Standard 7: data and information

Standard statement

Clinical services store and share personal data appropriately and use safe, secure systems and tools. 

Rationale

Integrated and readily accessible healthcare records can reduce duplication of work, avoid unnecessary appointments, interventions or medication, support safe transfers of care (including between settings and providers) and improve people’s experience of the health and social care system. Compliance with information and data standards supports integration and development of digital systems to improve the quality and safety of clinical care. Access to personal health data can support people to better manage their own healthcare in line with what matters to them.62 This standard covers all forms of organisational and healthcare records including paper and digital.  

The collection, retention and sharing of information is governed by legislation and national guidance, including the UK General Data Protection Regulation (2021), the Data Protection Act (2018) and the Network and Information Systems Regulations (2018).63-65 All public sector organisations are required to ensure appropriate operational and technical protections are in place when they, or their suppliers, process and share personal data. This requires oversight and assurance to protect people’s right to privacy and safeguard their personal clinical data. The Public Records (Scotland) Act 2011 governs the use of records management plans and good records management.

Information collected for the provision of health and social care is governed by the eight Caldicott principles, which apply to the use of confidential information and to the sharing of such information with other organisations and between individuals, both for individual care and for other purposes. Consent should be obtained in line with national policies and procedures. Information should only be shared with consent and in line with legislation and national guidance, for example child and adult protection policies.66-69 In some circumstances, information can be shared without the person’s consent if this is deemed necessary to protect them, or other people, from harm.70-72

Data security guidelines require organisations to improve resilience against cyberattacks, data breaches and system errors.73, 74 Contingency plans reduce harm by ensuring essential networks and systems can continue operating during outages and security risks.  

A person-centred approach is essential to the development of safe, secure and ethical data systems and digital tools.65

Criteria

7.1

Organisations have systems and processes in place to ensure personal healthcare data or clinical information is: 

  • recorded accurately, consistently and timeously in clinical records, care plans and related documentation, including handover 
  • anonymised appropriately  
  • collected with appropriate consent, obtained in line with national policies and procedures 
  • shared with other services or organisations when it is in a person’s best interests or the public’s best interests75 
  • managed in line with legislation and national guidance, including records management.63-65 

7.2

Organisations have accessible policies on the collection, use, storage and sharing of their personal data. 

7.3

Organisations use up-to-date technical systems to maximise: 

  • quality of clinical care 
  • service efficiency 
  • data interoperability 
  • clinical data flow between systems. 

7.4

Organisations demonstrate that they meet the Network and Information Systems Regulations (2018) and other relevant legislation and guidance by: 

  • taking appropriate and responsive measures to mitigate data security risks 
  • having technical and organisational measures in place to ensure continuity of essential network and information systems. 

7.5

Organisations have processes in place to provide assurance on the security, efficacy and ethical use of new and emerging technology, including Artificial Intelligence (AI). 

7.6

Staff and volunteers, where appropriate, undertake training relevant to roles and responsibilities about:

  • handling and using clinical data responsibly 
  • how and when to share clinical data 
  • cyber security risks and how to prevent them 
  • data protection and records management. 

7.7

Organisations ensure that all clinical records and documentation are accurately and consistently completed with actions recorded. This includes risk assessments. 

What does this standard mean for...

What does the standard mean for people?

  • Your personal data will be kept safe and secure. 
  • Clinical services will be able to access information about you to help you get the right care at the right time. 
  • Information about you and your care, including personal data, will only be shared with your consent unless there are concerns for your wellbeing. This will be explained to you. 
  • You can request access to your information and personal data. 
  • Organisations use the best available digital tools and systems. 
  • Digital systems will be tested and developed to ensure they remain safe. 
  • Organisations have a back-up plan if digital systems fail or are attacked. 
  • All digital tools used in healthcare, including AI, will be ethical, safe and secure. 

What does the standard mean for staff?

Staff, in line with roles, responsibilities and workplace setting: 

  • understand the appropriate sharing of clinical information  
  • understand their role in keeping clinical records and information systems safe from unauthorised access  
  • are trained in information governance, including prevention of cyber security risks 
  • test and embed new, proven digital technologies where appropriate 
  • use digital tools to improve the quality and safety of integrated care. 

What does the standard mean for the organisation?

Organisations, in line with their respective governance and delivery structures: 

  • demonstrate compliance with national guidelines and legislation related to records management, data and digital systems 
  • implement information management and information governance training for staff, including volunteers and contractors 
  • take appropriate technical and operational measures to ensure clinical data is securely stored and accessed  
  • take appropriate and responsive measures to mitigate information risks, for example data security, data loss, over retention or data breaches 
  • have contingencies in place to ensure the continuation of essential services 
  • renew and assess the digital estate regularly to ensure state-of-the-art digital innovations can be adopted and implemented  
  • work in partnership to ethically develop and test new digital tools 
  • integrate systems and share data to improve the quality and safety of care. 

Benchmarking and measuring performance: Examples of what meeting this standard might look like [linked criteria]

Examples may vary according to the size and scale of the service, NHS board or organisation. 

  • Governance papers and minutes demonstrating discussion and scrutiny of information governance and data management at board level or equivalent. [7.1, 7.2, 7.4] 
  • Implementation of local records management policies that are aligned with national legislation and codes of practice. [7.3, 7.10] 
  • Compliance with national information governance and cyber security audits. [7.1, 7.3] 
  • Data sharing protocols and agreements between services, partnerships or organisations. This may be part of service-level agreements or memorandums of understanding. [7.1, 7.5, 7.9] 
  • Routine use of Data Protection Impact Assessments. [7.1, 7.3, 7.9, 7.10] 
  • Provision of information leaflets or signposting to NHS Inform or Care Information Scotland on confidentiality and data protection. [7.2] 
  • Use of integrated healthcare records or systems to support clinical service delivery, for example MyCare. [7.1, 7.3] 
  • Implementation and training plans for rollout of new technology or software. [7.5, 7.6] 
  • Software and technology audits to ensure systems remain up to date. [7.1, 7.2, 7.4] 
  • Service or organisational Disaster Recovery Plan. [7.7] 
  • Evidence of routine resilience planning and system testing. [7.7, 7.8] 
  • Contingency plans for local and system-wide issues or network outages. [7.7]  
  • Alternative offline processes in case of local system issues. [7.7] 
  • Routine testing of recovery protocols for digital systems. [7.7] 
  • System security policies to appropriately risk assess data processing and security. [7.7, 7.10] 
  • Protocols for ethical use of technology and digital tools. [7.8] 
  • Development of a local digital or AI strategy with a focus on ethics and governance. [7.8] 
  • Plan-Do-Study-Act cycles to embed and expand the use of new digital tools. [7.6, 7.8] 
  • Training programmes and awareness raising sessions on information governance and cyber security. [7.6] 
  • Organisational chart with named staff for data protection, information governance and business continuity. [7.1, 7.6]  
  • Annual reports on percentage of staff with completed training. [7.6]