[DAYS_LEFT] days left of your Medeconomics free trial

Subscribe now

Your free trial has expired

Subscribe now to access Medeconomics

Advice on completing the Information Governance Toolkit

A guide to what practices need to include when completing the Information Governance Toolkit each year.

Practice managers must fill out the Information Governance Toolkit every year to show compliance with information governance standards.  

Each requirement consists of four levels ranging from 0 (no compliance or no evidence to support compliance) to 3 (full compliance with supporting evidence). To be considered fully compliant, practices must be at least Level 2 across all requirements.

If a practice is unable to demonstrate full compliance, they must put in place a action plan to demonstrate the actions required.

Below is a short guide to what you need to include when you are filling this out.

Responsibility for information governance has been assigned to an appropriate member, or members, of staff.
Every practice must have a Caldicott Guardian. This is defined as ‘a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing’.

Ensure that there are defined roles and responsibilities and clear lines of accountability. It is good practice to make sure everyone sees information governance as part of their role as well as a having a named senior person, usually one of the GPs and the practice manager.  

Everyone should have a confidentiality clause in their contract and undertake the annual refresher training.

There is an information governance policy that addresses the overall requirements of information governance.
Your policy should include the following (this list is not exhaustive there may be other points you want to cover):

  • A summary of the Caldicott principles
  • Physical security: how records are stored and transported, retention of records – time frames, confidential waste.
  • Communication channels and protections in place (post, fax, email, verbal)
  • Use of smartcards, how these are issued and staff rights being deactivated when staff leave
  • Computerised records (use of passwords, levels of access, firewalls, encryption and virus protection)
  • Patient consent – how it is obtained and recorded
  • How information is shared with other organisations both health and non health, what checks are done to ensure that the request is legitimate, how is patient consent obtained etc
  • Subject access requests from insurance companies
  • Patient requests to access their records or those of relatives
  • How patients are made aware of how their data is used – use of fair processing notices
  • The instances where patient data can be shared without consent
  • Confidentiality clauses and agreements and how any breaches of information governance are dealt with
  • Staff training on information governance
  • Authorised use of internet, business server etc
  • Mobile working policy if applicable – working from home
  • Use of email
  • Audits (examples of audits you could look are:
    • who has access to the system and periodically ensuring that all employees who have left have had their rights removed.   
    • if you have staff who are patients at your practice make sure they are not accessing their records or their families records inappropriately)
  • All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities

All staff contracts should have a standard confidentiality clause that protects both patient identifiable and any commercially sensitive material. 
It’s also a good idea to have a confidentiality agreement for any third parties and visitors to the practice who may also have access to confidential information.

All staff members are provided with appropriate training on information governance requirements.
The standard Information Governance training can be found here.

The current training toolkit is under development but there is a workbook and test available in the meantime. Alternatively if your practice subscribes to an online training provider they will probably also have information governance training available as a module.

All transfers of personal and sensitive information are conducted in a secure and confidential manner.
Do a physical check of your premises, can patients be overheard at reception, are there notes left in a clinical room when the door is unlocked? Keep a record that you have done this.

Make sure that staff are aware of how to transfer patient identifiable information securely by bringing it up on an ad hoc basis at staff meetings.

Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected.
Have a clear policy on obtaining consent. Ensure that staff processing subject access requests and insurance reports are clear on what information they can and cannot share.  

Make sure that any patient preferences to not share their data are recorded in the same way by everybody and that they are clearly displayed on the patient record.

There is a publicly-available and easy-to-understand information leaflet that informs patients/service users how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records

There is a useful patient leaflet in the Information Governance Toolkit resources section, which you can download here.  It needs to be updated to remove SHAs and PCTs but is a good template to start with.

You also need to think about including information about any data sharing agreements your practice has signed up to if your CCG or a local group of practices share data, for extended hours or inter practice referrals.

Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use.
Ensure that all new staff are given the RA1 conditions.  Ensure that an RA3 form is filled out when staff leave and add this to the exit procedure.  

When temporary staff join, ensure that you fill out the date section of the smartcard form.  Run random audits to ensure that your smartcard user list is up to date

There is an information asset register that includes all key information, software, hardware and services.
This is a big task to tackle if you don’t already have an information asset register. Make a list of all computers, printers, faxes, servers etc and make a note of make, model, serial number and location. Make a list of all the software you own and keep the discs, barcodes and keys in one place and make a note of these electronically also.

Keep a log of contact with your IT service desk, if a printer is broken and they replace it you need to make sure that the asset register is regularly updated, which can be hard to do if you are not full time or it happens when you are away. Try to ensure that it is not just you who is aware of the asset register and how to update it and do an annual or six monthly check of all the equipment at the practice

Unauthorised access to the premises, equipment, records and other assets is prevented.
This should be a given for all practices, but it is worth having the odd check that security doors between patient and non-patient sections are closed and that the premises are alarmed each evening.  

Paper records should not be stored anywhere a patient could come across them. Also check that people are locking their computers and taking their smartcards out if they are not at their desks.

The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access.
If staff can work from home make sure that there is a clear policy on use of laptops or VPN software. Machines and portable hard disks should be encrypted. Staff should sign an agreement to ensure that they will not allow family, friends or visitors to their home inadvertent access to patient identifiable information

There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions
Make sure you know what to do if there is a power failure, a computer virus or fire. There is more on this here.

There are documented incident management and reporting procedures.
This can be your significant event policy. Make sure that staff know to report any breaches, for example fax sent to wrong number, doors left unlocked etc.  

It is good practice to also report ‘near misses’ so that you can take steps to ensure that an actual breach does not occur. There is a useful policy and risk assessment form on the Information Governance Toolkit resources section as a template.

Ensure that everyone is vigilant about protecting confidentiality. There are large fines for non-compliance so it is really important that steps are put in place to ensure patient data is kept safe.

  • Fionnuala O'Donnell is a practice manager in Ealing, West London, and a CCG board member

Other useful resources on Medeconomics

Have you registered with us yet?

Register now to enjoy more articles
and free email bulletins.

Sign up now
Already registered?
Sign in

Would you like to post a comment?

Please Sign in or register.

Database of GP Fees




Latest Jobs