Information governance and data protection

Version 1.0, 3 July 2023

This guidance is part of the Information governance and data protection section of the Good practice guidelines for GP electronic patient records.

Information governance

Being able to access patient data promptly in primary care allows us to work efficiently and provide a high standard of care. In certain circumstances, primary care data can also be used to guide both population health management and clinical research. It is, therefore, vital to ensure that patient information is used appropriately and processed and stored in a secure manner.

Information governance provides a framework to help us use information in a legal and ethical way, ensuring that data is:

  • safe and secure
  • available
  • up-to-date and accurate

Importantly, information governance also helps patients understand clearly and transparently what their data is used for, why it is used, and how it is used.

The best place to find in-depth, practical guidance relating to information governance is the NHS Transformation Directorate website. You can find up-to-date information relating to topics such as access to records through the NHS app, and sharing information with the police. These should be used to supplement the other subjects covered in these guidelines.

Data protection policies

Your organisation should have data protection policies in place. As a minimum, your policies should cover:

  • data protection and confidentiality, including data protection by design, data protection impact assessments, transparency and data subject rights
  • freedom of information (FoI)
  • records management
  • data quality
  • arrangements for staff who work from home, such as remote working policies, network access and video conferencing

These should be reviewed at regular intervals and be available to staff and the general public. For more information, please see the governance section of the Data Security and Protection Toolkit guidance.

Staff awareness

All staff (including new starters, locums, temporary staff, students, volunteers and staff contracted to work in the organisation) who have access to personal data must complete an appropriate data security and protection induction and training. They must also be aware of, and follow, any data protection policies that relate to their role.

For more information, please see the induction and mandatory training sections of the Data Security and Protection Toolkit guidance.

Routine topics for primary care

Email and text message communications

When using emails and text messages to communicate with patients, such as for appointments or reminders, you should ensure that information is used and shared safely.

For information on what you need to make clear to patients when using text or email messaging systems, as well as patient preferences, confidentiality and recording information, please see the NHS Transformation Directorate guidance on email and text message communications.

Video conferencing

You should have a policy and processes in place for conducting video conferencing calls, whether they occur between staff members or between clinicians and patients.

For information on using video conferencing tools securely, protecting patient confidentiality and making notes or recordings, please see the NHS Transformation Directorate guidance on using video conferencing and consultation tools. There is also another article in this series on Online and video consultations.

Remote working

It may be appropriate for staff members of primary care organisations to work from home on a part-time or full-time basis, provided they are able to fulfil their function.

For a brief summary of key things to consider for remote working including using your own device, security protocols, and accessing confidential patient information, please view ‘COVID-19 questions for health and care organisations’ on the NHS Transformation Directorate’s IG question time page. There is also another article in this series on Microsoft Teams and remote working.

Clinical images

During the COVID-19 pandemic, the Royal College of General Practitioners produced some key principles relating to receiving, storing and sending intimate clinical images. Although not all images will be considered ‘intimate’ by patients, these principles provide a good basis which can be applied more broadly when using clinical images.

Requests for information

In primary care, you are likely to receive various types of requests for information:

  • Subject access requests (SARs): Patients have the right to access and receive a copy of their personal data. There is another article in this series about subject access requests.
  • Freedom of information (FoI): You may receive requests for information from various sources. See the Information Commissioner’s Office (ICO) guide to FoI for doctors for more information.

Personal data breaches

What is a personal data breach?

Your organisation is responsible for information security, and you are required by law to protect personal and confidential patient information.

Personal data breaches are rare, but there may be times when things go wrong. A personal data breach is an accidental or deliberate breach of security which leads to:

  • loss or unlawful destruction of data
  • alteration of data
  • unauthorised disclosure
  • unauthorised access

What to do if you think there has been a data breach

If you become aware of a personal data breach, you should follow your organisation’s procedure for reporting such an event. This will usually be via the incident reporting process in your organisation. If you are not sure what to do, you should tell your data protection officer (DPO).

Breaches should be reported internally as soon as they become apparent. If you are not sure whether a breach has occurred, you should still report it via your organisation’s incident reporting system: a breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and within 72 hours of the organisation becoming aware of it, so internal reporting must not wait for certainty.

For more information, please see the NHS Transformation Directorate guidance on personal data breaches. 

Data Security and Protection Toolkit (DSPT) 

Your organisation will need to allocate some time and resources to complete the DSPT each year. This is an online self-assessment tool that allows general practices and other organisations to measure their performance against the National Data Guardian’s 10 data security standards.

Completing the DSPT is a mandatory requirement to demonstrate that your organisation is practising good data security and handling personal data correctly. The Care Quality Commission (CQC) uses the DSPT to measure general practice performance against the National Data Guardian’s security standards.

Types of information

Personal data

Personal data is information that identifies, or can be used to identify, a living individual, including staff, patients, family or friends, and members of the public. Data protection laws, including the UK General Data Protection Regulation (UK GDPR), apply to personal data.

Data protection laws do not apply to deceased people, but the common law duty of confidentiality does apply. For more information, please see NHS England’s Transformation Directorate guidance on access to the health and care records of deceased people.

Pseudonymised data

Pseudonymisation replaces identifiers so that an individual cannot be identified without additional information (such as the key or lookup table), which must be kept separately and protected. It is important to remember that pseudonymised data is still personal data, because the holder of that additional information can re-identify the individual, so it cannot be shared freely.

It could involve replacing an NHS number, a name or an address with a unique number or code (a pseudonym). For example, you could be working with other GP practices to identify patients in the area who would benefit from a new service.  Other practices would not need to know the names of your patients so you could replace identifiers with a pseudonym for the discussion. It would be important that the information about which patient had been allocated which pseudonym was kept securely at your practice and not shared. Once it had been agreed which patients were suitable for the new service, only your practice would be able to re-identify these patients because you are directly involved in the patient’s care.

Anonymous data

Anonymous data is data that no longer identifies a person or people, and from which individuals cannot reasonably be re-identified by any means likely to be used. Truly anonymised data is not considered personal data under the UK GDPR. This means it is not subject to the same restrictions as personal data. Anonymous data may be presented as general trends or statistics.

Key IG roles

Caldicott Guardians

Your organisation needs to appoint a Caldicott Guardian. Caldicott Guardians are senior people within organisations who help ensure that confidential information about patients is used ethically, legally and appropriately.

Their responsibilities include:

  • advising on disclosures of confidential information (particularly in situations of legal and/or ethical ambiguity)
  • being involved in addressing patient or service user complaints
  • reviewing and advising on data protection documentation
  • contributing to audits and helping to investigate data breaches

If it is not proportionate or feasible to appoint a member of your own practice staff to the Caldicott Guardian role, your organisation may choose to share a Caldicott Guardian with its primary care network (PCN) or a group of GP practices.

Data protection officers (DPOs)

A DPO is an independent advisory role held by an expert in data protection, who advises you on how to comply with your data protection obligations.

A DPO’s duties include:

  • monitoring your organisation’s compliance with data protection obligations
  • advising on specific data protection issues
  • assessing the risk attached to specific projects by overseeing data protection impact assessments (DPIAs)
  • being the designated ICO point of contact for your organisation

Specific arrangements for appointing a DPO can vary:

  • It is mandatory under UK GDPR for GP practices to appoint or designate a DPO, but they need not employ them directly.
  • Integrated care boards (ICBs) are required to provide a DPO service offering a named DPO to practices.
  • Individual practices are entitled to appoint an alternative DPO of their choice, although ICBs are not expected to fund this if a DPO function has already been offered.
  • Large practices and multi-practice groups are likely to have in-house DPOs, while smaller practices may prefer to designate external DPOs.

See the ICO website for more information about the role requirements and who to appoint.

The British Medical Association’s (BMA) website has guidance tailored to GP practices.

Common law duty of confidentiality

Common law is a form of law based on previous court cases decided by judges. The common law duty of confidentiality says that information given in confidence about a person cannot be disclosed without that person’s consent, unless there is another lawful justification such as a legal requirement or an overriding public interest.

Implied consent can be used:

  • when sharing relevant information with those who are directly involved in providing care services to a patient
  • for local clinical audit by staff who were involved in providing health and care services to a patient

In these cases, you do not need to explicitly ask the patient for consent. When sharing confidential patient information for other purposes, for example research, you will generally need to obtain explicit consent from the patient.

You should not share confidential patient information (even for individual care) if you have reason to believe that a person has objected or would be likely to object to the information being shared.  There are some exceptions to this, for example, where you have safeguarding concerns about a child.

For more information, please see the guidance on consent and confidential patient information, sharing information with confidence and the article in these Guidelines on consent to using and sharing patient information.

UK General Data Protection Regulation (UK GDPR)

The UK GDPR sets out seven key rules called data protection principles. Health and care professionals must follow these strict principles:

  1. Lawfulness, fairness and transparency

There must be legal grounds for using and sharing information. People must be made aware of how their information is used and shared, for example in your practice’s privacy notice and on your notice board and website. You must use personal data in a way that is fair: for example, you must not mislead individuals or use data in a way they would not expect.

  2. Purpose limitation

You must be clear about why you are collecting information and can’t collect it for one thing but use it for something else. For example, you can’t tell people you are collecting their personal information for their care, and then use it for marketing.

  3. Data minimisation

You should only collect, use and share the information you need. For example, when sharing information with a colleague, you should share only the information they need to provide care.

  4. Accuracy

You should make sure that you keep factually accurate and up-to-date records.

  5. Storage limitation

You should only keep information for as long as it is necessary. NHS England has produced clear guidance (the Records Management Code of Practice) about how long health and care records should be kept.

  6. Integrity and confidentiality (security)

You should ensure that information is used and shared securely. This includes ensuring that information is not lost, destroyed or damaged, and is protected against unauthorised access.

  7. Accountability

Your practice will need to demonstrate how you are complying with all these principles.

Caldicott Principles

The Caldicott Principles are designed to ensure people’s information is kept confidential and used appropriately.  They align with data protection laws and will help guide you in how to use information.

The eight principles are:

  1. Justify the purpose(s) for using confidential information.
  2. Use confidential information only when it is necessary.
  3. Use the minimum necessary confidential information.
  4. Access to confidential information should be on a strict need-to-know basis.
  5. Everyone with access to confidential information should be aware of their responsibilities.
  6. Comply with the law.
  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality.
  8. Inform patients and service users about how their confidential information is used.

Other helpful resources


Please email the Good Practice Guidelines team here for more information on this subject.

This email address is not intended for use by members of the public, patients and their representatives who should instead contact the NHS England Customer Contact Centre – england.contactus@nhs.net

NHS colleagues and contractors should use this mailbox for queries relating to the management of the GPGv5 and should contact the relevant NHS England team or programme for further information on topic content.