Information governance policy and management framework (includes data protection policy content)

1 Introduction

Information is the most important asset available to an organisation and therefore all organisations must have robust arrangements for information governance (IG) which are reviewed annually and are described in the new data security and protection toolkit (DSPT).

It is of paramount importance to ensure that information is effectively managed and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.

The policies will provide assurance to the trust and to individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.

Through the action of approving the policy and its associated supporting documents, the trust provides an organisational commitment to its staff and the public that information will be handled within the identified framework.

The policy’s objective is to ensure that people who work for the trust understand how to look after the information they need to do their jobs, and to protect this information on behalf of patients.

RDaSH ensures the trust and its colleagues have a person-centred approach to managing the personal and sensitive information of its patients and employees, treating it and the organisation’s corporate information in a similar manner to which they would expect their own medical records or banking information to be treated.

To ensure this is undertaken effectively for all of its patients and colleagues, the trust has this policy, based on department of health (DH) guidelines and data protection (DP) related law.

1.1 General Data Protection Regulation or Data Protection Act (2018)

The UK GDPR or DPA18 is underpinned by a number of data protection principles that drive compliance.

The GDPR or DPA 2018 sets out six principles under which personal confidential data (PCD) must be processed.

1.1.1 First, lawful, fair and transparent

This principle emphasises transparency for all UK data subjects. When the data is collected, it must be clear why that data is being collected and how the data will be used. Organisations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer (DPO) is at that organisation or what data the organisation has about them, that information needs to be available.

1.1.2 Second, purpose limitation

This principle means that organisations need to have a lawful and legitimate purpose for processing the information in the first place. Consider organisations that require forms with 20 data fields, when all they really need is a name, email, address and maybe a phone number. Simply put, this principle says that organisations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.

1.1.3 Third, data minimisation

This principle instructs organisations to ensure the data they capture is adequate, relevant and not excessive. In this day and age, businesses collect and compile every piece of data possible for various reasons, such as understanding customer buying behaviours and patterns or remarketing based on intelligent analytics. Based on this principle, organisations must be sure that they are only storing the minimum amount of data required for their purpose.

1.1.4 Fourth, accuracy

This principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organisation must have a process and policies in place to address how they will maintain the data they are processing and storing. It may seem like a lot of work, but a conscious effort to maintain accurate customer and employee databases will help prove compliance and hopefully also prove useful to the business.

1.1.5 Fifth, storage limitation

This principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organisations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places. For example, organisations should prevent users from saving a copy of a customer list on a local laptop or moving the data to an external device such as a USB. Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.

1.1.6 Sixth, integrity and confidentiality

This principle protects the integrity and privacy of data by making sure it is secure (which extends to IT systems, paper records and physical security). An organisation that is collecting and processing data is now solely responsible for implementing appropriate security measures that are proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR or DPA18, so organisations must spend an adequate amount of resources to protect the data from those who are negligent or malicious. To achieve compliance, organisations should evaluate how well they are enforcing security policies, utilising dynamic access controls, verifying the identity of those accessing the data and protecting against malware or ransomware.

For information, the GDPR also introduced the principle of accountability.

1.1.7 Accountability and liability

This principle ensures that organisations can demonstrate compliance. Organisations must be able to demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face. To ensure compliance, organisations must be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently. For example, GDPR requires organisations to respond to requests from data subjects regarding what data is available about them. The organisation must be able to promptly remove that data, if desired. Organisations not only need to have a process in place to manage the request, but also need to have a full audit trail to prove that they took the proper actions.

Furthermore, data subjects have increased rights, including:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision-making and profiling

In health and social care, the Caldicott principles reflect these rights when PCD is used.

The Caldicott Committee Report on the Review of Patient-Identifiable Information (1997) found that compliance with confidentiality and security arrangements was patchy across the NHS and identified six good practice principles for the health service when handling patient information. Further reviews were published in 2013 and 2020, which amended the Caldicott principles as follows:

1.1.7.1 Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

1.1.7.2 Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

1.1.7.3 Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

1.1.7.4 Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

1.1.7.5 Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

1.1.7.6 Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

1.1.7.7 The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

1.1.7.8 Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.

1.2 Appointment of data protection officer

Under GDPR or DPA18, data protection officers (DPOs) will be at the heart of the new legal framework for all health and social care organisations facilitating compliance with the provisions of the GDPR.

The mandatory appointment of a DPO is required for organisations that fall in the following three categories:

  1. public authorities (except for courts acting in a judicial capacity)
  2. organisations whose core activities require regular and systematic monitoring on a large scale
  3. organisations whose core activities involve processing special categories of data or personal data relating to criminal convictions and offences on a large scale

It would also be important to ensure that the DPO contact details are available in accordance with the requirements such as in fair processing notices.

For public authorities, DPOs are also required to have knowledge of administrative rules and procedures of the organisation.

The GDPR or DPA18 requires that organisations involve the DPO, “in all issues which relate to the protection of personal data”. It is therefore crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection.

In relation to data protection impact assessments (DPIA), the GDPR or DPA18 explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments.

Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the DPA18, promote a privacy by design approach and should therefore be standard procedure within an organisation’s governance and procurement procedures.

To ensure good practice across the trust there are robust IG processes in place:

  • an annual IG audit
  • oversight by the healthcare regulator, the care quality commission (CQC)
  • a mandatory training and awareness programme
  • a staff confidentiality code of conduct distributed to all staff
  • a robust plan to communicate confidentiality and DP to data subjects
  • an IAM and business continuity (BC) programme
  • an information risk management (IRM) programme
  • data protection impact assessments (DPIA) for new projects and proposals
  • robust information security (InfoSec), cybersecurity and user access controls
  • safe haven processes to ensure data is safely transmitted and received
  • systematic records management processes
  • robust IG clauses in third party contracts
  • clarity on the legalities of processing data and the use of consent
  • robust information sharing processes
  • assurance on the transfer of PCD outside the UK
  • data quality assurance
  • subject access requests (SAR), allowing subjects to view and check their information
  • clarity on the disclosure of information to the police
  • robust processes for the reporting and analysis of information-related incidents

2 Purpose

This overarching information governance policy provides an overview of the organisation’s approach to information governance and includes data protection and other related information governance policies and details about the roles and management responsible for data security and protection in the organisation.

Information is a vital asset clinically and for the efficient management of services, resources and performance. It is therefore important that an appropriately robust policy framework is in place. IG stipulates the way in which information, and particularly PCD in an NHS environment, should be handled. PCD is:

  • personal information about identifiable individuals, which should be kept private
  • the DP legislation definition of personal and special categories of data, adapted to include those who have passed away (see next two paragraphs for definitions)
  • information ‘given in confidence’ and ‘that which is owed a duty of confidence’ (Independent Information Governance Oversight Panel (2013), Information: To Share or Not to Share, p.130)

Under the DP legislation personal data is defined as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (General Data Protection Regulation, Article 4(1)).

And special categories of personal data are defined as:

  • “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (General Data Protection Regulation, Article 9(1)).

IG also enables the trust to ensure that all confidential information is dealt with legally, securely and efficiently, in order to deliver the best possible care to its patients.

3 Scope

This policy applies to and must be adhered to by all employees of the trust, regardless of grade or profession, including all Local Authority employees working in trust services, medical employees, directly employed, bank, agency, contractors and locum employees, non-medical employees and internal appointments, seconded employees, volunteers and any other iteration of personnel that could legitimately be considered employees. Its application is to any person who has been treated as a patient by the trust in any way.

4 Responsibilities, accountabilities and duties

  • The trust board: the board is ultimately responsible for ensuring the IG function is addressed.
  • Chief executive: the individual with overall accountability for IG within the trust is the accountable officer, the chief executive. The role provides assurance, through a statement of internal controls, that all risks to the organisation, including those relating to information, are effectively managed and mitigated.
  • Senior information risk owner (SIRO): the SIRO is a director-level member of staff or member of the board of directors with overall responsibility for the organisation’s information risk management. The SIRO also leads and implements the IG risk assessment and advises the board on the effectiveness of IRM across the organisation. This role is held by the director of health informatics. See appendix B.
  • Caldicott guardian: the Caldicott guardian is the person within the trust with advisory responsibility for protecting the confidentiality of patient information and ensuring it is shared appropriately and securely. The Caldicott guardian is supported by the trust’s IG team. This role is held by the executive medical director. See appendix C.
  • Data protection officer (DPO) or head of information governance: the DPO or head of information governance has the leadership function for IG, maintaining the confidence of patients, staff and the public through advice and guidance on the creation of robust and effective mechanisms and assurance processes to protect and appropriately handle PCD. This includes ensuring that the trust is fully compliant with all IG-related legislation and that the trust meets statutory and mandatory obligations for IG through development of strategy and implementation of IG policies.
  • Information security officer: provides advice on all aspects of InfoSec. Their assessment of InfoSec risks and threats, and their advice on controls, contributes significantly to the effectiveness of the trust’s InfoSec. The role holder is required to hold a formal InfoSec qualification. This role is held by the head of infrastructure.
  • Information asset owners (IAOs): the SIRO is supported by IAOs. The role of an IAO is to understand what information is held, how it is used, who has access and why, for the information systems under their responsibility. Consequently, they can understand and address risks to the IAs they own and provide assurance to the SIRO on their security and use, including the creation of system-level security policies. The IG team supports the IAOs in fulfilling their role. See appendix D.
  • Information governance group (IGG): the IGG has representatives from across the trust and is responsible for overseeing the implementation of the information governance policy and management framework and the annual IG assessment. The group also reviews and approves IG-related documentation. The group reports to the executive management team and the health informatics group and, through that, to the trust board.
  • Directors, managers and supervisors: all managers have a responsibility to promote this policy and enable good IG practice within their areas. They must ensure that national and local IG standards are upheld within their department, advise all staff of their information security, confidentiality and data quality responsibilities, support planned evaluation or audit of IG tasks and implement any necessary actions. They also have a responsibility to liaise with the IG team where necessary regarding issues or incidents of concern.
  • All staff: staff have a responsibility to abide by their legal, professional, ethical and contractual responsibilities for IG-related issues, regardless of their position and whether directly employed or not. They must also comply with the most up-to-date version of this policy and other trust IG guidance, particularly the information governance staff handbook, and attend annual IG mandatory training.

A range of components fall under IG as it overlaps clinical governance and is a subset of corporate governance. The overarching NHS framework is outlined in the data security and protection toolkit (DSPT). Known as the national data security standards, they are drawn from the 2016 Caldicott 3 report and are outlined in appendix G.

In its management of PCD, the trust complies with DP and Caldicott principles. Under the new law, PCD must be processed in line with six principles:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality (General Data Protection Regulation, Article 5(2)(a-f))

Data subjects also have rights under the new legislation:

  1. The right to be informed: the trust addresses this by ensuring a layered approach to informing data subjects how their information is used, including posters, pamphlets and service-level leaflets.
  2. The right of access: see section 6.0.
  3. The right to rectification: any request for rectification will be assessed on a case-by-case basis using the precedent of the trust’s developing experience of the legislation, along with relevant case law.
  4. The right to erasure: the right to erasure is also known as ‘the right to be forgotten’ and means that individuals have the right to have personal data that the trust holds about them erased and to prevent processing in specific circumstances.
  5. The right to restrict processing: data subjects may request that the trust hold only sufficient personal data about them, but not process it any further. Any request for restriction of processing will be assessed on a case-by-case basis using the precedent of the trust’s developing experience of the new legislation, along with relevant case law.
  6. The right to data portability: this allows data subjects to obtain and reuse their information across different services. In healthcare there are not expected to be many requests, as much information is available as a SAR. Any request for portability of data will be assessed on a case-by-case basis using the precedent of the trust’s developing experience of the legislation, along with relevant case law.
  7. The right to object: this allows the data subject to object if they do not believe the use of their information is legitimate. Any request to object will be assessed on a case-by-case basis using the precedent of the trust’s developing experience of the legislation, along with relevant case law.
  8. Rights in relation to automated decision-making and profiling: the trust is required to demonstrate that it has a lawful basis to carry out profiling and or automated decision-making. This is undertaken by an annual organisation-wide assessment, led by the IG team.

All requests from data subjects to exercise their rights must normally be responded to within 30 days, unless there are extenuating circumstances, in which case there are some rights to extension under the legislation. The trust also ensures compliance with the Freedom of Information Act 2000 (FOI) and the associated Lord Chancellor’s Codes of Practice under sections 45 and 46.

5 Implementation

5.1 Annual information governance audit

The trust’s IG compliance is measured via a self-assessment process of compliance against standards set out in the data security and protection toolkit (DSPT) (see appendix E). The trust utilises this to assess its IG practice and its compliance against national standards.

5.2 Care quality commission oversight

The CQC, as outlined in Safe Data, Safe Care (Care Quality Commission (2016), Safe Data, Safe Care), has powers to inspect the trust’s IG as part of its inspection round. To this end the trust must ensure that robust IG practices are in place. The CQC specifically requires that medical records are accurate, fit for purpose, held securely and held confidentially.

5.3 Mandatory training and awareness

Fundamental to the success of delivering a robust IG agenda across the trust is the development of an IG-aware culture. Training is provided to all staff to promote this. All staff are mandated to undertake the data security awareness (IG) training, either via the data security awareness level 1 e-learning module or via face-to-face training sessions, upon commencement of employment and annually thereafter.

5.4 Confidentiality code of conduct

All staff must be aware of their individual responsibilities for the maintenance of confidentiality, DP, InfoSec management and data quality. They are given the tools for this through annual mandatory IG training, the information governance staff handbook and a confidentiality code of conduct issued to all staff. All new staff are issued the latter at recruitment, and all staff are annually directed to it in the information governance staff handbook.

It is made clear in both of these documents that failure to maintain confidentiality may lead to disciplinary action, including dismissal.

5.5 Communicating confidentiality and data protection

The IG and IT teams jointly maintain an integrated working relationship to implement and improve communication and actions around confidentiality and data protection. This includes actions to ensure that patients and the public are adequately informed about confidentiality and the way their information is used and shared, their rights as data subjects, in particular how they may access their personal data and how they may exercise those rights.

5.6 Information asset management and business continuity

A core IG objective is that information assets (IAs) and the use of information in them are identified and that the business importance of those assets is established.

IAs are those that are central to the efficient running of the trust and specific departments, for example, patient, finance, stock control etc. They also include, but are not limited to the following examples:

  • information: system documentation and procedures, archive media and data
  • software: databases, application programs, systems, development tools and utilities
  • physical: infrastructure, equipment, furniture and accommodation used for data processing
  • services: computing and communications, heating, lighting, power and air conditioning used for data processing
  • people: qualifications, skills and experience in the use of information systems
  • intangible: the trust’s reputation

Essentially, it is information in any format that is of value to the organisation and would be problematic if it were not accessible.

The trust has clear lines of accountability for IRM that lead directly to the board through the SIRO. IAOs are usually senior members of staff who are the nominated owner for one or more of the trust’s identified IAs (see appendix D), and report for this function to the SIRO.

Within their area of responsibility, it is the IAO’s role to log the IAs held, to ensure this is documented in an IA register (IAR) and to undertake a data flow mapping (DFM) exercise. Collectively these IAM activities are owned by the IAOs, who are accountable for their effective completion.

While it is ideal that all assets are clearly identified on the IAR, the trust has a risk-based approach that gives priority to IAs that comprise or contain PCD and or would have the greatest impact on patients, staff, a particular department and or the trust if they were not available.

The SIRO has the final decision on approving identified risk mitigation plans. Extreme rated risks must be entered on to the applicable risk register and reported to the board of directors for consideration.

IAOs are mandated by the SIRO to receive training, delivered by the IG team, to ensure they remain effective in their role.

Data in the IAR includes necessary information to assist in a business continuity event. IAOs must ensure that IAM risk assessments are performed at least annually, and that any significant risks to their asset, whether identified in the annual risk assessment or on an ad hoc basis, are reported immediately to the SIRO.

All information and assets associated with information processing facilities must be owned by a designated part of the organisation, for example a trust care group or service. The IAO is responsible for ensuring that information and assets associated with information processing facilities are appropriately identified and classified, defining and reviewing access restrictions, classifications, and business continuity arrangements taking into account applicable access control policies.

The IAO role is especially important where IAs are shared by multiple parts of the trust.

Each IA and its IAO must have in place regular documented local data quality audits; local data quality issue logs; and regular documented data quality spot checks.

All changes to IAs, such as system upgrades, should follow an established change control procedure, such as a DPIA, see section 6.h.

IAOs are encouraged, as best practice, to engage an IA administrator or assistant to support them in their role, particularly if they manage a large operational area. The administrator or assistant helps to ensure that policies and procedures are followed, recognises actual or potential security incidents, consults the IAO on incident management, and ensures that IAM records are accurate and up to date.

When considering transferring PCD outside the UK, it is important under the legislation to ensure there is a legitimate basis for doing so where the receiving jurisdiction does not have adequate data protection regulations, so that the protection of data subjects’ information is not undermined. While this changes little from the previous position, there is now greater encouragement to use transfer adequacy codes of practice and certification schemes.

5.7 Information risk management

The trust is committed to making the best use of the information it holds to provide efficient healthcare and services to its patients and the local health economy while ensuring that adequate safeguards are in place to keep information secure and to protect data subjects’ right to privacy.

The trust recognises that information handling represents a significant corporate risk in that failures to protect information properly, or use it appropriately, can have a damaging impact on its reputation. Furthermore, failure to protect information adequately can attract the attention of the information commissioner’s office (ICO), which regulates DP and has access to a range of sanctions including significant fines. IRM complements the trust’s risk management framework. As part of this, information risks are clearly recognised and the appropriate controls implemented through a board-approved corporate risk management strategy and policy.

Information risk is intrinsic in all administrative and business activities and all staff must continuously manage it. The trust recognises that the aim of IRM is not to eliminate risk, but to provide the structural means to manage it, by balancing its treatments with anticipated benefits that may be derived.

The trust acknowledges that IRM is an essential element of broader IG and InfoSec arrangements and is an integral part of good management practice; it should not be seen as an additional requirement. The risk management framework is dependent on allocating clear organisational responsibilities, identifying all the IAs, assessing the associated risks and managing any incidents arising from them. This will:

  • protect the trust, its staff and its patients from information risks where the likelihood of occurrence and the impact is significant
  • provide a consistent risk management framework in which information risks will be identified, considered and addressed
  • encourage proactive rather than reactive risk management
  • inform decision-making throughout the trust
  • meet legal and statutory requirements
  • assist in safeguarding the trust’s IAs

Information risk assessments are performed for all information systems and critical IAs at the following times:

  • at least annually, as an integral part of the IAM process
  • ahead of introducing new systems, applications, facilities, etc. that may impact the assurance of trust information or systems, using a DPIA (see section 6)
  • ahead of agreeing enhancements, upgrades, and conversions associated with critical systems or applications. Those containing or which involve personal information will also require a DPIA
  • when NHS policy, legislation or associated guidance requires risk determination, or when that legislation and guidance is changed or updated
  • when required by the trust, as directed by the SIRO, Caldicott guardian, data protection officer or head of information governance

Information incident reporting is in line with the trust’s overall risk management incident reporting processes, utilising the Ulysses software. Additional guidance is drawn from NHS Digital’s (NHSD) checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation.

Indicators that IRM is being positively enacted include, but are not limited to, successful completion of the DSPT and there having been no involvement from the ICO as a result of significant DP breaches.

An annual review will be carried out by the IG team on behalf of the SIRO and reported to IGG or other suitable management route. Overall responsibility for action plans lies with the SIRO, to be completed by relevant IAO and monitored by IGG.

5.8 Data protection impact assessments

In line with the ICO’s guidance, a DPIA must be undertaken for any project, procurement, business case, transfer of personal data or departmental or team initiative where there is a potential impact upon the privacy of individuals (Information Commissioner’s Office (2014), Conducting Privacy Impact Assessments Code of Practice).

DPIAs are a risk assessment tool to analyse how a particular project or system will affect the privacy of the individuals involved (Information Commissioner’s Office (2014), p.5.). The ICO uses the term project in a broad and flexible way; it means any plan or proposal in an organisation and does not need to meet an organisation’s formal or technical definition of a project, for example one set out in a project management methodology (Information Commissioner’s Office (2014), p.5.). This potentially includes any proposal, procurement, business case, or departmental or team initiative that involves transfers of personal data or potentially sensitive business information.

The DPIA process must be integral to conventional project management techniques and be started from the very earliest stages of the project’s initiation, often as a result of the business case process being invoked.

DPIAs are chiefly concerned with an individual’s ability to manage their information; the trust’s processes are therefore aligned to DP and Caldicott principles, with specific concentration being given to the minimising of harm arising from intrusion into privacy, as defined by those principles.

An effective DPIA allows the organisation to identify and resolve any such problems at an early stage, minimising costs and reputational damage which might otherwise occur.

For further procedural detail see appendix F.

5.9 InfoSec, cybersecurity and user access controls

ISO/IEC 27001, the international standard on information security, defines the concept as the ‘preservation of confidentiality, integrity and availability of information’, adding that other properties are involved such as authenticity, accountability, non-repudiation and reliability.

Increasingly, all organisations and their information systems and networks are faced with security threats from a wide range of sources, including lost or stolen equipment or data, computer-assisted fraud, sabotage, vandalism, fire or flood.

The trust ensures that PCD is protected by encryption in accordance with DH directives. To prevent unauthorised access to information systems, formal procedures are in place to control the allocation of access rights to information systems and services, which cover all stages in the lifecycle of system access. This is supported by the IAO and IAM processes outlined in section 6.f and 6.g.

Users are made aware of their responsibilities for maintaining effective access controls through the inclusion of InfoSec in data security awareness (IG) training, particularly with regard to the use of passwords and the security of equipment.

Security facilities at the operating system level should be used to restrict access to computer resources, including terminal identification, access records, authentication mechanisms and access time restrictions.

Responsibility for registration authority (RA) and smart card production sits with the HR team.

The SIRO ensures that individuals assigned RA responsibilities have sufficient skills and access to knowledge to perform their roles, that there are procedures to ensure all NHS smart cards and access profiles are issued appropriately, and that RA equipment meets current specifications, is adequately maintained, is subject to business continuity and contingency planning, and is securely stored.

5.10 Safe haven

All transfers of PCD, for whatever reason, must wherever possible be undertaken within a Safe Haven environment, to ensure they adhere to the legal restrictions that govern transfer of such information.

Safe Havens are arrangements put in place to ensure that PCD can be transmitted safely and securely, for example a physical location such as a lockable room where faxes are received, or a virtual network of staff that are authorised to receive or send PCD and may do this by any method of communication. The trust fully endorses and promotes the use of such processes when sending or receiving PCD for any purpose.

Detailed operational guidance, which must be followed, is available for staff within the information governance staff handbook (see appendix A).

5.11 Records management

The trust is committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposition. The trust ensures it controls the quality and quantity of the information that it generates, can maintain that information in an effective manner, and can dispose of the information efficiently and securely when it is no longer required.

Medical records are managed in accordance with the records management code of practice, as set out in the trust’s records policy. Corporate records are equally guided by this code of practice.

To ensure that the trust maintains the highest standards in the quality of its medical records an annual audit of clinical records is undertaken.

5.12 Third party contracts

It is not unusual to have third parties undertaking tasks and services on behalf of the trust. It is possible that as a result of access to information assets, third party staff may have significant access to patient or staff PCD.

Without exception, contracts and or data processing agreements must be in place for any activity where third parties have access to patients, their PCD, or staff PCD on behalf of the trust.

The SIRO and IAOs must take all reasonable steps to ensure that contractors and support organisations to whom PCD is disclosed comply with their contractual obligations to keep PCD secure and confidential.

Directors, managers and supervisors at all levels, and IAOs must ensure that all existing contracts are monitored and reviewed annually to ensure that IG controls are being adhered to and to resolve problems or unforeseen events.

An accurate register of all third-party contracts must be maintained by the trust and is managed by the contracts or procurement team.

5.13 Processing data, the use of consent and information sharing

Sharing and use of information about an individual within and between partner agencies is vital to the co-ordinated and seamless provision of care and services. The trust recognises the need for shared information and robust InfoSec to support the implementation of joint working arrangements. The uses and sharing of clinical data can be divided into two broad categories.

The first of these is immediate direct care, which the independent IG oversight panel defines as:

  • a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care (Independent Information Governance Oversight Panel (2013), p.128.).

For such use patient consent is not generally required under new legislation. However, practitioners must maintain an awareness of the common law duty of confidentiality, that if the patient disclosed information in circumstances where it was expected that a duty of confidence applied, it should not normally be further disclosed without that data subject’s consent.

If this has not been obtained it is incumbent on the member of staff intending to share personal information to make an appropriate decision based on whether disclosure is essential to safeguard either the data subject or a third party and is considered to be in the public interest. There may also be a legal obligation to share the information, such as a court order.

The second category is secondary uses, which the national IG board defines as:

  • any purpose which does not ‘directly contribute to the diagnosis, care and treatment of an individual and the audit or assurance of the quality of the healthcare provided’ to the individual (National Information Governance Board (2011), Information Governance for Transition, p.42.).

For such use patient consent is generally required. This is defined as ‘freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement’ (General Data Protection Regulation, Recital 32.)

5.13.1 How should we obtain, record and manage consent?

Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

  • the name of your organisation;
  • the name of any third party controllers who will rely on the consent;
  • why you want the data;
  • what you will do with it; and
  • that individuals can withdraw consent at any time.

You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.

Keep records to evidence consent – who consented, when, how, and what they were told.

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Make it easy for people to withdraw consent at any time they choose.

Keep consents under review and refresh them if anything changes. Build regular consent reviews into your processes.

Under the new legislation consent is not required where there is another condition for processing. There are specific legal gateways for sharing PCD for the planning of services and management of health and social care systems and services. For such uses a DPIA must be completed where identifiable special categories of data are present and formal advice must be sought from the IG team. A documented information sharing agreement (ISA) is highly likely to be required (see appendix H).

An ISA is good practice and can be a useful way of providing transparency for organisations needing to exchange information, providing assurance in respect of the standards that each party agrees to adopt.

Beyond sharing for immediate direct care and secondary uses, an ISA is required for large-scale regular or permanent sharing, such as giving access to a clinical system.

For use of PCD in other circumstances, the Secretary of State for Health is permitted to make regulations to set aside the common law duty of confidentiality for defined medical purposes under section 251 of the National Health Service Act (2006). These are essential activities of the NHS, and important medical research, that require the use of PCD but, because patient consent had not been obtained to use it for these other purposes, there was no secure basis in law.

Section 251 can be utilised when it is not possible to use anonymised information and where seeking consent is impractical, having regard to the cost and technology available. It is administered by the NHS Health Research Authority, through its Confidentiality Advisory Group (CAG).

Internal enquiries regarding s251 must be made to the Grounded Research department.

5.14 Data quality assurance

The quality of information acquired and used within the trust is a key component to its effective use and management. As such, IAOs and managers are expected to take ownership of, and seek to improve, the quality of data collected and held within their services.

The trust promotes data quality through the use of policies and procedures and associated statutory professional requirements to ensure that wherever possible, information quality will be assured at the point of collection.

The IAM process encourages data quality audits to be undertaken annually.

5.15 Subject access requests (SARs)

All living individuals, whether patients or staff, have a right to verify the lawfulness of the processing by:

  • having it confirmed to them that their data is being processed
  • being given access to their personal data
  • being given supplementary information, similar to that given in a privacy notice, explaining why the data is being processed

The IG team are responsible for dealing with the majority of SARs received by the trust. They must be processed within the statutory one calendar month (28 to 31 days, depending on the month), using a defined subject access request procedure.

Other requests may be received elsewhere in the trust and these should be forwarded to the IG team without delay.

Applications from third parties for access to records of deceased patients are managed by the IG team under the provisions of the Access to Health Records Act (1990), in line with DH’s guidance for access to health records requests. Staff must be aware that anything they record about patients or colleagues, wherever it is stored, legally could and should in principle be released when a request is received, as all information technically forms part of the data subjects’ wider human resource or medical record.

5.16 Disclosure of information to the police

Under the law, the police and other law enforcement agencies do not have an automatic right to see PCD about patients or staff, however, the trust will cooperate with them as much as possible, when it is legal to do so.

When requests are received, even with a police officer in attendance, each one must be considered individually on its own merit. PCD should not be released without careful consideration.

Requests from the police are considered under the crime and taxation exemption in Schedule 2, paragraph 2 of the Data Protection Act (2018). This should not prevent them being actioned in line with legislation, which allows for the release of personal and special categories of data for ‘the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’ (General Data Protection Regulation, Article 23(1)(d)). An exemption to allow such releases is also written into the Data Protection Act 2018.

The trust requires any request to release personal or sensitive data about patients or staff to be signed or countersigned by a police officer of at least Inspector rank.

The types of scenarios where requests are likely to be considered appropriate are based on those outlined in the Confidentiality: NHS Code of Practice and include, but are not limited to, murder, manslaughter, rape, treason, kidnapping, child abuse, serious harm to state security, serious harm to public order, as well as crimes involving substantial financial gain (Department of Health (2003), Confidentiality NHS Code of Practice, p.35.). As most requests are unlikely to be urgent, they will usually be processed by the IG team during normal office hours. In difficult cases the IG team, sometimes along with the SIRO and or Caldicott guardian, will assess the decision to release to the police.

6 Information governance, information security and cybersecurity incidents

The information governance team must be informed immediately of all information governance (IG), information security (InfoSec) and Cybersecurity incidents. These include, but are not limited to, NHS Digital’s classifications:

  • lost in transit
  • lost or stolen hardware
  • lost or stolen paperwork
  • disclosed in error
  • uploaded to website in error
  • non-secure disposal of hardware
  • non-secure disposal of paperwork
  • technical security failing (including hacking)
  • unauthorised access or disclosure

IG incident reporting is undertaken on the trust’s Ulysses incident reporting application.

The decision to report externally to the ICO is made in line with NHSE’s checklist guidance for reporting, managing and investigating information governance and cybersecurity incidents.

IG group has a key function to monitor and review IG incident trends and guide overarching remedial action to those trends. Any reports are made by the IG team.

7 Training implications

7.1 All colleagues

  • How often should this be undertaken: Upon Commencement of employment and annually thereafter.
  • Length of training: 1.5 hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: IG or NHS Digital e-Learning package.
  • Where are the records of attendance held: ESR.

7.2 Senior information risk owner (SIRO)

  • How often should this be undertaken: Annually.
  • Length of training: 1 hour.
  • Delivery method: Workbook or face to face training.
  • Training delivered by whom: NHS digital workbook or external provider.
  • Where are the records of attendance held: ESR.

7.3 Information asset owner (IAO)

  • How often should this be undertaken: Annually.
  • Length of training: 1 hour.
  • Delivery method: Workbook.
  • Training delivered by whom: NHS digital.
  • Where are the records of attendance held: ESR.

7.4 Caldicott guardian

  • How often should this be undertaken: Annually.
  • Length of training: 1 hour.
  • Delivery method: Workbook or face to face training.
  • Training delivered by whom: NHS digital workbook or external provider.
  • Where are the records of attendance held: ESR.

7.5 Data protection officer (DPO)

  • How often should this be undertaken: As required.
  • Length of training: Varied.
  • Delivery method: External provider.
  • Training delivered by whom: External provider.
  • Where are the records of attendance held: ESR.

As a trust policy, all staff need to be aware of the key points that the policy covers. Staff can be made aware through a variety of means such as:

  • all user emails for urgent messages
  • continuous professional development
  • daily email (sent Monday to Friday)
  • group supervision
  • intranet
  • one to one meetings or supervision
  • induction
  • practice development days
  • special meetings
  • team meetings

The training needs analysis (TNA) for this policy can be found in the training needs analysis document which is part of the trust’s mandatory risk management training policy located under policy section of the trust website.

8 Monitoring arrangements

8.1 Ensure adequate arrangements are in place to manage requests for access under

  • Freedom of Information Act (2000).
  • Data Protection Act (2018).
  • Environmental Information Regulations (2004).
  • Access to Health Records Act (1990).
  • How: Monitor compliance through reporting.
  • Who by: Information governance group.
  • Reported to: EG or HIG.
  • Frequency: Monthly.

8.2 Incidents and potential incidents involving information, data and personal or sensitive records are reported, analysed and lessons learned

  • How: Information governance incidents are reviewed as part of the overall risk management framework.
  • Who by: Information governance group.
  • Reported to: EG or HIG.
  • Frequency: Monthly.

8.3 Continual progress against the data security and protection toolkit

  • How: Monitoring reports assessing compliance with the IG toolkit in preparation for the annual assessments.
  • Who by: Information governance group.
  • Reported to: EG or HIG.
  • Frequency: Quarterly.

8.4 Compliance with data security and protection toolkit

  • How: Internal Audit will carry out a yearly audit against the IG toolkit and other audits as and when required.
  • Who by: Internal audit.
  • Reported to: IG group or EG or HIG.
  • Frequency: Annually.

8.5 Data security and protection toolkit submission

  • How: NHS digital.
  • Who by: Head of information governance.
  • Reported to: Information governance group.
  • Frequency: Baseline assessments 28 February or final submission 30 June.

9 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

9.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

9.1.1 How this will be met

No issues have been identified in relation to this policy.

9.2 Mental Capacity Act (2005)

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

9.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

11 References

References to guidance documents are included throughout the document.

12 Appendices

12.1 Appendix A information governance handbook

The trust maintains and makes available to all staff an Information governance staff handbook, which is updated annually. This has operational guidance regarding good information practice. A copy of the current edition is available on the intranet or from the IG team.

12.2 Appendix B Senior information risk owner role description

  1. The senior information risk owner (SIRO) should be an executive director or other senior member of the Board (or equivalent senior management group or committee). The SIRO may also be the chief information officer (CIO) if the latter is on the board but should not be the Caldicott guardian as the SIRO should be part of the organisation’s management hierarchy rather than being in an advisory role.
  2. The SIRO will be expected to understand how the strategic business goals of the organisation may be impacted by information risks and it may therefore be logical for this role to be assigned to a Board member already leading on risk management or information governance.
  3. The SIRO will act as an advocate for information risk on the board and in internal discussions and will provide written advice to the accounting officer on the content of the annual statement of internal control (SIC) in regard to information risk.
  4. The SIRO will provide an essential role in ensuring that identified information security risks are followed up and incidents managed and should have ownership of the information risk policy and associated risk management strategy and processes. They will provide leadership and guidance to a number of information asset owners.
  5. The key responsibilities of the SIRO are to:
    1. oversee the development of an information risk policy, and a strategy for implementing the policy within the existing information governance framework
    2. take ownership of the risk assessment process for information and cybersecurity risk, including review of an annual information risk assessment to support and inform the statement of internal control
    3. review and agree action in respect of identified information risks
    4. ensure that the organisation’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff
    5. provide a focal point for the resolution and or discussion of information risk issues
    6. ensure the board is adequately briefed on information risk issues
    7. ensure that all care systems information assets have an assigned information asset owner

12.3 Appendix C Caldicott guardian role description

  1. A Caldicott guardian is a senior person within a health or social care organisation who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained. Caldicott guardians should be able to provide leadership and informed guidance on complex matters involving confidentiality and information sharing.
  2. The Caldicott guardian should play a key role in ensuring that their organisation satisfies the highest practical standards for handling person-identifiable information. Their main concern is information relating to patients, service users and their care, but the need for confidentiality extends to other individuals, including their relatives, staff and others. Organisations typically store, manage and share personal information relating to staff, and the same standards should be applied to this as to the confidentiality of patient information.
  3. Caldicott guardians should apply the eight principles wisely, using common sense and an understanding of the law. They should also be compassionate, recognising that their decisions will affect real people, some of whom they may never meet. The importance of the Caldicott guardian acting as “the conscience of the organisation” remains central to trusting the impartiality and independence of their advice.

12.4 Appendix D information asset owners role description

  1. For information risk, IAOs are directly accountable to the SIRO and will provide assurance that information risk is being managed effectively for their assigned information assets. In large organisations IAOs will be assisted in their roles by staff acting as information asset administrators (or persons with equivalent responsibilities) who have day to day responsibility for management of information risks affecting one or more assets.
  2. It is particularly important that each IAO (or equivalent) should be aware of what information is held and the nature of and justification for information flows to and from the assets for which they are responsible.
  3. The role of the IAO is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The IAO will also be responsible for providing or informing regular written reports to the SIRO (or equivalent), a minimum of annually on the assurance and usage of their asset.
  4. It is important that “ownership” of information assets is linked to a role, rather than a named individual, to ensure that responsibilities for the asset are passed on, should the individual leave the organisation or change jobs within it.
  5. It is the responsibility of information asset owners to ensure there is good understanding of the hardware and software composition of their assigned assets to ensure their continuing operational effectiveness. This includes establishing and maintaining asset records that will help predict when asset configuration changes may be necessary.

12.5 Appendix E National data security standards

The national data security standards are from the national data Guardian’s Review of Data Security, Consent and Opt-Outs (2016) (Caldicott 3) and form the structural basis of the data security and protection toolkit.

12.5.1 Leadership obligation 1

People, ensure staff are equipped to handle information respectfully and safely, according to the Caldicott principles.

  1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
  2. All staff understand their responsibilities under the national data guardian’s data security standards including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
  3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised information governance toolkit.

12.5.2 Leadership obligation 2

Process, ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.

  1. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
  2. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
  3. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
  4. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

12.5.3 Leadership obligation 3

Technology, ensure technology is secure and up-to-date:

  1. No unsupported operating systems, software or internet browsers are used within the IT estate.
  2. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cybersecurity framework such as cyber essentials. This is reviewed at least annually.
  3. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the national data guardian’s data security standard.

12.6 Appendix F Data protection impact assessment process

A non-exhaustive list of projects that would require a data protection impact assessment (DPIA) includes:

  • a new IT system for storing and accessing personal confidential data (PCD)
  • a data sharing initiative where multiple organisations seek to link sets of PCD
  • a proposal to identify people in a particular group or demographic and initiate a course of action
  • using existing PCD for a new, unexpected or more intrusive purpose
  • a new surveillance system, especially one which monitors members of the public, or the application of new technology to an existing system, for example adding number plate recognition capabilities to existing CCTV
  • a new database which consolidates information held by separate parts of an organisation
  • legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring
  • use of data that appears to be pseudonymised or anonymised, but could be identifiable if combined with other information. Pseudonymisation is the process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity, and anonymisation ‘the process of rendering data into a form which does not identify individuals and where identification is not likely to take place’ (Information Commissioner’s Office (2012) Anonymisation: Managing Data Protection Risk Code of Practice, pp. 48-49).

When a DPIA is completed it is then reviewed and approved by IG, IT and finally the DPO for sign-off.

A DPIA is completed via the DPIA portal located on the home page of the trust’s intranet. Following the review of the screening questions, if any of the questions have been marked ‘yes’, a full DPIA is required. The IG team will assist the project lead in the completion of the DPIA form sections 1-3. It is recommended that the agreement of the data protection officer, information security and, where applicable, clinical safety risk is sought prior to the final DPIA being submitted to the IG group for approval by the SIRO and Caldicott guardian (if involving patient identifiable data).

The outcomes of a DPIA include:

  • the identification of the project’s privacy impacts
  • appreciation of those impacts from the perspectives of all stakeholders
  • an understanding of the acceptability of the project and its features by the organisations and people that will be affected by it
  • identification and assessment of less privacy-invasive alternatives
  • identification of ways in which negative impacts on privacy can be avoided
  • identification of ways to lessen negative impacts on privacy
  • where negative impacts on privacy are unavoidable, clarity as to the business need that justifies them
  • documentation of the outcomes

Compliance with the DPIA requirement is monitored by the IG team, which regularly reviews incidents reported on Ulysses to establish if they have been caused in whole or part by DPIAs not being appropriately completed.

12.6.1 Publishing data protection impact assessments (DPIAs)

All DPIAs are to be included within the organisation’s publication scheme. It is acknowledged that DPIAs may contain commercially sensitive information such as security measures or intended product development. It is acceptable for such items to be redacted, but as much of the document as possible should be published. RDaSH will publish a log of DPIAs via its public website, with full or redacted DPIAs available on request.

12.7 Appendix G Checklist for ensuring information governance compliance in third-party contracts

12.8 Appendix H Information sharing agreements

Whenever an information sharing agreement is required, the following basic information must be covered:

  • what information is to be shared
  • the business rationale for sharing it
  • the legal basis for sharing it under data protection legislation
  • the benefits to either the data subject, organisation, or health and social care economy
  • which organisation is the data controller
  • how data quality will be assured, going forward
  • what processes are in place to assure the information security of the processing, both when in transit from the sending to the receiving organisation and at the receiving organisation
  • what the arrangements are for the retention and disposal of the information
  • how requests concerning the use of the information under the Freedom of Information Act (2000) will be managed between the organisations
  • how data breaches will be dealt with in line with data protection law
  • the date the agreement is effective from, and for how long
  • sign-off by the Caldicott guardian within the sending and receiving organisations

13 Glossary of terms

Definitions

Anonymisation: the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Business continuity plans (BCP): a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident, to enable an organisation to continue to deliver its critical activities at an acceptable defined level.

Caldicott guardian (CG): a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.

CareCERT: NHS Digital has developed a Care Computer Emergency Response Team (CareCERT). CareCERT offers advice and guidance to support health and social care organisations to respond effectively and safely to cybersecurity threats.

Code of conduct: a set of rules to guide behaviour and decisions in a specified situation.

Common law: the law derived from decisions of the courts, rather than acts of Parliament or other legislation.

Care Quality Commission (CQC): an organisation funded by the government to check all hospitals in England to make sure they are meeting government standards, and to share its findings with the public.

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Act 1998 (DPA 1998): an act for the regulation of the processing of information relating to living individuals, including the obtaining, holding, use or disclosure of such information.

Data Protection Act 2018 (DPA18): the act which replaced the DPA 1998 above.

Data protection impact assessment (DPIA): a method of identifying and addressing privacy risks in compliance with GDPR requirements.

Data protection officer (DPO): a role with responsibility for enabling compliance with data protection legislation, playing a key role in fostering a data protection culture and helping to implement essential elements of data protection legislation.

Data security and protection toolkit (DSP toolkit): from April 2018, the DSP toolkit replaces the information governance (IG) toolkit as the standard for cyber and data security for healthcare organisations.

Data sharing agreement: a contract outlining the information that parties agree to share and the terms under which the sharing will take place.

Freedom of Information Act 2000 (FOI): the Freedom of Information Act 2000 provides public access to information held by public authorities.

General Data Protection Regulation (GDPR): the EU regulation on the protection of personal data which, as the UK GDPR, applies in the UK alongside the Data Protection Act 2018.

Information asset owner (IAO): information asset owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets that they ‘own’.

Information assets: includes records and documents that contain key information for the organisation’s business.

Information Commissioner’s Office (ICO): the Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Individual funding requests (IFR): an application to fund a treatment or service not routinely offered by the NHS.

Key performance indicators (KPIs): targets against which performance can be tracked.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Record lifecycle: the records lifecycle in records management refers to the stages of a record’s “life span”, from its creation to its preservation (in an archive) or disposal.

Senior information risk owner (SIRO): a board member with overall responsibility for:

  • the information governance and data security and protection policies
  • providing independent senior board-level accountability and assurance that information risks are addressed
  • ensuring that information risks are treated as a priority for business outcomes
  • playing a vital role in getting the institution to recognise the value of its information, enabling its optimal effective use.

Subject access request (SAR): a subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under the Data Protection Act.

Document control

  • Version: 4.2.
  • Unique reference number: 482.
  • Date ratified: 15 January 2024.
  • Ratified by: Corporate policy approval group.
  • Name of originator or author: Head of information governance or DPO.
  • Name of responsible individual: Information governance group or director of health informatics.
  • Date issued: 24 June 2024.
  • Review date: 31 December 2026.
  • Target audience: All staff.
  • Description of change: Changes to terminology and links.

Page last reviewed: December 16, 2024
Next review due: December 16, 2025