The compliance requirements of the NHS are described in a process known as the IGSoC or Information Governance Statement of Compliance. This raft of documentation includes the completion and submission of an Information Governance Toolkit, an information governance assurance statement and a more technical document known as the logical connection architecture (LCA).
Most companies find completion of the Information Governance Toolkit (IG Toolkit) to be a time-consuming, confusing and often unsuccessful process. There is very little help available from the NHS, and guidance is often considered to be vague as it has to cover such a wide range of organisation types and sizes.
Hytec, OLM’s specialist information governance and security division, provides services to support NHS N3 Connection, PSN connectivity, IGSoC accreditation and ISO 27001 certification. We recently sat down with Hytec’s Senior IG Consultant, Robin Ingram, to discuss common pitfalls with the Toolkit and the application process. Robin has worked with Hytec for the past 12 years and helped a number of organisations with their IG Toolkit application process.
There are a lot of areas that the accompanying IG Toolkit notes do not address. One of the biggest is that people naturally assume that a high score is good and they should aim for a 3 for each requirement. This isn’t necessarily true, and care and attention should be taken when looking at each requirement and its criteria. Unless you have everything already in place, there is no business benefit to adding extra work to your team for your first submission and aiming for level 3. Level 2 is a much more realistic target for a first-time submission.
It is very rare for a business to claim level 3 and have absolutely everything they need in place to be at that level. A lot of businesses see the list of questions and feel as though they need to answer them all for fear of being marked down and not achieving a high enough level. An organisation that gives itself an overall score of 70% will earn more trust than an organisation that scores itself at 100%, as it is a more realistic score. Organisations need to ask the question, ‘Is there a business benefit to being level 3 when level 2 is sufficient and more believable?’ By being honest and answering the questions realistically you show that your business is honest and open. Don’t claim to be level 3 when you are not. If you do not have a decent answer for the question, then do not crowbar in something that does not fit; if you don’t know, then you don’t know.
In fact, the first submission is made before the N3 circuit is installed, and it is probable that several documents are being addressed by the organisation for the first time. While it should be possible to meet all requirements to level 2 by having established policies and procedures and made staff aware of them, level 3 is not possible as it relies on reviews and reports, which will not happen until the solution is established as there is nothing to review.
0. You haven’t thought about implementation.
1. You know what you need to do but are awaiting approval.
2. You are currently implementing.
3. You are doing it, reviewing it, reporting on it and taking steps to improve.
The latest version of the IG Toolkit was released on the 27th May. We will post an update, alongside our solutions for the common pitfalls, next week.