Update on NHS Digital’s information security assurance (IG Toolkit) requirements

Published: 28 Mar 2017

NHS Digital has issued guidance aimed at data processors who currently use its IG Toolkit for data access, including NCAPOP providers. Projects which plan to submit an access to data application to NHS Digital will need to ensure that all data processors have the appropriate version of the IGT according to these guidelines, in order to prevent delays.

The guidance is as follows:

From 1st April 2017 through to the end of May 2017, NHS Digital will accept applications through DARS-online under the following three scenarios where the Information Governance Toolkit (IGT) is being provided as the security assurance:

  • with the IGT version 13 reviewed score ‘satisfactory’, so long as IGT version 14 has been started by the applicant, with a condition on their agreement that it is submitted by the end of May 2017 and is self-assessed satisfactory (and when reviewed is also satisfactory)
  • with IGT version 14 self-assessed score ‘satisfactory’ with a condition on their agreement that when reviewed it is also satisfactory
  • with IGT version 14 reviewed score ‘satisfactory’

From 1st June 2017 NHS Digital will accept applications only where applicants have:

  • IGT version 14 self-assessed score ‘satisfactory’ with a condition on their agreement that when reviewed it is also satisfactory. At this stage the reviewed score is not a requirement for submission of an application.
  • IGT version 14 reviewed as ‘satisfactory’

Any IGT which is not self-assessed or reviewed as satisfactory will need to be considered by the NHS Digital DARS team on a case-by-case basis.

For those projects which plan to submit an application to NHS Digital for access to data, please ensure that all data processors have the appropriate version of the IGT to prevent delays to your application.