Complying with Information Governance

Management of the NHS is dependent on understanding the needs of patients, who are at the heart of everything that is done within the NHS. Ensuring that patient data is processed appropriately and in accordance with the law and in-line with patient expectations is key to upholding the trust placed on all NHS employees in the course of their duties.

Whilst the information governance landscape is complex, these resources aim to provide clear guidance in order to simplify and support the use of data required to ensure patients benefit from the most appropriate care.

Chapter 7 of the Information Commissioner’s Office (ICO) Code of Practice on anonymisation outlines that different levels of granularity of released data are appropriate dependent on the other safeguards to minimise the risk of re-identification. It identifies that published data need to be fully anonymised, however the Code of Practice identifies that more granular information is frequently needed for richer analysis, for example in research. It outlines that data made available under limited access with robust controls in place can be more granular and it would be for this type of data release that pseudonymisation or anonymisation should be considered.

Further guidance from the ICO outlines that the level of risk of re-identification depends upon the richness and type of data released to the recipient and the range of other data that the recipient has or could have access to. In reality, this would be difficult to assess, unless access were provided in a controlled environment that did not allow other datasets in and limited information going out, or only limited and carefully selected individual data are released.

The IG resources will consist of

  • An outline of statutory duties which support commissioning
  • IG Frameworks and documentation required to support commissioning data flows
  • Guidance on completion of data sharing/data processing agreements
  • Guidance on the roles and responsibilities of commissioning organisations
  • Up-to-date information on Confidentiality Advisory Group (CAG) applications
  • An updated Risk Stratification Register
  • An updated Controlled Environment for Finance (CEfF) Register
  • How to Guides covering the access to and management of data
  • Further resources as the IG landscape changes to meet commissioning requirements

These link to other resources and in particular to the Information Governance Alliance (IGA) whose mission is to “enhance the quality of health and care services, including people’s experience of using those services, by improving information governance”.