What is Information Governance in the NHS?
Information Governance (IG) in the NHS and healthcare ensures data is stored and handled legally, securely, efficiently, effectively and ethically, not just about patients but everyone who works for, and on behalf of, the NHS and healthcare organisations.
The NHS handles some of the most sensitive personal data available, and patients have a right to expect that any information being held about them will be looked after and kept safe.
The Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Information Commissioner John Edwards had this to say when he took up the role in 2022: “Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.”
Our award-winning IG service provides consultancy, training and learning products to help our host trust - the Calderdale and Huddersfield NHS Foundation Trust (CHFT) - and our other healthcare clients handle personal and corporate data in accordance with the NHS IG framework.
Why is Information Governance important in the NHS?
Confidentiality is the cornerstone of good medical practice and is central to the trust between doctors, colleagues and patients.
IG is the legal framework that provides protection for patients and everyone working for, or on behalf of, the NHS. It covers a huge spectrum of activity ranging from Freedom of Information (FoI), data protection and confidentiality to IT security, anti-virus assurance and internet filtering and reporting.
It makes sure organisations comply with the mandatory data protection regulations across all healthcare sectors so that data is stored, used and shared in a safe, legal and ethical way.
Fundamentally, all data should be:
- Safe and secure.
- Available.
- Current and accurate.
For patients seeking information, it helps them to understand clearly and transparently what their data is used for, why, and how it is used.
For staff and everyone working on behalf of the NHS, it is a clear structure that enables them to deal consistently with the rules, legislation and ethics surrounding how data is handled and shared.
Common challenges in NHS Information Governance
Managing large volumes of data makes the NHS a target for hackers. Data breaches - and accidental non-compliance with IG regulations - can have significant consequences.
That was illustrated by a ransomware attack on a pathology business working for the NHS by a group of Russian cyber criminals, which meant several London hospitals could not carry out blood transfusions and had to cancel operations and tests.
Figures compiled by NHS England showed that over 10,000 acute outpatient appointments had to be postponed, along with 1,700 elective procedures.
Whilst that was the work of hackers, there are other threats, such as:
- Phishing - when criminals use scam emails, text messages or phone calls to trick victims into revealing sensitive information or deploying malware on the victim’s computer.
- Social engineering - a broad range of malicious activities accomplished through human interaction, tricking users into making security mistakes or giving away sensitive information.
THIS is accredited to provide training on all aspects of threat containment and secure email compliance under NHS England’s secure email standard, DCB1596, which certifies that sensitive and confidential information is kept secure in transit between health and social care organisations.
Jason Cresswell, THIS’ IT and Cyber Security Manager, explains: “Any e-mail that comes from outside the organisation typically contains a warning banner that appears at the top of the e-mail saying this is external, be cautious with malicious attachments and malicious links that you click on. We try to drill it into all staff that if you're not certain, alert our team and we can check it for you.
“To be registered as a secure e-mail provider between health and social care organisations you must have the DCB1596 certification from NHS Digital. It ensures that malicious attachments get blocked, there's anti-malware and spam controls in place, and that the general well-being and security of the e-mail environment is up to a certain standard.
“We put customers through that accreditation. The threat landscape is evolving all the time and it’s important there is user awareness of staying abreast of changes and being aware of how you can keep your organisation safe.”
Microsoft Teams is the preferred communication platform for CHFT as it is UK-hosted, General Data Protection Regulation (GDPR) compliant and ISO 27001 compliant, and it integrates with other trust software such as Outlook and, ultimately, Office 365.
THIS’ cyber security team has put in place some mandatory procedures to ensure Personal Confidential Data (PCD) is kept secure. These include:
- Minimising the use of PCD.
- Implementing security measures for accessing Teams on personal devices.
- Not extracting or storing PCD on non-Trust, personal or any other storage device.
- Working from home guidelines.
- Ensuring recorded Teams meetings comply with GDPR and Information Governance policy.
How THIS supports NHS Information Governance
Our six-strong team of IG consultants, who have 60 years’ worth of experience between them, provides high-quality, specialist support and assistance to ensure organisational compliance in handling personal and corporate data legally, securely, efficiently and effectively.
The team supports NHS organisations, NHS arms-length organisations, charitable organisations and private entities that have to access NHS data.
We provide information governance training, consultancy, and learning products for the complete IG arena, including:
- Freedom of information
- Data protection and confidentiality
- Environmental information regulations
- Information security
- Senior information risk owners
- Caldicott Guardians
- Privacy impact assessments
- Information asset owners and administrators
- Data flow mapping
- Records management
- Data quality
- IT security
- Anti-virus assurance
- Internet filtering and reporting
Fundamentally, IG is an enabling service to ensure data is handled safely and stored securely. Our end solution takes away any difficulties clients might encounter.
Helen Holt, THIS’ Data Protection Officer, explains: “For example, many NHS organisations have an IG officer and/or data protection officer within their organisation, who are responsible for the data they handle.
“The beauty of working with THIS is we can work with an organisation without really being visible, making them safe, secure and compliant. We make them compliant before they really have to worry about it, taking up the slack for them and providing peace of mind.”
THIS expertise covers consultancy, training and learning products for all aspects of IG, such as Freedom of Information, privacy impact assessments, data flow mapping, records management, data quality, and IT security including anti-virus assurance.
Organisations attain the level of knowledge and best practice they require through THIS’ specialist training services.
The essential training provides guidance and education for senior information risk owners, information asset owners and administrators, data protection officers and Caldicott Guardians – a senior staff member responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. All NHS organisations and local authorities providing social services must have a Caldicott Guardian.
THIS holds ISO 27001 Information Security Management, 9001 Cyber Management, Cyber Essentials, AMAM level 6 and 20000-1 Information Technology Service Management certifications. We are compliant with the NHS England Data Security and Protection Toolkit (DSPT), a set of requirements that organisations must meet to be able to process any NHS data.
Real-Life impact: An Information Governance case study
Vigilance regarding cyber security is now paramount. In one period of just two months, THIS’ host trust received 46,600 phishing emails and 34,600 spam emails, which resulted in 1,658 malicious websites and 1,432 malware samples being blocked.
Helen Holt: “I think there are two reasons for this. Firstly, criminals know more people are working from home and the potential to catch them off-guard has increased. Second is the use of personal equipment being used at home to link into work, which people can do, but they might not have the same security inbuilt into their personal equipment.
“Our information security team can identify the IP addresses and the source of the emails. We are constantly blocking emails, websites and malware. We are constantly reminding our own teams and those of our clients to be more vigilant.”
Our Information Governance support in action
Here’s an example of how we support Spectrum Community Health Community Interest Company (CIC), a social enterprise that delivers a range of community and offender healthcare services on behalf of the NHS, local authority public health services and other partners predominantly in the North of England.
The organisation has a full-time, dedicated IG Manager employed by THIS whom Spectrum describe as ‘invaluable’.
This is what Spectrum says: “She manages and leads all aspects of our IG programme and data protection requirements by providing specialist expertise and support to colleagues across our organisation in health and justice, sexual health and community-based services with all data protection related issues.
“She supports our Subject Access Request team with vital advice and guidance, particularly with complex requests. This has led to improved compliance with GDPR. She has recently supported the selection and compliance testing of an artificial intelligence solution to assist with the redaction of subject access requests, which should also enhance our compliance with GDPR requirements.”
Partner with THIS for NHS Information Governance excellence
Data protection is compulsory whether you are an NHS or private organisation. Our information governance services are founded on the Data Security and Protection Toolkit (DSPT).
We provide information governance training, consultancy, and learning products for the complete IG arena.
We hold ISEB qualifications in data protection, information security, risk management and freedom of information, and can ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 through our Data Protection Officer service.
And all services are externally certified to Information Security Management System standards ISO/IEC 27001.
As the uses and applications of patient data grow and adapt to an ever-changing landscape, how this information is stored and who has access to it deserves the very best practice.
Our team of specialists are also available to discuss your requirements and provide demonstrations. Get in touch to see how we can help.
What our customers have to say
“THIS have provided Spectrum Community Health with quality service for over 10 years. They consistently strive to meet our IT needs and digital ambitions in a supportive partnership approach.”
Sharon Hardcastle
Director of Finance, Spectrum Community Health CIC
“Judy has asked for Spectrum’s thanks to be passed on to the Service Desk and all support staff for the efforts we are going to help and support them.”
Judy Threlfall-Sykes
Head of Digital, Spectrum Community Health CIC
“Really want to thank Daniel P for all his help, he was really patient and helpful. Clearly communicated what he was doing and that he would contact me back to test that things were working.”
CHFT
“Problem quickly resolved and gave information about how to resolve in the future.”
Wakefield CCG
Who we work with
Supporting organisations throughout the UK
Across the UK, we work closely with NHS and healthcare organisations in many different locations. From our roots in Yorkshire, we support clients across England, Scotland, Wales and Ireland.
Examples of our NHS clients include London’s Great Ormond Street Hospital and hospital trusts in Southampton, Oxford, Cambridge, Nottingham, Derby, Birmingham, Liverpool, Manchester, Middlesbrough, North Tees & Hartlepool, Newcastle Upon Tyne, Edinburgh, Lanarkshire and Glasgow.