Information governance is about using patient information safely, lawfully, and appropriately. In general practice, this means ensuring that data is:
- kept secure and confidential
- accurate and up to date
- used only for valid purposes
It matters because:
- patient care depends on reliable, accessible information
- trust is central to the GP–patient relationship
- there are legal duties under UK GDPR and common law confidentiality
Example: a patient’s record should only be accessed by staff involved in their care, and any sharing with other services should be justified and documented.
Good IG also supports wider system working, such as shared care records, while protecting patients from inappropriate use of their data.
A DPIA is required when a new activity is likely to pose a high risk to individuals’ rights or privacy.
- introducing a new digital tool or system
- sharing identifiable data with other organisations
- using data in new or innovative ways
You should complete a DPIA early, during planning, before any data is used or shared.
Even where it is not strictly required, it is considered good practice whenever handling sensitive data such as patient records.
Example: If your practice is adopting an online consultation platform that stores patient data externally, a DPIA helps you identify risks and put controls in place before going live.
Treat the DPIA as a live document and update it if the project changes.
A DPISA combines a DPIA with an information-sharing assessment. It is often used for projects involving multiple organisations.
In practice, it helps you:
- assess risks of data sharing
- clarify roles and responsibilities
- document legal and operational arrangements
This is particularly useful for:
- shared care records
- PCN or ICB-led services
- digital platforms used across organisations
Example: If your practice contributes to a shared care record, a DPISA may be used to assess both the data protection risks and the sharing arrangements between partners.
The key principle remains the same as a DPIA, identifying and mitigating risks before implementation.
A Data Sharing Agreement sets out how data will be shared between organisations.
You should have a DSA when:
- personal data is shared between separate organisations
- there is a regular or systematic data flow
A good DSA should include:
- purpose of sharing
- legal basis
- roles of each organisation
- security arrangements
Example: If your practice shares patient information with a community provider for a service, the DSA clarifies what data is shared and why.
DSAs support accountability and help ensure everyone understands their responsibilities.
The Caldicott Principles guide how confidential patient information should be used and shared.
Key principles include:
- justify the purpose for using data
- use only what is necessary
- share on a need-to-know basis
- ensure accountability
In practice, this means:
- not sharing more information than needed
- ensuring only relevant staff can access records
- documenting decisions about data use
Example: When referring a patient, include only the information required for that referral, not the full record unless necessary.
Your practice’s Caldicott Guardian can support decisions where there is uncertainty.
Understanding this distinction is essential.
- Controller: decides why and how data is used · Processor: processes data on behalf of the controller [ico.org.uk]
In general practice:
- the GP practice is usually the data controller for patient records
- IT system suppliers are typically processors
Controllers are responsible for compliance, including ensuring appropriate agreements are in place. [digital.nhs.uk]
Example: Your clinical system provider stores patient data, but your practice decides how and why it is used, so you remain the controller.
Some arrangements may involve joint controllers, particularly in integrated care settings.
Before implementing any digital tool, you should:
- complete a DPIA
- confirm data controller/processor roles
- ensure a contract or agreement is in place
- assess clinical safety requirements (see CSO section below)
Example risks to consider:
- inappropriate access to records
- data stored outside the UK
- unclear responsibilities for incidents
Good governance means understanding both data protection and clinical safety risks before deployment.
A Clinical Safety Officer (CSO) is a registered clinician responsible for overseeing clinical risk in digital systems.
Under NHS standards (DCB0160 and DCB0129):
- a CSO must be appointed when deploying or developing health IT systems
- they lead clinical risk management processes
- they ensure risks are identified and mitigated
In general practice, this applies to:
- online consultation tools
- prescribing systems
- patient-facing apps
Example: If introducing a triage system, the CSO ensures the system does not create unsafe clinical risks, such as missed urgent cases.
If your practice lacks in-house expertise, support can often be sourced through your PCN or ICB.
These are national clinical safety standards for digital systems.
- DCB0129 – applies to manufacturers of health IT
- DCB0160 – applies to organisations deploying the system
In general practice, DCB0160 is the most relevant.
Key requirements include:
- assessing clinical risk before use
- maintaining a hazard log
- appointing a CSO
Example: A system may be safe in one practice but unsafe in another due to workflow differences, so local assessment is essential.
These standards are not just technical requirements, they are about protecting patient safety.
In most cases, yes.
For direct care, information can usually be shared on the basis of:
- implied consent
- legal duties to provide safe care
This applies when:
- sharing with other healthcare providers involved in the patient’s care
- the patient would reasonably expect the sharing
However, you should:
- be transparent with patients
- respect objections where appropriate
- only share what is necessary
Example: Sharing information with a district nurse for a patient’s ongoing care is usually appropriate.
Different rules apply for non-direct care uses, such as research or commissioning.
For purposes beyond individual care, such as:
- planning
- research
- service improvement
you need a clear legal basis and often additional safeguards.
This may include:
- explicit consent
- anonymisation or pseudonymisation
- specific legal permissions
Example: Using patient data for research may require ethical approval and additional governance processes.
These uses should be clearly separated from direct care activities and documented.
As a data controller, your practice must be able to demonstrate compliance.
This includes maintaining:
- DPIAs and risk assessments
- data sharing agreements
- records of processing activities
- staff training records
You should also:
- ensure policies are up to date
- provide IG training for all staff
- regularly review access controls
Example: If challenged or audited, your practice should be able to show how decisions about data use were made and documented.
Good record keeping is not just administrative, it is central to accountability and patient trust.