Information governance guidance

Information Governance Framework: Shared Care Records

The Information Governance Framework for Integrated Health and Care: Part 1 - Shared Care Records has been developed to provide a structured approach to ensure Shared Care Records meet their legal obligations.

Use and share information with confidence

This guidance will support you to use and share information with confidence when caring for patients and service users.

Using video conferencing and consultation tools

This guidance sets out how video conferencing and consultation tools can be used safely and securely.

Information sharing in Multidisciplinary Teams (MDTs)

A MDT is a group of health and care staff from different organisations and professions that together make decisions regarding the treatment of individual patients and service users. There are some IG considerations when working as part of an MDT.

Sharing information with the voluntary sector

This guidance provides information to health and care organisations on how information about patients and service users can be shared safely with the voluntary sector

Use of mobile devices by patients in hospitals

This guidance provides advice for patients using mobile devices such as phones, tablets and cameras in acute hospitals.

Access to patient records through the NHS App

The NHS App is changing to make it easier for patients to read new entries in their GP record. This guidance covers the key things that patients, GPs and IG professionals should know.

Sharing information with unpaid carers

This guidance aims to advise those being cared for, carers and health and care professionals about how to share confidential information about an individual to support their care.

Integrated care systems (ICSs), integrated care boards (ICBs) and integrated care partnerships (ICPs) - a quick guide

Advice for information governance professionals on sharing information between organisations within different collaborative systems, as well as determining controllership arrangements.

Universal information governance templates

NHS England has produced a suite of universal IG templates to support the lawful use of data within health and care.

HIV and Sexually Transmitted Infections (STIs)

A guide to how HIV and STI information is kept confidential, used and shared.

A just culture guide for information governance and cyber security

This guidance supports organisations to understand and embed a just culture in their information governance (IG) and cyber security risk management work, taking a compassionate approach to and learning from any data incidents.

Child Protection Information Sharing (CP-IS) system template DPIA

This data protection impact assessment (DPIA) template is for professionals in health and care organisations who are responsible for managing their organisation’s access to and use of the Child Protection Information Sharing (CP-IS) system.

Personal data breaches and related incidents

This guidance provides advice to patients and service users on what a personal data breach is and to help health and care organisations deal with personal data breaches.

Records Management Code of Practice

The Records Management Code of Practice sets out how records relating to health and care should be managed.

Sharing information with the police

This guidance is about disclosure of information by health and care organisations to the police.

What is and isn’t direct marketing?

The ICO has produced wider guidance on direct marketing for the public sector. This guidance, produced by the panel, specifically considers the rules on direct marketing in the context of health and care communications.

Bring your own device (BYOD) guidance

BYOD is a service offered by organisations to their employees to enable them to use their own devices for work, such as mobile phones, laptops and tablets. This guidance focuses on the IG considerations.

Subject Access Requests

This guidance will help you understand what a Subject Access Request is and how they are responded to.

Consent and confidential patient information

This guidance is about consent and what it means when sharing Confidential Patient Information.

Caldicott principles

Eight principles to ensure people's information is kept confidential and used appropriately.

Amending patient and service user records

This guidance provides advice on patients and service users requesting changes to their health and care records. It also covers how staff should amend records.

Access to the health and care records of deceased people

This guidance provides advice on access to health and care records following the death of an individual.

Preparing for the UK COVID-19 Inquiry

This guidance does not constitute legal advice. It is for each individual organisation to ensure they are appropriately prepared to respond to any request from the inquiry and seek independent legal advice where required.

Information sharing in social care

This guidance will support adult social care professionals with their legal duty to share information to support individual care.

Inquiries, reviews, investigations and court orders in health and social care services

This guidance is aimed at providing health and care services with IG advice on how to deal with requests for records from statutory public enquiries, non-statutory public enquiries, and courts.

Requesting information from a public body: freedom of information

The Freedom of Information Act (FOIA) allows people to request any recorded information held by a public body. This guidance is to help health and care organisations deal with Freedom of Information (FOI) requests.

Freedom to Speak Up

This guidance helps patients and staff of NHS organisations understand the Freedom to Speak Up (FTSU) process, and FTSU guardians and information governance professionals to manage information raised in a safe and appropriate way.

Sharing information during major incidents and emergencies

This guidance provides advice to patients and service users on how information may be shared in emergencies and also provides advice to health and care organisations of considerations that need to be made when sharing information during major incidents and emergencies.

Information risk and impacts to individuals following personal data breaches

This guidance provides detailed information on the potential negative impacts or risks associated with the breach of certain types of information and actions that may need to be taken.

Sharing information relating to Infected Blood Compensation Authority claims

This guidance provides advice on information sharing with the Infected Blood Compensation Authority (IBCA) to support claims from those who have been impacted.

Information sharing with the Department for Work and Pensions (DWP)

This guidance provides advice on information sharing with the Department for Work and Pensions (DWP) to support the assessment of benefits claims.

O365 migration DPIA templates

These data protection impact assessment (DPIA) templates are for project leads and IG professionals in health and care organisations who are involved in managing and supporting Microsoft Office 365 (O365) data transfers.

Cyber incident IG checklist and template notification letter

NHS England has produced two templates for information governance (IG) professionals in health and care organisations to use when managing and supporting a cyber incident.

Subject Access Request (SAR) form

This form can be used by patients and service users to make a SAR to a health or care organisation.

Using information for reflective practice

This guidance provides advice on how patients’ and service users’ information should be used for reflective practice.

OpenSAFELY DPIA templates

Data protection impact assessment (DPIA) templates for GP practices to use as controllers of the GP datasets used by the OpenSAFELY services.

Information sharing between private healthcare services and NHS England

Guidance about NHS England requesting information from private health and care organisations and services to meet its legal obligations.

Texting, emailing and messaging patients and service users

This guidance covers information governance (IG) topics you need to think about when sending or receiving messages about health and care services by text, email or other types of messaging.

Personal health budget holders: data protection advice

Data protection advice for personal health budget holders who employ a personal assistant.

Identifying controllers and processors in health and care

Guidance to help IG professionals identify whether health and care organisations are acting as a controller, joint controller or processor in relation to processing of personal data.

Virtual wards

Virtual wards support people, who would otherwise be in hospital, to receive the care and treatment they need in their own home or usual place of residence. Virtual wards are suitable for a range of conditions that can be safely and effectively monitored at home including respiratory conditions, heart failure and COVID-19.

Artificial Intelligence

This guidance focuses on the IG implications of using AI in health and care settings, and should help support the lawful and safe use of data for AI innovations.

Legal requirements for using health and care data in data-driven technologies

This guidance gives an overview of the legal requirements for using health and care data in the development and deployment of data-driven technologies.

Accessing health and care data for research on data-driven technology

This guidance gives a step-by-step overview of the process for accessing health and social care data for research of data-driven technologies.

Using AI-enabled ambient scribing products in health and care settings

Information governance guidance on the use of AI-enabled ambient scribing products in health and care settings

Microsoft 365 Copilot

This guidance sets out the IG implications of using Microsoft 365 Copilot in health and care settings.

UK GDPR guidance for researchers and study coordinators

This operational guidance has been produced by the Health Research Authority for researchers and study coordinators on the implications of the UK GDPR for the delivery of research in the UK.

Guidance for CAG Applicants

Detailed guidance from the Health Research Authority on submitting an application to Confidentiality Advisory Group (CAG) for both research and non-research purposes.

Information governance in local quality improvement

This guide by Healthcare Quality Improvement Partnership (HQIP), describes how information governance (IG) laws and principles apply to the use of personal data in multi-agency healthcare quality improvement studies.