National Health Service (NHS) Information Governance (IG) Toolkit

Azure is certified to the Health Information Trust Alliance Common Security Framework.

Microsoft and NHS IG Toolkit

As a commercial third party, Microsoft Azure has completed level 2 of the NHS IG Toolkit assessment. Interim assessments are also expected to be completed during the year when a new version of the NHS IG Toolkit is released.

Microsoft in-scope cloud services

  • Azure and Azure Government detailed list
  • Intune
  • Power BI: cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Audits, reports and certificates

The Azure assessment will be renewed annually.

NHS IG Toolkit Overview

The National Health Service (NHS) is the national health system for England, and provides the majority of healthcare for the citizens of England, covering all healthcare practice areas. Founded in 1948, the NHS was the world’s first single-payer health system. It is also the world’s largest health system, employing over 1.5 million people with a 2016 budget of £116.4 billion.

The NHS manages the health data of more than 64 million NHS patients. The collection, storage, and processing of NHS patient data is subject to multiple laws and regulations, including the Data Protection Act of 1998 and the Confidentiality NHS Code of Practice.

The NHS commissioned the Health and Social Care Information Centre (HSCIC) to develop and maintain a single standard that governs the collection, storage, and processing of patient data, the Information Governance (IG) Toolkit. The IG Toolkit is designed to encourage and guide organizations that are interested in hosting personal health data through the process of complying with the guidelines.

All organizations that have access to NHS patient data are required to provide evidence, by using the NHS IG Toolkit, that they are taking adequate measures to protect patient data.

Additionally, organizations such as Microsoft that provide a platform for healthcare providers use the toolkit to conduct a self-assessment on their security and privacy controls against NHS information governance, security, and privacy requirements.

Adherence to the NHS IG Toolkit helps protect the integrity and confidentiality of patient data against unauthorized access, loss, damage, and destruction. Appropriate mitigating steps must be taken to remediate any noncompliance issues identified during the assessment process.

The NHS IG Toolkit is intended to:

  • Provide a standard to address common customer concerns about the security and confidentiality of NHS patient data and the impact on business
  • Demonstrate measurable compliance and provide visibility into potential risks to patient data
  • Promote trust and public confidence in NHS and partner organizations

Frequently asked questions

Organizations that want to use Microsoft Azure as a platform to host NHS patient data can build on Microsoft’s assessment report to launch their own NHS IG Toolkit assessment, keeping in mind that they also must address any additional controls, especially those not under the responsibility of the Cloud Service Provider.

Organizations that are interested in hosting NHS patient data are encouraged to become familiar with the governing requirements by reviewing the NHS IG Toolkit guidelines to determine the scope and controls that they must have in place.

IG Toolkit attainment levels are from 0 to 3:

0) There is insufficient evidence to attain level 1

1) The organization has begun to plan the policies, procedures, and/or processes that are necessary to become compliant

2) There are approved and implemented IG policies and procedures in place that have been made available to all relevant staff

3) Staff compliance and the effectiveness of the policies and procedures are monitored and assured