Information Governance

April 25, 2014

What is IG?

Information Governance, or IG as it is commonly known, is a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. Key areas are information policy for health and social care, IG standards for systems and development of guidance for NHS and partner organisations.

Key areas

Six key areas of IG are:

  • Confidentiality – Standards of practice for confidentiality and patient consent to information sharing.
  • IG Toolkit – Information Governance standards and guidance for the NHS and partner organisations.
  • Information Governance Statement of Compliance – Updated IG requirements for organisations accessing NHS digital services, including N3.
  • Information Security – The technical assurance of the safeguards protecting patient data, through clear guidelines.
  • Looking after your health and care information – Protecting your personal confidential information is central to all that we do, so we treat it with the greatest care and respect.
  • NHS Codes of Practice and legal obligations – For confidentiality, information security management and NHS records management.


Organisations that handle confidential health and social care information have to ensure that it is held securely and shared appropriately. Health and social care is being transformed so that every patient can have greater control of their own care. At the same time, the growth of internet use, social media and electronic information systems has produced a swell of information. It is therefore more important than ever to protect confidential information: healthcare professionals and patients should be able to feel confident about the security and appropriateness of how information is stored, handled and shared.

IG Toolkit

The IG Toolkit is an online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. It also allows members of the public to view participating organisations’ IG Toolkit assessments.

The Information Governance Statement of Compliance (IGSoC)

The Information Governance Statement of Compliance (IGSoC) is the process by which organisations enter into an agreement with the Health and Social Care Information Centre (HSCIC) for access to the NHS National Network (N3). The process includes elements that set out the terms and conditions for use of HSCIC systems and services, including the N3, in order to preserve the integrity of those systems and services.

The steps in the IGSoC process set out a range of security related requirements which must be satisfied in order for an organisation to be able to provide assurances in respect of safeguarding the N3 network and information assets that may be accessed.

Information Security

The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive of our data is patient record information.

In practice, this is applied through three cornerstones – confidentiality, integrity and availability:

  • Information must be secured against unauthorised access – confidentiality
  • Information must be safeguarded against unauthorised modification – integrity
  • Information must be accessible to authorised users at times when they require it – availability

Information Governance exists to ensure these principles are upheld by setting clear guidelines (policy) for all NHS users. Just as importantly, Information Governance maintains and updates the contractual controls that protect patient, system and employee information. Without those contractual controls the NHS would have no basis on which to enforce, through legal action under human rights, data protection or other regulation, the levels of protection we all work so hard to maintain.

Looking after your care and health information

Patient information is often moved around electronically to ensure health and care professionals can get to it when they need it. HSCIC controls many of the systems that allow this to happen. Important information is also sent securely to HSCIC from wherever patients receive care, which allows activities such as healthcare planning, medical research and clinical audit to be carried out. This is different from using information to support patient care directly.

From autumn 2014 there are still plans for HSCIC to collect data from GP records for purposes other than direct care. This would be linked to data already collected from hospitals, with the stated aim of giving a more rounded picture of care and treatment. This data sharing was postponed from spring 2014 and it remains to be seen whether it will actually go ahead.

NHS Codes of Practice and Legal Obligations

The ‘Confidentiality: NHS Code of Practice’ sets out the required standards of practice concerning confidentiality and patients’ consent to use their health records. It is a guide for those who work within or under contract to NHS organisations and is based on legal requirements and best practice.

The ‘Information Security Management: NHS Code of Practice’ is a guide to the methods and required standards of practice in the management of information security, for those who work within or under contract to, or in business partnership with, NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice. This Code of Practice replaces HSG 1996/15 – NHS Information Management and Technology Security Manual, and provides a key component of information governance arrangements for the NHS. It is part of an evolving information security management framework, because the risk factors, standards and practice covered by the Code will change over time. The guidelines contained within the Code of Practice apply to NHS information assets of all types.

The ‘Records Management: NHS Code of Practice’ was published on 5 April 2006. It sets out the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice. Part 2 of the Code, which contains guidance on retention schedules, was revised in 2008 in light of guidance received from the NHS and professional best practice. It sets out the minimum periods for which the various records created within the NHS, or by predecessor bodies, should be retained, either because of their ongoing administrative value or as a result of statutory requirement.

There are a range of complex legal and professional obligations that limit, prohibit or set conditions in respect of the management, use and disclosure of information and, similarly, a range of statutes that permit or require information to be used or disclosed. NHS Information Governance – Guidance on Legal and Professional Obligations is best practice guidance, which outlines the likely impact of these provisions primarily to NHS information but also includes some social care requirements. It will be of particular use to those working within the Information Governance field. Where necessary, organisations should obtain professional legal advice.

The Caldicott Principles

The Caldicott Report (December 1997) set in motion a process of continuous improvement in medical confidentiality within the National Health Service, including the organisations now comprising the Health Protection Agency (HPA). In accordance with the guidance laid out in the report, the HPA has appointed a Caldicott Guardian and Security of Information Officers (SIOs), whose function is to ensure that data handling complies with the recommendations of the Caldicott Committee, subsequent guidance and the requirements of the Data Protection Act. These requirements especially affect data containing personal identifiable information (PII).

The principles in the Caldicott Report are summarised below:

  1. Justify the purpose(s) for using patient data.
  2. Don’t use patient-identifiable information unless it is absolutely necessary.
  3. Use the minimum necessary patient-identifiable information.
  4. Access to patient-identifiable information should be on a strict need to know basis.
  5. Everyone should be aware of their responsibilities to maintain confidentiality.
  6. Understand and comply with the law, in particular the Data Protection Act.

The QCS Information Governance Policy and Procedure provides information for safeguards and appropriate use of patient and personal information.
Further reading

  • Health and Social Care Information Centre (HSCIC) – Information Governance
  • NHS Information Governance – Guidance on Legal and Professional Obligations
  • Quick reference to Caldicott and the Data Protection Act 1998 Principles

Alison Lowerson, GP Specialist