With information governance recognised as an essential part of managing an efficient and high quality business, it is vital that organisations and individuals understand the importance of the concept and understand the way in which information is handled and transferred into and out of their organisation. Vital to understanding your own information management processes is the act of data mapping. This is now a key element for NHS bodies looking to demonstrate compliance against the information governance (IG) Toolkit standards.

Data mapping is an effective way to chart the flow of information into and out of an organisation and subsequently identify any high risk areas, allowing for the development of guidance to minimise these risks. The IG toolkit suggests that there are four key elements that need to be considered when mapping data;

1. Data Type

According to the Information Governance Toolkit guidelines, the types of data that should be mapped include such items as:

• Appointment letters

• Birth notifications

• Adoption records

• Employment records

• Personnel records

• Payslips

• Client surveys

This list is by no means exhaustive and as you start to think about the data that moves into and out of your organisation, you will appreciate that there is a great deal of information transferred.

There is also specific guidance available on the types of data that do not need to be mapped, an exclusion list, this includes items such as:

• Telephone conversations

• Face to face discussions

• Video conferencing

2. Data Format

The next thing to consider is the format that data is stored and transferred in; this includes both digital and hard copy data such as letters, x-rays, MP3 files, CDs, emails

3. Transfer methods

Again, the way in which data is transferred can include anything from courier delivery, faxes and internal documents being carried by staff to another department.

4. Location

When considering locations you need to think exactly where data is coming from and where it is going to, both internally and externally. For example: Schools, patients' homes, other NHS organisations or departments, prison services etc.

Once you have considered all of the above points the next step is to map all of the different combinations of the 4 elements so that ultimately you are able to produce a clear and easy to understand map of exactly what, how and where information is transferred.

But the task doesn't stop there, the next step is to analyse this map to identify any high risk areas where information security procedures could potentially be breached, you should then go on to produce guidance to minimise these risks to ensure that following your data mapping exercise your systems and mechanisms for data transfer are secure, efficient and appropriate.

The IG toolkit guidance suggests that within smaller organisations, all of the above could be carried out by one individual, who knows all of the processes involved in transferring data. However in larger organisations it is advised that a number of individuals contribute to this exercise to ensure that knowledge around specific department practices and procedures is shared, to enable a full understanding of the data transfer processes throughout the organisation.