Information Governance

The legal framework governing the use of personal and confidential data in health and social care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, and current data protection legislation: the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), in force since 1 January 2021. The Data Protection Act 2018 supplements the UK GDPR and incorporates much of it into domestic law.

Data Protection, the DPA and the UK GDPR

Since April 2018, the Data Security and Protection Toolkit (DSP Toolkit) has formed part of the framework for assuring that organisations are implementing the National Data Guardian's ten data security standards, and are therefore meeting their statutory obligations on data protection and data security.

The ten data security standards detailed in the National Data Guardian's 2017/18 report apply to all health and care organisations. All staff are required to complete Data Security and Protection Training on arrival at the Trust and annually thereafter through a rolling programme.

When considering data security as part of the well-led element of their inspections, the Care Quality Commission (CQC) will look at how organisations are assuring themselves that the steps set out in this document are being taken. More information on the CQC inspection frameworks is published by the CQC.

NHS Providers

Organisations contracted to provide services under the NHS Standard Contract (NHS providers) must comply with the requirements set out in this document, as part of the data security and protection requirements set out in that contract.

Privacy Notices

It is the Trust's intention to provide clear, understandable Privacy Notices (PNs) on its website and in all of our main patient waiting areas.

Generally speaking, people within the healthcare system using data for secondary purposes must only use data that do not identify individual patients unless they have the consent of the patient themselves.

UK GDPR Article 9(2)(h) provides the condition for processing special category (health) data that enables appropriate sharing of information in health and social care settings:

"processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9 paragraph 3"

National Data opt-out Programme (NDOP)

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out of the use of their confidential patient information for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

Patients can view or change their national data opt-out choice at any time by using the NHS online service or by calling 0300 303 5678.

Responsibility for the safe and effective management of the Trust's information systems rests with three senior roles:

  • Caldicott Guardian
  • Senior Information Risk Owner (SIRO), and
  • Data Protection Officer (DPO). Our DPO is Roy Underwood; email –

The Caldicott Guardian for our Trust is the Trust Medical Director.

The Caldicott Guardian’s position:

  • Is advisory
  • Is the conscience of the organisation
  • Provides a focal point for patient confidentiality and information sharing issues
  • Is concerned with the management of patient information

Guardians have a strategic role, developing security and confidentiality policies, representing confidentiality requirements and issues at Board level, advising on annual improvement plans, and agreeing and presenting annual outcome reports.

Local issues regarding the release of information will inevitably arise. They should always be referred to the Caldicott Guardian, or their deputy, the Head of Information Governance, for resolution.

The Senior Information Risk Owner (SIRO) for our Trust is the Chief Information Officer.

The SIRO’s position:

  • Is accountable
  • Fosters a culture for protecting and using data
  • Provides a focal point for managing information risks and incidents
  • Is concerned with the management of all information assets

The Head of Information Governance acts as:

  • the Data Protection Officer
  • the Deputy SIRO, and
  • the Assistant to the Caldicott Guardian and Clinical Safety Officer

These roles are supported by the Trust Information Governance Group.
