Information governance statement of compliance (IGSoC) – important message for practices
We have previously issued guidance in October 2008 and March 2009 about IGSoC. We thought it would be helpful to remind practices about the need for compliance or for making good progress towards compliance.
IGSoC was developed by NHS Connecting for Health (CfH) as an information governance tool to support its own responsibility as data controller of the national programme for IT. IGSoC includes a number of progressive levels of compliance. Practices need to achieve a minimum of Level 2, which confirms compliance with the Data Protection Act, Human Rights Act, Freedom of Information Act and the other linked legislation.
All GPs have the responsibility to register with the Information Commissioner’s Office as data controllers, and GPs are liable to fines if they knowingly put information at risk or fail to take action to mitigate a known risk.
CfH developed a toolkit to enable practices to assess their readiness for compliance and to complete and make the submission.
Once an IGSoC has been submitted there is no requirement to re-submit on an annual basis. However, there is a need to submit an IG toolkit annually.
All practices have to be signed up by the end of March 2010 or PCTs could be liable.
Some useful links are:
- FAQ advice issued by CfH
- An introduction to IGSOC
- LMC guidance (October 2008)
- LMC guidance (March 2009)
- Latest IGSoC updates on the CfH website
Below is a message from Nick Murphy-O'Kane, Head of Information Governance/Deputy Caldicott Guardian and Deputy Information Governance Manager, NHS London.
Dear General Practitioner
As we reminded you in the December 2009 LMC Bulletin, the Information Governance Toolkit v7 is due to be completed and submitted by 31 March 2010.
I am happy to report that we have noted an increase in the number of toolkits that have been started, and thank you for doing so. But there is still a large number that have not even started the process.
Your PCT is now receiving weekly reports and follow-up emails as part of the Strategic Health Authority assurance performance checking, but to really achieve the 100% return within the next 5.5 weeks, we need your support and action.
A couple of key points that have arisen since my last report are:
1. Requirement 118 – this is the statement of compliance for your N3 connection.
   a. Some practices are claiming a level 2 when they do not have ALL the relevant requirements at the minimum level. Remember the checklist shows the other 7 requirements that MUST be level 2.
   b. Some GP Practices are claiming a Level 3 for this requirement – this would mean that you have received an Internal Audit of your evidence for the v7 requirements.
2. Action Plans
   a. For those practices that really are unable to achieve the improvement, I suggest you agree an action plan for improvement. The new toolkit for the next financial year will be seeking a minimum of level 2 compliance across all the IGT elements.
As always, on behalf of the PCTs in London – your local IG teams are more than willing to help with this work, and in most cases have already been working closely with you to improve your overall scores and standards. I hope this continues and we can work closely together during this time.
Nick Murphy-O'Kane
Head of Information Governance / Deputy Caldicott Guardian
Deputy Information Governance Manager, NHS London