
Information Governance: Improving the Sharing, Management and Confidentiality of Patient Information

Christopher Fincken, Chair, The UK Council of Caldicott Guardians chaired today’s conference on Information Governance: Improving the Sharing, Management and Confidentiality of Patient Information. The conference provided a practical guide to moving forward with Caldicott2 and the new code of practice in line with the recommendations from the Independent Information Governance Oversight Panel and the Information Governance Alliance in organisations.

The conference included an essential legal update and an update on issues facing Caldicott Guardians including the topical issue of information sharing with police, information sharing across organisations, Information Governance and Electronic Records, and a focus on decision making in information governance and complex information sharing arrangements.

The conference also featured an update from the Information Commissioner's Office on managing information governance and data breaches when things go wrong.

Professor Martin Severs, Caldicott Guardian & Professional Lead Clinician, Health & Social Care Information Centre opened the day with a National Update on information governance. In his presentation Professor Martin Severs discussed:

  • Caldicott2: an update on implementation
  • challenging and reporting on the state of information governance across the health and care system
  • an update from the independent information governance oversight panel (IIGOP)
  • IG in an increasingly 'linked' health and social care sector
  • improving information governance oversight at board level
  • the forward view and considerations for new and emerging systems

In his presentation Professor Martin Severs discussed: 

Processing of personal and confidential data requires all four of these tests to be passed

  • Does it meet the common law duty of confidence?
  • Does it meet the Data Protection Act?
  • Does it meet the Human Rights Act?
  • Does it meet any additional and relevant statute?

If any of these preferences are expressed then data processing could be stopped

  • Dissent (common law duty of confidence)
  • Objection (section 10 of Data Protection Act)
  • Article 8 of Human Rights Act
  • Policy

“Strengthening public trust in the use of health and care data”

“Health and care system has not yet earned public trust in this area and must be able to assure the security of confidential data”

“Be clear with citizens and professionals how personal health and care data needs to be used, and the benefits of doing so, how privacy is protected and the choices available to people to object to data about them being used”

"Data security and consent review - to address concerns, the Secretary of State has commissioned an independent review to deliver, by January 2016:

CQC Review: A review of the effectiveness of current approaches to data security in NHS organisations in relation to their handling of patient confidential data

National Data Guardian Review:

  • Develop new data security standards to be applied to all health and care organisations
  • With CQC, develop a method of testing compliance with the new standards
  • Propose a new consent / opt-outs model for data sharing"

Martin Severs is a practising Consultant Geriatrician and Associate Dean in Clinical Practice at the University of Portsmouth. He has over 20 years of professional leadership roles in health informatics, notably for the Royal College of Physicians and the Academy of Medical Royal Colleges, as chairman of their information advisory structure, which he founded and ran for eight years. Since 1999, Martin has also been the Chairman of the Information Standards Board for Health and Care in England, which is the body that approves [or not] information standards for the health care system. He also designed, set up and was the Management Board Chairman of the International Health Terminology Standards Development Organisation, which has expanded from seven to 19 country members. In March 2012 he took up the clinical lead position with the independent Information Governance Review being led by Dame Fiona Caldicott. Martin has also held Non-Executive roles with two national charities.

Following Professor Martin Severs, Dr Martin Kuper, Caldicott Guardian & Medical Director, Homerton University Hospital NHS Foundation Trust discussed ‘To share or not to share: IG decision making’

Following the morning break Christopher Fincken, Chair, The UK Council of Caldicott Guardians delivered an extended session on ‘Information Governance in practice: What are the issues Caldicott Guardians are facing on a daily basis?’. In his presentation Christopher Fincken discussed:

  • implementing the duty to share information: ethical decision making
  • developing your skills as an effective Caldicott Guardian
  • ethical and legal issues that have come to the Caldicott Guardian
  • our approach to difficult decisions and case studies in practice
  • rules on disclosure of personal information to the police
  • learning from analysis incidents and queries

In his presentation Christopher Fincken stated: 

The Caldicott Principles are:

  1. Justify the purpose(s)

This is becoming increasingly problematic when you have 2 Caldicott Guardians who do not agree – we need a system to solve this problem.

  2. Don’t use personal confidential data unless it is absolutely necessary
  3. Use the minimum necessary personal confidential data
  4. Access to personal confidential data should be on a strict need-to-know basis

This is the one everybody knows

Do you trust your staff? Don’t – you need to think about access controls - what they can see in the records. You need the audit trail software

  5. Everyone with access to personal confidential data should be aware of their responsibilities

You need to train staff on information governance and confidentiality

  6. Comply with the law – there is so much law to follow.

  7. The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

The Legal Rules - An individual’s Information can be shared legally only:

  1. With Valid Consent (For Consent to be valid they must have mental capacity)
  2. When required by Law (Mandatory)
  3. When there is a legal gateway (Permissible) – Relevant and Proportionate
  4. No one knows, It’s not clear, No one can agree

“There is a new document coming out from the GMC on confidentiality – this guidance will be very helpful across health and social care”

“Mental Capacity – 4 tests – 1. Understanding, 2. Making judgements, 3. Retaining and 4. Communicating”

“Current issues for Caldicott Guardians include: FGM, Information Sharing with the Police, Information sharing with relatives and Cyber security”

“Caldicott and IG should be as natural as hand hygiene for everyone. It should be clear to all those staff involved: What information they CAN SHARE and under what circumstances, What information they CANNOT SHARE and under what circumstances, What they should do if they are NOT SURE or are challenged, who they can ask for advice and how and to whom the matter should be escalated.”

Christopher Fincken is Chairman of the UK Council of Caldicott Guardians (UKCCG), and was a Caldicott Guardian for over ten years in an Acute NHS Hospital Trust serving a cathedral city and large rural population before volunteering as a Caldicott Guardian for Marie Curie, the leading UK charity which provides home nursing care and hospice care for people with a terminal illness. He was also an independent member of the National Information Governance Committee of the Care Quality Commission (NIGC - CQC) until its dissolution in 2015. He represents the UKCCG on the Information Governance Forum. He represented UKCCG on the NHS Protect Strategy Implementation Group and was a member of the NHS Commissioning Board’s IG Professional Leadership Group. He was also Chair of the Honest Broker PIA Steering Group and a member of the cross government data sharing workshop addressing barriers to information sharing in relation to gang violence. He has a particular interest in Multi Agency Risk Assessment Conferences on Domestic Violence (MARACs) and Multi Agency Public Protection Arrangements (MAPPA) and is the author of “Striking the Balance”, guidance for information sharing in relation to Domestic Violence published by the Department of Health.

He combines a deep knowledge of the challenges that real life presents with a passion to understand and unravel problems to try and find the best solution. He writes, lectures, and provides innovative, memorable and challenging training all based on practical experience! In addition he provides advice and guidance to an extensive range of organisations both local and national on Caldicott Guardian, confidentiality, information sharing, information governance and data protection.

After the lunch break Dr Masood Nazir, National Clinical Lead Patient Online, NHS England discussed ‘Information Governance & Electronic Patient Information/Records’. In his presentation Dr Masood Nazir spoke in-depth on:

  • ensuring patient access to electronic records
  • ensuring there is an audit trail of access that is available for patients
  • integrating care & information sharing: learning from the new vanguard sites

In his presentation Dr Masood Nazir stated:

“The benefits of paperless: Clinical diagnosis, Patient & staff experience, Safety and Reduce burden & improve efficiency”

“We owe patients a seamless, paperless NHS, but if they want a letter – fine”

“Over the last 10 years the demand on the NHS has increased significantly, increased ageing population, increase in GP consultations from 260,000,000 to 360,000,000 per year, consultations becoming more complex due to factors such as multiple LTCs and shift of work from secondary care. General practice only receives about 7.7% of the NHS budget”

“Local information sharing with an implied consent model (for the enabling of sharing) with later explicit consent/permission to view at the point of care.”

“An implied consent model is needed for maximum patient participation.”

“High patient participation is necessary to secure buy-in from healthcare professionals.”

“Evidence shows that patients are more comfortable with their information being shared locally”

“Data Controllers need to have in place a data sharing agreement with partner organisations.”

“Your Care Connected programme is a simple, yet quite ambitious aim: To provide a more joined-up NHS service in Birmingham, Sandwell and Solihull, To support direct patient care and To give those treating patients the information they need when they need it. The record will be: Viewed via “lookup” method – no data warehouse or extraction involved, Accessed only with the permission of the patient at the point of care, unless they’ve opted out and Completely auditable”

“The benefits of the system are: Faster and easier access to up-to-date medical information, which could save lives, More secure than paper-based access, Supports the improvement of the safety and quality of patient care, Enables safer delivery of emergency care and Less time spent on the phone and fax providing or requesting patient records.”

“Better access to information means timely decisions can be made – better for patient care”

“Over 9 in 10 patients would be happy for doctors and nurses in hospitals and paramedics to view their GP medical record”

“From April 2015, practices are required to offer online access to detailed information held in coded form within the patients’ GP record.”

Dr Masood Nazir is a General Medical Practitioner at Hall Green Health in Birmingham.  Masood is also the Clinical Information Lead on the Birmingham CrossCity CCG Governing Body and the National Clinical Lead for the Patient Online programme at NHS England. Dr Masood Nazir is passionate about creating a joined-up health system for patients; he believes this will lead to safer and more effective care.  Empowering patients and putting them at the centre of services is Masood's top priority.  Sharing health information, using innovative technology and harnessing everyone's best practice, and sharing this, are all essential to achieving this.  

Chris Fokke, Chief Clinical Information Officer, Hampshire Hospitals Foundation Trust continued the afternoon sessions with a case study session covering Hampshire Hospitals Foundation Trust's experience of in-house EPR development in the context of IG; integrating care & information sharing: collaborating with others and making it real; and audit trail of access: how to manage this successfully across systems/services on behalf of patients and citizens. This was followed by a session on ‘Complex data sharing: Complex data sharing across multiple organisations involving vulnerable people’.

Following the afternoon tea break Dawn Monaghan, Group Manager of Public Services Team, The Information Commissioner's Office discussed ‘When things go wrong: managing information governance breaches/untoward incidents and the role of the Information Commissioner’. In her presentation Dawn Monaghan discussed:

  • learning from case studies of breaches by NHS and Social Care organisations
  • reporting, managing and investigating information governance serious untoward incidents
  • the role of the Information Commissioner and an update on the data sharing code of practice

In her presentation Dawn Monaghan stated: 

“The ICO are educators and influencers as well as enforcers”

“The majority of breaches involve security, but remaining compliant requires concentration on other things too.”

“Human error and naïve incompetence are more prevalent than malicious non compliance”

“If a breach occurs, be transparent”

“Only a minority of investigations end in a civil monetary penalty”

“Loss of reputation and trust can be more damaging than a fine”

“Learn from others whenever you can”

“Use of the Codes of Practice to guide you” 

The day closed with an extended session from Paula Tighe, Information Governance Director, Wright Hassall LLP, on ‘Ensuring information flows have a sound legal basis and are compliant with the law’.


29 January 2016

