Expert wanted to help doing Information Asset Audit in primary care

Hi All,

Newbie here, usual apologies but more importantly many thanks … I’ve been following the NHSbuntu project since I converted to linux as my daily driver so I was very sad to see the ‘final straw’ message about it. I know one of the characters that got name-checked in that post and I just can’t square up the events with the person, all I can think of is that they must have been stepped on from a very great (m$ sized) height. Anyway, just seeing someone (many ones) working up Linux for NHS use helped me in the early days migrating from M$ to opensource and I’m so glad I did.

=== TLDR ===
(a) So I’m looking for someone with experience in IT security please or at least experience in IT resource management.
(b) I think I’ll need about 3 x half-a-day of your time please. If required I can probably manage to remunerate for that at ‘normal’ (not corporate consultancy) rates.
© DOI = this is towards a book I’m writing and I think this sub-project will be suitable for submission to the BMJ or BJGP.


  • I’m a GP, in London, do digital consultation development about 2/3 of my time.
  • I’m working out how the GDPR will affect & need to be implemented by GP practices. Because I’ll need to implement it. However the information I can find (with 2m to go) is very scanty, tissue paper thin about GDPR in healthcare. There’s almost nothing for general practice. What there is has come out of NHSD and the IGA and it looks like they’re falling behind their own schedule of publications. So far between them and the ICO all I can find is statutory level or policy level guidance. A few days ago the BMA published a reasonable summary to date, but it’s mostly a reworking of the policy level stuff without translating it to the on-the-ground actions/ steps to take.
  • Hence the book I’ve written = basically just applying all that policy miasma in a nuts & bolts manual for GPs. The draft is riddled with placeholders where I’ve speculated/ inferred and written “For version 2 we hope to confirm what ICO/ NHSD/ IGA/ NHSE will recommend and require”
  • So far the book proposal has been passed over by all the major medical publishers; but how many times were the beatles rejected. Once I’m closer to the finished project I’ll resubmit it but in any case I don’t suppose it’s ever going to be a bestseller or actually generate an income so I can’t see a great deal of interest from publishers. For me the main point of getting into print with an established name is just to add credibility - I actually hope the book will be helpful to readers in GP surgeries and on wildly enthusiastic days I think it might have a chance of influencing the big players (NHSD/ IGA) as they develop their guidance. However it looks like the thing might be an Amazon vanity publication in the end.


  • One major requirement of the GPDR is to do an “information audit”. Again I can’t find anything pre-built to help GPs do that - if your Google-fu is strong then PLEASE point me in the right direction.
  • I envisage something like “Hey Dr Overworked at Littlebottom-on-Head Surgery, do this then that and the other and once you’ve finished you’ll have completed a lovely shiny Information Audit”
  • I’ve pulled together the cross-sector guidance I can find and written up a methodology for doing an InfoAudit in a GP surgery.
  • My intention is to grab a passing practice manager and run the method in a handful of surgeries; they’ll get a freebie information audit, I’ll get a bit of field research/ testing ==> refinement & improvement of the methodology :: the final method is something I want to include in the book.

(1) to read the methodology and talk it through/ improve it with me before I go to the surgeries. The Johari window (Rumsfeld’s unknown unknowns) always worries me so I want someone with some experience of security/ pentesting/ managing infrastructure to pick holes and say “what about that pink elephant over there that you missed”.
(2) to review the method once I’ve done the site visits and made refinements - in the real world I wouldn’t be surprised if there’s a few phone calls in the interim, but shouldn’t bee too onerous.

If that sounds like you then please get in touch!

​We have been working very closely with our GP practice members across Devon CCGs on this very subject. We held a seminar in January for all 138 GP practices (We had attendance from all but a few. The seminar was supported by the Devon LMC, and has helped us engage with our GP partners to ensure that practices are engaging with the requirements you have highlighted below. Your CCG IG Team should be doing similar, as they establish the proposed Data Protection Office support service. I have visited Practice manager groups across our wider area, and held detailed sessions to assist in the development of a practice information asset register and practices have found this extremely valuable. If we can standardise how this is consumed/approached across Primary Care, then I am all for that approach.

Happy to help wherever possible

Mr Kennington,

Sir, yours is a great mind!

Thanks a lot for the tip about Devon LMC, I had a look at the slide deck from that training day at the Exeter Racecourse. The content is remarkably similar to what I cover in the book draft, it would be wouldn’t it - same subject matter and same gaps in existing materials. Good to know I’m not just going off on a tangent.

I have to say that, from what I can tell, in Devon you’re well ahead of the curve compared to London! I’ve checked with contacts in 4 different CGG areas and looked at the CGG & LMC websites; there’s very little evidence of support for implementing GDPR, just links to the NHSD/ IGA publications. Maybe the good stuff is behind a login page?? One PM here said the most he’s heard about GDPR is from an email sent out by Natwest Business Banking.

I’d be grateful to talk to you about the InfoAudit - will send my number by email.

Many, many thanks for your reply.

NHS Digital have, in the last few days, published some guidance on GDPR here:


1 Like

Many thanks Marcus,

That looks excellent !!

I need to set up a few RSS watch notices for the main websites to make sure I know when materials are released.