What is Information Governance?

In the healthcare sector, it is inevitable that professionals and the organisations they work for will use and process large amounts of individuals’ personal data. The use, storage, and processing of personal data within health and social care is governed by a wide range of legislation and guidelines, including:

• General Data Protection Regulation (GDPR) 2016
• Data Protection Act 2018
• Regulation of Investigatory Powers 2000
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Re-use of Public Sector Information Regulations 2005

Information Governance (IG) is the term used to describe how organisations meet their obligations under this legislation, and other guidelines around preserving the privacy of personal data.

Whose personal data is involved?

Although the most obvious type of personal data processed in health and social care is that of patients, it is not only their privacy which is protected by robust IG procedures. The rules are also concerned with the personal data of employees, contractors, and other staff; patients’ friends and family; professionals in partner organisations; and any other personal data with which organisations come into contact.

Information Security

For any personal data, security is paramount. This is particularly the case with records management, where organisations have a legal responsibility to ensure that only those staff who need access to a patient’s record have it, and that they can only see the parts of it which are relevant to their role and the task they are undertaking.

Security standards and codes of practice exist in this area, and staff must make sure that they abide by them at all times.

There is a particular tension between the patient’s right to privacy and ensuring that enough information is available to medical staff in order to provide safe and effective treatment. Where it is absolutely necessary, staff may be able to share personal data without an individual’s consent. However, any sharing such as this must be in accordance with the security standards and staff would be well advised to seek advice from a manager or professional association.

NHS Policy on ‘Secondary Uses’

The law allows the sharing of data where it is necessary for the direct care of patients while limiting the sharing of data for any other purpose. However, healthcare services depend on the use of patient data to be able to run a safe, effective, and efficient health service. Uses of personal data that do not fall within the definition of ‘direct care’ might include, for example:

• Reviewing and improving the quality of care provided
• Researching what treatments work best
• Commissioning clinical services
• Planning public health services

It is illegal to use individuals’ personal data for these purposes without their express, informed consent. This cannot be a blanket consent to, for example, all research; it must be consent gained on a case-by-case basis from every patient whose personal data is to be used in any project. The only exception to this is if the personal data is anonymised such that there is no method by which it can be used to identify any living person. Generally speaking, the pseudonymisation of data (using identifying codes rather than names) is not sufficient to comply with the law, since the data could still be used by a determined individual to identify the person to whom it refers.

Information governance toolkit

The IG toolkit is a set of resources provided by NHS England to enable organisations, and individuals, to properly formulate policies and practices to safeguard personal data. It sets out NHS policy and provides a baseline set of expectations for data security with which every NHS employee should be familiar.

What is the difference between Information Governance and GDPR?

Information Governance is a core component of the Mandatory Core Skills Training Framework developed by Skills for Health. This requires an understanding of the fundamentals of confidentiality, the Caldicott principles, the Freedom of Information Act and data protection (now GDPR). GDPR is new legislation that replaces the existing Data Protection Act and is therefore a component requirement of Information Governance. All healthcare professionals will need a top-level understanding of GDPR and its implications – the Skills for Health Information Governance course has been updated to cover this. However, depending on their role, some professionals will require in-depth GDPR training. Please note that GDPR-specific training on its own does not cover the range of topics required for Information Governance requirements.

The challenges of primary care

Imagine a typical GP surgery waiting room. A few patients are sat in reception waiting to be seen, when the practice telephone rings. A member of staff answers, and on the phone is a patient requesting an appointment. The receptionist says, “Oh, hello Mrs. Davies. Let me just check, are you still at 123 New Street? Yes, oh good. And is it about your asthma? Fine, I’ll make you an appointment for 3pm on Thursday.”

In case you weren’t counting, there are at least four separate pieces of personal data which the diligent receptionist has just revealed to everyone within earshot: the patient’s name, her address, her medical condition, and the time she will be away from home. That is more than enough information to burgle Mrs Davies’ house while she’s at her appointment, or to pose as a relative and access her health records or steal her identity.

All healthcare settings have their own unique challenges, but it is especially important that staff working in primary care, who tend to carry out their duties in less formal environments, are fully aware of their obligations when processing personal data. In the example above, asking the patient neutral questions, such as, “Can you just confirm your address for me?” would have avoided a breach of data protection altogether.

NHS Training

All staff should receive training in Information Governance during their professional training, and on starting work in the NHS. Additionally, whenever moving to a new role staff should receive specific training which explains how IG applies to their new role, and any specific policies or procedures which apply.

This could be face-to-face healthcare training, or an eLearning package.

Additionally, further training such as CPD for nurses should be available as and when it is needed, on demand, within all healthcare organisations.


Good information governance is, at its heart, about protecting patients. However, it also protects staff. Breaches of data protection are a criminal offence and, in serious cases, can attract multi-million pound fines or even prison sentences. As a healthcare professional, it is essential that you safeguard yourself by ensuring that you are familiar with, and abide by, all of the IG rules, codes of practice, and training you receive.
