Our new website is easier to navigate and find information. Click here to visit and give us your feedback.

Confidentiality Advisory Group (CAG) – Security review arrangements

It is Department of Health policy for all bodies that process NHS patient information to provide security assurance through annual completion and publication of an Information Governance (IG) Toolkit.

The Department now wishes to seek this assurance from bodies that obtain NHS patient information in circumstances approved under Section 251 NHS Act 2006 and supporting Regulations. A requirement within the Regulations is to ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information. Assurance over this aspect is now provided through a satisfactory IG Toolkit submission. For new applications there are no changes to the assessment of the main application, as security review has always been a separate process that can be carried out in parallel to CAG consideration.

Instead of providing a system level security policy document, applicants should now provide a relevant IG Toolkit submission. The IG Toolkit process document sets out what is required when completing a Toolkit submission. Queries over this document should be directed to Exeter.Helpdesk@nhs.net.

The FAQ document sets out responses to common queries for new and existing applicants.