NHS service providers stand to lose out if they fail to complete the NHS Information Governance (IG) Toolkit by 31st March, warns IT Governance, the IT governance, risk management and compliance company.
With the confidentiality of patient data a top priority, the NHS requires that partner organisations connecting to the NHS N3 wide area computer network demonstrate annually that they have adopted appropriate data security measures. By completing the online self-assessment IG Toolkit, these businesses can demonstrate that they maintain appropriate security when accessing, processing or storing information, including Patient Identifiable Data.
The IG Toolkit's requirements apply to both new and existing NHS partners. However, despite the looming assessment deadline, a large number of NHS commercial third parties (CTPs) and NHS business partners have yet to act. According to IT Governance, this failure to act could prove costly, both in terms of lost business and potential fines.
Alan Calder, Chief Executive of IT Governance, says: "Parties that do not complete their IG Toolkit submission on an annual basis are considered more likely to breach data security. In fact, if a breach does occur, the Information Commissioner's Office can impose fines of up to £500,000. Those service providers that comply with the IG Toolkit have a competitive advantage over organisations that are non-compliant ‒ particularly at contract tenders.
"All NHS organisations are mandated by the Department of Health to carry out and publish an IG self-assessment, using the toolkit, by 31st March every year. Non-NHS organisations that do not publish an assessment are at risk of having their access to NHS Connecting for Health (CFH) services suspended or removed. Furthermore, organisations providing services to, or on behalf of, an NHS organisation are likely to be in breach of their contract if they don't publish an assessment."
To satisfy the requirements of the IG Toolkit, organisations are advised to employ various methods, from conducting a risk assessment to using some of the key controls mandated by the NHS when dealing with patient identifiable data.
Calder says: "Maintaining good data security should be seen as a competitive advantage, not a cost or a chore. Conducting regular internal audits of your information security measures will help achieve your commercial objectives, by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control and governance processes."
He adds: "To put your documentation and records in order, it is highly advisable to use templates to ensure everything is covered and to help you save time."
To simplify the challenge of documentation, IT Governance offers an NHS N3 IG v10 Documentation Toolkit (www.itgovernance.co.uk/shop/p-1265.aspx), which contains all the documents commercial third parties require to complete the IG Toolkit and achieve compliance.
According to Calder, online staff training is another key ingredient for success: "The NHS requires evidence that staff awareness training has taken place. E-learning is the most cost-effective method for CTPs to educate employees. To meet this requirement, we have introduced a specially designed N3 and Information Security Staff Awareness e-learning course (www.itgovernance.co.uk/shop/p-1273.aspx). This training ensures all staff understand their obligations, so businesses can focus on developing even more productive relationships with the NHS."