National Health Service (NHS) Information Governance (IG) Toolkit

NHS IG Toolkit overview

The National Health Service (NHS) is the national health system for England, and provides most of the healthcare for the citizens of England, covering all healthcare practice areas. Founded in 1948, the NHS was the world’s first single-payer health system. It is also the world’s largest health system, employing over 1.5 million people with a 2016 budget of £116.4 billion.

The NHS manages the health data of more than 64 million NHS patients. The collection, storage, and processing of NHS patient data are subject to multiple laws and regulations, including the Data Protection Act of 1998 and the Confidentiality NHS Code of Practice.

The NHS commissioned the Health and Social Care Information Centre (HSCIC) to develop and maintain a single standard that governs the collection, storage, and processing of patient data, the Information Governance (IG) Toolkit. The IG Toolkit is designed to encourage and guide organizations that are interested in hosting personal health data through the process of complying with the guidelines.

All organizations that have access to NHS patient data are required to provide evidence, by using the NHS IG Toolkit, that they are taking adequate measures to protect patient data.

Also, organizations such as Microsoft that provide a platform for healthcare providers use the toolkit to conduct a self-assessment on their security and privacy controls against NHS information governance, security, and privacy requirements.

Adherence with the NHS IG Toolkit helps protect the integrity and confidentiality of patient data against unauthorized access, loss, damage, and destruction. Appropriate mitigating steps must be taken to remediate any noncompliance issues identified during the assessment process.

The NHS IG Toolkit is intended to:

  • Provide a standard to address common customer concerns about the security and confidentiality of NHS patient data and the impact on business
  • Demonstrate measurable compliance and provide visibility into potential risks to patient data
  • Promote trust and public confidence in NHS and partner organizations

Microsoft and NHS IG Toolkit

As a commercial third party, Microsoft Azure has completed level 2 of the NHS IG Toolkit assessment. Interim assessments are also expected to be completed during the year when a new version of the NHS IG Toolkit is released.

Microsoft in-scope cloud services

  • Azure and Azure Government
  • Intune
  • Power BI: cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Audits, reports, and certificates

The Azure assessment is renewed annually: Microsoft Azure IG Toolkit Assessment Report

Frequently asked questions

Who can take advantage of the Azure NHS IG Toolkit assessment?

Organizations that want to use Microsoft Azure as a platform to host NHS patient data can build on Microsoft’s assessment report to launch their own NHS IG Toolkit assessment, keeping in mind that they also must address any additional controls, especially those not under the responsibility of the Cloud Service Provider.

Where do I start with my organization’s own compliance effort?

Organizations that are interested in hosting NHS patient data are encouraged to become familiar with the governing requirements by reviewing the NHS IG Toolkit guidelines to determine the scope and controls that they must have in place.

What are the IG Toolkit attainment levels?

IG Toolkit attainment levels are from 0 to 3:

  • There is insufficient evidence to attain level 1
  • The organization has begun to plan the policies, procedures, and/or processes that are necessary to become compliant
  • There are approved and implemented IG policies and procedures in place that have been made available to all relevant staff
  • Staff compliance and the effectiveness of the policies and procedures are monitored and assured


Download the offering backgrounder

Do you need the backgrounder document for this offering? Download the PDF.