Supporting Guidance Standard 3.4

Health and Care Standards

Supporting Guidance

Standard 3.4: Information Governance and Communications Technology


What is the Standard about?

Developing and using information management and information governance to support safe and integrated patient care and service delivery within a legal framework.


Who is it for?

All health professionals, services and users in healthcare settings

In relation to the standard criteria (in bold), the following key questions need to be considered:

Safe and secure information systems are developed in accordance with legislation and within a robust governance framework.

  • How do you know you are developing and using your information systems, both electronic and hard copy, safely and securely?
  • How do you ensure you comply with Information legislation?
  • What information governance arrangements are in place?
  • How do you assess and mitigate against information risks?
  • Does your organisation use Privacy Impact Assessments during the development of all projects using personal information to ensure privacy is built in from the start?
  • Are the Caldicott Principles into Practice (CPIP) or Information Security Management System (ISMS) assurance tools used to measure information governance performance?
  • Do your internal auditors review responses to the tool?
  • Does your organisation produce an annual report that measures compliance with Information Governance standards?
  • How does your organisation manage access control to systems and data?
  • What procedures are in place for incident and breach reporting?
  • What procedures are in place to ensure appropriate data protection and IG compliance by your data processors?
  • What systems and processes are in place to ensure the safety and security of personal information taken off site for patient care or homeworking, both in transit and when in use?
  • What security is in place to protect mobile devices – phones, laptops, pads and pen drives etc?
  • How do you ensure personal information is securely transferred, for example when referring a patient on to another part of the care system or when sharing personal data for provision of partnership services?

Processes exist to operate and manage information and data effectively, to maintain business continuity and support and facilitate patient care and delivery.

  • What processes have you put in place to operate and manage information and data effectively?
  • What communication is in place to support staff to manage information and data effectively? E.g. intranet pages, staff bulletins, information governance team, Q&A sessions, Information Governance (IG) helpline, local IG point of contact, posters etc. to provide staff a source of information and keep the issue on their agenda?
  • What are your arrangements for systems resilience and business continuity?
  • Does your organisation work to International Standards for Information Security?
  • Are staff trained on the effective and safe use of data?
  • Is Information Governance and Security Training compulsory/mandated for all new staff (including students, agency staff and senior professionals) as part of their initial induction to your organisation? Do you require staff to complete this training before they can access personal data?
  • Are all staff required to complete regular Information Governance and Security refresher training? This should be at least once every two years, and may need to be tailored to meet the needs of different staff functions.
  • Do staff responsible for records management, IG and all aspects of specialist data management etc. have bespoke training to support them in understanding the IG responsibilities of their role?
  • Has your Caldicott Guardian (and any deputies) received IG training to support them in this role?
  • How is staff training in Information Governance and Security recorded and monitored? What follow up / consequences are there for staff who do not complete training or who struggle to meet the standard required?
  • Does your organisation have nominated leads for Information Governance specific areas of work? (e.g. Data Protection Officer, Information Asset Owners, Information Security officers)
  • Does your organisation have audit and monitoring processes in place to manage the appropriate access and use of data by staff? What follow up / consequences are there for staff that inappropriately access personal data?

Data and information are accurate, valid, reliable, timely, relevant, comprehensible and complete.

  • How do you ensure your data is robust, accurate and timely and meets national standards?
  • Do you utilise NHS Number in all data systems as a key NHS Wales patient identifier?
  • Does your organisation ensure that all flows of information are accounted for?
  • Does your organisation provide appropriate fair processing information to stakeholders, particularly patients and staff?

Information is used to review, assess and improve services

  • How do you use information to review, assess and improve services?
  • How do you ensure that patients, service users, carers and staff can use information appropriately?
  • Do you promote the use of information for research?
  • Do you have processes that incorporate techniques for anonymisation or pseudonymisation of information?

Information is shared with relevant partners using protocols when necessary to provide good care for people.

  • Has your organisation signed up to the Wales Accord on the Sharing of Personal Information (WASPI) framework?
  • Has your organisation signed Information Sharing Protocols and Data Disclosure Agreements consistent with WASPI?
  • Are there appropriate agreements in place for the sharing of information for secondary uses?
  • Are partnership working arrangements supported by appropriate and secure means of sharing personal information?
  • How do you ensure that the use of acronyms is avoided or they are explained in full?


Legislation and Guidance

Useful Contacts

Good Practice Guides