Frequently Asked Questions

A Free Licence organisation is setup without an admin group licence being assigned. This will enable them to be included in data shares and sign them off but will prevent them from:

• Uploading documents

• Accessing reports

• Accessing support from the central ISG team

• Having more than 3 organisation users

• Guaranteed return of data

An organisation registering in this way will still have to go through the normal registration/setup process and will have to agree to the terms of use of the system (sign the MoU) as with any other organisation.

A contracting organisation is an organisation which contracts to use the ISG and pays a fee for 100 organisations (standard contract) to use within its organisational area

For further information about pricing see:

https://www.informationsharinggateway.org.uk/pricing

Once you have registered yourself and your organisation for the system you will need to complete the steps detailed on your in-tray under Organisational Setup Progress.

When you have gone through all these steps you will have all the requirements in place to safely create and enter into data shares.
As you will have already registered your organisation and registered an administrator, the next step will be to Register a senior user.

Click the Go button next to this step which will direct you to the manage users tab. See How to Apply and Revoke Roles for more information on this step.

When you return to your in-tray, you will notice that the progress setup bar will have increased.

Complete all the other steps listed such as; submit organisational assurance, sign the MOU etc. until the progress bar reaches 100%.

When you are fully setup your organisation you can safely create and review sharing agreements.

Please note; you can create data summaries and data flows before completing these steps but other organisations have the ability to see your setup status before entering into shares with you.

If you would like to request other organisations to sign off a data flow you have created:

1. Click the Sign Off tab in Data Flow Details

2. Ensure the data flow has been finalised

3. Click Request Sign off

From the organisations listed select the appropriate user(s) to sign off the data flow. They will receive a notification email asking them to sign off the data flow. As soon as the data flow is signed by one user at an organisation, it will be shown as signed and not require signing by any other users at the organisation.

To enter a sign-by date click More Options and enter the date along with any comments. Ticking enforce will prevent users from singing the data off after the sign-by date. Not ticking enforce will send a notification to the requester if signed after the sign-by date.

If your organisation has been named in a data flow you will see it listed in your data flow list. Listed against it will be the organisation who created it. If you have the appropriate role at your organisation, you will be able to edit this data flow whilst in 'Draft' status. Only the organisation who created it can finalise it. Once in Finalised status the data flow can no longer be edited by any party to the agreement.

Your role in the system depends on the role you have in your organisation.

For example, if your job requires you to sign and agree to data sharing agreements, you can choose a Senior Officer role, or if your job requires you to set up data sharing agreements or monitor your organisation's usage of the ISG you can choose an Administrator role.

To view other roles in the ISG please see the User Role Matrix

You need to have at least one Administrator and a Senior User identified in the system for each organisation.

A Senior Officer (or their delegate) or an Information Asset Owner can sign off data sharing agreements.

The MoU stands for Memorandum of Understanding. The Memorandum of Understanding sets out the general principles of Information Governance that all organisations who access and use the Information Sharing Gateway have agreed to. It provides a framework for safeguarding the processing of all personal confidential information.

Only system users with the role of Senior Officer (or their delegates) can sign the MoU.

You can view the MoU by clicking on the Organisation > Assurance tab and selecting View Agreement. You can also download the MoU once signed.

To complete your assurance details:

1. Navigate to the Organisation > Assurance tab

2. Click add new assurance

3. Complete the form

4. Click Submit

If you have more than one IG compliance standard please select the most significant.

Only Seniors Officer, Administrator and IG/Project Officer roles can add or edit assurance details.

After 5 unsuccessful password attempts your account is locked out.

If you lock your account, please email isg@mbhci.nhs.uk and a member of the central ISG support team will assist you.

If you would like to use the ISG for a group of your organisations, please email isg@mbhci.nhs.uk to discuss contracting arrangements.

If you would like to use the ISG system using one of the licences purchased by your contracting organisation, please register using the link provided by your contracting organisation, or if you are unsure how to access this link, please email isg@mbhci.nhs.uk for further information.

A data summary gives an overview or summarises the nature of a data share. The summary will capture the organisations involved in the share, the data asset and the overall purpose of the data share. Other elements like benefits, format and review cycle are also detailed at summary level.

Under a data summary you can detail as many data flows as required. For example a data summary may be for ‘Transport Statistics’ across a region. The share may involve several different organisations, who may all have different modes and controls for transferring the data. If this is the case, then different data flows can capture these nuances between the organisations but the overall purpose of the data share all links back to the summary.

A data flow captures the detail of a data share between organisations and it is the data flow that is signed off by all organisations involved named in it. Whilst the summary names who is involved in the overall sharing for a particular purpose, the data flow details the organisation in each flow and details the frequency and direction of flows of data, transfer modes and controls in place. A privacy and impact assessment is submitted and risks are generated and reviewed for each flow.

You can upload documents to the ISG with a maximum file size of 5MB. To decrease your file size, you can save it as a .pdf and/or zip it for upload.

An organisation can be named at Data Summary level but isn’t necessarily named or added to all Data Flows under it. If for example, a Data Summary shows 8 Data Flows but your organisation is not involved in 3 of them, you will only be able to see 5. The exception to this would be if you created the data flows but were not named in them.

A Data Sharing Agreement is not a legal document and as such the signatures from parties to the agreement are not entering into a legal contract with one another.

Signatures made to an agreement do however comply with UK law on electronic signatures and are classed as 'Advanced electronic signatures' – these are uniquely linked to the signatory, are capable of identifying the signatory and are linked to data within the signature that can detect any changes made.

If you feel that a wet signature is required on a data sharing agreement then you can download a finalised agreement as a pdf and have it signed in person. The scanned document can then be uploaded against the electronic version and stored in the system.

A merge request must be completed by the Organisation that the others will be transferred into. The requesting Organisation will keep their current name - however you can change it later on.

1. Navigate to Organisation > Organisation Details

2. Click Merge Organisation

3. Read the disclaimer

4. Click the checkbox and enter reason for merge

5. Click Accept

Next, to select organisations you wish to merge with:

1. Click the Search button

2. Search by name or ICO number

3. Pick the organisation from the list using the Select button

To remove an organisation click the bin icon

Once all organisations involved in the merge have been added to your list click the 'Request Merge' button.

Confirm the merge by clicking 'Confirm Merge' An email will then be sent to all users with the role of Administrator, Senior Officer and DPO in these organisations notifying them of the merge request and asking them to review the merge.

Click here for more information on merging organisations

To close an organisation in the ISG, login to the organisation which needs to be closed and access the Organisation > Organisation Details tab.

Select Request Closure of Organisation and enter the reason for the closure. The central ISG team will then be notified of the change and will close as requested.

Risk Assessments will not carry over from the original Data Flow when copying a Data Flow - this is because Risk Assessments should be generated each time a data flow is created/copied.

You can find pricing information about contracting to use the ISG here; https://www.informationsharinggateway.org.uk/pricing

Note: Prices are subject to change and this will be indicated on the pricing page detailed above. Any existing contracts will not be subject to these price increases but may be subject to a 5% increase for renewals.

Privacy notices are viewable to other organisations when they search or click to view your organisation's details.

To upload a Privacy Notice:

1. Navigate to Organisation > Organisation Details

2. Ensure you have clicked Edit

3. Click Browse

4. Select the Privacy Notice you wish to upload

5. Click Upload

6. Alternatively, you can use a URL link

7. Click Update at the bottom of the page

A lead organisation can support another organisation's use of the Information Sharing Gateway. A lead organisation uses the system fully to create and enter into data shares. If a lead organisation wants to enter into a data share with an organisation but this organisation does not have the administrative support in place the lead organisation can support them to get them set-up in the system.

Supported organisations will usually be defined as an acceptor of a data sharing agreement such as a GP surgery or charity.

The administrator from the lead organisation has a role at their supported organisation and can provide support in using the system.

A supported organisation can use one of the licences provided by the contracting organisation or can be setup without a license to use the system and will therefore use it within the free model.

If you know which organisation you should have a role at and the organisation is registered on the ISG, contact isg@mbhci.nhs.uk and we can provide you with the contact details for the organisation so you can ask them to add you as a user.

If the organisation you wish to have a role at is not yet registered on the ISG you may need to register your organisation.

1. Click the Sign Off tab

2. Ensure the data flow has been finalised

3. Click Request Sign off

4. Click More Options

Additional comments can be entered here. Additional comments will be emailed to the requested user(s) and will be detailed in their request for sign off notification.

You may wish to import a risk assessment from another data flow if:

• You have copied a data flow and the risk assessment remains the same

• You have added a risk assessment to another data flow that is also applicable to this one

NOTE: Importing a risk assessment WILL NOT update any of the information you have entered in the data summary, data flow or privacy tabs.

Organisations are unable to upload/export documents if they are using the ISG under the free model.

To discuss contracting and pricing arrangements contact isg@mbhci.nhs.uk

To find other organisation's contact details click on their assurance badge. Alternatively, you can click on their marker on the dashboard map.

There is a link to the ISG security statement at the bottom of the ISG home page.

Organisational Assurance gathers an organisation’s IG credentials which includes ICO registration/review date, IG compliance standards/score, staff screening and training status. Once submitted it is visible by all other organisations registered on the ISG and provides information to enable an organisation to assess whether they are sharing data with a safe pair of hands.

The ISG won't stop organisations from sharing data with none or limited assurance but the assurance level will be displayed when adding a data flow and searching for organisations on the ISG.

An organisation’s assurance level is generated by the information submitted. The organisation will be given an assurance rating of either Significant (green), Limited (amber) or None (red) - as well as Not Submitted (grey) and Expired (grey)

To add a Data Protection Officer (DPO) for your organisation:

1. Click Organisation

2. Click Manage Users

3. Click Add Organisation User

4. Enter the users full name and email address

5. Choose the role of Data Protection Officer

6. Click Add User

If your DPO is already listed on your Manage Users tab with another role:

1. Click the pen icon next to their name

2. Click the Roles dropdown

3. Choose Data Protection Officer

4. Click Submit

To mark your organisation exempt from requiring a DPO:

1. Click Organisation

2. Click Manage Users

3. Click Click here under the Data Protection Officer Not Yet Assigned notification

4. Read and appreciate the DPO Role Exemption Guidance

5. Click Confirm DPO Exemption

If a Data Flow contains personal data, DPO approval is mandatory (at least one DPO must approve the flow). Once a DPO has been requested to review the flow, it will be locked (unless another DPO subsequently rejects it).

Data flows can be finalised after at least one DPO approval or if the review-by date has passed.

You cannot finalise a data flow if there is at least one open rejection.

The requester will be notified when the DPO rejects or approves a data flow.

The ISG expects you to:

• Be ICO registered

• Use an IG assurance framework (any)

• Train your staff in IG

• Screen your staff on entry to the organisation.

• Supply a link to or upload a Privacy Notice.

If all of the above are present, the assurance score will be Significant (green)

If one is missing, the assurance score will be Limited (amber)

If more than one is missing, the assurance score will be None (red)

Private organisations need a licence where they are using the full of functionality of the system. A private organisation who is just signing off data flows can use the system under the free model. See ‘What is a Free Licence Organisation’ for further information.

A group licencing organisation can allocate one of their licences to a private organisation where they are sharing data between themselves. If the private organisation is then using the system for other purposes not connected to the licencing organisation, we recommend that the private organisation contracts to use the system separately. The ISG is run under a ‘not for profit’ pricing structure and to protect the viability of the project and the pricing structure currently in place, we ask that Super Administrators allocating licences to private organisations check that these organisations are using it for sharing of data between public sector organisations only.

You can manage your notifications in the Home > Profile tab. There you can unsubscribe/subscribe to individual email notifications or all. Email notifications are set to subscribe by default.

Note: Notification settings will be applied to all your ISG user roles, including those at other organisations.

Email notifications will not be distributed from the ISG Sandpit because the Sandpit is for testing, training and evaluation purposes only

• When moving between the tabs in the data flow screens, data is saved.

• When adding organisations involved to a data flow summary, organisation data is saved.

• When adding files to a data flow or summary, file data is saved.

• When adding a risk assessment or risks to a risk assessment, risk data is saved.

The ISG Data Inventory is a tab within the system which holds information on systems within your organisation that store information which is used for data sharing purposes. So the location i.e which IT system or database the information is held on or in relation to manual records the physical location.
So for example this could be;

• PAS system

• Administration system

• Appointment booking system

• HR record / Payroll system

• Delivery systems – post

This tab captures information about;

• The owner of the system or the IAO

• The type of data it holds (i.e. personal, commercial etc)

• The data items (fields) is personal sensitive or special category data.

• Who are the data subjects

• The format of the information

The transaction log is located at summary and data flow level and records the user(s) who have made changes to a data sharing agreement, the date of the change, the fields that have changed, and captures the old and new values.

The Data Security and Protection Toolkit (DSP) has been added to the ‘Please select the most significant, recognised Information Governance compliance standards adhered to by your organisation?' drop down with the following options:

• Have you met the appropriate standards? Yes/No [No – Ability to give a reason why]

• Year of completion

• Score achieved

• Evidence Upload

To upload evidence:

• Navigate to Organisation > Assurance

• Click New Assurance Submission

• Click Browse

• Select the evidence you wish to upload

• Click Upload

There should only be once instance of the ISG open at a time. If you do open two instances of the ISG and try to complete an action you will receive the error message:

An attempt to open two ISG tabs in the same browser was detected. You have been logged out as this can cause data corruption or loss.

If you need to work with two open tabs please consult the FAQ.

Please log in again to continue working with the ISG.

Some users, such as Super Administrators, may find it easier to work with two tabs open. If this is the case, we recommend using an incognito or private tab to do so.

Data flows with personal or special category personal data must go through DPO approval before they can finalised.

• Ensure the data flow is complete including adding all organisation involved to the data flow. Any collaboration on the data flow details needs to take place before DPO review

• Navigate to the DPO Review tab

• All DPOs identified at all organisation involved are listed. Request DPO review from as many DPOs as required.

• Once DPO review is requested, the data flow becomes locked for ALL organisations involved.

• When the data flow is approved by at least one DPO the data flow becomes 'Approved' and the organisation that created the data flow can move it to 'Finalised'.

Note: If the organisation that created the data flow wants all organisations DPOs to review then the flow should not be moved to finalised until this has been completed.

• Before finalisation, other organisation’s DPOs can still access the data flow and review (it will be locked for editing). They can approve or reject and provide details and comments.

• If the data flow is rejected then the status becomes ‘Rejected’ and the organisation that created the data flow can then edit it. Any changes that have been described through the detail of the rejection can be taken into consideration by the data flow creator. Once the organisation that created the data flow has made the changes required, they can click on the ‘DPO Re-Review Request’ button next to the rejection and ask them to re-review

Note: Here they can provide details of what they have rectified.

• Once the organisation that created the data flow is satisfied with DPO responses (and there is no open rejections) the data flow can be finalised.

• Only when a data flow is finalised can it go to sign off.

In the event of a breach organisations can be contacted by notifying the main contact at each organisation.
The find the main contact at each organisation:

• Click the organisation assurance badge

• Find Contact Details

• Click the contact email address to open an email

The Law Enforcement section was added in update 3.2.0 to the ISG, this has added the ability for competent authorities (or their processors) to record the processing of sensitive data which is strictly necessary for criminal law enforcement purposes. To record this data, go to:

1. Data Sharing

2. Data Sharing List

3. Select/Create a Sharing Summary

4. Select Law Enforcement under the question What information is being shared?

5. Complete the subsequent information required

This information will also be referenced at data flow level.

To copy a data summary press the blue copy icon next to any Data Sharing Summary.

When copying a Data Sharing Summary all the data from the previous Data Sharing Summary you have chosen to copy will be duplicated in the copy, this includes:

• Data Summary Information

• Data Flows

• Documents Attached

• Additional Contacts

• Risk Assessment

An Activity within the ISG is defined as any new project, process or system (including software and hardware) which is introduced within the user’s organisation. The tab records the detail around the Activity and multiple DPIAs are able to be recorded under an Activity.

If you cannot see the Add Activity button on the Activity list you most likely do not have a DPIA licence in place for your organisation. Please contact your super administrator or the central admin team at isg@mbhci.nhs.uk if you would like to request one.

This means you are not currently added as a contributor to this DPIA. To get access please contact the ‘Created by’ user listed in the Activity section.

To do this follow the instructions below:

1. Go into your DPIA

2. Browse to the Contacts tab

3. Click Add Contributor

4. Select the user(s) you would like to add

5. Select OK

These user(s) will now have access to the DPIA.

The screening outcome is based on an algorithm designed by the ISG Central Admin team to advise what the most appropriate action is in this situation. This is simply an advisory and you are able to move through the DPIA process no matter what the outcome.

The screening outcome is based on an algorithm designed by the ISG Central Admin team to advise what the most appropriate action is in this situation. This is simply an advisory and you are able to move through the DPIA process no matter what the outcome.

Task can be assigned to users who have been added to the DPIAs contacts list. Firstly, you will need to add their organisation and if they have a role within that Organisation, you will be able to select them from the Contributor’s list.

To assign tasks the user has to be registered on the ISG. If the user is from within your organisation, they need to be added to the manage users tab, assigned a role and follow the registration process.

If it a user from outside your organisation, they will be able to register on the ISG by using either the free limited model or by contracting to use the full functionality. They can contact the central admin team to enquire about accessing a licence.

To assign a task, click the Tasks tab within the DPIA and then Add Task.

A DPIA is a process to help identify and minimise the data protection risks of a project or activity.

A DPIA should begin in the very early stages before any processing starts and should run alongside the planning and development process. In line with GDPR, organisations have now embedded the requirement to complete a DPIA into their processes for all staff and as such, DPIAs could be completed by anyone within an organisation who is involved in the start-up of a project or activity.

This means a user on the ISG would like you to be part of their DPIA. If you need more information on specifics then please contact the users listed as ‘Contributors’ on the contacts page of the DPIA.

You do not have to complete anything on the DPIA you do not want to, we do this so the user is able to fill out what they would like on the system without it getting in the way.

To do this follow the instructions below:

1. Go into your DPIA

2. Browse to the DPIA tab

3. Next to the question you would like to attach the file or evidence to, Click on the paperclip icon

4. Click Browse

5. Select the file(s) you would like to upload

6. Press Close

7. Scroll to the bottom of the page and click save

The files or evidence will now be attached to this question and you will find them under the question. You are also able to find these in the Additional Documents tab.

The person responsible for the project or activity such as the Project Manager will be responsible for completing the DPIA in most circumstances, within most organisations. However, the DPIA module is flexible enough to allow for anyone registered within the correct role within the organisation to start the process.

The Data Protection Officer, IG Lead or the Compliance Manager, can provide advice and guidance to the person completing the DPIA by being added in as a contributor and will usually be the individual asked to approve the detail on the Approvals tab.

To set a review date for a DPIA look at the top bar we call the Information Panel. There you will see a ‘Review Date’.

To do this follow the instructions below:

1. Go into your DPIA

2. Browse to the Risk Assessment tab

3. Click on the Generate Risk Assessment button

If you have carried out a DPIA that identifies a high risk (outstanding red risks are highlighted on the approvals tab) and you cannot do anything to reduce it, prior consultation with the ICO is required under UK GDPR. You should not go ahead until you have consulted the ICO. Any outcome should be detailed in the Executive Summary and the DPIA Risk assessment revisited to ensure you have taken any mitigating measures they have recommended.

If your DPIA identified a high risk but you have mitigated these in your risk assessment to reduce the risk and updated it so it is no longer high, you need not consult the ICO.

From 15th June 2022 the ISG will no longer support the browser Internet Explorer 11. Please switch to its successor Microsoft Edge or Google Chrome for a compatible experience. For more information please see: IE11 End of Support - Microsoft