NHS trusts undergo an independent mandatory audit each year because they handle patients’ health data. The Data Security and Protection Toolkit (DSPT) is a self-assessment tool used to measure performance against national data security standards. We must therefore demonstrate compliance with NHS data protection requirements, data security standards, and recognised good practice. An Information Governance (IG) audit provides independent assurance and strengthens the credibility of our DSPT submission.

Impact of Good IG Governance

Good IG governance strengthens every aspect of our work. It protects our staff, patients, and service users by ensuring their information is handled safely and lawfully, giving them confidence in how their data is managed. Strong governance improves data security, reduces the risk of breaches, and supports operational efficiency. It also enables innovation and promotes better, more effective use of data across the organisation. 

Why is this being carried out?

All organisations must be able to demonstrate compliance with information governance and data protection legislation. These audits help us proactively assess whether our processes, policies and IT security measures meet national standards. They also provide insight into how information is currently handled and protected and identify any areas where improvements may be needed. 

How will this be carried out?

The IG team will visit sites in person to complete the audit. Each visit will take approximately 1–2 hours and will involve walking around the premises to conduct checks. The audit will cover staff awareness, records management, and both physical and IT security. A small number of colleagues may also be invited to take part in short interviews to assess their IG knowledge and understanding. Some IG audits will be carried out virtually via MS Teams to accommodate hybrid colleagues.

When will this take place?

Phase one will begin in March 2026, focusing initially on non-clinical services. This will include a combination of site visits and some virtual audits. 

Can I prepare for this?

Yes. An information pack will be sent to teams ahead of their scheduled visit. This will include a checklist, along with helpful hints and tips to support colleagues in preparing. Further details will be included in the pack. 

Hints and Tips:  

  • Complete any outstanding IG training  
  • Check records you manage are stored securely (electronically and physically)
  • Use a strong passphrase for your password 
  • Understand the Trust’s process for reporting an IG breach  
  • Take a look at the Information Governance and Records pages on YourSpace
  • Familiarise yourself with Cyber Security best practices on YourSpace

If you have any further queries, please email: IG@merseycare.nhs.uk