Information Governance: a Framework for Handling Personal Information

Lorraine Nicholson MIHM, MRSH, FHRIM

Presentation Overview

This presentation will introduce the audience to the English National Health Service Information Authority's Information Governance Framework, which aims to: " the delivery of high quality care by promoting the effective and appropriate use of information." The presentation will also discuss the drivers for Information Governance, the process by which the Information Governance requirements (standards) contained in the Information Governance Toolkit were developed, and the assessment process associated with the Toolkit.

What Is Information Governance?

Information Governance is defined as "...a framework for handling personal information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service."

It is the information component of Clinical Governance, and it aims to support the provision of high quality care to patients and clients by promoting the effective and appropriate use of personal, sensitive information.

Drivers for Information Governance

In 1998, principles supporting the development of the NHS Care Records Service were presented in the Department of Health's information strategy "Information for Health," which committed the National Health Service (NHS) to provide life-long electronic health records for everyone, with round-the-clock, online access to patient records and information about best clinical practice for all NHS clinicians. "Building the Information Core: Implementing the NHS Plan" was published in January 2001; it outlined the information and IT systems needed to provide the patient-centred care that the NHS Plan promised to deliver.

In April 2002, "The Wanless Report" made a number of key recommendations for development of information technology in the NHS, including:

  • Doubling the IT budget and ensuring that IT funding was not used to subsidise other services
  • Stringent, centrally-managed national standards for data and IT
  • Better management of IT implementation in the NHS, including a national programme

"The Wanless Report" was published at the same time as "Delivering the NHS Plan." This set out a vision of a patient-centred service that would empower patients and offer them more choice about where and when they would be treated. In June 2002, the Department of Health published its new strategy for developing IT, "Delivering 21st Century IT Support for the NHS: National Strategic Programme." This brought about the establishment of the National Programme for IT (NPfIT). NPfIT aims to transform the experience of patients, NHS professionals, and staff by helping to deliver value-for-money, patient-centred care through a modern IT infrastructure and service.

Information Governance underpins the National Programme for IT (NPfIT) and the development of both the National Care Records Service (NCRS) and the Electronic Social Care Records Service (ECRS).

By 2010, it is anticipated that every NHS patient in England will have an individual electronic NHS Care Record. A 10-year contract with BT, worth a total of £620 million, has been established to set up and run the national NHS Care Records Service, which will provide the infrastructure necessary to deliver this revolution in health and care information.

The NHS Care Records Service will provide all 50 million NHS patients with an individual electronic NHS Care Record, which will provide details of key treatments and care within the health service and/or social care. For the first time in the NHS, information about patients will be mobile, as patients are, and therefore it will not just remain in health records or social care filing rooms within the organisations where treatment or care has been delivered. The NHS Care Records Service will connect more than 30,000 GPs and 270 acute, community, and mental health NHS trusts in a single, secure, national system.

Background of Information Governance

The Information Governance Framework enables NHS organisations in England and individuals working within them to ensure that personal information is dealt with legally, securely, effectively, and efficiently in order to deliver the best possible care to patients and clients. The focus is on setting standards and giving organisations the tools to help them achieve the defined requirements, make appropriate improvements to their service, and ensure that improvement is maintained.

The NHS Information Authority established the Information Governance Service to integrate ways of thinking and working with personal information, to provide clarity between existing initiatives, and to provide unity between ethics, law, and policy. There were also a number of key "drivers" (identified above) of the initiative along with confidentiality objectives and national policy objectives.

The Information Governance Framework addresses a number of different aspects of NHS information handling over a number of key work areas: the Caldicott recommendations on the use of personally identifiable information; the Confidentiality Code of Practice; the Data Protection Act 1998; the Freedom of Information Act 2000; Information Management and Technology Security (ISO 17799 Code of Practice for Information Security Management); Health Records Management; Organisational Records Management; and Information Quality Assurance. It provides a vehicle to develop clear standards and directly link the standards to support and guidance materials and exemplar documentation. It also assists in managing and monitoring change in the NHS.

The Information Governance Framework also allows the NHS in England to manage change by educating staff, developing codes of practice, helping organisations and individuals to understand the requirements of law and ethics in respect of information handling, and the consequent need for changes to systems and processes. Furthermore, it enables the NHS to work in partnership with patients and clients by respecting their preferences and choices and addressing their concerns about the use of sensitive, personal information.

Aims of Information Governance

Information Governance has four fundamental aims:

  • To support the provision of high quality care by promoting the effective and appropriate use of information
  • To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources
  • To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards
  • To enable organisations to understand their own performance and manage improvement in a systematic and effective way

Development of the Information Governance Toolkit

To ensure consistency of implementation of Information Governance nationally, the NHS Information Authority has developed the Information Governance Toolkit jointly with the Department of Health. It contains the requirements, guidance on the requirements, awareness and educational material, exemplar documentation, hyperlinks to knowledge sources, and performance measurement (assessment) tools together with implementation support. Version one of the Toolkit represented Department of Health Policy as of 31 October 2003.

The Toolkit is a Web-based product available over the NHS intranet (NHSNet). It is available as an online resource, but all the guidance and support materials it provides access to can also be downloaded for local use. It is a dynamic product that will be regularly updated with the latest legislation, guidance, and good practice materials.

The Toolkit is being developed in a phased way. Phase one was developing the requirements for Acute Hospital Trusts and Primary Care Trusts, Mental Health Trusts, and Ambulance Trusts together with advice and guidance for General Practitioners. Phase two will further develop and refine the existing requirements and associated attainment levels and go on to develop additional requirements for Social Care organisations, Strategic Health Authorities, Special Health Authorities, NHS Direct, and the Blood Transfusion Service.

The development process has two integrated functional aspects, that is, requirements and performance, and performance rating and audit (all of which are linked), together with the underpinning knowledge base (which identifies the derivation of the requirements, examples of good practice, templates and exemplar documentation, specific guidance notes, sample work plans, and underpinning educational standards and requirements). The Toolkit provides improvement and maintenance plans, and it is easy to use with three main navigation routes, which are accessed via the Information Governance home page on the NHS Information Authority's intranet site (nww). As more requirement sets are developed for a wider range of organisations, access may need to be provided via the World Wide Web (www).

Developing the Requirements

The Information Governance requirements (standards) were developed using the "HORUS" standards model. HORUS was derived from the following five aspects of information handling:

Holding
Obtaining
Recording
Using
Sharing

To ensure that the model accurately reflected the complexities of information handling and the scope of the associated operational activities, a two-dimensional matrix was constructed with the above five aspects of information handling on the horizontal axis and Management, Systems, People, and Processes on the vertical axis.

The requirements developed using the HORUS model have four levels of attainment (0-3) together with improvement plans to ensure progression from one level to the next and also a maintenance plan to prevent slippage from the highest attainment level. The emphasis in the Toolkit is on incremental improvement rather than simply passes or fails. Both the requirements and the attainment levels have been developed in collaboration with the appropriate NHS organisations throughout the process to ensure that they reflect operational reality.

The Development Process

For each of the following areas of work (initiatives) a "lead specialist" was identified:

  • The Data Protection Act 1998
  • The Freedom of Information Act 2000
  • The Confidentiality Code of Practice
  • Information Security Management-BS7799 (ISO 17799)
  • Health Records Management
  • Information Quality Assurance-(Data Accreditation)
  • Controls Assurance-IM&T and Records Management

The lead specialist then comprehensively researched the work area and identified any existing standards. I have responsibility for the Health Records Management work area and my research included the following knowledge sources:

  • Health Service Circulars, for example, HSC 1999/053 "For the Record"
  • British Standards, for example, BS 15498: "Effective Records Management" (Parts 1 and 2)
  • Current legislation, for example, the Data Protection Act 1998, the Freedom of Information Act 2000, current Health and Safety legislation
  • Controls Assurance Standards, for example, Records Management, IM&T
  • Healthcare professional standards, for example, United Kingdom Central Council For Nursing Midwifery and Health Visitors, the General Medical Council, The Royal College of Surgeons, Institute of Health Record and Information Management
  • Professional good practice

Requirements were then drafted and then refined by the lead specialist, Information Governance Team members, and reference groups drawn from appropriate operational areas in the NHS. All of the requirement sets for each area of work were then scrutinised by the NHS Information Authority's Information Governance Service Manager and the Deputy Director of Digital Information at the Department of Health in order to identify areas of duplication. The requirement set was then finalised.

Coverage of the Health Records Management Requirements

The Information Governance Requirements for Health Records Management cover the following types of records:

  • Electronic and paper health records
  • Accident and Emergency (A&E) records and registers
  • Birth, theatre, minor operations registers
  • X-ray and imaging reports
  • Photographs
  • Slides and other images
  • Microform (micro-film and micro-fiche)
  • Audio tapes
  • Video tapes
  • Material intended for short-term or transitory use including notes and spare copies of documents

Scope of the Health Records Management Requirements

In version one of the Toolkit, there were 24 requirements covering the following aspects of health records management:

  • Management of Health Records (10 Requirements)
  • Case notes and their contents (4 Requirements)
  • Security, privacy, and confidentiality (4 Requirements)
  • Training (3 Requirements)
  • Physical facilities and the environment (3 Requirements)

In version two, after elimination of overlap in the areas of Information Security, Freedom of Information, Data Protection, and Organisational Records Management, together with combination of a few requirements, which logically and practically fitted together, the number of requirements for Health Records Management was reduced to 16 covering the following aspects:

  • Management of Health Records (8 Requirements)
  • Case-notes and their contents (3 Requirements)
  • Training (2 Requirements)
  • Physical facilities and the environment (3 Requirements)

In version two, security, privacy, and confidentiality are covered in Information Security and Confidentiality Code of Practice requirements in the Toolkit.

Using the Information Governance Toolkit (IGT)

Anyone with access to the NHS intranet can use the IGT as an information source and, by viewing the Requirements, determine what is required to achieve compliance in the different initiatives. In addition to navigating through the various requirements screens, users may also access the following additional features of the Toolkit:

  • The Knowledge Base: The Knowledge Base menu option links to a library of documents and Web links providing an information source on all aspects of Information Governance. Options are provided to list all the documents or to use a search facility that will select related documents. The search, however, does not scan the content of external Web sites.
  • Feedback Mechanism: This option is provided to allow users to send back any comments about the system, how the site could be improved, or any minor problems requiring resolution.
  • Accesskey Details: This option provides details of the UK Government's "accesskey system" that provides keyboard shortcuts as an alternative form of Web site navigation. This feature allows users with limited physical capabilities to navigate the organisation's Web site more easily.

Different User Roles

Individuals who are involved in recording an organisation's compliance with the Requirements will have user accounts on the IGT. These registered users can log in and complete an "Assessment Set" to record the organisation's current compliance with the Requirements. An Assessment Set combines all of the Requirements from all the initiatives for which compliance is required. Because of the importance of achieving compliance and the need to have an accurate record of an organisation's attainment level against the requirements, only designated persons are authorised to be involved in the IGT assessment process. At the individual Trust level, there are three levels of access to the Information Governance Toolkit (IGT) that are password protected: IGT Organisation Administrator, IGT Organisation User(s), and IGT Organisation Auditor(s).

IGT Organisation Administrator

This is an individual who has been nominated by the organisation to be responsible for Information Governance and to control the use of the IGT within the organisation. This individual has to be registered with the IGT Registrations Unit at the NHS Information Authority to obtain access to the IGT. There can be only one Organisation Administrator per organisation. Once they have successfully registered, an IGT account will be created and log in information provided. The IGT Organisation Administrator can then create accounts for their IGT Organisation Users (up to six are recommended in each organisation) and IGT Organisation Auditor(s).

The IGT Organisation Administrator is also responsible for starting an Assessment Set when the organisation is ready to start recording their levels of attainment against the requirements.

IGT Organisation User(s)

These are individuals who are responsible for recording the organisation's attainment against each of the requirements of the assessment set. Their IGT log-on accounts are created by the IGT Organisation Administrator.

IGT Organisation Auditor(s)

IGT Organisation Auditors are individuals who are responsible for auditing/checking and confirming the attainment levels recorded by the IGT Organisation Users.

Structure and Content of the Information Governance Toolkit (IGT)

The Information Governance Toolkit contains the following features:

  • A "Getting Started" page with details on the following aspects of the Toolkit:
    • Background information on Information Governance
    • The Information Governance Toolkit
    • The Information Governance registration process
    • Guidance on setting up Information Governance Steering Groups
    • Information about navigation around the Information Governance Toolkit
    • The different views (initiatives) of the Information Toolkit
    • Information about the assessment process and the assessment screens (for authorised users only)
    • Guidance on how to complete the Information Governance assessment
    • Access to local and national reports
    • Advice on where to go for help
  • A "What's New" page that contains the latest information on legislation, guidance, and information
  • A "Request for Registration" form for nominated IGT Administrators
  • The "requirements screen" that contains the assessment tool and year-on-year improvement plans to ensure that organisations work toward compliance with the initiatives and standards
  • A "knowledge base" containing the legal, NHS, and Department of Health guidance, exemplar documentation, templates, and hyperlinks to knowledge sources

Production of Local and National Reports from the Toolkit

The reports contained within the IGT are intended for use at both local and national levels, and they are an automatic by-product of the assessment process. The main report is a RAG (Red, Amber, Green) report that shows an organisation's performance against the various component initiatives and the elements of the HORUS matrix, as a series of percentage scores. This is intended to provide a holistic view of organisational performance against the entire Information Governance agenda. Details on reporting requirements for NHS organisations are published on the Information Governance Web site.

Information Governance Management in an Organisation

There are six aspects that form the basis for establishing an Information Governance Framework within an organisation:

  • Building the team
  • Putting in place appropriate organisational structures
  • Undertaking service and work planning
  • Developing and implementing policies, procedures, and guidance
  • Providing education, training, and awareness
  • Working with the Requirements through the Information Governance Toolkit

Initial steps in establishing this process include:

  • Appointing a senior manager(s) with Board-level responsibilities for Information Governance
  • Establishing an Information Governance Steering Group and nominating an Information Governance lead to take forward operational/practical issues, including:
    • Using the Information Governance Toolkit to baseline an organisation
    • Agreeing and developing a work programme, including improvement planning
    • Developing policy and strategy
    • Undertaking communication and awareness planning

Implementation of the Information Governance Toolkit and Work in Progress

Version one of the Toolkit was released at the end of November 2003, and a series of 12 workshops to launch the Toolkit and educate users were hosted around the country.

In version one, there was some degree of overlap where requirements covered more than one of the initiatives. However, they were mapped against each other, and assessment users therefore only needed to answer an assessment question once. In version two of the Toolkit, these areas of overlap have been eliminated with Requirements residing in just one initiative in the Toolkit.

Using version one of the Toolkit, each Acute Hospital Trust was mandated to submit an Information Governance assessment to the NHS Information Authority, online, by 31 March 2004, and 100 percent compliance was achieved. The NHS Information Authority then collated the results using a tracking database. The assessment scores were subsequently reported to the Audit Commission and the Commission for Health Improvement to assist in the processes of audit and performance monitoring of the NHS in England. Other organisations will be required to self-assess using version two of the Toolkit on 31st March 2005. In due course, self-assessment will be replaced by an audit process.

Version two for Acute Trusts is due for release in June 2004, and version two for other NHS organisations is due for release in December 2004.

Additional versions of the Information Governance Toolkit for a range of other NHS organisations, including Primary Care and Mental Health Trusts, Strategic Health Authorities, Special Health Authorities, Ambulance Trusts, NHS Direct, Social Care organisations, and the Blood Transfusion Service, are underway using the development process outlined above and drawing on the experience of implementation of the Toolkit in Acute Trusts. This wider implementation of Information Governance across all NHS and Social Care organisations will ensure the provision of high quality care to patients and clients by promoting the effective and appropriate use of personal, sensitive information.


  1. The National Programme for IT (NPfIT), England.
  2. The NHS Care Record/NHS Care Records Service (NCRS), England.
  3. Electronic Social Care Record, England. SocialCare/FrameworkDocument/FrameworkDocumentArticle/fs/en?CONTENT_ID=4073714&chk=KiQvfc
  4. Patient "Choice of Hospital," England. PressReleases/PressReleasesNotices/fs/en?CONTENT_ID=4062561&chk=uGEJUD
  5. "Information for Health," England. Department of Health, NHS Executive; 01/01/1998
  6. "Securing Our Future Health: Taking a Long-Term View--the Wanless Report," England. Published 01/01/2002; Crown Copyright
  7. "The NHS Plan: A Plan for Reform," England. Department of Health; Published 01/07/2000; Product Code 010481829; Series Number Cm 4818-I; Crown Copyright
  8. "Building the Information Core Implementing the NHS Plan," England. Department of Health; Published 01/01/2001; Crown Copyright
  9. "Delivering the NHS Plan: next steps on investment, next steps on reform", England. Department of Health; Published 18/04/2002; Crown Copyright; ISBN 0 10155 032 4
  10. "Delivering 21st century IT support for the NHS: national strategic programme," England Department of Health; Published 11/06/2002; Crown Copyright
  11. "Delivering the NHS Plan: Taking NHS information technology into the 21st century," England. Published 12/06/02; Reference Number 2002/0270
  12. Information Governance Toolkit, England.

Source: 2004 IFHRO Congress & AHIMA Convention Proceedings, October 2004