NHS Information Risk Management guidelines

This guidance is aimed at those responsible for managing information risk within NHS organisations. It reflects Government guidelines and is consistent with the Cabinet Office report on ‘Data Handling Procedures within Government’. The key requirement is for information risk to be managed in a robust way within work areas and not be seen as something that is the sole responsibility of IT or IG staff. Assurances need to be provided in a consistent manner. To achieve this, a structured approach is needed, building upon the existing information governance framework within which many parts of the NHS are already working. This structured approach relies upon the identification of information assets and assigning ‘ownership’ of assets to senior accountable staff. These Information Asset Owners (IAOs) are likely to be supported within larger organisations by Information Asset Administrators (IAAs), or equivalents, who are operational staff with day to day responsibility for managing risks to their information assets. The IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board level lead termed a Senior Information Risk Owner (SIRO). The SIRO in turn provides assurances to an organisation’s Accounting Officer, normally the Chief Executive. The following diagram illustrates this information risk management structure.

[document url=”http://systems.hscic.gov.uk/infogov/security/risk/inforiskmgtgpg.pdf” width=”600″ height=”820″]

You might also like