IDHIS – Information Governance Certification Programme

IDHIS
Information Governance & Data Privacy for Health ICT Systems

For data facilitators, there is a new certification scheme to ensure trust in your organisation and to boost your business

Huge challenges in the re-use of health data are building and retaining trust and demonstrating GDPR compliance, amongst data providers, data facilitators and data users.

This lack of trust may slow down your business, namely as a data facilitator connecting health data sources, bridging from data providers to data users. With so many data breach scandals, cybersecurity risks and high penalties in the public eye, assurance of compliance has never been more vital for all stakeholders.

Without (accredited) certification, the market for these ICT platforms (data facilitators) will grow slowly and opportunities to conduct real-world data research, to respond to the needs within clinical research and health care, will be lost.

Prove the integrity of your health ICT system, gain trust, increase efficiency and boost your business

Need for an Independent Information Governance Assessment

Are these your organisation’s concerns?

  • Is your handling of health data secure, transparent and reliable?
  • Do you have up-to-date and state-of-the-art knowledge on privacy, ethics and security?
  • How will you ensure trust and boost your business?
  • Are you compliant with national and international legislation?
  • How do you balance the tension between being GDPR-compliant and the value proposition of re-using health data?

In order to give confidence to all interested parties that a product, process or service is compliant to specified requirements such as GDPR, certification is essential.

The value of certification is the degree of confidence and trust that is established by an impartial and competent demonstration of fulfilment of specified requirements by a third party.

Secure, protected and ethical health data flows must be demonstrated in order to foster trust and generate value.

There is a growing demand to demonstrate that ICT systems comply with the highest information governance standards.

IDHIS is the first information governance certification programme of its kind

IDHIS audits the conformity of data flows throughout the health ICT systems against a unique set of international criteria relating to privacy, ethics, security and data protection.

Independent auditors examine how the organisations govern their staff, processes, tools and procedures by assessing their information governance.

IDHIS certification programme awards those organisations that have an information governance-compliant health ICT system with a Certificate (IG1-2020).

The certificate owner shows to their customers that their data governance is trustworthy and conforms to the highest international standards.

Increase trustworthiness

Who may apply for IDHIS?

The IDHIS certification programme is a must-have for ICT companies that are facilitating (re)-use of health data via their ICT platform.

These ICT platforms act as a bridge, retrieving data from data providers, generating added value to this data and make it available to data users, e.g. research, A.I. , Learning Health Systems.

IDHIS, a journey together

Why i~HD?

  • Experienced assessment & certifying body – ISO 17065.
  • Complementary approach to relevant ISO standards.
  • Unique framework using scripts based on the uniqueness of your organisation.
  • Authors of Codes of practice, standard operation procedures and DPIA templates.
  • International knowledge with local interpretation and guidance.
  • Over 20 years of experience.
  • International experts in i~HD’s dedicated task force.

Positive impact for your organisation

External
  • Re-assure your stakeholders that your health data handling is accountable, transparent, reliable and secure.
  • Demonstrate your data is ready to be safely re-used for innovation and research.
  • Boost your branding and market impact.
INTERNAL
  • Boost your service quality throughout your business.
  • Increase the quality of your organisation’s governance.
  • Improve your time efficacy at all levels.
  • Improve confidence in your health data flows.
  • Improve your services towards the expectations and needs of your clients and business partners, by improved operation flows.

IDHIS Criteria Sets

Europe’s first Information Governance & Data privacy for Healthcare ICT Systems Certification scheme is based on a set of 142 criteria focusing on:

Example of a criterion (accountability)

The organisation has an updated and version-managed policy for the agreements/contracts that organises and properly identifies them so that the policy comprehensively covers any data processing within the baseline agreements.

Description of IDHIS Criteria Sets

Accountability Transparency Information Security Management & Implementation Audit Readiness Data Processing, Impact Assessments, Accuracy & Retention Enforcement and Corrective Action Capability

The first subset of criteria checks if the organisation’s health data flow and health data handling comply with the international and national GDPR regulations. Risk-based policies, procedures, codes of practice, data assets, data processing tools, internal audits and corrective actions and consequent updating must be in place.

  • Are definitions clear in your contracts? How do you check the ethical concerns, the execution of the data privacy rules, informed consent procedures, data handling responsibilities, the applicability of the contract and the duration of the contract?
  • Data handling is never without risks! How do you manage your company’s risks on your databases, data formats, middleware, API’s…?


The transparency criteria shall ensure that the data subject is correctly informed and fully aware of the processing of any personal data. The data subjects must be aware of the processing of any personal data. The data subjects must be aware of risks, rules, safeguards, and their rights in relation to the processing and how to exercise these rights. The organisation’s registries of clients and partners participating in the data processing have to be updated and consultable.

  • As a data subject, do I have all relevant information and are all legal bases defined as legitimate interests? How is this checked within your company?
  • Are you sure that your clients’ register is up to date? What are the corrective measures if the register is not up-to-date?


This section refers to their onboarding and offboarding of users procedures, including access management and their management of cyber security. This also includes the organisation’s ability to monitor and manage risk, their procedures for review and improvement and penetration tests, as well as internal audits.

  • How do you check if the information security action plan is managed correctly?
  • Do you check if the employee’s responsibilities related to data handling are defined and executed in line with the ISMI?

This set of Audit Readiness criteria focuses on the management and availability of logs of the auditing files and whether the organisation is able to respond to external audits. This section also focuses on the protection of the logs as well as their details.

  • Can your audit logs prove that the data have been retained, archived or destroyed according to the contract/agreements, ethics or scientific committee and/or statutory legal requirements?
  • Do your data assets registers contain audit logs and are checked for correct use?

This set of Data Processing criteria checks on determining minimum data requirements, upholding data inventory agreements, conducting Data Protection Impact Assessments (DPIA), handling minimisation of data through anonymisation and pseudonymisation and retaining data as per regulatory requirements are also within the focus of this set of criteria.

  • Does your organisation check if the data minimisation and retention conform as defined in the agreements? What if this is not the case?
  • ­How are you sure that your DPIA’s cover all GDPR and local supervisory authorities’ policies?

This set checks the ability to enforce its own compliance and contractual obligations on its staff and partners. It also checks the enforcement of data protection supervisory authorities. They also assess the performance of the Data Protection Officer and the proof of internal staff training regarding correct and adequate data handling matters.

  • If supervisory authorities start an investigation on a GDPR issue, are you prepared to enforce the required information? Is this also defined in the agreement with your clients/stakeholders?
  • Does your DPO reply to external queries within the required time limits?

How can you ensure robust data protection whilst re-using health data?

Discover the journey of the first-ever IG1-2020 awardee

Novellas Healthcare NV has been awarded the GDPR certification after the IDHIS audit.

READ THE STORY HERE

Interested? Get in touch!

Are you interested to learn more about our IDHIS Programme?

Contact our Audit Manager  Christophe Maes for a free intake meeting.

We ensure a smooth certification process

Read our brochure here
i~HD