This page explains what information governance means in practice, why it matters for innovators, and what is required to access NHS data. This will help answer questions such as:
- What is information governance in the NHS?
- Who are the main roles involved in information governance?
- What is a data controller?
- What is a data processor?
- What information governance requirements may be needed when an innovation uses personal or NHS data?
- When are GDPR, DPIAs, DSAs, DPAs, the DSPT, and clinical safety standards required?
- How long do information governance requirements typically take to complete?
- What practical steps can help shorten information governance timelines?
What is information governance?
In the NHS, information governance involves rules, policies, standards, and processes to ensure that data is handled safely, legally, and effectively. Having information governance in place ensures that patient safety and quality of care is maintained, avoids legal issues, and can support research and innovation. Information governance is not just a tick box exercise, it can directly affect how an innovation is adopted, scaled, and trusted.
What are the roles required in information governance?
There are typically three main roles within information governance:
Data subject
The individual the data refers to. For example, this can be patients in a hospital or a user of a health app.
Data controller
Decide how and why data is collected. This organisation has overall legal responsibility for UK GDPR compliance. For example, this could be a digital innovation organisation deciding how patient data is used within their app. Two or more organisations can become joint controllers.
Data processor
This organisation processes personal data on behalf of a data controller, using their instructions. For example, this could be an organisation conducting an evaluation using the data controller’s app data.
What information governance requirements does my innovation need?
If an innovation uses personal data or data from the NHS, several information governance requirements may be needed. This section outlines the main requirements when accessing data:
| Requirement | What it is | When it is required |
| UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018) | Overarching legal framework for handling personal data. | All uses of personal data need to conform to this legal framework. |
| Data Protection Impact Assessment (DPIA) | An assessment of processing activities, used to establish a lawful basis for processing and ensures any associated risks can be effectively mitigated. | When processing personal data such as patient data or where a high-risk processing activity may lead to reidentification. |
| Data Sharing Agreement (DSA) | An agreement between parties establishing roles, processes, and responsibilities to support the sharing of data. | When sharing data between organisations. |
| Data Processing Agreement (DPA) | A contract between a data controller and a data processor, confirming the roles and responsibilities regarding a processing activity | When a third-party processes data on behalf of an NHS organisation, particularly where no other contractual agreement exists between relevant parties. |
| Data Security and Protection Toolkit (DSPT) | An initial self-assessment of data security and governance measures to meet the standards set by NHS Digital. | Any organisation accessing NHS patient data or systems. |
| Clinical safety standards | NHS clinical standards ensuring digital tools are safe. | If an innovation impacts clinical decisions or patient safety |
How long do information governance requirements take to complete?
There is no fixed timeline for completing information governance requirements, and this varies depending on several factors, such as the number of parties involved in a processing activity. In practice, information governance requirements can usually take around three to six months.
How can I shorten information governance timelines?
Preparing to complete information governance requirements is key. From our experience, the below factors can help to speed up the process:
Early NHS clinical or organisational sponsorship
Having a named champion staff member inside a site before formal submission of information governance documents can reduce delays as they can help to
navigate internal approvals.
Fast, structured responses during review cycles
Prompt responses to IG, security, or legal queries can significantly compress the timeline.
Avoiding ambiguity in data flows and purpose
Unclear explanations of “what data, why, and where it goes” is one of the biggest causes of repeated review cycles. Ensure to explain the purpose and how data
will be collected clearly.
Clear, minimal data approach
The less patient-identifiable data you process, or the more anonymised/pseudonymised it is, the fewer governance hurdles and escalations are required.
Establishing information governance requirements is not a tick-box exercise: it plays a critical role in patient safety, avoids legal issues, and enables innovations to be adopted appropriately. Planning early, being clear about the use of data use, and understanding roles and requirements can significantly reduce delays in fulfilling information governance requirements.