Information Governance
Information Governance is everyone’s responsibility. Below is some brief information and links to external webpages for more detail.
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Please visit the ICO website for more information, guidance and resources.
Data Protection: UK GDPR
General Practitioners are subject to the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As data controllers and recipients of confidential patient information, GPs need to be especially careful to ensure they comply with all of their data protection and privacy obligations.
Please visit the below links for guidance and information in this vital area:
- GDPR Privacy Notices for GP Practices
- GP as Data Controller under GDPR
- Access to health records – subject access requests (SAR) and the Access to Medical Reports Act (AMRA)
- Online access to GP health records – NHS England Digital
- Guide to the UK GDPR – ICO
Caldicott Guardian and role
A Caldicott Guardian is a senior person within a health or care organisation who is responsible for protecting the confidentiality of patient information and for ensuring it is used and shared appropriately. Following a request from the Secretary of State for Health, Dame Fiona Caldicott carried out an independent review of information sharing to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care. An Independent Information Governance Oversight Panel (IIGOP) was subsequently set up at the request of the Secretary of State for Health.
Please visit the www.gov.uk website for more information on the following:
- Records management: code of practice for health and social care
- The Caldicott Principles
- Reasonable expectations
- National Data Guardian guidance on the appointment of Caldicott Guardians, their role and responsibilities
- Confidentiality: NHS Code of Practice – supplementary guidance: public interest disclosures
Data Protection Impact Assessment (DPIA)
A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.
The ICO sets out the following:
- You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
- It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
- Your DPIA must:
  - describe the nature, scope, context and purposes of the processing;
  - assess necessity, proportionality and compliance measures;
  - identify and assess risks to individuals; and
  - identify any additional measures to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
- You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
- If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
- If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
- The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
Visit here for a sample DPIA Template.
Visit here to contact the ICO about your DPIA.
Please visit the ICO DPIA webpages for more information, guidance and resources. For further details please also visit here.
Data Protection Officers (DPOs)
The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities. GP practices are public authorities for this purpose and so must appoint a DPO. The ICO sets out the following:
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases several organisations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Please visit the ICO DPO webpages for more information, checklists and FAQs.
Other resources: