Information Governance

The Department of Health has introduced a new requirement for dental practices to adhere to as part of their contracts with the NHS.

All dental practices now have to complete an online 'toolkit' that helps the practice monitor compliance with the law and central guidance on keeping patient and other sensitive data safe, properly stored and secure. All practices must be at Level 2 to be compliant.

What is Information Governance?

Information Governance is to do with the way organisations process or handle information. It covers personal information, i.e. that relating to patients/service users and employees, and corporate information, e.g. financial and accounting records.

Information Governance provides a way for employees to deal consistently with the many different rules about how information is handled, including those set out in:

  • The Data Protection Act 1998.
  • The common law duty of confidentiality.
  • The Confidentiality NHS Code of Practice.
  • The NHS Care Record Guarantee for England.
  • The Social Care Record Guarantee for England.
  • The international information security standard: ISO/IEC 27002: 2005.
  • The Information Security NHS Code of Practice.
  • The Records Management NHS Code of Practice.
  • The Freedom of Information Act 2000.

What are the information governance requirements?

There are different sets of information governance requirements for different organisational types. However, all organisations have to assess themselves against requirements for:

  • management structures and responsibilities (e.g. assigning responsibility for carrying out the IG assessment, providing staff training, etc.);
  • confidentiality and data protection; and
  • information security.

What is the purpose of the information governance assessment?

The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.

Where partial or non-compliance is revealed, organisations must take appropriate measures (e.g. assign responsibility; put in place policies, procedures, processes and guidance for staff), with the aim of making cultural changes and raising information governance standards through year-on-year improvements.

The ultimate aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that the NHS and its partners can be trusted with personal data.