Information Governance (IG) & Data Security

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulations (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. These principles ensure information is used fairly, lawfully, and transparently, only used for a specified purpose and only what is necessary, is not kept longer than required and is handled appropriately. There is stronger legal protection for more sensitive areas.

Key IG roles and responsibility in BOB ICB:

Caldicott Guardian – Heidi Beddall, Deputy Chief Nursing Officer/Director of Quality

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly. All NHS organisations and local authorities providing social services must have a Caldicott Guardian.

Catherine Mountford, Director of Governance

A SIRO is an Executive Director or member of the Senior Management Team with overall responsibility for an organisation's information risk policy. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.

Catherine Mountford, Director of Governance

Accountable for ensuring effective management, accountability, compliance, and assurance for all aspects of IG.

Lesley Corfield, Governance Manager

DPOs are responsible for overseeing data protection strategy and its implementation to ensure compliance with UK GDPR requirements.

All Staff IG Responsibility:

Undertake IG Staff induction
All new staff need to undertake their Data Security Awareness training within two weeks of joining the BOB ICB.

Primary Care/GP IG support
Members of the public /patients should in the first instance, contact their GP practice for help and support on GP and Primary Care Network (PCN) IG issues.

BOB ICB staff should contact the SCWCSU GP Information Governance Manager and DPO for GP practices,, for help and support on GP and primary Care Network (PCN) IG issues.


A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If you receive confidential information (unless you are authorised to) respond to the sender informing them that this is a breach and delete that email from your inbox, sent and deleted folders. If it is part of an excel or other document, request the person to resend the document(s) after removing the identifiable details. Report the information governance breach immediately on Blueteq here

If the breach has been committed by you, you still need to report it on Blueteq (by filling out the same form) as well as inform your line manager.

Serious breaches need to be reported to the Information Commissioner’s Office within 72 hours.  Thus, is it important for breaches to be reported promptly and with all the information available to enable them to be investigated and risk assessed.

If you have any queries about a data breach, contact the DPO, Lesley Corfield, or an IG Manager in the SCW CSU IG team:


Details of IG training completion are sent to NHS Digital as part of BOB ICB IG compliance each year – Data Security Protection Toolkit (DSPT).

A DPIA is a way for you to analyse your data processing and help you identify and minimise data protection risks.

You need to complete the DPIA Screening questions or the full assessment DPIA at the beginning of every Business Case or Project or initiation document. For help and advice on how to complete a DPIA kindly contact the SCW CSU IG team.

The DPIA should:

    • Describe the nature, scope, context and purposes of the processing
    • Assess necessity, proportionality and compliance measures
    • Identify and assess risks to individuals
    • Identify any additional measures to mitigate those risks.

A template and guidance document are in the Related Downloads section at the top of this page, above.

Teams have responsibility of informing the organisation what data they currently hold/send/receive and update on their section of the OCCG Data Flow Map and Information Asset Register each year.  The Data Flow mapping and Information Asset Register is submitted to the Department of Health as part of the DSPT submission. 

If you are a new Information Asset Owner or an Information Asset Administrator and need training, contact the SCW CSU IG team.

On signing a new contract with any organisation or adding a new clause / contract variations contact the DPO, Lesley Corfield, and the SCW CSU IG team to ensure UK GDPR and data security requirements are fulfilled in the contract.

Data Controllers are the main decision-makers and exercise control over the purpose and means of the processing of personal data – decide what data to process and why.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers.  However, they are not joint controllers if they are processing the same data for different purposes.

Data Processors act on behalf of, and only on the instructions of, the relevant controller.


A DSA is an agreement between a party that has useful data (the discloser), and a party seeking data to do research on (the recipient), under which the discloser agrees to share its data with the recipient.  The data sharing agreement should include:

  • The parties’ roles
  • The purpose of the data sharing
  • What is going to happen to the data at each stage
  • The standards set (with a high privacy default for children)
  • Details of the regular review process.

Where a Data Controller engages another party as Data Processor, a DPA needs to be put in place to ensure the data processor complies with their legal obligations and fully protects the personal data being processed on the controller’s behalf and the rights of the individuals whose data is being processed.

The IG policies and procedures are available in the Related Downloads section above.