Information Governance

Information is a vital asset to support the activities of the Clinical Informatics Research Group, both in terms of its research portfolio and its educational programme. It is of paramount importance to ensure that healthcare data entrusted to the Research Group for the purposes of research and teaching is efficiently and securely managed, and that appropriate policies, procedures and management structures provide a robust governance framework for information management consistent with legal obligations, and national and professional guidelines.

The Research Group works within the research and Information Governance frameworks for health and social care in the United Kingdom and is compliant with the University’s best practice standards. The University of Surrey is registered with the Information Commissioner’s Office Data Protection Register and is compliant with the Data Protection Act and other legislations.

The Clinical Informatics Research Group has continuously worked to adapt to the changing research environment to reflect innovations in technologies and developments in Information Governance standards. In 2013, the Research Group reviewed its Information Governance policies and procedures against the criteria of the NHS Information Governance Toolkit Version 11, and the review was subsequently approved by the IG Subject Matter Expert, Information Governance, Health and Social Care Information Centre. A number of new Departmental policies and procedures were approved by the Faculty as a result of this review. The Research Group is currently reviewing its processes and policies with a view to meeting the standards set out in the Information Governance Toolkit Version 12.

Minimum IG training

As required by the NHS Data Security Standard 3 in the Caldicott 3 Review, all staff members of the Research Group, including students, associated and temporary staff members, who need to access patient-level healthcare data as part of their roles are required to complete the Data Security Awareness on an annual basis.

The NHS Digital recommended Data Security Awareness Level 1 e-learning package is now live on  The Security Awareness Level 1 training covers the following 6 topics for which there will be a short mandatory assessment at the end:-

  • Introduction
  • Data security awareness
  • Introduction to law
  • Threat to data security
  • Breaches and incidents
  • General data Protection Regulations

The modules can be taken in any order and the system will record the assessment pass mark and issue a certificate on successful completion (a score of 80% or more).

The IG Lead has registered all existing data processing or research active staff members (and will register all new staff members as they join the Research Group) to access this training.  To access your e-learning, please go to and click the ‘Log in’ button, enter the username and password provided by NHS Digital, and complete your on-line training.  Please send Tom Chan a copy of your certificate for our records.

Information Incident Management and Reporting Procedures

An information security incident is a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of University and Departmental Information security policies.  Examples of information security incidents include:-

  • Computer system intrusion
  • Unauthorized or inappropriate disclosure of sensitive institutional data
  • Suspected or actual breaches, compromises, or other unauthorized access to U-M systems, data, applications, or accounts
  • Unauthorized changes to computers or software
  • Loss or theft of computer equipment or other data storage devices and media (e.g., laptop, USB drive, personally owned device used for university work) used to store private or potentially sensitive information
  • Denial of service attack or an attack that prevents or impairs the authorized use of networks, systems, or applications
  • Interference with the intended use or inappropriate or improper usage of information technology resources.

At the University level, the responsibility for coordinating a response to information incidents is assigned to to Mr Sam Wong, Head of IT Security. The IT Security team are contactable at and , as appropriate, will invoke the Cyber security response protocol and escalate to the CRAC (Cyber-Security Response and Compliance) team of the University as appropriate.

Within the Research Group, all members of the Group have a duty to report any potential or actual breaches of information security as soon as they are identified, initially to the Project Manager and/or the Head of Department.   The Head of Department, on receipt of the report of any potential or actual breaches of information security, will triage the incident report and coordinate an effective management of the information incidents, and direct onward reporting to the University and to the commissioning/ funding organisation and research partners at the project level, as appropriate.

Where an onward report to the University is directed by the Head of Department, the staff members will report the incident to the IT Support Help Desk (if urgent, copy in ). The IT Support Help Desk uses a support system that will assign any Information Security issues directly to the Senior information Security Analyst.

 All reports of potential or actual breaches of information security are reviewed in the Research Group’s monthly Governance Review Group to detect patterns and revise procedures as needed.