Information Governance (Research)

Information Governance (IG) and DS&P (IG) Toolkit

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018 alongside the UK Data Protection Act (DPA18). Guidance resources are shown below.

The "IG Toolkit" is now the "Data Security & Protection Toolkit".
The NHS Digital IG Toolkit was redeveloped and renamed the 'Data Security & Protection Toolkit' during 2018.

The College DS&P Toolkit submission for 2018-19 was submitted to schedule in March 2019.

If you are entering, or have entered, into an NHS Digital Data Sharing Agreement, you need to read the HSCIC DSA Information Security Policy and consult with your Departmental Manager. Advice also available from

What is Information Governance?

Information Governance is to do with the way organisations ‘process’ or handle information. It covers personal information, i.e. that relating to patients/service users and employees, and corporate information, e.g. financial and accounting records.

Information Governance provides a way for employees to deal consistently with the many different rules about how information is handled, including those set out in:

A host of relevant information and advice regarding handling/management of data is available at our Research Data Management website.

Why is IG / NHS Digital Toolkit an issue?

In September 2011 the NHS England Chief Executive and Information Commissioner confirmed that all organisations that have access to NHS patient data must provide assurances that they are practising good information governance and use the Information Governance Toolkit (now Data Security & Protection Toolkit) to evidence this. Where services are commissioned for NHS patients, the commissioner is required to obtain this assurance from the provider organisation and this requirement should be set out in the commissioner-provider contract.

Letter from NHS England Chief Executive and Information Commissioner

It remains Department of Health policy that all bodies that process NHS patient information for whatever purpose should provide assurance via the IGT, now DS&P Toolkit.

The 2014 Partridge Review - "Steps to guarantee greater openness and reassurance to the public, stricter controls over data use and better clarity for data users" - has placed greater emphasis on appropriate data management and resulted in tighter processes and greater institutional and researcher assurance requirements (See Partridge Review and Summary).

What is the DS&P (IG) Toolkit?

The Information Governance Toolkit was a Department of Health (DH) policy delivery vehicle that NHS Digital (NHSD), as it is now known, was commissioned to develop and maintain. It drew together the legal rules and central guidance set out by DH policy and presented them in a single standard as a set of information governance requirements. The organisations in scope are required to carry out self-assessments of their compliance against the IG requirements.

An assessment of compliance with requirements, within the NHS Digital Information Governance Toolkit (IGT), was undertaken each year to March 2018, when the IGT was replaced by the new Data Security & Protection Toolkit.

The College and IGT

We provided to NHS Digital (formerly 'HSCIC') College IGT submissions for 2015-16, 2016-17, and 2017-18 which were at least Satisfactory against all requirements.

During the period to 31st March 2018 (final submission date for the IGT) a College IGT Working Group developed an IGT submission for the College as a whole.

This provided a range of University and College level evidence and support for departmental, research group, or trial/project level IGT submissions. The College was registered as what was termed a “Hosted Secondary Use Team/Project” and had to provide evidence against the following requirements:



Information Governance Management

  • Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff
  • There is an information governance policy that addresses the overall requirements of information governance
  • All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities.
  • All staff members are provided with appropriate training on information governance requirements.

Confidentiality and Data Protection Assurance

  • Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected
  • There are appropriate confidentiality audit procedures to monitor access to confidential personal information
  • All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
  • All transfers of personal and sensitive information are conducted in a secure and confidential manner

Information Security Assurance

  • Policy and procedures ensure that mobile computing and teleworking are secure
  • There is an information asset register that includes all key information, software, hardware and services
  • Unauthorised access to the premises, equipment, records and other assets is prevented
  • There are documented incident management and reporting procedures
  • The confidentiality of service user information is protected through use of Pseudonymisation and anonymisation techniques where appropriate
  • There are adequate safeguards in place to ensure that all patient/client information is collected and used within a secure data processing environment (safe haven) distinct from other areas of organisational activity

The first College of Life Sciences DS&P Toolkit submission was made in March 2019. The Toolkit for this submission comprised 131 questions (rather than the previous 14 standards).

About this Website

This website will be used as the focal point for communication regarding IG and the Toolkit for the College.  Content will change significantly and often so please check the site regularly.

Key Documents and References

GDPR Guidance:

Key Responsibilities

  • The University Registrar, Dave Hall, is the Senior Information Risk Owner (SIRO)
  • CLS IG Strategy Group - Chaired by Elizabeth Draper
  • CLS IG Academic Lead - Elizabeth Draper
  • University Deputy SIRO & IG Lead (Research) - Andrew Burnham
  • IG Representatives (who act as the College Toolkit Working Group, alongside Information Assurance, IT Services, Records Management and other colleagues) – Andrew Burnham (IG Lead), Jitin Liladhar (College IT Manager), Julie Faulkes and Martin Perkins (Departmental Representatives), Yasmin Godhania (Research Governance)


