NHS Information Risk Management
This page contains guidance aimed at those responsible for managing information risk within NHS organisations
Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents
The checklist should be used in conjunction with the previously issued national guidance on the management of Serious Untoward Incidents (SUIs) (Matthew Swindells letter, 29 February 2008, PDF 103Kb) and with any local guidance on SUIs provided by your SHA. Please download the checklist (PDF 111Kb).
NHS Information Risk Management: Good Practice Guidance
The establishment of the role of a Senior Information Risk Owner (SIRO) in each Government Department is one of several measures implemented to strengthen controls around information security following the Cabinet Office report, Data Handling Procedures within Government (PDF 278Kb).
David Nicholson, Chief Executive of the NHS, in his letter of 20 May 2008 (PDF 64Kb), set an action requiring all NHS organisations also to identify a Senior Information Risk Owner.
The nominated person should be an Executive or Senior Manager on the Board who is familiar with information risks and the organisation’s response to risk. The role of the SIRO is to take ownership of the organisation's information risk policy, act as an advocate for information risk on the Board and provide written advice to the Accounting Officer on the content of their Statement of Internal Control in regard to information risk.
The guidance on this page is aimed at those responsible for managing information risk within NHS organisations, including SIROs and Information Asset Owners (IAOs). It reflects Government guidelines and is consistent with the Cabinet Office data handling report.
Content of the guidance
- Appendix 1: Detailed guidance on the SIRO and IAO roles
- Appendix 2: Guidance on the development of an Information Risk Policy
- Appendix 3: Guidance on the development of a Forensic Readiness Policy
- Appendix 4: Guidance on IG security accreditation
Please download NHS Information Risk Management: Good Practice Guidance (PDF 132Kb).
Additional resources
The following additional resource documents are embedded within the guidance:
- Example SIRO job description Word 37Kb
- Example IAO job description Word 46Kb
- Training materials for SIROs and IAOs - PowerPoint presentation 68.5Kb
- Information Classification guidelines Word 82.5Kb
- Example Information Risk Policy Word 33Kb
- Example Forensic Readiness Policy Word 33.5Kb
- Information Asset Register Tool Excel 30.5Kb
- Guidance for use of Information Asset Register Tool Word 24Kb