
Date published: 1 November 2023. Date last updated: 16 August 2024.

Information governance and data protection

Version 1.0 3 July 2023


Information governance

Being able to access patient data promptly in primary care allows us to work efficiently and provide a high standard of care. In certain circumstances, primary care data can also be used to guide both population health management and clinical research. It is, therefore, vital to ensure that patient information is used appropriately and processed and stored in a secure manner.

Information governance provides a framework to help us use information in a legal and ethical way, ensuring that data is:

Importantly, information governance also helps patients understand clearly and transparently what their data is used for, why it is used, and how it is used.

The best place to find in-depth, practical guidance relating to information governance is the NHS Transformation Directorate website. You can find up-to-date information relating to topics such as access to records through the NHS app, and sharing information with the police. These should be used to supplement the other subjects covered in these guidelines.

Data protection policies

Your organisation should have data protection policies in place. As a minimum, your policies should cover:

These should be reviewed at regular intervals and be available to staff and the general public. For more information, please see the governance section of the Data Security and Protection Toolkit guidance.

Staff awareness

All staff (including new starters, locums, temporary staff, students, volunteers and staff contracted to work in the organisation) that have access to personal data must complete an appropriate data security and protection induction and training. They must also be aware of any data protection policies which they must follow relating to their role.

Routine topics for primary care

Email and text message communications

When using emails and text messages to communicate with patients, such as for appointments or reminders, you should ensure that information is used and shared safely.

For information on what you need to make clear to patients when using text or email messaging systems, as well as patient preferences, confidentiality and recording information, please see the NHS Transformation Directorate guidance on email and text message communications.

Video conferencing

You should have a policy and processes in place for conducting video conferencing calls, whether they occur between staff members or between clinicians and patients.

For information on using video conferencing tools securely, protecting patient confidentiality and making notes or recordings, please see the NHS Transformation Directorate guidance on using video conferencing and consultation tools. There is also another article in this series on Online and video consultations.

Remote working

It may be appropriate for staff members of primary care organisations to work from home on a part-time or full-time basis, provided they are able to fulfil their function.

For a brief summary of key things to consider for remote working including using your own device, security protocols, and accessing confidential patient information, please view ‘COVID-19 questions for health and care organisations’ on the NHS Transformation Directorate’s IG question time page. There is also another article in this series on Microsoft Teams and remote working.

Clinical images

During the COVID-19 pandemic, the Royal College of General Practitioners produced some key principles relating to receiving, storing and sending intimate clinical images. Although not all images will be considered ‘intimate’ by patients, these principles provide a good basis which can be applied more broadly when using clinical images.

Requests for information

In primary care, you are likely to receive various types of requests for information:

Personal data breaches

What is a personal data breach?

Your organisation is responsible for information security, and you are required by law to protect personal and confidential patient information.

Personal data breaches are rare, but there may be times when things go wrong. A personal data breach is an accidental or deliberate breach of security which leads to:

What to do if you think there has been a data breach

If you become aware of a personal data breach, you should follow your organisation’s procedure for reporting such an event. This will usually be via the incident reporting process in your organisation. If you are not sure what to do you should tell your data protection officer (DPO).

Breaches should be reported as soon as they become apparent. If you are not sure if a breach has occurred, you should still report it via your organisation’s incident reporting system.

For more information, please see the NHS Transformation Directorate guidance on personal data breaches.

Data Security and Protection Toolkit (DSPT)

Your organisation will need to allocate some time and resources to complete the DSPT each year. This is an online self-assessment tool that allows general practices and other organisations to measure their performance against the National Data Guardian’s 10 data security standards.

Completing the DSPT is a mandatory requirement to demonstrate that your organisation is practising good data security and handling personal data correctly. The Care Quality Commission (CQC) uses the DSPT to measure general practice performance against the National Data Guardian’s security standards.

Types of information

Personal data

Personal data is information that identifies a living individual, including staff, patients, family or friends, and members of the public. Data protection laws, including the UK General Data Protection Regulation (UK GDPR), apply to personal data.

Data protection laws do not apply to deceased people, but the common law duty of confidentiality does apply. For more information, please see NHS England’s Transformation Directorate guidance on access to the health and care records of deceased people.

Pseudonymised data

Pseudonymisation replaces the identifiers in a record so that an individual cannot be identified without the use of additional information (the key or lookup table linking the pseudonym back to the person). It is important to remember that pseudonymised data is still personal data, so it cannot be shared freely.

It could involve replacing an NHS number, a name or an address with a unique number or code (a pseudonym). For example, you could be working with other GP practices to identify patients in the area who would benefit from a new service. Other practices would not need to know the names of your patients so you could replace identifiers with a pseudonym for the discussion. It would be important that the information about which patient had been allocated which pseudonym was kept securely at your practice and not shared. Once it had been agreed which patients were suitable for the new service, only your practice would be able to re-identify these patients because you are directly involved in the patient’s care.

Anonymous data

Anonymous data is data that no longer identifies a person or people. Truly anonymised data is not considered personal data under the UK GDPR. This means it is not subject to the same restrictions as personal data. Anonymous data may be presented as general trends or statistics.
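To make the distinction between the two previous sections concrete, the following is an added example (written for this page, not NHS England code) that pseudonymises a small constructed extract the way the GP-practice scenario above describes, and separately anonymises it into aggregate statistics. The records, NHS numbers, names and postcodes are synthetic. Pseudonyms are derived with a keyed HMAC rather than a plain hash: an NHS number has only a 10-digit space, so an unkeyed hash of it could be reversed by enumerating every candidate, whereas with the key held only at the practice nobody else can recompute or reverse the mapping. The lookup table is what stays at the practice; only the `shareable` rows would go to the other practices.

```python
"""Pseudonymisation (reversible, still personal data) versus anonymisation
(aggregate statistics) of a small primary care extract.

Added example with constructed, synthetic records; not real patients and not
code from the NHS England guidance.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample extract. NHS numbers, names and postcodes are synthetic.
RECORDS = [
    {"nhs_number": "4010232137", "name": "Patient A", "postcode": "LS1 1AA",
     "age_band": "65-74", "condition": "diabetes"},
    {"nhs_number": "4010232145", "name": "Patient B", "postcode": "LS1 1AB",
     "age_band": "45-54", "condition": "asthma"},
    {"nhs_number": "4010232153", "name": "Patient C", "postcode": "LS2 2BB",
     "age_band": "65-74", "condition": "diabetes"},
    {"nhs_number": "4010232161", "name": "Patient D", "postcode": "LS2 2BC",
     "age_band": "75-84", "condition": "diabetes"},
    {"nhs_number": "4010232170", "name": "Patient E", "postcode": "LS3 3CC",
     "age_band": "35-44", "condition": "asthma"},
    {"nhs_number": "4010232188", "name": "Patient F", "postcode": "LS3 3CD",
     "age_band": "65-74", "condition": "diabetes"},
]

# Fields that directly identify a person and must not leave the practice.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "postcode")


def new_pseudonymisation_key() -> bytes:
    """Secret held only by the practice that owns the records."""
    return secrets.token_bytes(32)


def make_pseudonym(nhs_number: str, key: bytes) -> str:
    # Keyed HMAC-SHA256. A plain sha256(nhs_number) would not be a safe
    # pseudonym: the 10-digit NHS number space is small enough to enumerate,
    # so anyone holding the output could recover the input. With the key,
    # only the practice can recompute or reverse the mapping.
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (shareable_rows, lookup).

    shareable_rows carry a pseudonym plus the non-identifying fields and can
    go to the other practices; lookup maps pseudonym -> NHS number and stays
    at this practice, which is what keeps re-identification local.
    """
    shareable, lookup = [], {}
    for rec in records:
        pseud = make_pseudonym(rec["nhs_number"], key)
        lookup[pseud] = rec["nhs_number"]
        shareable.append({
            "pseudonym": pseud,
            **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS},
        })
    return shareable, lookup


def reidentify(pseudonym: str, lookup: dict) -> str:
    """Only possible with the practice-held lookup table."""
    return lookup[pseudonym]


def anonymise(records, min_cell: int = 3):
    """Aggregate counts per condition with small-number suppression.

    Cells below min_cell are reported as None so that a rare condition cannot
    single out one or two people; the result is statistics, not records.
    """
    counts = Counter(r["condition"] for r in records)
    return {cond: (n if n >= min_cell else None) for cond, n in counts.items()}


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    rows, table = pseudonymise(RECORDS, key)
    print("Shareable:", rows[0])
    print("Re-identified locally:", reidentify(rows[0]["pseudonym"], table))
    print("Anonymous statistics:", anonymise(RECORDS))
```

The suppression threshold in `anonymise` is an assumed value for the example; whatever threshold a practice uses, the point is that the aggregate output carries no pseudonym or identifier to reverse, which is what takes it outside the UK GDPR definition of personal data.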

Key IG roles

Caldicott Guardians

Your organisation needs to appoint a Caldicott Guardian. Caldicott Guardians are senior people within organisations that help ensure confidential information about patients is used ethically, legally, and appropriately.

Their responsibilities include:

If it is not proportionate or feasible to appoint a member of your own practice staff to the Caldicott Guardian role, your organisation may choose to share a Caldicott Guardian with its primary care network (PCN) or a group of GP practices.

Data protection officers (DPOs)

A DPO is an independent advisory role held by an expert in data protection, who advises you on how to comply with your data protection obligations.

A DPO’s duties include:

Specific arrangements for appointing a DPO can vary:

See the ICO website for more information about the role requirements and who to appoint.

The British Medical Association’s (BMA) website has guidance tailored to GP practices.

Legal and regulatory bases

Common law duty of confidentiality

Common law is a form of law based on previous court cases decided by judges. The common law duty of confidentiality says that information given in confidence about a person cannot be disclosed without that person’s consent.

When sharing confidential patient information for individual (direct) care, consent is generally implied and you do not need to explicitly ask the patient for it. When sharing confidential patient information for other purposes, for example research, you will generally need to obtain explicit consent from the patient.

You should not share confidential patient information (even for individual care) if you have reason to believe that a person has objected or would be likely to object to the information being shared. There are some exceptions to this, for example, where you have safeguarding concerns about a child.

UK General Data Protection Regulation (UK GDPR)

The UK GDPR sets out seven key rules called data protection principles. Health and care professionals must follow these strict principles:

  1. Lawfulness, fairness and transparency

There must be legal grounds for using and sharing information. People must be made aware of how their information is used and shared, for example in your practice’s privacy notice and on your notice board and website. You must use personal data in a way that is fair: for example, you must not mislead individuals or use data in a way they would not expect.

  2. Purpose limitation

You must be clear about why you are collecting information and can’t collect it for one thing but use it for something else. For example, you can’t tell people you are collecting their personal information for their care, and then use it for marketing.

  3. Data minimisation

You should only collect, use and share the information you need. For example, when sharing information with a colleague, you should share only the information they need to provide care.

  4. Accuracy

You should make sure that you keep factually accurate and up-to-date records.

  5. Storage limitation

You should only keep information for as long as it is necessary. NHS England has produced clear guidance about how long health and care records should be kept.

  6. Integrity and confidentiality (security)

You should ensure that information is used and shared securely. This includes ensuring that information is not lost, destroyed or damaged.

  7. Accountability

Your practice will need to demonstrate how you are complying with all these principles.

Caldicott Principles

The Caldicott Principles are designed to ensure people’s information is kept confidential and used appropriately. They align with data protection laws and will help guide you in how to use information.

  1. Justify the purpose(s) for using confidential information.
  2. Use confidential information only when it is necessary.
  3. Use the minimum necessary confidential information.
  4. Access to confidential information should be on a strict need-to-know basis.
  5. Everyone with access to confidential information should be aware of their responsibilities.
  6. Comply with the law.
  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality.
  8. Inform patients and service users about how their confidential information is used.

Other helpful resources

Please email the Good Practice Guidelines team here for more information on this subject.

This email address is not intended for use by members of the public, patients and their representatives who should instead contact the NHS England Customer Contact Centre – england.contactus@nhs.net

NHS colleagues and contractors should use this mailbox for queries relating to the management of the GPGv5 and should contact the relevant NHS England team or programme for further information on topic content.

Related GPG articles