This site is intended for health professionals only

Chapter 6: Barriers and best practice around information governance

Chapter 6: Barriers and best practice around information governance
By Kathy Oxtoby
14 December 2023


The Rise of the Machines
AI, digital and data in healthcare
Read chapter

about AI, digital and data in healthcare

Chapter 1
Introduction and survey
Read chapter

about Introduction and survey

Chapter 2
The potential and pitfalls of AI in healthcare
Read chapter

about The potential and pitfalls of AI in healthcare

Chapter 3
Navigating the crowded digital products market
Read chapter

about Navigating the crowded digital products market

Chapter 4
Experts from Microsoft, BT and Manchester share AI insights
Read chapter

about Experts from Microsoft, BT and Manchester share AI insights

Chapter 5
Seeking better outcomes through data
Read chapter

about Seeking better outcomes through data

Chapter 6
Barriers and best practice around information governance
Read chapter

about Barriers and best practice around information governance

During the pandemic, patient data was shared more freely in the fight against Covid. Post pandemic, there’s a return to a more cautious climate, with some suggesting information governance is holding back the integration of health and social care. Kathy Oxtoby reports.

Sharing data for public health, planning, and research purposes was critical during the pandemic. So much was achieved – for example, data sharing helped to identify the needs of the most vulnerable, protecting millions of people at high risk of complications from Covid. Health data research enabled the assessment of the impact of new treatments – the RECOVERY Trial gave the UK, and the world, reliable evidence about which treatments saved lives and improved outcomes. And patient histories were used to prioritise those most in need of early vaccination. Ultimately, countless lives were saved.

But this greater sharing of data was only temporary – made possible by emergency measures triggered in March 2020 by the then health secretary Matt Hancock, to ‘manage and mitigate the spread and impact of the current outbreak of Covid-19’. 

The health secretary issued four notices under the Health Service (Control of Patient Information) Regulations 2002 (COPI), requiring NHS Digital, NHS England and Improvement, health organisations, arm’s length bodies, local authorities, and GPs to process confidential patient information for Covid-19 purposes.

After two years and three extensions, the final COPI notice expired in July 2022.

During those two years, legislative provision made under the COPI notices enabled organisations to share patient information more freely for specific purposes relating to Covid-19. This resulted in a greater understanding of the pandemic, and also inspired innovative approaches to improving population health and wellbeing.

Covid, COPI, and information governance

When the pandemic hit and COPI notices were issued, the fundamental principles of information governance in healthcare remained intact. Information governance is about ‘the systems, policies and procedures we put in place to ensure the security, privacy and confidentiality of patient data,’ says Professor Edward Kunonga, director of transformation and population health management, NECS – a care system support organisation. He is also the director of population health management at NHS North East and North Cumbria Integrated Care Board.

Information governance is also about ‘our use of data for direct delivery of care and decision making complies with the different guidelines and legal duties we have as organisations’, he says.

‘We did not relax the rigour of our information governance arrangements during the pandemic,’ says Professor Kunonga. ‘We still worked to the same principles. We respected the sensitive nature of individuals’ data, and ensured that data was handled very carefully, used lawfully and in a way that was proportionate to the individual and public health challenge as a result of Covid-19. It was important that remained clear and transparent about how data was being used.’

However, he says ‘there was a greater focus during the pandemic on ensuring that we used the data we held to drive decision making around protecting the public’s health’. ‘Greater use of data enabled us to link data sets and to begin to understand what was happening across a range of different parts of the system. This enabled rapid decision making in the best interest of both individual and population health. All of this was done in line with information governance frameworks and principles,’ he says.

The fight against Covid meant there was also a change of pace and a sense of urgency.

Dr Sarah Whiteman, chief medical director and Caldicott Guardian at NHS Bedfordshire, Luton and Milton Keynes ICB, and a Milton-Keynes based GP, says that during the pandemic, information was shared between healthcare organisations – for example primary care, community health care organisations, acute trusts and local authorities. She says ‘there wasn’t a relaxation of information governance’, but that people were ‘more tuned in to the need to make decisions more quickly, and efficiently’.

‘Processes for decision making around information governance were more streamlined. The aim was clear about what we were trying to do with a single issue – Covid-19 – what patient data was useful to share, and why, and for what purpose,’ she says.

John Farenden, former programme director for NHS England’s Shared Care Records Programme, says that during the pandemic one of the projects he worked on involved changing the opt-in model of data sharing of additional information within the Summary Care Record an opt-out model.

‘This change increased the volume of information being accessible to clinicians some 16-fold with some remarkable behavioural changes,’ he says.

‘Previously health and care professionals had tended not to look at this information resource because more often than not if didn’t have the detail they needed.

‘Suddenly – when it was expanded in scope with additional Information – then usage shot up. It sounds so obvious, but it clearly shows that when information is seen to be of value and can be readily accessed, then people will use it,’ he says.

Some GP practices used the ability to have greater access to data during the pandemic to help protect and support their local populations. Dr David Attwood, is a GP partner at Pathfields Medical Group in Plymouth, and associate medical director of Livewell Southwest, and chair of the Healthy Aging Programme Board, Plymouth and West Devon. He explains that early on in the pandemic the GP practice tracked ‘all our older people with a diagnosis of frailty, who were also vulnerable and housebound, and sent this information to the local social prescribers’.  ‘Every single housebound person got a phone call to ask how they were getting food, were they warm, comfortable, and was there anything we could do to help,’ says Dr Attwood.

Greater data sharing during Covid: benefits and risks

So much good came out of the greater sharing of data during the pandemic. ‘We were able to talk about people, cohorts of patients and population groups, their level of risk and vulnerability and ensured a coordinated response. And we were able to start bringing together the pieces of the complex jigsaw for individuals and populations to get a better picture of the issues, as well as monitor the impact of the actions being put in place,’ says Professor Kunonga.

Chris Carrigan is expert data adviser for use MY data, an independent movement of patients, relatives and carers focussed on the use of patient data to save lives and improve outcomes. He says during the pandemic, ‘the appetite to use data was enhanced, and it became a supportive, rather than a very risk adverse environment for data sharing.’

But this climate of greater data sharing during Covid was not without its risks. For example, in 2020 The Guardian reported that the Department of Health and Social Care (DHSC) had admitted after a legal challenge that ‘the UK government broke the law in rolling out its test-and-trace programme without a full assessment of the privacy implications’. The Guardian revealed that the programme had ‘led to three data breaches involving email mishaps and unredacted personal information being shared in training materials’.

The end of COPI and the start of ICSs

When the legal provisions of the COPI notices expired ‘we had to reset back to February 2020’, says Farenden. ‘While many of the changes have been retained there has been some evidence of a step back, and we have seen some organisations reverting to a more cautious position,’ he says.

For healthcare organisations the withdrawal of COPI notices offered an opportunity to reflect on, learn lessons from, and re-think how they could use and share their data, and a chance to embrace collaboration. The end of the notices also happened to coincide the legal establishment of Integrated Care Systems (ICSs) – organisations which are founded on principles of collaboration and integration in health and social care.

So, the environment was potentially ripe for change – for integrated care boards (ICBs) to introduce and develop innovative ways of looking at sharing data to benefit the health of different patient populations.

ICBs and data sharing: a varied picture

However, the picture of how individual ICSs are storing, using, and sharing patient data varies greatly.

‘With almost all areas, ICSs are at different stages of development, and some have had the benefit of much longer term partnership arrangements,’ says Sarah Walter, director of the NHS Confederation’s ICS Network. ‘And some have had greater investment in digital and data infrastructure, both across systems and individual partner organisations,’ she says.

‘There’s variation across the 42 ICSs – they are all on different parts of the journey to have more connected data,’ says Dr Pritesh Mistry, policy fellow at The King’s Fund. ‘In general, there’s a lot of siloed information, and fragmentation of systems and data across the NHS.

‘Historically, technology has been purchased by organisations at different time frames and with different decisions in mind, which means that the systems are not connected up very well, and the data that they hold will be quite different. The data that a hospital holds may be different to what a GP holds for example. Different data may be held by different organisations with different access rights. It’s very complex,’ says Dr Mistry.

Shared care records

The government has taken steps to standardise how ICSs share information. In 2022, the Department of Health and Social Care (DHSC) set a new target for each ICS to set up a ‘shared care record’ accessible by health and adult social care providers by 2024. DHSC says all ICSs now have a basic shared care record in place, and it published the Information Governance Framework for Integrated Health and Care: Shared Care Records to support local implementation.

Dr Mistry says the move was ‘an attempt to make data sharing more acceptable and established’. ‘However, it’s not as simple as that. While each ICS has a shared record, the information that’s contained in that record depends on which organisations are putting information in there. So that depends on the information governance agreements that are in place, and the digital capabilities that organisations have.’

ICBs: data sharing and innovation

Some ICBs – and their predecessors – were already “ahead of the game” when it comes to being able to share data that benefits individual patients, and patient populations.

Stephen Slough, chief digital information officer, NHS Dorset ICB, says because of work carried out in Dorset several years before the pandemic, the ICB has data sharing agreements in place between all of the NHS organisations in the county, its local authorities and GP practices. He explains the ICB shares data onto a single longitudinal care record – the Dorset Care Record (DCR) – which is a full record of patients’ health and social care from all partner agencies in the county.

The ICB also has a separate collaborative platform in place called the Dorset Intelligence and Insight Service (DiiS), which is a pseudonymised analytics platform, which has role-based access control. ‘It allows us to run and deliver population health management across all of the care settings, and with some of the data from local authorities too,’ says Mr Slough.

By putting together local authority and health data, the ICB has created ‘a much richer view of the homeless population in Dorset’, says Mr Slough. ‘If they’re registered with a GP we know where they are, what health conditions they have, their long term conditions and needs. We’re working with local authorities to target programmes to support them and to get them back into employment,’ says Mr Slough.

NHS Bedfordshire, Luton and Milton Keynes ICB is piloting a system that will allow data to be shared during major incidents. Dr Whiteman explains that the MIDI (major incident data information) project means that if there is a major incident such as a fire, the ICB will be able to target those patients known to be at greater risk, such as housebound patients, to make sure resources are sent to them to ensure their safety.

Mark Thomas, chief digital and information officer for the ICB, says it is also using population health management data for proactive falls management, to make early interventions to help prevent deterioration in people’s health.

Asim Patel, chief digital officer at NHS Lancashire and South Cumbria ICB says that there are ‘some great examples of joint working across Lancashire and South Cumbria where social care and healthcare staff come together with a collective aim to help support those people that do not need to be admitted to hospital and to help people quickly back to their preferred place of residence’.

Do health records need to be shared for an integrated NHS?

To have an integrated NHS, health records need to be shared, some health data experts believe. David Sgorbati is chief analyst, the Health Economics Unit, Midlands and Lancashire Commissioning Support Unit. He says: ‘We cannot have integrated care without integrated care records. To achieve good population health management we need to work together. We cannot work together if we’re not all looking at the same information.’

Cassie Smith, head of Legal, Trust and Ethics, Health Data Research UK (HDR UK), says ‘bringing together the different sources of data about a person’s health –  for example, GP records, hospital records, and other data – and analysing that data, can lead to huge improvements in planning, and have the potential to reduce waiting times and deliver other efficiencies –  provided this is done in a trustworthy way’. 

Laura Ellis, director of corporate affairs, NHS West Yorkshire ICB, says that in the context of integrated healthcare within the NHS, ‘the sharing of health records is essential’. ‘People often expect and rely on this sharing when it pertains to their health and care,’ she says.

But there are also risks associated with sharing health records. Sam Smith, coordinator at medConfidential, an independent non-partisan organisation, which works towards confidentiality and consent in health and social care, says there is the risk that comes from what the data is actually going to be used for – and that it may be used for different purposes to the ones people were told.

And Smith of HDR UK, says if there is ‘poor communication about how data is protected, or a lack of transparency, and public misunderstanding, this can result in members of the public opting out of the use of their data for research, and that can lead to data sets not being representative of the population’.

Information governance as a barrier

Some health data experts believe that information governance is actually holding back the integration of health and social care.

‘Information governance has a very important place,’ says Mr Sgorbati. ‘But as it is set up now, information governance is more frequently a barrier than it is a help.’

‘Information governance should be there to help us to make critical decisions – not just to say “no” and to block us,’ he says. ‘Currently the information governance framework needs to be reviewed – it is not fit for purpose’, and there is ‘inconsistent interpretation of the framework across the country’, he says. 

Dr Murray Ellender, chief executive and co-founder of e-Consult and a GP in London, says an issue with information governance is that concerns about how data is shared means the ‘default is not to share it’. ‘This is holding back the digitisation that’s required of health and social care,’ he says.

Dr Ellender says information governance needs to change, ‘but that doesn’t mean we should get rid of the rules – it means we need to have really clear and consistent rules and standards’.  And he would like those standards to come from NHS England.

Whatever is on people’s wish list for information governance, its very nature means change is guaranteed.  ‘Information governance constantly changes – it has changed since it was first created,’ says Smith.

Information governance is not the only potential barrier holding back integrated health and social care.  Mistry says it’s ‘not just the information governance or technology that blocks information sharing – if staff don’t trust how information will be used, then they won’t share it’.

He says that for information to be used, ‘there needs to be changes to workflow processes, skills, and capacity’. ‘And ICBs need to be able to support staff to come together to build collaboration and links across organisations, and to build how they’re going to work with information to improve care services,’ says Dr Mistry.

And it’s not only about building trusted relationships among staff. ‘A key element to all of this is public trust and confidence,’ says Mr Farenden. ‘And along with trust is transparency. Taking the time to explain and allow people to make well informed decisions,’ he says.

Trusted research environments

One way of building this public trust is through Trusted Research Environments (TREs). This approach is recommended in Better, broader, safer: using health data for research and analysis, Professor Ben Goldacre’s independent review for the government on how to improve safety and security in the use of health data for research and analysis.

Published in 2022, the report describes a TRE as ‘a secure environment that researchers enter in order to work on the data remotely, rather than downloading it onto their own local machine’. The report sets out the benefits of TREs, which include the replacement of ‘hundreds of dispersed analytic siloes, data centres and working practices with a small number of broadly standardised environments that facilitate the use of modern, efficient approaches to data science’.

According to the report, by providing a more secure mechanism for data access, ‘TREs can help decision-makers feel more confident about permitting users to access data’, and, crucially, TREs would earn public trust, with evaluations showing the public supports them.

The report recommends all analysis of NHS patient records should move to be done in a TRE, which will ‘allow more users to access NHS data while preserving patient privacy. It will reduce duplication of risk, work, and cost.’

Ms Smith of HDR UK, says this approach provides ‘an opportunity to review information governance processes and offer improved safeguards, because the data is not disseminated and stays within the TRE’. TREs are also ‘an important enabler of good governance’, she says.

Slough would like NHS England to ‘set out expectations on what ICBs should be doing, some guidelines on how that could be achieved, and then to let people get on with delivery’. 

As for information governance, he believes: ‘You need to have people who understand the rules and regulations deeply – who can say: “You can’t do it that way, but we could do it this way”, and that keeps the data safe, and keeps people legally safe, but it makes the important work of delivering healthcare possible.’ 

A change in mindset

Information governance remains ‘a key requirement and a key ingredient to having effective population health management’, says Professor Kunonga. ‘It allows us to have confidence and assurance of data security, privacy, confidentiality, and safety to reassure members of the public that their data is safe and being handled sensitively.

‘But what we need is more a change in mindset, and to look at information governance as an enabler – rather than as a reason why we shouldn’t share data and information.’

During the pandemic he says information governance was used as an enabler – and that lessons can be learned from this. ‘The pandemic helped us to test out the art of the possible and the power of data to inform the critical actions that saved lives. There is a lot that we learnt in the pandemic that we should build on for the post-pandemic healthcare and public health challenges. We shouldn’t waste that.’

Openness, transparency and building public trust will be key to encouraging greater sharing of population health data in the future.

Carrigan says that when looking at population health data, ‘it’s most important that we’re clear about what we’re trying to do, how we are going to do it, and how we can involve patients and the public in oversight of it.’ However, he says this should involve ‘explaining what the benefits are – not just the risks’. ‘It’s about: “say what you do, and do what say”.’

Ultimately, ‘sharing data can save lives’, says Sgorbati. ‘We talk a lot about population health management and wider determinants of health, but none of that is possible without good integrated datasets. Information governance is necessary, and patients have the right to know we are using their data ethically and legally. But we need to always balance risks with the potential benefits, and ensure our processes support our objectives rather than hinder them.’

Creating a Secure Data Environment for London

Trusted research environments (TREs) are a specific sub-set of Secure Data Environments (SDEs), which are designed to support access to data for analysts who are undertaking research.

Philippa Kirkpatrick, chief information officer, NHS South East London ICB, says as a part of the “OneLondon” collaboration, the ICS has committed to contribute to the creation of an SDE for London, with uses that include research and development.

‘The OneLondon work has received funding from NHS England’s Data for R&D programme to make this happen. This builds on previous funding the city has received as part of the Local Health and Care Record Exemplar programme and HDR UK’s Health Research Hubs,’ she says.

‘Our current plans build on foundations we’ve had in place across London over several years, and are informed by the in-depth public deliberations we have held. Our aim is to expand beyond local R&D environments to cover the full city with a population. This would establish one of the most powerful planning and research assets in the world. This could help to attract more clinical trials to London, so that Londoners can benefit from novel treatments sooner. And it will help us more effectively track the real-world effectiveness of products and pathways so that we understand the impact of innovations on patient outcomes and overall system value,’ she says.


Want news like this straight to your inbox?

Related articles