How to Create a Robust Information Governance Action Plan


To successfully achieve each of the Information Governance (IG) standards of compliance, you need to produce a range of evidence that demonstrates how well your organisation adopts the IG principles. This evidence spans job descriptions, training programmes, audit documentation, patient feedback mechanisms, patient-facing documentation, policies, logs, registers, data mapping and a series of action plans for ensuring that Information Governance is at the forefront of the organisation at all times.

The NHS Information Governance Toolkit suggests that you have three key action plans in place to support the development and management of your IG framework within an organisation. These action plans are:

– An Information Governance Action Plan

– An Information Security Action Plan

– A Lifecycle Policy Action Plan

To produce a simple action plan you need to ensure that the following information is available:

– A list of relevant actions

– A date each action is due

– The individual responsible for the completion of the action

– A column to show if an action has been completed or not

– A blank column for any arising comments

– A RAG (Red, Amber, Green) rated column to show visually whether an action is on target or completed, is slightly behind its completion date or slightly concerning, or is very delayed or has a large delivery problem associated with it

Let’s have a look at some of the more generic actions that can be included in each of the three main IG action plans on a routine basis.

Information Governance Action Plan:

– Board to endorse policy

– All supporting IG related policies to be written and agreed by the Board

– IG Steering Group to be created and Terms of Reference to be written

– Patient information to be produced explaining how patient information is managed

– All contracts to be reviewed to ensure an Information Governance clause is included

– Website content to be written so that some information on Information Governance is available to the general public

– All staff to complete IG training

– Staff knowledge of Information Governance to be assessed routinely via audits or questionnaires

– Service users' understanding of how their personal data is used to be audited throughout the year

Information Security Action Plan:

– Board to endorse Information Security Policy

– All staff to read, understand and declare their understanding of the Information Security Policy

– IG online toolkit (as provided by Connecting for Health) to be completed by all staff

– All contracts to be reviewed to ensure that Information Sharing protocols are included

– Staff survey to be conducted to check understanding of and adherence to the Information Security Policy

– Awareness session on Information Security to be presented to staff

Lifecycle Action Plan:

– Board to endorse Lifecycle Action Plan

– Risk Register to be routinely populated and reviewed

– Spot audits to be completed to ensure staff are abiding by the safe haven processes

– External audit commissioned to ensure organisation is complying with the lifecycle guidance

– Audit actions incorporated into action plan


Source by Joanne Draper