You are here: Home Services & Applications Information Governance (IG) The Information Governance Assurance Programme

The Information Governance Assurance Programme

The Information Governance Assurance Programme (IGAP) was set up to look at the Cabinet Office minimum standards resulting from the data handling review, to review what the NHS was already doing, to identify any gaps and to put measures in place to bridge the gaps. The Programme recommended that an IG Assurance Framework was put in place and extended to all parts of the DH delivery chain. This page details historical information about IGAP and points to updates about the IG Assurance Framework.

Information Governance Assurance Framework

The Information Governance Framework for health and social care is formed by those elements of law and policy from which applicable information governance standards are derived, and the activities and roles which individually and collectively ensure that these standards are clearly defined and met

Please visit Information Governance Assurance Framework.

Information Governance Assurance Programme

Following the data loss, reported by Her Majesty's Revenue and Customs (HMRC) office in November 2007, the Prime Minister asked the Cabinet Secretary to work with security experts to ensure that all Government departments and their agencies check their procedures for the storage and use of personal data and provide formal assurance on personal information for themselves, their agencies and any organisations they were responsible for.

The Interim Report by the Cabinet Office, published on 17 December, summarised action taken across Government, and set out initial directions of reform to strengthen the Government's arrangements.

The final report, published in June 2008, summarised the work conducted in Departments to improve data handling and set out how the Government was improving information security by putting in place:

  • core measures to protect personal data and other information across Government
  • a culture that properly values protects and uses information
  • stronger accountability mechanisms within Departments, and
  • stronger scrutiny of performance.

The measures put in place, which represented a new set of minimum mandatory standards for Departments, include:

  • introducing new rules on the use of protective measures, such as encryption and penetration testing of systems.
  • standardising and enhancing the processes by which Departments understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities.
  • requiring quarterly risk assessment within each Department of the confidentiality, integrity and availability of information.
  • introducing mandatory training for all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis.
  • requiring the use of Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data.
  • introducing greater scrutiny and monitoring through the inclusion of information risk in Statements on Internal Control, which are scrutinised by the National Audit Office and through spot checks by the Information Commissioner.
  • further enhancing transparency of arrangements, through annual reporting to Parliament on progress and the use of Information Charters which provide clarity to citizens about the use and handling of personal data, and
  • a range of other measures to improve information security across Government.

The report concluded by saying that: "Effective public services depend on information about the people they serve. But in order to command public confidence, that information needs to be safely stored and protected. The Government is determined to take the necessary steps to improve data security. The measures outlined [today] are an important part of that process."

Download Data Handling Procedures in Government: final report (PDF 277Kb).

More information on information assurance can be found at:

Information Governance Assurance Programme initiated by NHS Chief Executive Sir David Nicholson

In line with the Government directive of November 2007 (before the interim Cabinet Office report), the NHS Chief Executive, Sir David Nicholson initiated an urgent, Information Governance Assurance Programme for the NHS. Its remit was firstly to provide assurances regarding the current processing of person identifiable information in line with the requirements of the DHR and secondly to produce an Information Governance Assurance Framework for the healthcare sector to provide continuing assurance that sensitive person identifiable information is managed securely and confidentially.

The Programme recognised that NHS organisations were already providing some forms of assurance through their submission of the Information Governance Toolkit assessment to the Department of Health. This also included reporting to the Healthcare Commission on standards C9 and C13 of the Standards for Better Health.

The Information Governance Assurance Programme: Closure report

The report reviews the programme, and sets out all the actions and activities that have taken place allowing the programme to close. The report is confirmation that:

  • The programme has achieved its objectives.
  • All projects have completed satisfactorily.
  • Any remaining handover or transition activities required have been defined and assigned to relevant business operations.

This document also contains recommendations for the Department of Health, where the programme team and the programme board feel that these are appropriate, in order to ensure that the Department and its constituent organisations can continue to deal effectively with Information Governance issues.

Please read the IG Assurance Programme Closure report (PDF 454 Kb).

Dear colleague letters

In order to clarify new and existing requirements, a series of papers was issued to NHS organisations setting out the organisations' responsibilities for information governance and for providing additional assurances on information governance to each strategic health authority (SHAs), or to Monitor, the Independent Regulator of NHS Foundation Trusts.

Sir David Nicholson letters: December 2007 and January 2008

The first of these papers was a letter from David Nicholson, sent to all Chief Executives in the NHS (and copied to Monitor), which restated the responsibility and accountability framework already in place for securing effective information governance, and the actions already required by organisations as part of the assurance process.

The letter also set out specific requirements for securing data in transfer. Page three of the letter made reference to a checklist of immediate actions to be taken for securing personal data in transit.

The checklist was published by NHS Connecting for Health (NHS CFH) in the form of the Good Practice Guidelines below, which cover the transfer of batched person identifiable data by means of portable electronic media, including:

  • tapes
  • floppy discs
  • removable hard discs
  • laptop & handheld computers
  • optical discs - DVD & CD-ROM
  • solid state memory cards, memory sticks and pen drives

Read David Nicholson's letter of 4 December 2007 (PDF 49Kb)

Download the Good Practice Guidelines: Transfer of batched person-identifiable data (Word 813Kb).

David Nicholson followed his initial communication with a letter to SHA Chief Executive's asking them to take immediate actions to ensure patient data was protected across their patch.

The letter clarified the specific requirements for ensuring personal data was protected in transit, including the suspension of all courier and postal transfers of unencrypted patient data unless the transfer was essential to patient care.

Interim information was provided on the reporting of data losses and security breaches as serious untoward incidents, and the measures being taken centrally to support the NHS.

Read David Nicholson's letter of 15 January 2008 (PDF 49Kb).

Matthew Swindells letters: January and February 2008

In late January 2008, Matthew Swindells, the Department of Health's interim Chief Information Officer wrote a letter to SHA Chief Information Officers (CIOs).

The letter formally confirmed that the movement of unencrypted person identifiable data held in electronic format is not permitted in the NHS unless prevention of movement would adversely affect patient care, additionally, if an organisation decides to store or transfer such data without encryption, a risk assessment must be carried out.

The letter also informed CIOs that technical guidance on encryption was being prepared by NHS Connecting for Health. Read Matthew Swindells' letter of 30 January 2008 (PDF 40Kb).

At the end of February 2008, Chief Executives and SHA CIOs were the recipients of a further letter from Matthew Swindells, regarding the defining and reporting of serious untoward incidents.

The letter contains a document setting out the reporting arrangements and describes the actions that need to be taken in terms of communication and follow-up when a serious untoward incident occurs. Read Matthew Swindells' letter 29 February 2008 (PDF 103Kb).

Sir David Nicholson letters: May and September 2008

In May 2008 David Nicholson wrote to Chief Executives and SHA CIOs, with copies to Directors of Finance and Monitor. The letter set out further actions for SHAs regarding review of IG toolkit scores for PCTs and Trusts and requiring that SHA have access to information governance subject matter experts.

All NHS organisations were required to include information on serious untoward incidents in their annual reports; appoint a board-level Senior Information Risk Owner; and include information assurance in their Statement of Internal Controls.

Organisations were informed of future actions regarding staff training and potential disciplinary measures for breaches of confidentiality.

Annex A of the letter contains information about the reporting of personal data related incidents within annual reports, and Annex B provides guidance on including how risks to information are managed and controlled within the Statement of Internal Controls (SIC). Download David Nicholson's letter 20 May 2008 (PDF 64Kb).

The most recent letter (September 2008) from David Nicholson was written to Chief Executives and copied to SHA CIOs and Monitor.

The letter informed organisations to conduct a review to ensure that the policy to encrypt all removable data has been fully implemented.

The letter draws readers' attention to the report of the Cabinet Office Data Handling Review and asks them to review their internal processes against the recommendations in the report; the recommendations are reproduced in Annex 1 of the letter. It also highlights the data sharing review carried out by Richard Thomas (the Information Commissioner) and Mark Walport (the Director of the Welcome Trust).

Importantly, the letter sets out a number of actions to be carried out by general practices and PCT responsibility for ensuring the actions are performed. Other areas covered are encryption, serious untoward incidents and the secure destruction of optical media - this includes Write Once (e.g. CD-ROM, DVD-R) and Write Many (e.g. CD-RW, DVD-RW).  Read David Nicholson's letter September 2008 (PDF 65Kb).