Commercial Third Party (CTP) Organisations Providing Health Care or Support Services to, or on behalf of National Health Service (NHS) Establishments

Guidance on Completing an Information Governance Assessment to Support Applications for N3 Connection (Statement of Compliance)

All organisations gather and hold information, much of which needs to be handled in a sensitive and confidential manner. The NHS, by the very nature of its business, has an increased duty of care to safeguard the information it holds, particularly about the users of its services and needs to ensure that any third party it contracts with exercises the same duty of care in handling or dealing with sensitive information.

Third parties can be any individuals or organisations contracting or doing business with, but not directly employed by, the NHS. They can range from large-scale, complex organisations to small businesses or individuals providing bespoke services.

Whether large or small, simple or complex, all third parties wishing to access NHS Connecting for Health (CFH) provided infrastructure and services (via N3 connection) are expected to provide assurance to Connecting for Health that they have robust and effective systems in place for handling information securely and confidentially.

Third parties are asked to provide this assurance through use of a modified version of the existing NHS Information Governance Toolkit.

The toolkit is a self-assessment process based around 16 standards or requirements for good practice covering management, security and confidentiality of information. To complete the assessment, users are asked to rate themselves at one of 4 levels of compliance with each of the standards; 0 being the lowest and 3 the highest.

All third parties are required to reach a minimum compliance level of 2 on each of the standards before they can sign off the Statement of Compliance - an essential part of the application process for N3 connection. For more details of the application process see:

Where compliance falls below the required level, the NHS CfH support team will contact the third party to advise them of this and to discuss any action required to improve systems before their application for N3 connection can proceed.

Third parties will be asked to complete the IG toolkit self-assessment as part of their Statement of Compliance application. As soon as the initial application is received by NHS CfH, staff from the Information Governance policy support team will contact the third party by telephone, to provide them with details of the organisation code (otherwise known as the NACs code), login and a default password needed to carry out an assessment using the IG Toolkit. The Support Team will also be able to provide detailed help and advice on the assessment process, which is summarised below:

Completing the Information Governance Assessment

The IG Toolkit can be accessed at

Please log in to the toolkit by entering the organisation code, login and password provided by the IG Policy Team.

Once logged in successfully to the toolkit, your name, or the name of your organisation, should appear on the horizontal toolbar next to the login details.

Navigation through the toolkit is through the menu options seen on the left-hand side of the screen.

Using the menu options, you will need to carry out steps 1 to 4 below:

Step 1: Change your default password.

Select “My Password” and enter details in the required fields.

Step 2: Set up your assessment

Select the “Assessments” button on the menu and enter some meaningful text in the text box, e.g. IG Assessment for Somewhere Company 2007 / 2008.

Click the “Create new assessment” button and the screen will change to a status screen similar to that below. Your account will enable you to create, complete and save the assessment on-line.

Step 3: Complete your assessment

IMPORTANT NOTE: Before starting the assessment, you are strongly advised to look at the Printable Version of each requirement and the supporting Guidance Document. This provides advice on how to assess levels of compliance in terms of the evidence available to support it and also gives examples of standards of good practice that should be in place.

Click the “View requirements” link from your created assessment or select “Assessments” from the menu. Complete the assessment by clicking on each of the 16 requirements in turn and assess the current level of compliance reached. Additionally enter a target level, i.e. the level you are aiming to reach within the year. (See below)

Step 4: Submit your assessment

Select the “Submit” button on the assessment. You will also need to send a confirmatory email to the NHS CfH Policy Support team that submission is complete. Failure to submit or confirm submission could result in unnecessary delays in the process.

NHS CFH Support Team contacts:

or 01392 251289

The Support team will review the assessments and advise you of the outcomes, including any action required where your compliance is lower than level 2 on one or more requirements.

Once connected, you will be required, as a user of NHS CfH services, to maintain an acceptable level of compliance with the Information Governance Standards. As such, you will be required to complete an annual assessment using the NHS IG Toolkit.

Next steps: Creating an Implementation Plan

Log into the toolkit as usual and select “Assessments” from the menu. The Assessment screen with a table similar to that in Figure 4 will be displayed. Click on the blue text that reads “Implementation Plan”.

Figure 4

This automatically generates an implementation plan, similar to Figure 5, for each requirement, based on the current ratings and target ratings you entered whilst scoring the requirements.