National guidelines for healthcare organisations wishing to use cloud services or data offshoring to store patient information.

– All employees undergo appropriate annual data security training and pass a mandatory test provided by the revised Information Governance Toolkit.

An overview of information governance (IG) processes and support for health and care organisations.

Q: I work for a commercial third party that is currently assessing the toolkit and providing services to the NHS. How can I access the training, and who needs to do it?

Dame Fiona Caldicott provides independent advice on the use of confidential health and care information.

Click on the link below and fill out the online form to request access. A member of the e-LfH support team will contact you to discuss your needs:

Our Data Security Centre supports health and care organisations in securing patient information and IT systems.

All organisations that have access to NHS patient data and systems – including NHS trusts, primary care and social care providers and commercial third parties – must complete the toolkit to ensure that they practise good data security and that personal data is processed properly.

The information that needs to be recorded is the products and services they provide, their contact details and the duration of the contract, as in the example below:

NHS Digital provides guidance on how to protect data and handle information securely. Our guidelines are designed to help health and care organisations meet the standards required for handling care information.

If you require further information on the content of each module, please contact the NHS Digital Contact Centre: firstname.lastname@example.org

Please note that the mere posting of personal or confidential information will always be classified as processing.
– All employees understand their responsibilities under the National Data Guardian's data security standards, including their commitment to handling information responsibly and their personal liability for intentional or preventable breaches.

For more information and access to the Data Security and Protection Toolkit, see: digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/data-security-and-protection-toolkit

It is important to note that the level of due diligence required depends on the level of risk of the service provided by the provider, as well as your company's willingness to take risks. However, where an organisation is engaged through the NHS standard contract, the provider must complete and publish an annual information governance assessment in accordance with the NHS Data Security and Protection Toolkit, as appropriate to the provider's services and type of organisation.
(21.2 General Responsibilities). You need to know what contracts you have with suppliers who process personal data and with suppliers who provide IT services. This includes, for example, catering services that process personal data containing patient names and dietary requirements, and providers that may not be primarily IT-based but whose service includes an IT component. Such providers may affect the provision of your services, which in turn may affect the rights and freedoms of individuals. Therefore, you need to extend your risk management process to vendors involved in your networks and information systems. This can be considered a supply chain issue or a data processing issue under the UK GDPR. Regardless, your risk management processes need to consider the risks on your supplier side. For more information, check out our list of helpful resources for each chapter of this guide.
It replaces the previous RIIS reporting tool, which was part of the former Information Governance Toolkit. The new incident reporting tool reflects the new reporting requirements of the General Data Protection Regulation (GDPR) and, for affected organisations, the Network and Information Systems (NIS) regulations. For more information about the report approval process, see:

Each vendor, data processor and joint controller that handles personal or confidential information on behalf of your organisation must have completed the Data Security and Protection Toolkit. It is your responsibility to verify that they have done so. If they have not, they should be able to demonstrate an equal or higher standard.

The NDG's data standards requirements for employees are listed below:

Confidential information has been defined as both personal data and sensitive company information. The National Data Guardian (NDG) review requires all NHS staff to undergo adequate annual data security training and pass a mandatory test.