The National Institute for Clinical Research (NIHR) Clinical Research Network (CRN) is the clinical research delivery arm of the Department of Health. Today the organisation is governed through around 70 hosting contracts across the NHS. In April 2014 this will reduce to 15 as the CRN implements a transition programme that will simplify the structures for clinical research in the NHS.

Having oversight of Information Governance will be easier, and implementing frameworks that can be adopted for Information Security will become something that can be audited more thoroughly. But with change comes risk: new contracts, new ways of working, new staff and new monitoring arrangements. The organisation funds around 10,000 staff who work on clinical research, and ensuring they have access to training and tools to protect the organisations and participants in clinical research is a huge “piece of cake”.

The organisation is a network of structures and, with this in mind, we have implemented information governance and security by making the following available:

Best Practice – Ranging from training through to templates for key elements

Steering Groups – Resource structures to provide support to IG leads

Frameworks – Audit frameworks to provide assurance

Enabling the organisation to learn its own lessons in a safe environment has been a goal of the last 12 months. Reducing the risk but allowing each element of the structure to evolve its own SOPs has been important to ensure that each part of the structure has ultimate buy-in. Utilising tools like those demonstrated by the Analogies Project has been particularly valuable when attempting to explain to an academic researcher why Information Security and Governance are so important.

What is the key lesson we have learnt, though, as we move at significant pace towards the new structure?

“If people believe in the outcome they will help implement security and governance.”

We have spent the time explaining why it is important without turning our resource into extras for the Spooks TV series, and now they understand Information Security good practice – it is becoming second nature. As an organisation we have moved from the Department of Health’s audit tool categorisation of “work to do” to “satisfactory” in 12 months, and this is down to two things: the buy-in and the access to the expertise at the ISF.

All in all, Information Security is all about getting buy-in to eating the piece of cake!