1. Start as you mean to go on
Make sure you have clear company policy documents covering staff and employment practice, and that you can prove that the policies are working – this gets more important as you ascend the heights of Information Governance (IG) compliance.
2. Get the basics right
Register with the Information Commissioner's Office (ICO), which also publishes plenty of guidance to help you get your GDPR and data processing agreements and policies in place. It is important to conduct Privacy Impact Assessments for your software externally and for your processes internally. Make sure your staff are regularly trained on Information Governance and that you can prove it. Also make sure you are registered on the Organisation Data Service with your primary contracting entity. It is also a good idea to sign up for Cyber Essentials (Plus).
3. Make sure you comply with DCB0129
This lesser-known guideline kicks in when you start processing patient data, or when you are involved in decision support or telehealth. It involves performing Clinical Risk Management on all changes and new features in your software. It is a development task resulting in a Safety Case document showing the risk analysis before and after changes, and it should be released in line with your regular release notes.
4. Comply with Data Security and Protection Toolkit
Completing the Data Security and Protection Toolkit is a more involved process and one which starts you on the road to achieving ISO 27001. This online questionnaire requires you to evidence all processes and procedures relating to data security and protection. If you have done the above properly, you should already have these processes in place: internal governance policies, staff contracts and training, and physical and cyber security. Most NHS Trusts will require this as the basic standard for working with patient data.
5. Meet ISO27001
This usually satisfies most security-related queries from the NHS. Depending on how organised you have been in the previous sections, this could be a relatively simple certification. Alternatively, it can be a time-consuming task if you are a large, disparate organisation. Scope here is everything – define it well and save lots of time. In my experience it is easier for smaller companies to achieve this if they have the processes in place already and it is economically viable. This is especially relevant if you are hosting a solution for the NHS or if you provide services from abroad. You must be externally certified for all related processes and IG policies as well as security management systems, physical security, business continuity, incident reporting and so on. My advice is to create a definitive security document encompassing all the certifications here for each client. They will never doubt your security again.