Information Governance - A Beginner's Guide
Flummoxed by FOIs? Feeling some tension about Records Retention? Intimidated by Incident Reporting? You've come to the right place. This page is a helpful guide to all things Information Governance related. Refresher training sessions will be coming soon, but meanwhile please take a moment to read the handy overviews listed below. They should set you straight on terminology, legal obligations and best practice.
The GDPR (General Data Protection Regulation) applies from 25th May 2018 and strengthens and unifies data protection rights for individuals. All organisations need to comply with the new rules for all personal data they hold, including employee data, customer data, supplier data, data relating to members of the public, online tracking data etc. Any data that you process (including just storing) that identifies a living individual is regarded as 'personal data', and you need to ensure your compliance with the GDPR.
Personal data means any information relating to a living person that can be used, directly or indirectly, to identify them. Examples include:
- Staff or student number
- Online identifiers such as an IP address (the string of numbers that identifies a computer/device connected to the internet and can be linked to your online activity)
- Location data
- Physical characteristics
- Genetic information
- Cultural information
Extra care must be taken with personal information that is sensitive. This is called special category data, and includes:
- Health data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sex life
- Sexual orientation
- Genetic data
- Biometrics (where used for identity purposes)
- Trade union membership
Information about children, and about criminal convictions or offences, has extra protection too.
The DSP Toolkit (Data Security and Protection Toolkit, formerly the Information Governance Toolkit) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Submission of incident reports, completion of asset registers, compliance with retention schedules...just about everything on this page is required to evidence that the department is processing data securely and legally.
Ensuring staff are fully informed, confident and comfortable with Information Governance is essential for our ability to continue using data for health research and maintaining a strong reputation for data security.
It is everyone's responsibility to comply with the GDPR, Data Protection Act 2018 and also University policy regarding Information Governance.
Further information on the DSP toolkit can be found here
All Department Members must complete the following two trainings initially upon hire and annually thereafter:
- The University Information Security Awareness Module (the Module) is available through the IT Services’ online course booking system (CoSy).
To book this training, Members shall follow these steps:
a) Copy and paste this link into their web browser:
b) Under the “Tools and Resources” banner on this landing page, click on the link provided to access the module.
c) Log-in using SSO credentials;
d) Complete the course booking within the CoSy application;
e) Access the training completion certificate from the CoSy dashboard; and
f) Upload the training certificate into the Department IG policy management application (PRISMs-IG) as evidence of completion.
To pass the module, Members must score 75% or above. If a Member does not pass, the application will trigger a retest. Once a Member has passed, they will need to download the course completion certificate and complete a short online evaluation.
- Department IG Policies and Guides
These outline the Department IG requirements, procedures and protocols. All Members access these on demand through Department IG policy management application (PRISMs-IG): https://ig.phc.ox.ac.uk/prisms-ig/accounts/login/
Members complete their review of these documents and attest to reading and understanding them. The IGM (Phil Nieri) monitors and confirms the completion of the above two trainings initially upon hire and annually thereafter.
More information is available in the Department IG training policy (PHC_POL_IG105_v4.0_Training_Policy).
In accordance with the GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed ('data minimisation'). A Retention Schedule documents which data types should be kept for what periods of time, in accordance with departmental and University policy.
Referring to the retention schedule allows you to determine if personal data is being kept for a justifiable purpose, and not for an excessive period of time.
Details of the University Retention Schedule can be found below:
An Information Asset Register (IAR) is a centrally held record of the data processed by an organisation. In accordance with the General Data Protection Regulation (GDPR), our asset register allows us to accurately record:
- What data we process
- How long we retain it for
- The legal basis for processing the data
- Who we share the data with
- Where the data is stored
Failure to maintain an up-to-date and accurate IAR can result in significant fines and reputational damage.
We are currently in the process of creating a web based asset register to allow for quicker, easier registration of assets. A link to the asset register will be provided here as soon as the application is finalised.
What is a DPIA?
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
When do we need a DPIA?
You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
The ICO also requires you to do a DPIA if you plan to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing');
- track individuals' location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual's physical health or safety in the event of a security breach.
Data Protection Impact Assessment forms can be downloaded here
Further guidance on DPIAs can be found here
One of the ways our department ensures staff are confident and familiar with data protection is through the conducting of Spot Check Audits. This process isn't meant to scare you! It's simply a way that we can check that data is being processed securely, staff have had an opportunity to review our policies, and we're meeting our obligations under the GDPR (General Data Protection Regulation).
You will be told in advance that a spot check audit is taking place.
The spot check audit form can be found here.
The Freedom of Information Act 2000 provides public access to information held by public authorities.
It does this in two ways:
- public authorities are obliged to publish certain information about their activities; and
- members of the public are entitled to request information from public authorities.
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 2018
Freedom of Information Requests are free and must be responded to within 20 working days.
You can refuse an entire request under the following circumstances:
- It would cost too much or take too much staff time to deal with the request.
- The request is vexatious.
- The request repeats a previous request from the same person.
In addition, the Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.
Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise, or would be likely to arise, from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone's commercial interests.
You can find out more on the ICO website here
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
What is an individual entitled to?
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).
Personal data of the individual
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
The ICO guide to the Right of Access can be found here
The rules about personal data apply to controllers and processors.
The controller determines the purposes and means of processing personal data.
Examples of controllers you may have dealings with include the following.
- The central University, together with its divisions and departments, constitutes one controller
- Each college is a separate controller
- Oxford University Innovation Ltd is a controller
The processor is responsible for processing personal data on behalf of a controller. Microsoft is one example of a processor.
Think: for the tasks or activities you carry out using personal data, do you know who the controller is? If it is the central University, we have various responsibilities, which you will find out about in the next few pages.
We might also use a processor to process data on our behalf – such as a cloud computing service – and we need to make sure we do so safely.
Processing means any activity that involves personal data:
- Collecting it
- Reading and assessing it
- Filing and storing it
- Using it to contact individuals
- Sharing it
- Analysing it
- Audio recording it
- Subjecting it to a technological process
- And more….
If you are involved in activities that use mailing lists, you need to take extra care to ensure we comply with the rules. You can find out more on the Information Compliance Team website.
Under the GDPR, there must be a lawful basis in order to process personal data.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Special Category Data (previously known as Sensitive Personal Data) requires a further condition to be met in addition to the Article 6 lawful basis. The conditions are listed in Article 9(2) of the GDPR.
WHICH BASIS DO I SELECT?
When carrying out research as a public authority (such as the University), the most appropriate lawful basis for processing personal data under the GDPR is
Article 6(1)(e) 'task in the public interest'.
When processing special category data while undertaking research as a public authority, the most appropriate condition under the GDPR is
Article 9(2)(j) 'necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes'.
If you are unsure whether the data you process falls under these criteria, please contact the Information Governance Lead for further information.
Further information on legal basis for processing data:
Each member state of the EU has a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).
Individuals may also challenge the use of their data themselves.
If there is a breach of the rules, the ICO can fine an organisation up to 4% of its annual worldwide turnover (or €20 million, whichever is higher) or require changes in its policies and procedures.
Data Protection Officers (DPO) have been appointed to give advice in the collegiate University and to advise on internal compliance with GDPR and the Data Protection Act 2018.
The DPO for the central University is Felicity Burchett, and she heads a team of data privacy specialists, the Information Compliance Team.
The team is supported by a network of 'hub contacts' to whom University staff and students can go for help and advice. You can find out who your GDPR hub contact is here.
Colleges and subsidiaries also have a DPO.
The rules for good information handling include the following.
Personal data must be:
1. Processed lawfully, fairly and in a transparent way.
- This means we must be open and honest about how we use individuals’ data.
We do this by providing privacy notices (sometimes called privacy policies or, in research, participant information sheets). A privacy notice gives individuals important information about how their personal data is collected and used.
There are a number of University-wide privacy notices, for various users and situations.
If your activity is not covered by one of these notices, you will need to provide your own privacy notice. Our privacy notice toolkit will help you to put this together.
- We must have a lawful basis for processing personal data.
No collection or use of personal data can take place unless there is a lawful basis for it. We must include the lawful basis in privacy notices.
There are six lawful bases in the GDPR. Consent is one of them, but in many cases it is not the most appropriate. There is guidance on the Information Compliance Team website to help you identify the most appropriate lawful basis. (If you’re handling special category data, you will need to satisfy other requirements, too.)
- We must consider individuals: they must not suffer unjustified harm from our use of their personal data.
- If we are sharing personal data with other people or organisations, or transferring it overseas, we need to do so safely.
2. Collected for specified, explicit and legitimate purposes.
- This means data must only be used for the purpose stated in a privacy notice or as individuals would reasonably expect.
- This also means if a new purpose arises you can only use the data for that purpose if it is compatible with the purpose in the privacy notice and if you tell individuals about the new purpose.
3. Adequate, relevant and limited to what is necessary.
- we must not collect, use or store more personal data than is strictly necessary;
- all processing activities must be kept to a minimum; and
- access to personal data is limited to those people with a ‘need to know’.
4. Accurate and where necessary kept up to date.
5. Kept only for as long as is strictly necessary and deleted or destroyed when no longer required.
- we must tell individuals in our privacy notice how long we will keep their personal data for; and
- we must have retention schedules that identify how long we will keep personal data and why we are keeping it, and must implement those schedules. For example, personnel files and training records should be disposed of six years after University employment ends, as detailed in Retention periods for University personnel records.
Retention periods are based on:
- statutory or regulatory requirements;
- historical value (archives); and
- demonstrable and justifiable business need.
6. Processed in a way that is secure.
- personal data must be protected against accidental loss, destruction or damage; and
- if the security of personal data is compromised, this is a data breach.
7. Processed in an accountable way.
The GDPR requires us to keep records to demonstrate how we comply with all these rules.
Individuals have various rights regarding their own data. You can find out more on the Information Compliance Team website.
Requests by individuals to exercise these rights are dealt with by the Information Compliance Team. If you receive such a request you should direct this to them without delay by emailing email@example.com.
If another controller is responsible for the data (for example, in a college), they will have their own procedures in place to deal with these requests.
Further information can also be found on the Information Commissioner's Office website:
A data breach occurs if personal data is seen by someone with no right to see it (unauthorised disclosure) or if it is lost, damaged or destroyed.
If you think, or suspect, that something isn’t right, report it immediately to:
Information Compliance Team (ICT): firstname.lastname@example.org (ext. 70285)
As soon as you know or suspect that a breach has occurred, report it straightaway, even if you do not have all the details.
The University has a legal duty to report any serious breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. If we fail to do this, we risk being fined.
After you submit your report, the ICT will provide guidance and support, and decide whether the breach needs to be reported to the ICO.
For more information on how to identify a data breach: https://compliance.admin.ox.ac.uk/reporting-data-breaches
''...information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.'' - Recital 26, GDPR
"…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." - Article 4(5), GDPR
It is vital to accurately categorise your data in consideration of the definitions above. The GDPR does not apply to anonymised data. However pseudonymised data falls fully within the scope of the GDPR and must be treated with the same levels of consideration in terms of security and processing:
"Pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the GDPR."
Where clinical trial data has had all identifiers removed, it can only be considered anonymised if it is impossible to re-identify the trial subjects, even when the data is cross-referenced against supporting documentation or other information that is available or likely to be available.
Another way of defining the difference between anonymised and pseudonymised data is as follows:
- Anonymised data: data is unrecognisable, even to the data owner. It cannot be re-identified by referring to the study ID or by processing it together with other information which is available or likely to be available.
- Pseudonymised data: identifiable data has been replaced with alternative identifiers that bear no overt relationship to the true values. Re-identification of data can only be achieved with knowledge of the de-identification key.
If you are uncertain whether your data should be considered anonymised or pseudonymised, it should be treated as identifiable data in accordance with the department's Anonymisation Policy.
If you have any questions or concerns about the category of your data, please contact the Information Governance Lead for assistance.
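The distinction above is easier to see in code. The following is an added example, not part of the departmental policy or any University tool: it pseudonymises a handful of constructed (not real) patient records by replacing the direct identifiers with a keyed study ID, keeps the re-identification table separately as Article 4(5) requires, and then shows why the pseudonymised output is still personal data: the remaining quasi-identifiers (date of birth and postcode, field names assumed for illustration) make every record unique, so anyone holding a matching external list could single people out. A generalisation step and a k-anonymity check show what moving towards anonymisation involves.

```python
"""Pseudonymisation vs anonymisation, illustrated with keyed study IDs.

Added example; not code from the departmental IG policy or any University
system.  Records, field names and values are constructed for illustration
and do not describe real people.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (assumed field names; no real patients).
SAMPLE_RECORDS = [
    {"nhs_number": "9434765919", "name": "Ada Example", "dob": "1970-03-12", "postcode": "OX2 6GG", "hba1c": 48},
    {"nhs_number": "9434765870", "name": "Bob Sample", "dob": "1970-07-30", "postcode": "OX2 6HG", "hba1c": 52},
    {"nhs_number": "9434765897", "name": "Cy Placeholder", "dob": "1985-11-02", "postcode": "OX4 1AB", "hba1c": 41},
    {"nhs_number": "9434765781", "name": "Di Fictitious", "dob": "1985-02-19", "postcode": "OX4 2CD", "hba1c": 44},
]

DIRECT_IDENTIFIERS = ("nhs_number", "name")
QUASI_IDENTIFIERS = ("dob", "postcode")


def make_study_id(key: bytes, nhs_number: str) -> str:
    """Keyed pseudonym.  An HMAC rather than a plain hash: NHS numbers are
    10 digits with a check digit, so an unkeyed SHA-256 of the number could
    be reversed simply by hashing every possible value."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace direct identifiers with a study ID.  Returns the pseudonymised
    records and the linkage table; the table (and the key) must be held
    separately from the records, with its own access controls."""
    link_table = {}
    out = []
    for r in records:
        sid = make_study_id(key, r["nhs_number"])
        link_table[sid] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        p = {f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS}
        p["study_id"] = sid
        out.append(p)
    return out, link_table


def reidentify(record, link_table):
    """Re-identification is only possible for someone holding the linkage
    table; returns None otherwise."""
    return link_table.get(record["study_id"])


def generalise(record):
    """Coarsen the quasi-identifiers: year of birth and outward postcode
    only, so fewer records are unique on them."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["postcode"] = record["postcode"].split()[0]
    return g


def min_group_size(records, fields=QUASI_IDENTIFIERS):
    """k-anonymity: the smallest number of records sharing one combination
    of quasi-identifier values.  k == 1 means at least one record is unique
    on those fields and can be singled out with an external list."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return min(counts.values())


def anonymise(records):
    """Drop the study ID and generalise.  No key is ever attached to the
    output, so nothing links it back to the linkage table."""
    return [{f: v for f, v in generalise(r).items() if f != "study_id"}
            for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept apart from the data in practice
    pseud, link = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised k =", min_group_size(pseud))      # 1: still personal data
    print("generalised  k =", min_group_size(anonymise(pseud)))  # 2
```

The k of 2 on a four-record toy dataset is not anonymisation in any real sense; the point is the direction of travel. Removing names and NHS numbers alone leaves every record unique on date of birth and postcode, which is exactly why pseudonymised data "remains personal data and within the scope of the GDPR". Whether a generalised release is truly anonymised still has to be assessed against the other information that is available or likely to be available, as the department's Anonymisation Policy requires.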
What is personal data? (ICO)
Personal data anonymisation and pseudonymisation under the GDPR (Slaughter and May)