Information Governance
How we handle your information


Every patient wishes to receive the best care possible.  Records that are accurate, complete, up to date and available to staff caring for you are critical to providing best quality care.
Your health record contains facts about your health including:

  • appointments

  • treatments and test results

  • the professional opinions of the staff caring for you.

These are used by staff to ensure they can offer you good care and treatment. Your records will only be used by staff treating you or administration staff who may book your appointments. 

Historically records have been on paper, but real progress has been and continues to be made on electronic health records.  Most General Practices and many hospitals and community services use some form of electronic record.

The benefits of electronic records are:

  • Available to staff who need them to care for you.  Paper records can be physically lost and are also only in one place at a time.
  • Improvements in completeness and accuracy, with more consistent recording of information.
  • Can be shared between staff who are working together to provide your care.
  • Aid provision of safe care by reducing possible errors

There are concerns about the security of electronic records, but many concerns are misguided and a lot of effort is put into appropriate security to be REASSURING  for patients


When you require care it is often the case that several organisations will be involved in providing it. To enable this to happen smoothly, information about you is shared between the staff in the organisations caring for you. The NHS works with many partner agencies such as Social Services, Education, Housing and the voluntary sector. Staff should discuss with you, what information they are sharing and why. You can always ask if you have any concerns.

Sometimes it may be very important for your information to be shared in order to prevent you or someone else coming to harm.

There are also a few laws that require the NHS to share information such as child protection cases, controlling infectious disease and protecting vulnerable individuals.

Any time your information is shared it will be done by the most secure method possible, this may be done by accessing information held in a secure database called Connecting Care. More information about Connecting Care, can be found at: care/

To understand more about what data is shared, why it is shared and how, it is best illustrated with a few scenarios as follows:

When your Doctor refers you to the hospital or a specialist

Following discussion with you, you Doctor will make contact with the staff providing the service you need.  They will pass relevant information about your health and condition, to enable the service to set up the further care you require.  This is often done by means of computerised booking systems that book you into a timeslot on the relevant clinic.  On other occasions your Doctor will write a letter to the service.

When your care with the other organisation is finished, they will routinely contact your Doctor and inform them of the care they have provided to you, how it has gone and any parts of the care your Doctor now needs to pick up.

Sharing with council services such as Social Care and Housing

Often where care is provided for you outside of hospital, there is a need to work with other agencies, so the whole package of care you require is provided.  Your health can be affected by factors such as your social welfare, and your housing situation.  Where it is necessary or beneficial to share some of your information with other services, staff will discuss with you what they need to share and why.

Many of the agencies work as integrated teams and share key details about you to avoid having to ask you lots of times.  Often a ‘common assessment’ or ‘single’ assessment is undertaken, particularly for services for children or older people and these assessments shared between the services that work together for the person in question.  This means the staff have access to information that is consistent, relevant and up to date and each member of staff does not have to ask the same questions as each other.

Sharing in emergency or urgent situations

There can on occasion be issues that need acting upon swiftly.  In such circumstances it isn’t always possible to talk to you beforehand.  If there is a concern that you or someone else might come to some harm or suffer avoidable distress, then information can be shared lawfully.  For example if an elderly patient is visited by a care worker, who has serious concerns about their state of health, they may well speak to the person’s GP, nurse or call emergency services or if there are concerns of possible abuse or domestic violence, staff may discuss such cases to check whether their concerns need acting upon.

Sharing where there is a legal duty

There are a number of situations that can arise where the law makes it a duty that information is shared.  In cases where children need to be protected organisations are duty bound to work together.  If any suspected terrorist activity is identified, then organisations are duty bound to inform the authorities.  If an individual contracts particular ‘communicable diseases’ then their Doctor is duty bound to notify authorities to ensure the spread of any disease is limited as far as possible (this includes Cholera, plague, smallpox and others).

All these duties to share information are set out in specific laws


The Health Service uses data extracted from patient records for a number of other purposes, all designed to ensure the service works as well and provides an appropriate level of quality.  The key uses are:

Quality monitoring

Whilst most treatments are effective and administered properly, occasionally things can go wrong.  Staff can make mistakes and work is undertaken to monitor staff performance to identify and address problems.  One activity that is undertaken is a periodic audit of patient records, to ensure that they are up to date, accurate and a reliable source of information for staff to use when caring for a patient.  Out of date, inaccurate or otherwise unreliable information can cause mistakes to be made with treatment.  Most checks on the quality of records are done by colleagues within the teams providing your care.  Occasionally the checks are undertaken by other health professionals. 

Developing services

In order to develop both new and existing services, information from patient records needs to be extracted and analysed.  Virtually all of this is done from electronic information and done on information where the identity of the person has been removed. 

Sometimes where a service is delivered across a number of organisations, such as a GP, a hospital and other health services, it is necessary to link the information from different records together, so what happened to individuals can be established.  This is only possible if there is some information that can link the data from different systems.  This is often done by use of the NHS number, which is a number unique to each patient, but used across different organisations and systems and can be used to link records and information together.  Where this is undertaken the personal details, such as name and address are removed and only the NHS number used to link the other details together.  Whilst the NHS number is linked to the identity details of an individual, it is effectively a pseudonym to prevent their identity being obvious.


The Health Service undertakes and participates in a large number of research programmes.  These vary in size and complexity, some are undertaken by extracting and analysing available data, whilst many need to identify individuals with specific illnesses and conditions and engage them in trials of new treatments and methods.

Fundamental to all research is a number of stringent checks.  These include checks on the potential use of patient records.  Where a study wishes to use information from records, the details are extracted by an individual, such as GP or nurse who already has access to the records and are then provided to the researcher in an anonymous format.

Where a researcher wishes to contact patients with particular conditions related to the subject of the research, they will ask a surgery or hospital to identify relevant patients and will give them some information for the surgery or hospital to send to the patient.  The patient then chooses whether to respond.  On this basis, the researchers do not know the identity of the individuals with the condition until the patient themselves decides it is ok for the researcher to know.

Research programmes are also checked to ensure the use of the information is ethical, appropriate and conducted in a manner that ensures the security of information that is recorded and shared.

Records and information are also used to educate new staff, but again the identifying details are removed from these records, or on occasion where this may not be easily achieved, the consent of the patient is sought and respected.


All organisations in the Health Service take the security and confidentiality of information very seriously and significant effort is put into ensuring that uses of information are as secure as they can be.  Each organisation is required to do the following:

  • Assess their security arrangements and report to the Department of Health twice a year.  The assessments are also checked by auditors once a year.
  • Ensure all staff are trained how to handle information and receive regular updates.
  • Run regular checks on the use of computerised records to ensure they are being used appropriately
  • Have processes to report concerns or issues and ensure they are addressed swiftly.
  • Ensure that controls around use of information are considered when developing and improving services.
  • Check the quality of information recorded on paper or on computer systems.



(Updated June 2016)
Information Governance, NHS SCWCS, South Plaza, Bristol BS1 3NX