The National Information Governance Board has closed. This website is no longer being updated. Please refer to the home page for further information.


Section 251 security review

Security assurance process

It is Department of Health policy for all bodies that process NHS patient information to provide assurance over the security of this information through annual completion and publication of an information governance performance assessment using the Information Governance (IG) Toolkit. The Department now wishes to extend this requirement and in particular seek this assurance from bodies that obtain NHS patient information in circumstances approved under section 251 NHS Act 2006 and supporting Regulations through application to the NIGB Ethics and Confidentiality Committee (ECC).

Approval is provided in line with the Health Service (Control of Patient Information) Regulations 2002. A requirement within the Regulations is to ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information. Assurance over this aspect is now provided through satisfactory IG Toolkit submission.

For new applications there are no changes to the assessment of the main application as security review has always been a separate process that can be carried out in parallel to the ECC consideration. Instead of providing a system level security policy document, applicants should now provide a relevant IG Toolkit submission. The ‘IG Toolkit process’ document sets out what is required when completing a Toolkit submission. Queries over this document should be directed to The FAQ document sets out responses to common queries for new and existing applicants on the effect of this change.