Patient data and information governance policy (gp)

1. Purpose

This policy sets out how the Practice governs patient data, record access, Caldicott decision-making, data-breach response, subject access requests and learning from information-governance incidents.

It reflects the higher risk in primary care because GP records contain dense longitudinal clinical and personal information.

2. Sources to verify before adoption

• UK GDPR, Article 5: https://www.legislation.gov.uk/eur/2016/679/article/5
• UK GDPR, Article 6: https://www.legislation.gov.uk/eur/2016/679/article/6
• UK GDPR, Article 9: https://www.legislation.gov.uk/eur/2016/679/article/9
• UK GDPR, Article 33: https://www.legislation.gov.uk/eur/2016/679/article/33
• UK GDPR, Article 34: https://www.legislation.gov.uk/eur/2016/679/article/34
• Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents
• ICO, Personal data breaches: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
• ICO, Guide to UK GDPR: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/uk-gdpr-guidance-and-resources/
• GOV.UK, National Data Guardian review of Caldicott Principles: https://www.gov.uk/government/publications/the-caldicott-principles
• GOV.UK, Guidance on the appointment of Caldicott Guardians: https://www.gov.uk/government/publications/guidance-on-the-appointment-of-caldicott-guardians-their-role-and-responsibilities
• Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17: https://www.legislation.gov.uk/uksi/2014/2936/regulation/17

3. Scope

This policy applies to:

• patient records
• clinical correspondence
• referrals and results
• emails, letters, text messages and online messages containing patient data
• record access by staff
• subject access requests
• data-breach assessment and notification
• Caldicott decision-making
• information held in GP clinical systems, Verivius records and local Practice systems

It applies to all staff, GP partners, locums, contractors, trainees and suppliers who handle patient data for the Practice.

4. Lawful basis and Caldicott process

The Practice keeps a lawful-basis record for each main category of patient-data processing.

4.1 Lawful basis register

The lawful-basis register records:

• processing activity
• type of personal data
• type of special-category data
• purpose
• UK GDPR Article 6 basis
• UK GDPR Article 9 condition where health data is processed
• Data Protection Act 2018 condition where relevant
• retention position
• access controls
• data-sharing route
• source material checked

The Practice verifies each entry against current UK GDPR, Data Protection Act 2018 and ICO source material before adoption.

4.2 Caldicott Guardian role

The Practice identifies the person or role responsible for Caldicott decisions.

The Caldicott Guardian or equivalent senior information-governance lead:

• advises on patient-identifiable data use
• reviews high-risk sharing decisions
• supports breach assessment
• reviews record-access concerns
• advises on confidentiality and public-interest decisions
• reports themes to the governance group

The Practice verifies whether a formal Caldicott Guardian appointment is required for its service type and contract position.

4.3 Access to records

Staff access patient records only where there is a work-related reason.

The Practice:

• sets role-based access
• removes access when staff leave or change role
• audits access where concern is raised
• investigates access without clinical or administrative need
• records disciplinary, professional or regulatory action where required

Staff do not access their own record, family records or records of people they know unless there is a clear and recorded work reason approved by the Practice.

5. Data-breach decision tree

The Practice records every suspected personal data breach and assesses it promptly.

The decision tree covers:

• what data was involved
• whether the data identifies a patient or staff member
• whether special-category health data was involved
• how many people were affected
• who received or accessed the data
• whether the data has been recovered or contained
• likely risk to rights and freedoms
• whether ICO notification is required
• whether the patient or other person should be informed
• whether CQC, NHS or commissioner notification is required

For ICO notification, the Practice checks the current ICO wording. The exact ICO phrase "within 72 hours" is load-bearing and must not be restated from memory without checking the source.

6. Email, subject access and patient communication

The Practice treats misdirected email or message incidents as potential data breaches.

Staff:

• stop further sending where possible
• contact the unintended recipient where appropriate
• ask the recipient to delete or return the information where appropriate
• inform the Practice Manager or information-governance lead
• record the incident
• assess notification requirements
• update the communication process where needed

The Practice handles subject access requests through the current ICO and local Practice process. Staff log the request, verify identity, check exemptions or third-party information where relevant and record the response decision.

The Practice does not use this policy to restate statutory response deadlines. Staff check the current ICO source before recording a deadline.

7. Responsibilities

• Registered Manager: owns this policy, ensures information-governance oversight and signs off annual review.
• Caldicott Guardian or information-governance lead: owns patient-data sharing advice, breach assessment support and Caldicott decision records.
• Practice Manager: maintains access controls, supplier records, subject access logs and staff training records.
• Lead GP or GP Partner: reviews complex clinical confidentiality decisions and professional-risk cases.
• All staff: access records only for work reasons, report suspected breaches and follow secure communication procedures.

8. Recording requirements

The Practice keeps the following records:

• lawful-basis register
• data-sharing record
• Caldicott decision record
• system-access register
• record-access audit
• suspected breach log
• ICO notification decision
• patient notification decision
• email misdirection incident record
• subject access request log
• staff training records
• improvement actions

Records are kept securely and access is limited to staff who need them for care, governance or legal compliance.

9. Audit cadence

The Practice uses the following Verivius default audit rhythm unless current source material requires more frequent review:

• Monthly: the Practice Manager reviews open breach actions, subject access requests and urgent access changes.
• Quarterly: the governance group reviews data-breach themes, record-access concerns and staff training.
• Annually: the Registered Manager audits lawful-basis records, Caldicott records, access controls and this policy against ICO, UK GDPR, Data Protection Act and Caldicott source material.

Audit findings are recorded as improvement actions with an owner and review date.

10. Version control and review date

The Practice keeps a controlled copy of this policy. The footer or document-control table records:

• policy owner
• version number
• date approved
• next review date
• changes made since the last version
• source material checked during the review

11. Related records

• Data-breach register
• Subject access request log
• Caldicott decision log
• Staff access-control register
• Incident register
• Complaints policy
• Safeguarding policy
• Supplier register
• Improvement action register

Review cadence: annual or on regulatory change, whichever sooner. Owner: Registered Manager.