Too many trusts are using the Information Governance Toolkit return as a tick-box exercise rather than as a means to ensure that confidential information is safe, a conference has heard.

Tony Cobain, head of IM&T for Mersey Internal Audit and Assurance, told the CHKS annual user group conference in London that about a third of trusts lived and breathed IG and used audit to check whether policies were being used in practice.

One third were doing their best, he said, but a final third were “going through the motions” and viewed the IG return as a tick-box exercise.

He said: “It’s left until March 31 and is done in half an hour by one manager with no research. It is all about ticking boxes.”

Cobain is now working with the Audit Commission and Department of Health on a new toolkit and audit methodology. The IG toolkit lists 67 questions that trusts must answer each year.

Cobain said that although it had wide ranging coverage and was based on good practice, there were a number of problems. He said: “It [the IG return] tells you about policies but not about what people are doing with them.”

To highlight his point, he compared press coverage of data losses from several NHS trusts and primary care trusts in 2009 with their annual IG returns.

In one case, a health worker lost a memory stick with medical details of prisoners on it. The stick was encrypted, but the worker had written the password on a sticky note and posted the two together. It had subsequently gone missing.

However, the PCT’s IG return said that users had been given secure removable devices and instructions on using them.

In another case, a secretary was blamed for losing data on a disc. Again, the trust’s IG return said staff had been provided with secure removable devices and trained on their use. A later investigation by the trust found that there had been a delay in getting memory sticks to staff and a gap in training.

Cobain said: “Organisations are using the IG return to paint nice pretty pictures of themselves despite what is actually going on. The statements do not stack up.”

The mandated return was also limited by its lack of risk assessment, he said. Trusts score zero to three points on each of its questions and are encouraged to improve year on year.

But he added: “It has no concept of a trust having understood risk and deciding not to move forward. The last 20% of the push requires 80% of the effort and it must be up to trusts to take a risk management position on whether they expend resources on this or on something else.”

He welcomed a recommendation from the Care Quality Commission – made in its review of IG published in March 2009 – for mandatory audit of information governance with external validation.

This is now being taken up, with the new IG toolkit and audit methodology being developed by the Audit Commission and DH due for publication this summer.

He warned NHS trusts: “You will be crawled over by auditors from the strategic health authority. It not about the toolkit or its requirements but about having clear policies in place, people who understand them and doing the right thing.”

In a statement, the DH said: “We have set clear standards for NHS organisations to adhere to on data handling, and have issued guidance that sets out the steps they must take to ensure records are kept secure.”

In addition to the new toolkit and audit methodology, the DH has made training available via NHS Connecting for Health and is working proactively with NHS partners to ensure robust information governance.