Using the IG Framework

This information governance IG Framework was structured around "journeys". The current journeys are:

• journey 1: Sharing personal or CPI between health and social care bodies within a ShCR for the individual care of patients or service users
• journey 2: Sharing personal or CPI between health and social care bodies across geographical boundaries for the individual care of patients or service users

A set of requirements at the start of the IG Framework covers both journeys. A specific set of requirements is then set out for each journey. In terms of practical use, a ShCR needs to work out how it will use information and where it will flow between the ShCR members. This then becomes the basis for working through the relevant IG requirements which are set out in this IG Framework.

The requirements are accompanied by assurance checkpoints to assess attainment. An assurance checklist is available at Appendix 3. ShCRs should complete this and submit it to the external IG Assurance Panel as part of the assurance process. The Assurance Panel consists of national IG subject matter experts. ShCRs need to achieve satisfactory assurance on each checkpoint and be fully compliant across all checkpoints for journeys 1 and 2. In the event that satisfactory assurance cannot be met, the ShCR will need to produce an action plan to discuss with the Assurance Panel. 

Many "participating organisations" within the ShCR may already have mature systems, which aid the delivery of IG commitments and requirements. It is anticipated that these local delivery systems will continue, however they must be externally assured. ShCRs must use the assurance checklist to assure themselves and the Assurance Panel that they are compliant with this IG Framework even where they have existing systems in place. Where ShCRs have IG policies or are using systems that do not meet the legal requirements set out in this IG Framework, then these policies or systems must be upgraded to meet the IG Framework requirements. For example, if they are not providing transparency information as required by the UK General Data Protection Regulation (UK GDPR). Where current systems do not meet current good practice, but are legally compliant, we do not expect ShCRs to take immediate action to upgrade systems if this may have disproportionate cost implications. If ShCRs do not have policies or systems that meet IG Framework criteria, then they will need to provide evidence of their plan to upgrade systems as part of the ShCR assurance process.

Finally, the IG Framework includes tools and templates which should reduce unnecessary burden and bureaucracy, refer to Appendix 7.

The IG Framework was developed and overseen by the National ShCR IG Steering Group chaired by NHSX. The ShCR IG leads will be in regular contact with the National ShCR IG Steering Group to raise issues or concerns and highlight best practice. They will meet as a group on a regular basis to discuss operation of the IG Framework and to assist in developing tools, templates, models and share good practice.