Information Governance Policy


Why We Need An Information Governance Policy

The practice handles ever-increasing amounts of information. Timely and accurate information is crucial both for clinical decision-making and for the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance that information is efficiently managed at Frome Medical Practice, and that we have appropriate policies and procedures to provide a robust framework for information management.



The Frome Medical Practice recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The practice supports the principles of corporate governance and recognises its public accountability, but equally places importance on confidentiality and the security of personal information about patients and staff. The practice also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.

The reasons for sharing information may include:

  • Delivery of effective personal care, treatment and advice
  • Assuring and improving the quality of care, treatment and advice
  • Monitoring and protecting public health, safety and well-being
  • Risk Management
  • To avoid duplication of information gathering
  • Investigating complaints or actual/potential legal claims
  • Teaching/staff development
  • To safeguard children and vulnerable adults

The practice has assigned responsibility for information governance to a team which consists of:

  • Caldicott Guardian (Partner)
  • Information Governance Lead (Partner)
  • Information Governance Specialist
  • Quality Assurance Officer
  • Medical Records Champions

The practice believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of all clinicians and managers to ensure the quality of information available in the organisation and to make best use of that information in decision-making.

There are 4 key interlinked strands to the information governance policy:

  • Openness
  • Legal compliance
  • Information security
  • Quality assurance

1. Openness

There will always be conflict between what is considered to be confidential information and the need to be open to facilitate the smooth management of care and treatment of patients and to maintain the safety of staff. Staff should give careful consideration to how information/data is handled and ensure that any information that is produced, or given to a third party, is not in breach of the General Data Protection Regulation (2018).

  • Non-confidential information on the practice and its services is available to the public through the practice website, practice leaflets and via NHS England
  • The practice has established and maintains a policy to ensure compliance with the Freedom of Information Act
  • Patients are able to request access to their medical records
  • The practice has arrangements in place for liaison with the press and broadcasting media
  • The practice has written procedures and arrangements for handling queries and complaints from patients and the public
  • Our statement on confidentiality and freedom of information, with regard to how it affects patients, is displayed on our website and included in the new patient registration pack
  • Our Freedom of Information Act statement is also on the website

The General Data Protection Regulation includes the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

2. Legal Compliance

  • The practice regards all identifiable personal information relating to patients as confidential
  • The practice regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise
  • The practice has established and maintains policies to ensure compliance with the General Data Protection Regulation, the Human Rights Act and the Common Law Duty of Confidentiality
  • The practice has established and maintains policies for the controlled and appropriate sharing of patient information with other agencies, taking account of relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act)

3. Information Security

  • The Frome Medical Practice ensures that all personal information is kept in a secure environment, where access is controlled, and security measures are in place. This includes electronic capture and storage, manual paper records, video and audio recordings, and any images, however created
  • The practice has established and maintains policies for the effective and secure management of its information assets and resources
  • The practice promotes confidentiality and data security to its staff through policies, procedures and training
  • The practice has established and maintains a Significant Event reporting procedure and monitors and investigates all reported instances of actual or potential breaches of confidentiality and security

4. Quality Assurance

  • The practice has established and maintains a policy for information quality assurance and the effective management of records. This includes clear protocols for processing, scanning and coding clinical data coming into the practice.
  • Managers are expected to take ownership of, and seek to improve, the quality of information within their services
  • Wherever possible, information quality is assured at the point of collection
  • The practice promotes information quality and effective records management through policies, procedures, staff induction and staff training

Principles In The Use Of Confidential Information: Caldicott Guidelines

The purpose of this section is to outline a local code of conduct on the use of confidential information, to ensure that patient or personal identifiable data is used and disclosed in an adequate manner according to the Caldicott Principles, the General Data Protection Regulation and the Freedom of Information Act.

The Practice has appointed a Caldicott Guardian.

All Practice Staff, both clinical and non-clinical, must adhere to all Policies and Procedures concerning Information Governance and Confidentiality.


Confidentiality Policy

  • The practice has a comprehensive confidentiality policy which is mandatory reading for new employees and on the staff reading list.
  • This policy covers all aspects of communication, including verbal, email, written documents and post.
  • It also covers issues relating to working away from the office, the principles of maintaining confidentiality, management of confidential waste, internet use, and maintenance and security of passwords.
  • The policy refers to relevant legal tools and the practice’s right to monitor use of the internet.
  • The policy gives staff information on how to report breaches in confidentiality or information governance.
  • The policy covers use of email, including etiquette, offensive emails and confidentiality.


All staff are given training on Information Governance, confidentiality and the General Data Protection Regulation at induction and as part of the ongoing training schedule. If a member of staff requires further training, they will discuss this with their line manager or team leader.

Staff with line management responsibility ensure that the staff working for them are aware of the above principles and make training available if required.


Security Breaches

An Information Security incident is defined as any event which has resulted, or could result, in:

a. The disclosure of confidential information to any unauthorised individual
b. The integrity of the system or data being put at risk
c. The availability of the system or information being put at risk
d. An adverse impact, for example: embarrassment to the NHS; threat to personal safety or privacy; legal obligation or penalty; financial loss; disruption of activities

Types of incidents that should be recorded include:

a. Computer misuse
b. Computer virus activity
c. Confidentiality breach
d. Records related incident
e. Theft or loss of records
f. System abuse or infiltration

This list is not exhaustive.