Information Governance Policy / Procedure

Approved by: Dr A Larkin
Date approved: 11.05.2022
Last Review Date: 11.05.2022
Next Review date: 11.05.2024 or as needed
Target audience: All health care staff working in The Alexandra Practice, including locums, placements and agency staff

Validity statement

Only the electronic copy of this document is guaranteed to be the currently valid version. Downloaded versions must be regularly checked for validity; this is the responsibility of the individual user.

Policy amendments

Amendments to the Policy will be made from time to time and the most recent version is classed as in force at any given time.

To be read in conjunction with:

  • GDPR Policy
  • Records Keeping & Storage Policy
  • Confidentiality Policy / Consent Policy / SCR Policy
  • Clear Desk Clear screen Policy
  • Plus all information contained with the GDPR / Information Governance folder

Policy Statement and Purpose

The purpose of the Information Governance Policy is to provide a clear understanding of the practice’s position with regard to Information Governance.

Scope of the policy

This policy applies to all employees and associated healthcare providers of The Alexandra Practice without discrimination to any group. All employees will be treated in a fair and equitable manner, recognising any special needs of individuals where adjustments may need to be made. Everyone involved in the process is entitled to be treated calmly and with respect. Any form of discrimination, inequality, victimisation, harassment or bullying resulting from the implementation of this policy will be dealt with as misconduct under the disciplinary procedure.


3.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

3.2 It is of paramount importance to ensure that information is effectively and efficiently managed, and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.

3.3 The policy is intended to be fully consistent and compatible with the policies and practices throughout the NHS for Information Governance and is developed to achieve compliance to the Care Quality Commission Outcomes.


4.1 Breach of Confidentiality: A breach of confidentiality is the unauthorised disclosure of personal information provided in confidence.

4.2 Confidential / Personal and sensitive Information: Confidential / Personal and sensitive information can be anything that relates to patients, staff or any other information (such as contracts, tenders etc) held in any form (such as paper or other forms like electronic, microfilm, audio or video) howsoever stored (such as patient records, paper diaries, computer or on portable devices such as laptops, PDAs, mobile telephones) or even passed by word of mouth. Person identifiable information is anything that contains the means to identify an individual.

4.3 Disclosure: This is the divulging or provision of access to data.

4.4 Patient identifiable Information: Key identifiable information includes:

  • Patient’s name, address, full post code, date of birth;
  • Pictures, photographs, videos, audio-tapes or other images of patients;
  • NHS number and local patient identifiable codes;
  • Anything else that may be used to identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified
  • Any information which if pieced together can be used to identify a patient / data subject

4.5 Public Interest: Exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader societal interest. Decisions about the public interest are complex and must take account of both the potential harm that disclosure may cause and the interest of society in the continued provision of confidential health services.

4.6 Sensitive Data: Data held about an individual which contains both personal and sensitive information. There are only seven types of information detailed in the Data Protection Act 1998 that are deemed as sensitive:

  • Racial or ethnic origin;
  • Religious or other beliefs;
  • Political opinions;
  • Trade union membership;
  • Physical or mental health;
  • Sexual life; and
  • Criminal proceedings or convictions


5.1 Caldicott Guardian: The Alexandra Practice’s Caldicott Guardian, Dr S Campbell, has overall responsibility for reflecting patients’ interests regarding the use of patient identifiable information. The Caldicott Guardian is responsible for ensuring patient identifiable information is shared in an appropriate and secure manner.

5.2 Senior Information Risk Officer (SIRO): Our SIRO is Dr A Larkin and he is responsible for ensuring information security including Risk Assessment, data mapping and adherence to data protection procedures, and our responsibilities as data controllers under the law and GDPR 2018.

5.3 Information Governance Lead: The Information Governance Lead is the Practice Manager who is responsible for ensuring that this policy is implemented, including any supporting guidance and training deemed necessary to support the implementation and monitoring in this respect.

5.4 Data Processors: All Staff: All employees including anyone working on behalf of The Alexandra Practice, involved in the receipt, handling, processing or communication of all data but especially personal identifiable / sensitive information are classed as data processors and have legal responsibilities under GDPR and the current UK Data Protection Act. All data processors must adhere to this policy, our GDPR policy and all information governance procedures to support the legal responsibilities of The Alexandra Practice and themselves. Everyone has a duty to respect a data subject’s legal rights and protection of confidentiality.

5.5 Data Protection Officer: Shavarnah Purves 0161 765 4428

Responsibilities of The Alexandra Practice

6.1 All information used in the NHS is subject to handling by individuals and it is necessary for these individuals to be clear about their responsibilities and for the practice to provide and support appropriate education and training. Individuals’ responsibilities are as outlined above.

6.2 The Alexandra Practice must ensure legal requirements are met.

6.3 The Alexandra Practice must make arrangements to meet the performance assessment requirements of the Department of Health Information Governance Data Security Toolkit.

6.4 To manage its obligations, The Alexandra Practice will issue and support standards, policies and procedures ensuring information is held, obtained, recorded, used and shared correctly.

6.5 The Alexandra Practice will continue to report on the management of information risks and details of data loss and confidentiality breach incidents via the IG Toolkit and internal audit.

Responsibilities of Users

  All data processors must:

  • Be aware of their responsibilities, both legal and other, and that failure to comply may result in disciplinary action
  • Comply with policies and procedures issued by the Practice, and be aware that failure to comply may result in disciplinary action

  • Work within the principles outlined within the GDPR 2018, the current UK Data Protection Act and associated NHS working ethics such as the common law duty of confidentiality
  • Undertake annual Information Governance training
  • The Data Security Lead will ensure that all IT accounts are disabled when any staff member is no longer working at the Practice or no longer requires access
  • There is no generic access at the Practice. Each user has password protected individual access to allow for audit and governance at all times
  • All data processors are advised that usage and access to records will be monitored for audit and governance purposes

Information Governance Aims

   The Alexandra Practice’s Information Governance aims are to:

  • Hold information securely and confidentially;
  • Obtain information fairly and efficiently;
  • Record information accurately and reliably;
  • Use information effectively and ethically;
  • Share information appropriately and lawfully; and
  • Encourage best practice
  • Adhere to current UK and EU Laws as outlined above
  • Ensure all staff are aware of their roles and responsibilities

Information Governance Principles

The Alexandra Practice recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. We fully support the principles of corporate governance and recognise our public accountability. Equally, The Practice places importance on the confidentiality of, and the security arrangements to safeguard, both personal and sensitive information about patients and staff plus commercially sensitive information.

Data Protection

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: A) at least one of the conditions in the following schedule is met and B) in the case of sensitive personal data, at least one of the conditions in the following schedule is also met.

  • Personal data shall be retained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes
  • Personal data shall be processed in accordance with the rights of data subjects under GDPR and the current UK Data Protection Act
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data


  • Workers must not under any circumstances disclose patient or employee information to anyone outside the Practice, except to other health professionals on a need-to-know and lawful basis, or where the patient has provided written explicit consent (in the case of competency queries, decision-making responsibility lies with the Caldicott Guardian or, if absent, the patient’s regular GP)
  • All information about patients is confidential: from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the Practice
  • Workers must not under any circumstances disclose confidential information about the Practice to anyone unless for a lawful reason and never outside the Practice unless with the express consent of the Practice Manager
  • Workers should limit any discussion about confidential information only to those who need to know within the Practice and out of earshot of anyone else including visitors and patients
  • The duty of confidentiality is owed to all persons irrespective of age
  • Workers must be aware of and conform to the requirements of the Caldicott recommendations and the Practice Information Governance procedures
  • All patients can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required by law e.g. threat of serious harm or danger to public)
  • Electronic transfer of any confidential information, once approved by the Caldicott Guardian, must be transmitted via the secure email. Workers must take particular care that confidential information is not transmitted in error by email
  • Data Processors must only transmit data to a secure or approved email address – in the case of patient email addresses, the patient must provide photo ID when submitting this and sign our forms
  • Data Processors must not take data from the Practice’s computer systems (e.g. on a memory stick or removable drive) off the premises under any circumstances unless it is absolutely necessary during a disaster and the use of the Business Continuity plan is in place
  • Data Processors who suspect a breach of confidentiality must inform the Practice Manager immediately and no later than 24 hours
  • Any breach of confidentiality may be considered as a serious disciplinary offence and may lead to dismissal
  • Data Processors remain bound by the requirement to keep information confidential even if they are no longer employed at the Practice. Any breach, or suspected breach, of confidentiality after the worker has left the Practice’s employment will be passed to the Police for investigation

Data Sharing

Routine Data Sharing is the sharing of data between different health organisations and public health organisations, such as referrals to secondary care, Community Nurses or Podiatry.

The Practice also shares data as required by statute for the purpose of healthcare planning, public health awareness and national NHS England data extractions. These are pseudonymised data extracts.

Patients also have the option of a summary care record as per below.

If patients wish to opt out of any data sharing for healthcare, there is an online system and this will be done by patients themselves (see privacy notice). There is also a type one opt out for GP Practices. The details for this are in the IG folder / Shared drive. We can no longer opt out patients from research in General Practice.

Freedom of Information

  • Non-confidential information about The Alexandra Practice and its services will be available to the public when requested
  • The Alexandra Practice will adhere to and ensure compliance with the Freedom of Information Act
  • Patients have ready access to information relating to their own health care, their options for treatment and their rights as patients; this is not classed as FOI information
  • The Alexandra Practice has clear procedures and arrangements for liaison with the media as outlined within the Employee Handbook
  • The Alexandra Practice will handle FOI queries from patients and the public in line with current law and in a timely manner
  • Staff should direct FOI requests to the Practice Manager

Summary Care Records

A Summary Care Record is an electronic record which contains information about the medicines patients take, their main health problems (e.g. COPD), allergies they suffer from and any bad reactions to medicines they have had. Having this information stored in one place makes it easier for healthcare staff to treat them in an emergency, or when the GP Practice is closed.

Admin staff have clear guidance and procedures for what actions to take when patients request to opt out of or into SCR; this is usually at the point of registration.

Legal Compliance

  • The Alexandra Practice will undertake or commission annual assessments and audits of its compliance with legal requirements
  • The Alexandra Practice holds data mapping, an asset register including risk assessment, and data protection impact assessment (DPIA) records for all data processing and storage
  • The Alexandra Practice regards all identifiable information relating to patients and staff as confidential
  • The Alexandra Practice will ensure compliance with GDPR, the current UK Data Protection Act, Human Rights Act, the common law duty of confidence and the Confidentiality NHS Code of Practice via training, policies and staff meetings.

Records Management

  • The Alexandra Practice has established and will maintain policies and procedures for the effective management of records
  • The Alexandra Practice promotes records management through policies, procedures and training
  • All data processors are expected to ensure effective records management in line with Practice training and policy
  • All data processors are expected to adhere to the Records Management Code of Practice for Health and Social Care 2016 and associated retention periods as the standard for records management (shared drive: Legacy, Information Governance & GDPR plus GP Net)


All data processors at The Alexandra Practice are provided with appropriate training on Information Governance and all areas associated with this, e.g. GDPR, and role-based further training such as Caldicott Guardian. All data processors are expected to complete training annually, and this also forms part of the annual appraisal where appropriate.


  • Information Governance Folder GDPR Policy
  • Consent Policy
  • Confidentiality Policy
  • Freedom of Information Guidance
  • Summary Care Records Policy

(shared drive: Legacy, Information Governance & GDPR)

Date published: 21st November, 2022
Date last updated: 21st November, 2022