Information Governance

Understanding and Applying Good Practice

Understanding and applying good practice in Information Governance (IG) is not easy. On one hand there is a business need to use information to improve performance; on the other, a wide range of legal and professional obligations limit, prohibit and set conditions on the management, use and disclosure of information. Adding to the mix, a wide range of statutes permit or require information to be used or disclosed.

Information governance encompasses far more than traditional records management. It incorporates information security and protection, compliance, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance. All of this makes for a complex and confusing set of rules that are far from easy to understand and follow.

This workshop strips away the complexity and focuses on a range of core principles that will allow participants and their organisations to understand and apply good “IG” practice in an effective manner.

For Whom
This workshop is for operational managers, HR specialists and all those involved with handling and managing sensitive personal data. It is especially relevant to organisations operating within the Health and Education Sectors or those providing services to organisations in these sectors.

Delegates considering this workshop should be aware that we also offer a range of workshops on “Data Protection”, “GDPR”, “PECR” and “Privacy Impact Assessments” which in some cases might be more appropriate.

Aims and Objectives
To enable participants to better understand:

  • The legislation regarding Data Protection and Information Governance, including
    • GDPR (General Data Protection Regulation)
    • PECR (Privacy and Electronic Communications Regulations)
    • The pending ePrivacy regulations
    • Malicious Communications Act
    • Misuse of Computers Act
  • The Information Commissioner’s Office (ICO)
  • The scrutiny frameworks that are appropriate to your sector, for example:
    • Caldicott
    • Ofsted
    • CQC
  • Good practice in handling sensitive information safely
  • Cyber security issues in the workplace
  • Issues, risks and responsibilities for the use of social media at work
  • How to keep information safe in practice
  • How to use essential information governance training resources in an engaging and meaningful way

The workshop provides plenty of opportunity to discuss and clarify specific issues and concerns participants may have. Content can, if needed, be tailored to the development of in-house policies and procedures and/or cascading the same to staff.


1.0 Understanding the General Principles

1.1 The GDPR

  • The Data Protection Act and Data Security
  • The 6 principles of the Data Protection Act and Links to other Legislation
  • Defining what is meant by “personal data”
  • Defining and exploring the key roles
  • Defining “processing” and “fair processing”
  • Sensitive data and the different considerations that need addressing
  • Data security issues – organisational & technical
  • Securing and Evidencing Consent
  • Individual rights and responsibilities
  • Current Sanctions, Fines and Penalties

1.2 Other Legislation

  • PECR and ePrivacy
  • Malicious Communications Act
  • Misuse of Computers Act

2.0 The Information Commissioner
The six information governance aims recommended by the Information Commissioner

  1. Policy
    Implementing information governance policies which are embedded in the day-to-day operations of the organisation and which are compliant with relevant legislation, standards and codes of practice and demonstrate good practice.
  2. Awareness
    A high level of staff and supplier awareness of information governance policy and processes to help achieve compliance and to reduce the risk of non-compliance through human error.
  3. Monitoring and assurance
    Processes in place to check whether information governance policy is being implemented and to measure the effectiveness of the control environment.
  4. Records and information management
    Effective processes are in place to manage records and information.
  5. Information security
    Implement information security policies which take account of legislative requirements and the codes of connection the organisation is subject to, but which are appropriate, proportionate, measured and part of business as usual.
  6. Collection and use of personal information
    Personal information received or obtained is managed and used responsibly, securely and fairly.

3.0 Sector Specific Frameworks
Section 3 explores the information governance requirements that your organisation may be subject to under sector-specific frameworks, policies and reports such as Caldicott, Ofsted and CQC.
As an example, we outline below what we may cover when considering the Caldicott report.

The Caldicott Report – To Share or Not to Share*
Caldicott produced seven guiding principles on information governance in health and social care. These reflected and built upon the foregoing six points.
The 7 principles from the Caldicott report are highly relevant to all organisations that handle or process personal data and sensitive personal data on individuals. These 7 principles are:

  1. Justify the purpose(s) – Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
  2. Don’t use personal confidential data unless it is absolutely necessary.
  3. Use the minimum necessary personal confidential data.
  4. Access to personal confidential data should be on a strict need-to-know basis.
  5. Everyone with access to personal confidential data should be aware of their responsibilities.
  6. Comply with the law.
  7. The duty to share information – this can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles.

4.0 Applying the General Principles
This session will form the majority of the course: a tutor-led discussion on and around the general principles above and how they apply to participants and their organisations in the following contexts:

  • People’s right to access information about themselves
  • Direct care of individuals
  • Personal data breaches
  • Information governance and the law
  • Research and Commissioning arrangements
  • Public health, Education and training, Children and families
  • New and emerging technologies
  • Data management, system regulation and leadership

5.0 External Resources and Information
The 5th session provides advice and guidance on sources of additional information and considers where and when taking specific legal advice might be appropriate.

  • Health and Social Care Information Centre
  • Other sources of information and support
  • Legal advice when and where it may be needed

6.0 The Parking Bay, Other Issues Arising, What Next
Session 6 provides time for final questions and an opportunity to revisit questions and issues that remain outstanding, prior to a closing discussion on and around what participants need to do to apply or implement good practice better on their return to work.

The Caldicott Report – To Share or Not to Share

The Caldicott review was commissioned in 1997 by the Chief Medical Officer of England, “owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service, and its capacity to disseminate information about patients rapidly and extensively”.

A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December 1997. The Caldicott Report highlighted six key principles and made 16 specific recommendations. In 2012 Dame Caldicott produced a follow-up report which made 26 further recommendations, including the addition of a seventh principle which is included in the list above.
