Information governance policy

Version number and status: 5.5 approved
First published: April 2013
Date updated: March 2025
Next review date: March 2026

Brief summary of changes

This policy has been updated following the merger of NHS England, NHS Digital, and Health Education England.

1. Introduction

1.1 This is NHS England’s overarching policy for information governance (policy). It explains how NHS England aims to meet the highest information governance standards.

1.2 NHS England is responsible for collecting, using, protecting and sharing a vast amount of incredibly sensitive information. This ranges from health information in national patient datasets, to sensitive personal information about our colleagues. It is essential that we maintain high standards of information governance to ensure that we respect and protect the information for which we are responsible.

1.3 Information governance is a broad framework for managing and controlling all forms of recorded information. Information governance is an umbrella term which includes data protection, confidentiality and records management.

1.4 This policy explains the roles and responsibilities for information governance in NHS England, including how information governance is overseen and assured by the Board. It is directly supported by the following policies, each of which focuses on a specific element of information governance:

a. Data protection policy
b. Confidentiality policy
c. Records management policy
d. Public Records Act: Operational selection for preservation policy

1.5 This policy is also supported by all other information governance policies, standards, procedures, processes, and guidance documents which it should be read alongside.

2. Scope

2.1 All NHS England directorates and regions fall within the scope of this policy. This includes staff who are employed on a permanent, fixed term or zero-hours basis, contractors, temporary staff, secondees and volunteers. It also covers non-executive directors and non-executive associate directors. We use the term “staff” within this policy to cover all of these different types of staff.

2.2 Staff of the following NHS areas are also within the scope of this policy: 

a. all commissioning support units  
b. all other NHS England hosted bodies, such as strategic clinical networks and clinical senates 

2.3 Compliance with this policy is mandatory. 

The information to which this policy applies

2.4 This policy applies to all recorded information for which NHS England is responsible, including:

a. personal data: personal data we process, or which is processed by others on our behalf and for which we are responsible. Personal data can relate to patients, staff or others. Further details about the personal data for which we are responsible are set out in our Data protection policy.
b. confidential information: includes confidential patient data, commercially sensitive information and corporate confidential information. Further details about the confidential information for which we are responsible are set out in our Confidentiality policy.
c. records: all documents and records held by or on behalf of NHS England, regardless of format. A record is information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business. Further details about the records for which we are responsible are set out in our Records management policy.

2.5 The definitions table in Appendix A explains the meaning of each category of information. The same information could be personal data, confidential information and be part of a record so it could be covered by more than 1 policy.

3. Policy statement

The importance of information governance

3.1 Information governance is important because it ensures that information for which we are responsible is managed effectively, securely, and in compliance with legal and regulatory requirements. It ensures that we use information in ways which are fair, lawful, transparent, and secure.

3.2 Good information governance has the following benefits:

a. For individuals:

  • informing them of the way in which their information is used
  • respecting their rights under data protection laws
  • reducing the risk of their information being subject to a personal data breach which could cause harm and distress
  • improving the quality of care which patients receive
  • keeping confidential information confidential

b. For NHS England:

  • increasing the trust of the public and stakeholders by demonstrating responsible use of information and data
  • ensuring we comply with the law, including data protection law
  • ensuring we have regard to the need to respect and promote the privacy of patients and service users
  • reducing legal, regulatory and clinical risks
  • ensuring information is accurate, consistent and accessible, subject to appropriate technical and organisational controls, by those who need to use it
  • improving strategic planning, commissioning, policy and performance through insights obtained from data
  • reducing time searching for or verifying the accuracy of information
  • strengthening internal controls and accountability to manage information risk appropriately
  • encouraging data-driven innovation to improve efficiency, performance and patient care

Your information governance responsibilities

3.3 All staff will be involved in handling information on behalf of NHS England. Such information could include confidential information, commercially sensitive information, patient information or information about staff. All staff must therefore be aware of their information governance responsibilities which are set out in the following policies:

a. Data protection policy: this policy sets out:

  • staff are responsible for complying with data protection law (for example, the UK GDPR) when using personal data
  • staff must be aware of their responsibilities for managing personal data including complying with the data protection principles, compliance with individual rights and requests made by individuals to exercise their rights, carrying out data protection impact assessments (DPIAs) and identifying and reporting potential personal data breaches

b. Confidentiality policy: this policy sets out:

  • staff must comply with the confidentiality principles listed in the policy, which include respecting the duty of confidentiality, protecting confidential information from improper disclosure, ensuring that access to confidential information is only provided to staff who require access to perform their role, and identifying and reporting any breaches of confidentiality
  • staff must meet the responsibilities for handling or making decisions concerning confidential information listed in the policy which include marking confidential information, ensuring the information is secure

c. Records management policy: this policy sets out:

  • staff must be aware of which documents are also records, and of their obligations for maintaining, naming, appraising, retaining and disposing of records
  • staff must be aware of their additional responsibilities for complying with any legal holds on records

d. Public Records Act: Operational selection for preservation policy: this policy sets out:

  • NHS England’s policy and criteria for identifying and selecting historical corporate records, known as public records, that are suitable for permanent preservation and transfer to the National Archives, within 20 years of their creation
  • staff must attend training, familiarise themselves with the policy and identify, retain and select potential public records for preservation in accordance with the policy, associated procedures and guidance

4. Roles and responsibilities

The roles and responsibilities relating to information governance within NHS England are set out below.

All NHS colleagues and others who this policy applies to

It is the responsibility of everyone to whom this policy applies to adhere to this policy and all associated information governance policies and procedures.

Everyone to whom this policy applies is required to:

  • comply with their data protection responsibilities set out in the Data protection policy including complying with the data protection principles and identifying and reporting personal data breaches in accordance with the incident reporting procedure
  • comply with their confidentiality responsibilities set out in the Confidentiality policy including complying with the confidentiality principles
  • comply with their records management responsibilities set out in the Records management policy and the Public Records Act: Operational selection for preservation policy including complying with their obligations for maintaining, naming, appraising, retaining, selecting for preservation and disposing of records
  • undertake mandatory information governance training in line with mandatory training requirements, and seek and undertake other appropriate information governance training required for their role
  • seek advice from the Privacy, Transparency and Trust (PTT) team where required on information governance matters via the IG Query Management Portal
  • obtain approval of DPIAs from PTT on behalf of the senior information risk owner (SIRO) in accordance with the DPIA procedure
  • seek advice from PTT before engaging with the Information Commissioner’s Office (ICO), the National Data Guardian (NDG), or the Confidentiality Advisory Group (CAG) in relation to any projects, programmes of work or section 251 applications relating to processing of information by NHS England

Chief executive

Overall accountability for procedural documents across the organisation lies with the chief executive as the accounting officer that has overall responsibility for meeting all statutory, legal and regulatory requirements relating to information governance.

Caldicott Guardian

The Caldicott Guardian is an advocate for patients and acts as the conscience of the organisation for patient information, patient confidentiality, patient information sharing issues and the proper management of patient information. The role of the Caldicott Guardian is advisory. Within NHS England the Caldicott Guardian responsibility is under the remit of the national medical director.

The Caldicott Guardian:

  • ensures that NHS England satisfies the highest ethical and legal standards for processing confidential information/personal data about patients and staff
  • provides leadership and informed advice on complex matters involving the use and sharing of patient confidential information, particularly in situations of legal and/or ethical ambiguity
  • advises on the application of and promotes the 8 Caldicott Principles and good information governance throughout their organisation, using the principles to encourage and facilitate decisions in the best interests of patients and their care and in line with the common law duty of confidentiality, data protection law, and human rights
  • helps to ensure that information sharing is safe and effective, in line with the seventh Caldicott Principle

The day-to-day responsibilities of the Caldicott Guardian are carried out by the Deputy Caldicott Guardian and the Caldicott Guardian team.

Chief information security officer

The chief information security officer has been authorised by the SIRO for the day-to-day management of information and system security and cyber risk within NHS England, and is supported by the Cyber Operations Governance, Risk and Compliance function, which is responsible for providing advice, guidance and assurance on information security, system security and cyber security.

Cyber security and risk committee

A sub-committee of the NHS England Data, Digital & Technology Committee, responsible for overseeing and assuring cyber and information governance risks and issues. It includes the SIRO, executive representatives and non-executive directors of the NHS England Board.

The committee’s responsibilities include undertaking assurance on:

  • the effectiveness of cyber threat protection, information security and information governance risk management for all corporate and national systems, digital and data platforms
  • how NHS England protects confidential patient data and other steps taken to follow the statutory guidance on NHS England’s protection of patient data

Data, Digital and Technology Committee

A committee of the NHS England Board responsible for providing oversight and objective assurance on how NHS England manages its data related duties and powers, and oversight of risks. Includes the SIRO, executive representatives and non-executive directors of the NHS England Board. 

The committee’s responsibilities include:

  • agreeing the digital and technology strategy (including cyber strategy) and activities of NHS England and receiving assurance of its ongoing implementation
  • agreeing the digital and technology strategy for the NHS in England
  • advising on the development of data and technology architecture
  • assuring the Board on how NHS England discharges its duties regarding data functions, including overseeing and scrutinising how such functions are exercised, the steps taken by NHS England to follow the statutory guidance on NHS England’s protection of patient data and how NHS England protects confidential patient information

Senior information risk owner (SIRO)

The SIRO is a national director and senior advocate for information governance and security matters at board level.

The responsibilities of the SIRO include:

  • influencing the Board to foster a culture that values, protects and uses information for the success of the organisation and benefit of its patients
  • staying informed about information risks, including data security and protection risks, and managing those risks in accordance with the NHS England Risk management framework
  • signing off key elements of the Data security and protection toolkit
  • overseeing the development of information risk procedures
  • managing high severity cyber alerts and accepting appropriate residual risk
  • providing leadership during a major incident or breach
  • taking ownership of the organisation’s information risk assessment processes
  • ensuring that the organisation’s approach to information risk is communicated to all staff and effective in terms of resource, commitment and execution
  • ensuring the organisation’s Risk management framework is implemented consistently by information asset owners (IAOs)

The day-to-day responsibilities of the SIRO are carried out by the deputy SIRO (the director of privacy and information governance), and in relation to cyber and security matters, by the chief information security officer.

Data protection officer (DPO)

It is a legal requirement under UK GDPR for NHS England to appoint a DPO. The DPO is an independent advisory role held by an expert in data protection (deputy director of data protection and trust). The DPO and the Data Protection Office and Trust team are part of the Privacy, Transparency, and Trust Sub-Directorate.

The responsibilities of the DPO include:

  • providing advice to the organisation and its staff on compliance with data protection law
  • monitoring compliance with data protection law and organisational information governance policies
  • co-operating with, and being the first point of contact for, the Information Commissioner’s Office (ICO) on information governance matters
  • being available to be contacted directly by individuals and members of the public about information governance matters
  • overseeing and advising on the organisation’s response to personal data breaches, including determining when a personal data breach needs to be notified to the ICO and impacted individuals
  • raising awareness of information governance issues with staff within NHS England
  • reviewing and updating our data protection and related information governance policies, standards, procedures and guidance in line with legal and regulatory requirements

Executive Corporate Group (ECG)

The Executive Corporate Group is responsible for overseeing NHS England’s approach to discharging its information governance responsibilities, including receiving regular updates on handling and responses to subject access requests, personal data breaches and compliance with its legal responsibilities.

Information asset owners (IAOs)

IAOs need to:

  • understand what information is held by their unit or directorate
  • identify and address risks to their information in accordance with the DPIA procedure and the Risk management framework
  • ensure that information is appropriately protected and marked
  • ensure information is used in compliance with all legal requirements, including information governance requirements
  • ensure information about the assets for which they are responsible is logged on the information asset register and is kept up to date
  • obtain approval of DPIAs for their information assets from PTT on behalf of the SIRO in accordance with the DPIA procedure
  • provide written input to the SIRO annually on the security and use of their information asset and the accuracy of the information asset register as part of meeting the Data security and protection toolkit requirements
  • familiarise themselves with information asset owner guidance

Privacy, Transparency and Trust team

The Privacy, Transparency and Trust Sub-Directorate is led by the director of privacy and information governance, who is also the deputy SIRO and provides internal guidance, advice and assurance to all staff on this Information governance policy.

The PTT Team is responsible for:

  • discharging the statutory responsibilities of the DPO under UK GDPR, including being the primary contact point for communication with the Information Commissioner’s Office (ICO) in relation to NHS England’s processing of personal data
  • advising on, investigating, and where appropriate reporting personal data breaches by NHS England to the ICO and notifying individuals impacted by those personal data breaches
  • advising on and supporting the Cyber Security Operations Centre and the National Emergency Preparedness Response and Resilience team response to significant external NHS and NHS supply chain cyber security incidents
  • managing and responding to subject access requests and other UK GDPR rights requests, privacy complaints and ICO investigations
  • providing an IG delivery service, including advising on privacy by design, data sharing agreements, data processing agreements, joint controller agreements and privacy notices, advising on and approving DPIAs on behalf of the SIRO, and ensuring information risks are appropriately managed in line with the law and the Risk management framework
  • corporate records management, providing advice and guidance on records management including selection and transfer of records for preservation
  • drafting legal directions and associated specifications for nationally provided IT products, platforms and digital services and directions and statutory requests to establish and operate systems for the collection and analysis of data in line with the directions and statutory requests procedure
  • facilitating all ICO, NDG and CAG engagement and consultation by NHS England in relation to NHS England’s processing of data, including advising on and submitting any section 251 applications on behalf of NHS England
  • hosting and overseeing the NHS England Advisory Group for Data (AGD) and facilitating advice and assurance for programmes, projects and the Data Access Request Service (DARS) from AGD

5. Equality impact assessment (EQIA)

As part of the development of this policy, its impact on equality has been analysed and no detriment identified.

6. Associated documentation

Supporting data protection and information governance policies, procedures, standards, templates, guidance and advice can be found below:

  • NHS England Data protection policy
  • NHS England Confidentiality policy
  • NHS England Records management policy
  • NHS England Public Records Act: Operational selection for preservation policy
  • NHS England’s Information governance intranet page
  • NHS England’s Information Governance Query Management Portal
  • NHS England’s Information Asset Owner Guidance
  • Information Commissioner’s Office website

Appendix A – Key definitions used in this policy

The following terms are used in this policy and have the meanings set out below:

Caldicott Principles

The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes. The principles are:

  • Principle 1: We shall justify the purpose(s) for using confidential information.
  • Principle 2: We shall use confidential information only when it is necessary.
  • Principle 3: We shall use the minimum necessary confidential information.
  • Principle 4: Access to confidential information should be on a strict need-to-know basis.
  • Principle 5: Everyone with access to confidential information should be aware of their responsibilities.
  • Principle 6: We shall comply with the law.
  • Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality.
  • Principle 8: We shall inform patients and service users about how their confidential information is used.

Controller

A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data or who is obliged under legislation to process the personal data.

CISO

Chief information security officer.

Data protection

The protection of personal data and the actions we take to ensure that we comply with the law.

Data Protection Principles

The principles set out in Article 5 of the UK GDPR.

DPIA(s)

Data protection impact assessments in a form that meets the requirements of UK GDPR.

Incident

An actual or suspected security breach or data loss incident.

ICO

Information Commissioner’s Office.

Information governance

This is our overall strategy and framework we apply for managing information within our organisation. Good information governance supports our compliance with our data protection obligations.

Joint controller

Where 2 or more controllers jointly determine the purposes and means of processing, they are joint controllers.

Personal data

Has the meaning given in UK GDPR, being any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to 1 or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this policy this also includes information relating to deceased patients or service users. Personal data can be directly identifiable personal data or pseudonymised data.

Personal data breach

Has the meaning given in UK GDPR being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Privacy notice

Means a notice providing transparency and privacy information to the public as required by UK GDPR.

Process or processing

Has the meaning given in UK GDPR being any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor

Has the meaning given in UK GDPR being a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Pseudonymisation

Has the meaning given in UK GDPR being the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Pseudonymised data

Personal data that has undergone pseudonymisation.

PTT

The Privacy, Transparency and Trust team, a sub-directorate of the Delivery Directorate.

SIRO

Senior information risk owner.

Subject access request

A request from individuals for access to the personal data we process about them, including providing copies of it.

UK GDPR

UK GDPR as defined in and read in accordance with the Data Protection Act 2018.

Policy prepared by: Joanne Treddenick, Information Governance Lead, Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate

Policy owner: Jackie Gray, Director of Privacy, and Information Governance, Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate

Policy approved by and date: Executive Corporate Group, 20 May 2025

This is a controlled document. Whilst this document may be printed, the electronic version posted on the NHS England website is the controlled copy. Any printed copies of this document are not controlled.

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the NHS England website.