Information governance guidance

Our information governance (IG) pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.

Search A-Z


A

Accessing health and care data for research on data-driven technology (external guidance)

This guidance gives a step-by-step overview of the process for accessing health and social care data for research of data-driven technologies.


Access to patient records through the NHS App

The NHS App is changing to make it easier for patients to read new entries in their GP record. This guidance focuses on what this change, or “switch on”, will mean for IG, and the key things that patients, GPs and IG professionals should know.


Access to the health and care records of deceased people

This guidance provides advice on access to health and care records following the death of an individual.


A just culture guide for information governance and cyber security

This guidance supports organisations to understand and embed a just culture in their IG and cyber security risk management work, taking a compassionate approach to and learning from any data incidents.


Amending patient and service user records

Guidance and advice on patients and service users requesting changes to their health and care records. It also covers how staff should amend records.


Artificial intelligence

Guidance on the IG implications of using artificial intelligence (AI) in health and care settings and around the lawful and safe use of data for AI innovations.


B

Bring your own device (BYOD) guidance

Bring your own device (BYOD) is where employees use their own devices, including mobile phones, for work purposes. This guidance aims to support their safe and secure use within health and care organisations.


C

Caldicott principles (external guidance)

Eight principles to ensure people's information is kept confidential and used appropriately.


IG guidance explaining what consent means in relation to using and sharing confidential patient information.


Cookies and visitor activity trackers

Brief guidance on visitor activity trackers in the context of health and care.


D

Data flows

Brief guidance for IG professionals about data flows to countries outside of the European Union (EU).


E

Equality, Diversity and Inclusion (EDI) in Health and Care Research pilot

Brief guidance about a pilot taking place which will allow the Department of Health and Social Care (DHSC) and the National Institute for Health and Care Research (NIHR) to access data to better understand Equality, Diversity and Inclusion (EDI) in health research.


F

Freedom to speak up

This guidance helps patients and staff of NHS organisations understand the freedom to speak up process, and helps freedom to speak up guardians and IG professionals manage information raised in a safe and appropriate way.


G

GP data for Consented Research Service

Brief guidance about the GPES Data for Consented Research Direction 2026, which legally requires NHS England to collect data from GP records and share it with approved research studies. 


Guidance for Confidentiality Advisory Group (CAG) applicants (external guidance)

Detailed guidance from the Health Research Authority on submitting an application to the Confidentiality Advisory Group (CAG) for both research and non-research purposes.


H

HIV and Sexually Transmitted Infections (STIs)

A guide to how HIV and sexually transmitted infection (STI) information is kept confidential, used and shared.


I

Identifying controllers and processors in health and care

This guidance is designed to help IG professionals identify whether health and care organisations are acting as a controller, joint controller or a processor in relation to the processing of personal data.


Information Governance Framework: Shared Care Records

The IG Framework for Integrated Health and Care: Part 1 – Shared Care Records has been developed to provide a structured approach to ensure Shared Care Records meet their legal obligations.


Information governance in local quality improvement (external guidance)

This guide by the Healthcare Quality Improvement Partnership (HQIP) describes how IG laws and principles apply to the use of personal data in multi-agency healthcare quality improvement studies.


Information risk and impacts to individuals following personal data breaches

This guidance provides detailed information on the potential negative impacts or risks associated with the breach of certain types of information and actions that may need to be taken.


Information sharing between private health care services and NHS England

Guidance about NHS England requesting information from private health and care organisations and services to meet its legal obligations.


Information sharing in multidisciplinary teams

IG advice for health and care professionals about sharing information to support patient and service user care across multidisciplinary teams (MDTs).


Information sharing in social care

This guidance will support adult social care professionals with their legal duty to share information to support individual care.


Information sharing with the Department for Work and Pensions (DWP)

This guidance provides advice on information sharing with the Department for Work and Pensions (DWP) to support the assessment of benefits claims.


Inquiries, reviews, investigations and court orders in health and social care services

This guidance is aimed at providing health and care services with IG advice on how to deal with requests for records from statutory public inquiries, non-statutory public inquiries and courts.


Integrated Care Boards (ICBs) and risk stratification

This short guidance explains what risk stratification means for ICBs and how they can receive approval to lawfully use this process.


Integrated care systems (ICSs), integrated care boards (ICBs) and integrated care partnerships (ICPs) - a quick guide

Advice and guidance for IG professionals about sharing information between organisations within different collaborative systems, as well as determining controllership arrangements.


L

This guidance gives an overview of the legal requirements for using health and care data in the development and deployment of data-driven technologies.


Local authorities sharing information with NHS England

This brief guidance helps IG professionals working in local authorities understand the laws and issues to consider to ensure their information sharing with NHS England is lawful.


M

Microsoft 365 Copilot information governance guidance

This guidance sets out the IG implications of using Microsoft 365 Copilot in health and care settings.


N

NHS numbers as identifiers

Brief guidance about NHS numbers as identifiers.


O

OpenSAFELY COVID-19 and Data Analytics services

Brief guidance for IG professionals about the OpenSAFELY COVID-19 and the OpenSAFELY Data Analytics Services.


P

This guidance provides advice to patients and service users on what a personal breach is and helps health and care organisations deal with personal health breaches.


Personal health budget holders: data protection advice

Data protection advice for personal health budget holders who employ a personal assistant.


Protecting people’s confidentiality and privacy on the telephone

Brief guidance to help health and care professionals understand how to ensure people’s privacy when calling them about their health care.


R

Records Management Code of Practice

The Records Management Code of Practice sets out how records relating to health and care should be managed.


Requesting information from a public body: freedom of information

The Freedom of Information Act (FOIA) allows people to request any recorded information held by a public body. This guidance is to help health and care organisations deal with a Freedom of Information (FOI) request.


S

Sharing information during major incidents and emergencies

This guidance provides advice to patients and service users, healthcare professionals and IG professionals on sharing health and care information in emergency situations. It does not cover sharing staff information in an emergency.


Sharing information relating to Infected Blood Compensation Authority claims

Advice on information sharing with the Infected Blood Compensation Authority (IBCA) to support claims from those who have been impacted.


Sharing information with the police

This guidance is about disclosure of information by health and care organisations to the police.


Sharing information with the voluntary sector

This guidance provides information to health and care organisations on how information about patients and service users can be shared safely with the voluntary sector.


Sharing information with unpaid carers

This guidance aims to advise those being cared for, carers and health and care professionals about how to share confidential information about an individual to support their care.


Staff access to health and care systems from non-UK countries

This brief guidance helps IG professionals understand how to deal with requests from staff members to access health and care information technology systems from countries outside the UK.


Subject access requests (SAR)

This guidance will help patients and service users to understand what a subject access request (SAR) is and how they can make a request. It also supports staff and IG professionals to respond to subject access requests in a timely manner.


Summary Care Record and the national data opt out

Brief guidance to help IG professionals to understand more about the Summary Care Record (SCR) and the national data opt out.


T

Texting, emailing and messaging patients and service users

This guidance covers IG topics you need to think about when sending or receiving messages about health and care services by text, email or other types of messaging.


The UK COVID-19 Inquiry information governance guidance

Brief guidance to support the health and care system to prepare for the UK COVID-19 Inquiry.  


U

UK GDPR guidance for researchers and study coordinators (external guidance)

This operational guidance has been produced by the Health Research Authority for researchers and study coordinators on the implications of the UK General Data Protection Regulation (GDPR) for the delivery of research in the UK.


Use and share information with confidence

This guidance will support staff to use and share information with confidence when caring for patients and service users.


Use of mobile devices by patients in hospitals

This guidance provides advice for patients using mobile devices such as phones, tablets and cameras in acute hospitals.


Using AI-enabled ambient scribing products in health and care settings

IG guidance on the use of Artificial Intelligence (AI) enabled ambient scribing products in health and care settings.


Using information for reflective practice

This guidance provides advice on how patients' and service users' information should be used for reflective practice. 


Using video conferencing and consultation tools

This guidance sets out how video conferencing and consultation tools can be used safely and securely.


V

Video surveillance systems in health and care

Brief guidance for IG professionals to understand what processes they need to follow before they deploy video surveillance systems on their indoor or outdoor premises.


Virtual wards

Guidance setting out the IG considerations around virtual wards, which support people, who would otherwise be in hospital, to receive the care and treatment they need in their own home or usual place of residence.


W

What is and isn’t direct marketing

This guidance considers the rules on direct marketing in the context of health and care communications. It includes some case studies.