Information Governance (IG) is the framework for handling information in a secure and confidential manner that allows organisations and individuals to manage patient, personal and sensitive information legally, securely, efficiently and effectively in order to deliver the best possible healthcare and services.
IG applies to, and impacts on, everyone working for, or on behalf of, the NHS. Additionally, everyone working in the NHS has a legal duty to keep information about others secure and confidential.
IG is concerned with the standards that should apply when information is processed. Information processing has five broad aspects that encompass how information is obtained, recorded, held, used and shared. Therefore it is of paramount importance that the Trust ensures that all information is:
- Held safely and confidentially
- Obtained fairly and effectively
- Recorded accurately and reliably
- Used effectively and ethically
- Shared appropriately and lawfully
It brings together all of the legal requirements, standards and best practice (including policies and procedures, management and reporting arrangements, processes and controls, and training) that apply to the handling of patient, personal and sensitive information, including but not limited to:
- Access to Health Records Act
- Caldicott Principles
- Code of Practice on confidential information
- Common Law Duty of Confidentiality
- Computer Misuse Act
- Confidentiality: NHS Code of Practice
- Data Protection legislation - UK Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR)
- Data Security and Protection Toolkit (DSPT)
- Freedom of Information Act
- Information Security Management: NHS Code of Practice
- Network and Information Systems (NIS) Regulations 2018
- Records Management Code of Practice for Health and Social Care 2016
The Trust collects, stores and uses large amounts of personal confidential data every day, such as care records, personnel records and computerised information. This data is used by many people in the course of their work. IG allows the Trust to demonstrate to the public that it takes its responsibilities to safeguard information seriously. It also aims to protect patient information and confidentiality, and to protect the Trust and its staff.
Our privacy notices, available on our website, inform patients, the general public and staff why we collect personal information about them, how and when we use it and with whom we may be required to disclose and share it.
If someone requires a hard copy of any privacy notice then these can be printed out and sent to the individual.
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whatever format and medium it is held in. At Trust Board level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.
Our Senior Information Risk Owner is John McLuckie, Chief Finance Officer, whilst our Caldicott Guardian is Tessa Myatt, Medical Director. Both these roles are supported by the Data Protection Officer (DPO) (Jeanie Hedley, Head of Information Governance) and the Information Governance Team.
All staff are personally responsible for ensuring that information they collect and use is handled, stored, processed, transferred and transported securely and confidentially at all times.
If you require further advice on IG issues and you cannot find the information on the IG Section on StaffZone, please initially contact IG Team.
In Mersey Care, the Senior Information Risk Owner is Neil Smith, Executive Director of Finance / Deputy Chief Executive, whilst the Caldicott Guardian is Noir Thomas, Executive Medical Director. The joint Senior Information Risk Owner / Information Governance Committee monitors compliance with the IG framework. The Committee meets bi-monthly, and reports to the Executive Committee, and membership is comprised of:
- Caldicott Guardian
- Senior Information Risk Owner
- Chief Clinical Information Officer
- Head of Information Governance
- Senior Nurse Management representative
- Information Security Manager
- Adverse Incident Manager
- Nominated representatives from corporate and clinical specialties
Where necessary, other attendees are also invited and attend as and when specfic issues arise.
Compliance with the national Information Governance (IG) framework and agenda is measured and monitored through the Data Security and Protection Toolkit (DSPT), to which the Trust makes regular submissions each year.
The Trust's submissions are published and publicly available on the DSPT website.
The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
The Information Commissioner's Office (ICO) is the independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.
They regulate, enforce and oversee the Data Protection legislation, the Freedom of Information Act, the Environmental Information Regulations, and the Privacy and Electronic Communications Regulations.
They have the power to impose sanctions, including monetary penalties up to £17million (or 4% of worldwide global annual turnover), on data controllers (whether they be organisations or individuals) for serious and/or deliberate breaches of the Data Protection legislation that are likely to cause substantial damage or substantial distress.
Further information on their role is available from their website.