Information Governance (Research)

Information Governance (IG) and DS&P (IG) Toolkit

What is Information Governance? | Why is IG / NHS Digital Toolkit an issue? | The College and the Toolkit | What is the DS&P (IG) Toolkit? | About these web pages | Key Documents and References | Key Responsibilities | Contact


What is Information Governance?

IG Image (jpg)

back to top
Information Governance is to do with the way organisations ‘process’ or handle information. It covers personal information, i.e. that relating to patients/service users and employees, and corporate information, e.g. financial and accounting records.

When is Information Governance considered?
Although data management should be a concern throughout research activity there is a particular role in providing advice and support a) during approvals processes (University Ethics, and NHS REC), b) within research proposal development (including IRAS forms), and c) developing and reviewing contracts and agreements.

In all cases IG should be considered 'as early as possible'. A key reason for this is that IG commonly links or interfaces with various areas of the University including the Data Protection Officer, Information Assurance Services, IT Services, College IT, RED Contracts and Pre-Award, Research Governance, and Records Management.

Tools to provide IG assurance include:

  • Data Risk Assessment Form (with Exemplar and Heightened Risk versions available to provide information)
  • Data Management protocol template.

Information Governance provides a way to deal consistently with the many different rules about how information is handled, including those set out in:

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018 alongside the UK Data Protection Act (DPA18). Guidance resources are shown below.

The "IG Toolkit" is now the "Data Security & Protection Toolkit".
The NHS Digital IG Toolkit was redeveloped and renamed the 'Data Security & Protection Toolkit' during 2018.

If you are or have entered into an NHS Digital Data Sharing Agreement you need to read the HSCIC DSA Information Security Policy, and consult with your Departmental Manager.  Advice also available from

A host of relevant information and advice regarding handling/management of data is available at our Research Data Management website.

Why is the IG / NHS Digital Toolkit an issue?

back to top

In September 2011 the NHS England Chief Executive and Information Commissioner confirmed that all organisations that have access to NHS patient data must provide assurances that they are practising good information governance and use the Information Governance Toolkit (now Data Security & Protection Toolkit) to evidence this. Where services are commissioned for NHS patients, the commissioner is required to obtain this assurance from the provider organisation and this requirement should be set out in the commissioner-provider contract.

Letter from NHS England Chief Executive and Information Commissioner

It remains Department of Health policy that all bodies that process NHS patient information for whatever purpose should provide assurance via the IGT, now DS&P Toolkit.

The 2014 Partridge Review - "Steps to guarantee greater openness and reassurance to the public, stricter controls over data use and better clarity for data users" - placed greater emphasis on appropriate data management and resulted in tighter processes and greater institutional and researcher assurance requirements (See Partridge Review and Summary).

What is the DS&P (IG) Toolkit?

back to top

The Information Governance Toolkit was a Department of Health (DH) Policy delivery vehicle that, what is now, NHS Digital (NHSD) was commissioned to develop and maintain. It drew together the legal rules and central guidance set out by DH policy and presented them in in a single standard as a set of information governance requirements. The organisations in scope of this are required to carry out self-assessments of their compliance against the IG requirements.

An assessment of compliance with requirements, within the NHS Digital Information Governance Toolkit (IGT), was undertaken each year to March 2018, when the IGT was replaced by the new Data Security & Protection (DS&P) Toolkit.

The College and the Toolkit

back to top

The College completed a DS&P Toolkit submission for 2018-19, and provided to NHS Digital IGT submissions for 2015-16, 2016-17, and 2017-18 which were at least Satisfactory against all requirements.

The Toolkit is generally completed in March each year, and provides assurance for the following 12 months.

The First DS&P Toolkit - for 2018-19 - was submitted in March 2019:

  • Following changes through the year the final version of the Toolkit included 131 questions, largely requiring Yes/No responses or dates of decision or completion of activity.
  • In contrast under the IGT (as a ‘Hosted Secondary Use Team/Project’ registration) there were 14 ‘Standards’ to complete requiring ‘adequate’ Level 2 compliance for all standards (with possible compliance levels 0, 1, 2, and 3).
  • 71 of the 131 questions are ‘Mandatory’ - the equivalent of previous required ‘adequate Level 2’.
  • DSPT questions reflect the National Data Guardian’s new Data Standards
  • Toolkit questions clearly state the standards expected of the College and research activity within it.

The IG Toolkit:

During the period to 31st March 2018 (final submission date for the IGT) the final College IGT submission was completed.

This provided a range of University and College level evidence and support for departmental, research group, or trial/project level IGT submissions.The College was registered as what was termed as a “Hosted Secondary Use Team/Project” and had to provide evidence against the following requirements:



Information Governance Management


Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff


There is an information governance policy that addresses the overall requirements of information governance


All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities.


All staff members are provided with appropriate training on information governance requirements.

Confidentiality and Data Protection Assurance


Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected


There are appropriate confidentiality audit procedures to monitor access to confidential personal information


All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines


All transfers of personal and sensitive information are conducted in a secure and confidential manner

Information Security Assurance


Policy and procedures ensure that mobile computing and teleworking are secure


There is an information asset register that includes all key information, software, hardware and services


Unauthorised access to the premises, equipment, records and other assets is prevented


There are documented incident management and reporting procedures


The confidentiality of service user information is protected through use of Pseudonymisation and anonymisation techniques where appropriate


There are adequate safeguards in place to ensure that all patient/client information is collected and used within a secure data processing environment (safe haven) distinct from other areas of organisational activity

In March 2019 there was the first College of Life Sciences DS&P Toolkit submission. The Toolkit, for this submission comprised 131 questions (rather than the previous 14 standards).

back to top

About this Website

This website will be used as the focal point for communication regarding IG and the Toolkit for the College.  Content will change significantly and often so please check the site regularly.

Key Documents and References

GDPR Guidance:

Key Responsibilities

  • The University Registrar, Dave Hall is the Senior Information Risk Owner (SIRO)
  • CLS IG Strategy Group - Chaired by Elizabeth Draper
  • CLS IG Academic Lead - Elizabeth Draper
  • University Deputy SIRO & IG Lead (Research) - Andrew Burnham
  • IG Representatives (who act as the College Toolkit Working Group, alongside Information Assurance, IT Services, Records Management and other colleagues) – Andrew Burnham (IG Lead), Jitin Liladhar (College IT Manager), Julie Faulkes and Martin Perkins (Departmental Representatives), Yasmin Godhania (Research Governance)



Share this page: