
Useful resources

Additional resources that complement the guidance found in the Data Security and Protection Toolkit. 

These resources relate to the 2023-24 (version 6) standard.


Data security standard 1

Information Governance Panel Guidance: NHS England Transformation Directorate – A portal of guidance on numerous key IG topics which has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and the National Data Guardian (NDG).

Records Management Code of Practice 2021: NHS England Transformation Directorate - The Records Management Code of Practice for Health and Social Care 2021 sets out how health and care records should be managed throughout their lifecycle. It is relevant to organisations working within, or under contract to, the NHS in England. The Code also applies to adult social care and public health functions commissioned or delivered by local authorities.

Confidentiality Advisory Group (CAG) information: Health Research Authority – Information about the CAG, an independent body which provides expert advice on the use of confidential patient information for research, including how to apply and a register of approved applications.

Caldicott Guardian FAQs: UK Caldicott Guardian Council – Frequently asked questions about the appointment of Caldicott Guardians, their role and responsibilities.

Guidance on the appointment of Caldicott Guardians, their role and responsibilities: National Data Guardian - Issued under the National Data Guardian's statutory powers, this guidance is about the appointment, role and responsibilities of Caldicott Guardians.

National data opt-out: NHS England – A service that allows patients to opt out of their confidential patient information being used for research and planning.

Guide to the UK General Data Protection Regulation (UK GDPR): Information Commissioner’s Office - The Guide to the UK GDPR explains the provisions of the UK GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection. 

FOI self-assessment toolkit: Information Commissioner's Office - The toolkit is designed to help public authorities assess their current FOI performance and provide indicators of where efforts should be focused in order to improve. It also provides templates for taking improvement actions. 

Data protection self assessment: Information Commissioner's Office - This self assessment toolkit will help assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure.

Accountability Framework: Information Commissioner's Office - The framework is an opportunity for you to assess your organisation’s accountability – one of the key principles in data protection law.

Publications and Resources page on Delen: NHS England - The Clinical Coding section on Delen, NHS England's information sharing and collaboration platform for users of its Terminology and Classifications products. Here you can access up-to-date information, resources, educational materials and technical support relating to those products.

Risk management guidance: National Cyber Security Centre - Guidance to help organisations make decisions about cyber security risk. Outlining the fundamentals of risk management and describing techniques you can use to manage cyber security risks.

Board toolkit: National Cyber Security Centre - Resources designed to encourage essential cyber security discussions between the Board and their technical experts.

Secure sanitisation of storage media: National Cyber Security Centre - Why sanitisation is necessary, the risks to manage, and how to sanitise affordably.


Data security standard 2

Cyber and data security: NHS England - Links to news and guidance that help health and care organisations keep patient and service user information and computer systems safe.

Data security awareness programme: Health Education England – Overview of the NHS England training for Data Security Awareness Level 1, Level 2 and Level 3, as well as how to register as a user and access the courses.

Advice and guidance: NCSC - Expert, trusted, and independent guidance for UK industry, government departments, the critical national infrastructure and private small to medium sized enterprises (SMEs). 

10 Steps to Cyber Security: NCSC - Guidance on how organisations can protect themselves in cyberspace.

Top tips for staff: NCSC - The resources introduce why cyber security is important and how attacks happen, and then cover 4 key areas:

  • defending yourself against phishing
  • using strong passwords
  • securing your devices
  • reporting incidents ('if in doubt, call it out')

Data security standard 3

Training needs analysis template

NHS England Quality Improvement Training - Use the education and training standards online benchmarking application (ESOBA) to self-assess your training service against the national standards. You can also upload supporting evidence and calculate your achievement level.

Cyber Associates Network (CAN): NHS England - CAN members benefit from enhanced knowledge-sharing, professional development and networking with peers in health and care.

Specialist training for SIROs: NHS England - A free cyber security training course offered by NHS England for senior information risk owners (SIROs) working in NHS trusts and commissioning support units (CSUs).

The role of the Caldicott Guardian: Health Education England – E-learning for Caldicott guardians, and those with an interest in finding out more about the role Caldicott guardians play in keeping people’s health and social care data safe, and ensuring it is used appropriately.

Data Security Awareness - Level 1 - Staff can access this free Data Security Awareness Level 1 session produced by NHS England for an introduction to data security and cyber awareness.

Information sharing – advanced module for frontline staff: Health Education England – Scenario-based training produced by NHS England which staff can access for free to help them understand the principles behind information sharing and how to apply them in practice.

Immersive Labs online cyber security e-learning

NHS England is offering health and care colleagues free user licences for Immersive Labs, an innovative cyber security learning platform.

Immersive Labs is a gamified learning environment that helps users develop their skills in cyber security. With something to suit all roles from administration to technical architecture, information governance to cyber analysis – it offers customised training all under one platform.

You can claim continuing professional education (CPE) credits by completing challenges on the Immersive Labs platform.

Licences are available to everyone working for a health and care organisation. Complete the request form to register.

e-learning for healthcare - High quality education and training for a better health and healthcare workforce.


Data security standard 4

Identity and access management: NCSC - Control who and what can access your systems and data.

Advice and guidance: NCSC - Expert, trusted, and independent guidance.

Multi-factor authentication (MFA) policy - This policy will ensure that MFA is used on digital systems throughout the health sector, with particular requirements on accounts that are remotely accessible or have privileged access to systems.


Data security standard 5

CSED business process re-engineering methodology: NHS Networks - A toolbox for process re-engineering.


Data security standard 6

Incident management: NCSC - How to effectively detect, respond to and resolve cyber incidents.

Personal data breaches: NHS England Transformation Directorate - Guidance designed to help health and care organisations deal with personal data breaches. It provides advice on what a personal data breach is and the steps that need to be taken if a breach occurs.

Guide to the Notification of Data Security and Protection Incidents: NHS England - Guidance on reporting an incident under the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive.

Freedom to Speak Up review: an independent review into creating an open and honest reporting culture in the NHS - Sir Robert Francis's report on the Freedom to Speak Up review. In it, Sir Robert sets out 20 Principles and Actions which aim to create the right conditions for NHS staff to speak up, share what works across the NHS, bring all organisations up to the standard of the best, and provide redress when things go wrong in future.

Vulnerability management: NCSC - Guidance to help organisations assess and prioritise vulnerabilities.

NHS Cyber Alerts Portal: NHS England - The home of cyber security alert notifications for health and care organisations, ranging from weekly threat bulletins to immediate high-severity alerts.

Data and cyber security: NHS England - View the latest cyber and data security policy and good practice guidance from NHS England's data security centre. Sign up for security threat bulletins and emergency notifications.

Cyber Incident Response: NCSC - The NCSC set up the Cyber Incident Response (CIR) scheme to certify companies that can help organisations that have been the victim of a significant cyber attack.


Data security standard 7

Emergency Preparedness, Resilience and Response (EPRR) business continuity toolkit: NHS England - Highlighting the need for business continuity management in NHS organisations so that they can maintain continuity of key services in the face of disruption from identified local risks.

Emergency Planning/Business Continuity: Pharmaceutical Services Negotiating Committee (PSNC) - PSNC has produced a business continuity template to meet the requirements of community pharmacy service providers.

Response and recovery planning (CAF): NCSC - Putting suitable incident management and mitigation processes in place: well defined and tested incident management processes that aim to ensure continuity of essential functions in the event of system or service failure, together with mitigation activities designed to contain or limit the impact of a compromise.

Data and cyber security: NHS England - View the latest cyber and data security policy and good practice guidance from NHS England's data security centre. Sign up for security threat bulletins and emergency notifications.

How to handle the media following a cyber-attack: Mediafirst - Example from the commercial sector highlighting things to consider when handling the press following a cyber incident.


Data security standard 8

Device security guidance: National Cyber Security Centre - Guidance for organisations on how to choose, configure and use devices securely, including short-term steps for transitioning away from out-of-date platforms and applications. 

Vulnerability management: NCSC - Guidance to help organisations assess and prioritise vulnerabilities.


Data security standard 9

Penetration Testing: NCSC - Advice on how to get the most from penetration testing.

Vulnerability management: NCSC - Guidance to help organisations assess and prioritise vulnerabilities.


Data security standard 10

Supply chain security guidance: NCSC - A series of 12 principles, designed to help you establish effective control and oversight of your supply chain.

Guide to UK GDPR accountability and governance contracts: ICO - The ICO’s guide to written contracts between controllers and processors. 

UK GDPR guidance contracts and liabilities between controllers and processors: ICO – The ICO's detailed guidance on the written contracts that the UK GDPR requires between controllers and processors, the terms they must contain, and the liabilities of each party.

UK GDPR Regulations: The European Parliament and the Council of the European Union - On the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (UK General Data Protection Regulation).

UK GDPR checklist: ICO - Checklists to assess compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. 


The National Data Guardian reports


The government response

‘Your Data: Better Security, Better Choice, Better Care’ is the government’s response to:

  • the National Data Guardian for Health and Care’s ‘Review of Data Security, Consent and Opt-Outs’
  • the public consultation on that review
  • the Care Quality Commission’s Review ‘Safe Data, Safe Care’

Last edited: 28 September 2023 7:47 am