Common IG Toolkit Pitfalls Part 2

Is the question relevant?

There are different revisions of the toolkit for different organisations such as commercial 3rd party organisations and NHS business partners. Each organisation will have different requirements as to what they do and will also vary in size. This is why it is absolutely essential that you interpret the toolkit for your organisation. Identify requirements that aren’t appropriate, and if you can provide a clear justification and state why it is not applicable, request an exemption. Exemptions can be requested via the Exeter Helpdesk.

  • Pitfall

Trying to create comments and evidence to meet level 2 (or worse; level 3) when the requirement is not applicable.

Is your answer comprehensive?

Behind every requirement there is a set of guidance notes that describe the expectations. You should read these and ensure that you address all that are relevant to you. Some elements of guidance notes may not be relevant to your organisation, or the services you provide; if this is the case, these can be ignored. The comment you provide in the IGT response should show that you have read and understood the requirement and guidance notes and give a BRIEF outline of how you address the specific criterion.

  • Pitfalls

The most common problem I see is that the comment bears no relation to the question. Read and understand the question and guidance notes, answer the question and describe the expected evidence – no more, no less.

Inconsistency; often caused by the IGT being completed by a number of different people each addressing their own specific subjects. All you have to do to avoid this is read through all your comments and make sure there are no inconsistencies or contradictions.

Submitting the toolkit

The online IT Toolkit can be completed by entering a comment for each criteria. Comments must answer the question and provide a clear description of the supporting evidence. You can submit evidence to go along with your comment but this is not necessary. Non NHS organisations may be asked to provide some items of referenced evidence when the IGT is reviewed by HSCIC, but they do not need to submit it.

At the bottom of each requirement page, there is a box for Target level. Many organisations enter a 3 and include a target date; the target date is only needed if you haven’t met level 2 – if you have met level 2, set target level to 2.

Once you are happy with your submission you will need to get your Chief Executive or equivalent to accept the Assurance Statement; if you look at the FAQs for the IGT, you will see that this should be accepted by the person legally responsible for the organisation.

  • Pitfalls

Not completing the Toolkit before submission. Just ticking the boxes is not enough.

Trying too hard – this is not an exam; a higher score is not better, just less believable especially if you submit your first IG Toolkit with a score of 100%.

Maintaining the toolkit

You must submit an annual IT Toolkit on the anniversary of publishing your first toolkit and continue to do so each year by the same date, or at the latest by 31st March.

Version 14

Was released at the end of May. Rather than being a complete relaunch as expected, it has turned into a minor update, with a relaunch expected next year. The main point to note from version 14 is that in the Local Authority view of the IG Toolkit, the number of requirements where the PSN Compliance Certificate would be accepted has been cut by half to seven.

For more information regarding the range of N3 Hosting and Information Governance services that Hytec can offer your company, please visit our website today and contact us to arrange an appointment.