Information governance

This page explains what information governance means in practice, why it matters for innovators, and what is required to access NHS data. This will help answer questions such as:

  • What is information governance in the NHS?
  • Who are the main roles involved in information governance?
  • What is a data controller?
  • What is a data processor?
  • What information governance requirements may be needed when an innovation uses personal or NHS data?
  • When are GDPR, DPIAs, DSAs, DPAs, the DSPT, and clinical safety standards required?
  • How long do information governance requirements typically take to complete?
  • What practical steps can help shorten information governance timelines?

What is information governance?

In the NHS, information governance involves rules, policies, standards, and processes to ensure that data is handled safely, legally, and effectively. Having information governance in place ensures that patient safety and quality of care is maintained, avoids legal issues, and can support research and innovation. Information governance is not just a tick box exercise, it can directly affect how an innovation is adopted, scaled, and trusted.

What are the roles required in information governance?

There are typically three main roles within information governance:

Placeholder Image

Data subject

The individual the data refers to. For example, this can be patients in a hospital or a user of a health app.

 

 

Placeholder Image

Data controller

Decide how and why data is collected. This organisation has overall legal responsibility for UK GDPR compliance. For example, this could be a digital innovation organisation deciding how patient data is used within their app. Two or more organisations can become joint controllers.

Placeholder Image

Data processor

This organisation processes personal data on behalf of a data controller, using their instructions. For example, this could be an organisation conducting an evaluation using the data controller’s app data.

 

What information governance requirements does my innovation need?

If an innovation uses personal data or data from the NHS, several information governance requirements may be needed. This section outlines the main requirements when accessing data:

How long do information governance requirements take to complete?

There is no fixed timeline for completing information governance requirements, and this varies depending on several factors, such as the number of parties involved in a processing activity. In practice, information governance requirements can usually take around three to six months.

How can I shorten information governance timelines?

Preparing to complete information governance requirements is key. From our experience, the below factors can help to speed up the process:

Placeholder Image

Early NHS clinical or organisational sponsorship

Having a named champion staff member inside a site before formal submission of information governance documents can reduce delays as they can help to

navigate internal approvals.

Placeholder Image

Fast, structured responses during review cycles

Prompt responses to IG, security, or legal queries can significantly compress the timeline.

Placeholder Image

Avoiding ambiguity in data flows and purpose

Unclear explanations of “what data, why, and where it goes” is one of the biggest causes of repeated review cycles. Ensure to explain the purpose and how data

will be collected clearly.

Placeholder Image

Clear, minimal data approach

The less patient-identifiable data you process, or the more anonymised/pseudonymised it is, the fewer governance hurdles and escalations are required.

Want to speak to an information governance specialist within our team?

Contact us