Information Governance

Information Governance is a framework for handling personal and sensitive information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.

What is personal data?

Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.

Privacy notice for researchers

Personal Data is collected to ensure that research study personnel are appropriately qualified for all aspects of the research study process. Personal Data is also used for quality control purposes and research study management.

Apart from collecting your name and professional address, these purposes may also require financial disclosure, qualification documents and other personal information. Personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation or habits, genetic or biometric data will not be collected.

Research governance requires the collection, processing and transfer of the Personal Data of investigators and other research personnel who perform study-related duties and functions, usually to the study sponsor and regulators. Refusal to disclose the requested Personal Data would exclude you from eligibility as a collaborator performing study-related functions on a research study.

There are laws protecting how we handle information; these include:

  • The Data Protection Regulation (2018)
  • Criminal Justice and Immigration Act 2008
  • The Freedom of Information Act 2000
  • Access to Health Records Act 1990 (Deceased records)
  • Human Rights Act 1998
  • Section 251 of the NHS Act 2006 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. In practice, this means that the person responsible for the information (the data controller) can, if they wish, disclose the information to the applicant without being in breach of the common law duty of confidentiality. They must still comply with all other relevant legal obligations. Further information on section 251 can be located at: .

The Caldicott Principles of data processing within the NHS:

Principle 1 - Justify the purpose(s): Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Don’t use patient-identifiable information unless it is absolutely necessary: Patient-identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3 - Use the minimum necessary patient-identifiable information: Where use of patient-identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 - Access to patient-identifiable information should be on a strict need-to-know basis: Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 - Everyone with access to patient-identifiable information should be aware of their responsibilities: Action should be taken to ensure that those handling patient-identifiable information—both clinical and non-clinical staff—are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 - Understand and comply with the law: Every use of patient-identifiable information must be lawful. Someone in each organisation handling patient-identifiable information should be responsible for ensuring that the organisation complies with legal requirements.

To help in remembering these principles, the mnemonic FIONA C can be used:

  • Formal justification of purpose
  • Information transferred only when absolutely necessary
  • Only the minimum required
  • Need to know access controls
  • All to understand their responsibilities
  • Comply with and understand the law
