IG Management | Has the CTP implemented adequate arrangements for the management of information to ensure the NHS Connecting for Health (NHS CFH) Statement of Compliance (SoC) is satisfied? | No change | n/a
4 | P | IG Management | Does the CTP ensure that it complies with the terms and conditions set out on the Registration Authority (RA01) form? | Minor | Attainment levels amended in line with guidance document
5 | P | IG Management | Do the CTP's contractual arrangements with, and policies for staff, contractors and external parties include compliance with information governance requirements? | No change | n/a
6 | P | IG Management | Does the CTP assess staff training needs and ensure job/role specific information governance training is provided to all staff? | No change | n/a
7 | P | Confidentiality and Data Protection | Does the CTP ensure that personal information is not used in a way that does not directly contribute to, or support, the delivery of, contracts with NHS organisations and is not disclosed without permission or other applicable legal justification? | No change | n/a
8 | P | Confidentiality and Data Protection | Does the CTP audit the effectiveness of its controls over confidentiality? | Minor | Attainment level 3 amended in line with guidance document
9 | P | Confidentiality and Data Protection | Does the CTP ensure that all correspondences, faxes, e-mail, telephone messages, transfer of patient records and other communications are conducted in a secure and confidential manner? | Minor | Attainment level 3 amended in line with guidance document
10 | P | Information Security Management | Has the CTP taken measures to prevent unauthorised access to its premises, equipment, records and other assets? | No change | n/a
11 | P | Information Security Management | Does the CTP have documented procedures for reporting, investigating and managing information security events or incidents? | Minor | Attainment levels amended in line with guidance document
12 | P | Information Security Management | Does the CTP have an information asset register, encompassing information, software, hardware and services? | Minor |
13 | P | Information Security Management | Does the CTP have appropriate procedures in place to ensure that communication networks under its control operate in a secure manner? | Minor |
14 | P | Information Security Management | Does the CTP control and monitor the use of mobile computing and teleworking to ensure they are conducted in a secure manner? | Minor |
15 | | Clinical Information Assurance | Does the CTP ensure that the NHS Number is used routinely on all active NHS patient records and communications about those patients? | Minor | DELETED
16 | P | Information Security Management | Does the CTP ensure that operating and application information systems under its control support appropriate access control functionality? | Minor |
17 | P | Confidentiality and Data Protection | Has the CTP ensured that all person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines? | Major | New requirement
18 | P | Confidentiality and Data Protection | Does the CTP ensure that all new processes, software and hardware, comply with confidentiality and data protection requirements? | Major | New requirement

Change to: Guidance | Type of Change | Reason for and Details of Change
Updated guidance and attainment levels due to change from two CTP views into one. Further definition of terms and changes to the wording of the improvement plans to incorporate the need to have an operational lead for IG | Update | To amalgamate guidance for simple and complex CTPs. To clarify and incorporate into improvement plans the need to have an operational lead for IG.
n/a | n/a | n/a
n/a | n/a | n/a
Statement included to clarify that the standard will only apply to CTPs using smartcards. Further clarification on attainment levels 2 to include awareness of responsibilities for complying with RA01 terms and conditions | Clarification | To clarify relevance of smartcards and RA01 resps to the CTP environment.
n/a | n/a | n/a
n/a | n/a | n/a
n/a | n/a | n/a
Further definition of evidence and levels in guidance and attainment sheets to include staff knowledge and update to wording in level 3 improvement plan to emphasise the need for policies to be reviewed and updated accordingly. | Clarification | To clarify the types of confidentiality controls CTPs should have in place.
Additional guidance on monitoring of emails and legislation supporting this along with further definition of attainment level 3 to include reviews of procedures and new ways of working. | Update | To reflect requirements of data handling review.
n/a | n/a | n/a
Updated guidance and attainment levels due to change from two CTP views into one. Additional guidance included on Serious Untoward Incidents, reporting processes and training awareness. | Update and clarification | To reflect requirements of data handling review.
More information added on what information assets are and the benefits of having an information asset register | Update | To reflect requirements of data handling review
Additional points on security features - malicious code detection, access approval. | Update | To reflect requirements of data handling review
Updated information on malicious code and the importance of data back ups. | Update | To reflect requirements of data handling review
DELETED | DELETED | To reflect the position that the majority of CTPs are unable to validate an NHS Number
Statement added to clarify the types of operating systems that the requirement encompasses. Additional points on access control functionality to include standard user access profiles for common job roles within the CTP. | Update | To amalgamate guidance for simple and complex CTPs. To reflect requirements of data handling review
New guidance document | Update | To ensure compliance with legal requirements and to enable CTPs to provide assurances relating to the security of patient identifiable data
New guidance document | Update | To ensure compliance with legal requirements and to enable CTPs to provide assurances relating to the security of patient identifiable data