Cookies on this website
We use cookies to ensure that we give you the best experience on our website. If you click 'Continue' we'll assume that you are happy to receive all cookies and you won't see this message again. Click 'Find out more' for information on how to change your cookie settings.

Flummoxed by FOI's? Feeling some tension about Records Retention? Intimidated about Incident Reporting? You've come to the right place. This page is a helpful guide to all things Information Governance related. Refresher training sessions will be coming soon, but meanwhile please take a moment to read some of the handy overviews listed below. They're really quite helpful and should set you straight on terminology, legal obligations and best practice.

The GDPR (General Data Protection Regulations) comes into force on 25th May 2018 and it intends to strengthen and unify data protection rights for individuals. All organisations need to be compliant with the new rules to protect all personal data held by them, including employee data, customer data, supplier data, data relating to members of the public, online tracking data etc. Any data that you process (including just storing) that identifies a living individual is regarded as ‘personal data’ and you need to ensure your compliance with the GDPR. )

GDPR guidance from the Information Commissioner's Office

University guidance

GDPR requirements for research



The DSP Toolkit (formerly the Information Governance Toolkit) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Submission of incident reports, completion of asset registers, compliance with retention schedules...just about everything on this page is required to evidence that the department is processing data securely and legally. 

Ensuring staff are fully informed, confident and comfortable with Information Governance is essential for our ability to continue using data for health research and maintaining a strong reputation for data security.

It is everyone's responsibility to comply with the GDPR, Data Protection Act 2018 and also University policy regarding Information Governance. 

Further information on the DSP toolkit can be found here

Are you all up to date with your IG training? It is essential for our NHS Data Security and Protection Toolkit that we look to achieve 95% compliance for IG training across the department, so your co-operation is very much appreciated!

You can find the University Information Security module via the online learning page and make sure you're familiar with processing data securely and legally.

Also the department's Prisms IG webpage allows you to review and confirm you have read all the IG policies. 

Meanwhile if you have any questions or problems regarding Information Governance, drop me a line at

In accordance with the GDPR, personal data must adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). A Retention Schedule documents what data types should be kept for what periods of time in accordance with the departmental and university policy.

Referring to the retention schedule allows you to determine if personal data is being kept for a justifiable purpose, and not for an excessive period of time.

Details of the University Retention Schedule can be found below:

Student records retention

Staff records retention

An Information Asset Register (IAR) is a centrally held record of the data processed by an organisation. In accordance with the General Data Protection Regulation (GDPR), our asset register allows us to accurately record 

*What data we process

*How long we retain it for

*The legal basis for processing the data

*Who we share the data with

*Where the data is stored

Failure to maintain an up-to-date and accurate IAR can result in significant fines and reputational damage.

We are currently in the process of creating a web based asset register to allow for quicker, easier registration of assets. A link to the asset register will be provided here as soon as the application is finalised.

What is a DPIA?

A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.

DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.

When do we need a DPIA?

You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

In particular, the GDPR says you must do a DPIA if you plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale; or
  • systematically monitor publicly accessible places on a large scale.
  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach

Data Protection Impact Assessment forms can be downloaded here

Further guidance on DPIA's can be found here

One of the ways our department ensures staff  are confident and familiar with data protection is through the conducting of Spot Check Audits. This process isn't meant to scare you! It's simply a way that we can check that data is being processed securely, staff have had an opportunity to review our policies, and we're meeting our obligations under the GDPR (General Data Protection Regulation).

You will be told in advance that a spot check audit is taking place.

The spot check audit form can be found here.

The Freedom of Information Act 2000 provides public access to information held by public authorities.

It does this in two ways:

  • public authorities are obliged to publish certain information about their activities; and
  • members of the public are entitled to request information from public authorities.

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 2018

Freedom of Information Requests are free and must be responded to within 20 working days.

You can refuse an entire request under the following circumstances:

  • It would cost too much or take too much staff time to deal with the request.
  • The request is vexatious.
  • The request repeats a previous request from the same person.

In addition, the Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.

Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.

You can find out more on the ICO website here

What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

What is an individual entitled to?                    

Individuals have the right to obtain the following from you:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).

Personal data of the individual

An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data. 

Other information

In addition to a copy of their personal data, you also have to provide individuals with the following information:

  • the purposes of your processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards you provide if you transfer personal data to a third country or international organisation.

The ICO guide to the Right of Access can be found here

Anonymised data:

''...information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.'' - Recital 26, GDPR

Pseudonymised data:

“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” - Article 4, GDPR

It is vital to accurately categorise your data in consideration of the definitions above. The GDPR does not apply to anonymised data. However pseudonymised data falls fully within the scope of the GDPR and must be treated with the same levels of consideration in terms of security and processing:

"Pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the GDPR."

In the situation where clinical trial data has had all identifiers removed, this can only be considered anonymised data if it was impossible to re-identify the trial subjects, even when cross referenced against supporting documentation.

Another way of defining the difference between anonymised and pseudonymised data is as follows:

  • Anonymised data: data is unrecognisable, even to the data owner. It cannot be re-identified by referring to the study ID or by processing it together with other information which is available or likely to be available.
  • Pseudonymised data: identifiable data has been replaced with alternative identifiers that bear no overt relationship to the true values. Re-identification of data can only be achieved with knowledge of the de-identification key.

If you are uncertain whether your data should be considered anonymised or pseudonymised, it should be treated as identifiable data in accordance with the department's Anonymisation Policy.

If you have any questions or concerns about the category of your data, please contact the Information Governance Lead for assistance.

Useful links:

What is personal data? (ICO)

Personal data anonymisation and pseudonymisation under the GDPR (Slaughter and May)

Under the GDPR, there must be a lawful basis in order to process personal data.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:           

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Special Category Data (previously known as Sensitive Personal Data) requires the application of a further legal basis. The conditions are listed in Article 9(2) of the GDPR.


When carrying out research as a public authority (such as the University), the most appropriate lawful basis for processing personal data, under GDPR, is

Article 6(1)E ‘task in the public interest’.  

When processing special category data while undertaking research as a public authority, the most appropriate lawful basis under GDPR is 

Article 9(2)J 'Necessary for archiving purposes in public interest, scientific or historical research purposes'.

If you are unsure whether the data you process falls under this criteria, please contact the Information Governance Lead for further information.


Further information on legal basis for processing data:

MRC guidance on lawful basis

ICO guidance on lawful basis

University guidance on legal basis for processing