IG Information Governance

 Information Governance Policy

 Document Control

A. Confidentiality Notice

This document and the information contained therein are the property of DARWIN MEDICAL PRACTICE.

This document contains information that is privileged, confidential or otherwise protected from disclosure. It must not be used by, or its contents reproduced or otherwise copied or disclosed without the prior consent in writing from DARWIN MEDICAL PRACTICE.

B. Document Details

Author and Role:

Document Reference:

Current Version Number:

Current Document Approved By:

Date Approved:

C. Document Revision and Approval History


Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.


The Practice recognises the need for an appropriate balance between openness and confidentiality, both in the management and use of information.

The Practice fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, personal information about patients and staff as well as commercially sensitive information.

The Practice also recognises the need to share patient information with other health organisations and agencies in a controlled manner, consistent with the interests of the patient and, in some circumstances, the public interest.

The Practice believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such, it is the responsibility of everyone in the Practice to ensure and promote the quality of information and to actively use information in decision-making processes.

The formal framework that leaders of primary care organisations should commit to is set out in the National Data Guardian’s ten data security standards. These are the basis of the Data Security and Protection Toolkit (DSPT) that health and social care organisations must use to assess their information governance performance.

All personal information (including certain business or corporate information) needs to be stored, transmitted and only accessed or handled when necessary. This means information needs to be safeguarded when stored, accessed or when it enters or leaves the organisation, whether this is by fax, post, verbally, email or other means.

There are four key interlinked strands to the Information Governance Policy:

  • Openness
  • Legal compliance
  • Information security
  • Quality assurance

 Openness

  • Non-confidential information about the Practice and its services will be available to the public through a variety of media, in line with the Practice’s code of openness.
  • The Practice will establish and maintain policies to ensure compliance with the Freedom of Information Act.
  • The Practice will undertake or commission annual assessments and audits of its policies and arrangements for openness.
  • Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
  • The Practice will have clear procedures and arrangements for liaison with the press and broadcasting media.
  • The Practice will have clear procedures and arrangements for handling queries from patients and the public.


  • Information will be defined and kept confidential where appropriate, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act 2018 (which incorporates the EU General Data Protection Regulation).
  • Information that is not confidential about the Practice and services will be available to the public through a variety of means, in compliance with the Freedom of Information Act, Code of Conduct for Confidentiality, the Data Protection Act 2018 and Access to Records Policy.

 Legal Compliance

  • The Practice regards all person identifiable information, including that relating to patients, as confidential.
  • The Practice will undertake or commission annual assessments and audits of its compliance with legal requirements.
  • The Practice regards all identifiable personal information relating to staff as confidential, except where national policy on accountability and openness requires otherwise.
  • The Practice will establish and maintain policies to ensure compliance with the Data Protection Act, Human Rights Act, common law confidentiality and Confidentiality: NHS Code of Practice.
  • The Practice will establish and maintain policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

 Information Security

  • The Practice will establish and maintain policies for the effective and secure management of its information assets and resources.
  • The Practice will undertake or commission annual assessments and audits of its information and IT security arrangements.
  • The Practice will establish and maintain standards and policies for the disclosure of information.
  • The Practice will promote effective confidentiality and security practice to its staff through policies, procedures and training.
  • The Practice will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

 Information Quality Assurance

  • The Practice will establish and maintain policies and procedures for information quality assurance and the effective management of records.
  • The Practice will undertake or commission annual assessments and audits of its information quality and record management arrangements.
  • Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
  • Wherever possible, information quality should be assured at the point of collection.
  • The Practice will promote information quality and effective records management through policies, procedures/user manuals and training.


It is the role of the partners in the Practice to define the Practice’s policy in respect of Information Governance, taking into account legal and NHS requirements.

The partners are also responsible for ensuring that sufficient resources are available to support the requirements of the policy. Helen Law is the designated Information Governance Lead in the Practice and is responsible for:

  • Overseeing day-to-day Information Governance issues;
  • Developing and maintaining policies, standards, procedures and guidance;
  • Coordinating Information Governance in the Practice;
  • Raising awareness of Information Governance; and
  • Ensuring that there is on-going compliance with the policy and its supporting standards and guidelines.

All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis.

Information held securely and confidentially

All personal information, including certain business or corporate information, needs to be stored, transmitted and only accessed or handled when necessary. This means information needs to be safeguarded when stored, accessed or when it enters or leaves the organisation, whether this is by fax, post, verbally, email or other means.

Obtained fairly and lawfully

Article 5(1) of the GDPR says: “Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”.

Lawfulness refers to the grounds on which you are collecting the personal information. As a health organisation, our legal basis for processing is normally to carry out a “public task”, i.e. as an official NHS authority carrying out the task of caring for people. It could also be “vital interests”, i.e. to prevent harm. In other words, we do not need consent to process information, but we have to do it fairly.

We have to be open and honest about how we are using and sharing the information we are collecting. The Data Protection and Confidentiality Policy has details on our responsibilities as an organisation for how we control information and how we do this fairly. It also covers how children have the right to be informed.

Recorded accurately and reliably

The core characteristics of accurate information are:

  • Authentic – i.e. the data is what it claims to be, has been created or sent by the person who said that they created or sent it, and this was done at the time claimed
  • Reliable – i.e. the data is complete, accurate, has been created close to the time of the activity it records, and has been created by individuals with direct knowledge of the event it records
  • Integrity – i.e. the data is complete and unaltered, it is also protected from being changed or altered by unauthorised persons, any alterations are clearly marked and the person who made them can be identified
  • Useable – i.e. the data can be located when it is required for use and its context is clear in a contemporaneous record.

Used effectively and ethically, and shared/disclosed

Personal data can only be shared if there is a clear legal basis to do so or if the data subject has given their clear consent.

If we (the Practice) are required to share personal data, we should be clear about the reasons for sharing the data and what we intend to achieve by doing so.

The legal basis for processing and sharing information is the performance of a “public task” in health and social care, meaning we do not share information on the basis of consent; it is shared on the basis of care needs.

Caldicott Principles

[See Caldicott Policy]

Principle 1: Justify the purpose(s) for using confidential information

Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2: Use confidential information only when it is necessary

Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

Principle 3: Use the minimum necessary confidential information

Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

Principle 4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.

Principle 6: Comply with the law

Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.

Under the GDPR, the Practice has an obligation to implement technical and organisational measures to show that we have considered and integrated data protection into our processing activities.

‘Privacy by design’ should be a key consideration in the early stages of any project and should continue throughout its lifecycle. This allows us to minimise privacy risks and builds trust.

Designing projects, processes, products and systems with privacy in mind at the outset leads to benefits.

Information Governance & Confidentiality Training

Staff will undertake mandatory data security awareness training annually. Those staff identified in specialist roles will identify their training needs through their annual Performance and Personal Development Reviews.


Freedom of Information Act 2000 (FOIA)

FOIA is covered under the Information Governance Framework. The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Public authorities include government departments, local authorities, the NHS, state schools and police forces.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

Policy Approval

The Practice acknowledges that information is a valuable asset, therefore, it is wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.

This Policy, and its supporting standards and work instructions, are fully endorsed by the local network through the production of these documents and their formal approval by the Practice.

A breach of the Information Governance policy may result in disciplinary action and possible dismissal.

The Practice will, therefore, ensure that all staff, contractors and other relevant parties observe this policy, in order to ensure compliance with Information Governance and contribute to the achievement of the Primary Care objectives and delivery of effective healthcare to the local population.