Information Governance

Information is a vital asset to support the activities of the Clinical Informatics Research Group, both in terms of its research portfolio and its educational programme. It is of paramount importance to ensure that healthcare data entrusted to the Research Group for the purposes of research and teaching is efficiently and securely managed, and that appropriate policies, procedures and management structures provide a robust governance framework for information management consistent with legal obligations, and national and professional guidelines.

The Research Group works within the research and Information Governance frameworks for health and social care in the United Kingdom and is compliant with the University’s best practice standards. The University of Surrey is registered with the Information Commissioner’s Office Data Protection Register and is compliant with the Data Protection Act and other legislation.

The Clinical Informatics Research Group has continuously worked to adapt to the changing research environment to reflect innovations in technologies and developments in Information Governance standards. In 2013, the Research Group reviewed its Information Governance policies and procedures against the criteria of the NHS Information Governance Toolkit Version 11, and the review was subsequently approved by the IG Subject Matter Expert, Information Governance, Health and Social Care Information Centre. A number of new Departmental policies and procedures were approved by the Faculty as a result of this review. The Research Group is currently reviewing its processes and policies with a view to meeting the standards set out in the Information Governance Toolkit Version 12.

Minimum IG training

As required by NHS Data Security Standard 3 in the Caldicott 3 Review, all staff members of the Research Group, including students, associated and temporary staff members, who need to access patient-level healthcare data as part of their roles are required to complete the Data Security Awareness training on an annual basis.

The NHS Digital recommended Data Security Awareness Level 1 e-learning package is now live on  Level 2 and Level 3 learning material will be released over the coming months.  The Security Awareness Level 1 training covers the following 4 topics for which there will be a short mandatory assessment at the end:-

  • Introduction to security awareness
  • Information and the law
  • Data security – protecting information
  • Breaches and incidents

The modules can be taken in any order and the system will record the assessment pass mark and issue a certificate on successful completion (a score of 80% or more).

The IG Lead has registered all existing data processing or research active staff members (and will register all new staff members as they join the Research Group) to access this training.  To access your e-learning, please go to and click the ‘Log in’ button, enter the username and password provided by NHS Digital, and complete your on-line training.  Please send Tom Chan a copy of your certificate for our records.

Information Incident Management and Reporting Procedures

An information security incident is a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of University and Departmental Information security policies.  Examples of information security incidents include:-

  • Computer system intrusion
  • Unauthorized or inappropriate disclosure of sensitive institutional data
  • Suspected or actual breaches, compromises, or other unauthorized access to U-M systems, data, applications, or accounts
  • Unauthorized changes to computers or software
  • Loss or theft of computer equipment or other data storage devices and media (e.g., laptop, USB drive, personally owned device used for university work) used to store private or potentially sensitive information
  • Denial of service attack or an attack that prevents or impairs the authorized use of networks, systems, or applications
  • Interference with the intended use or inappropriate or improper usage of information technology resources.

At the University level, the responsibility for coordinating a response to information incidents is assigned to Mr Andy Sherman, Senior Information Security Analyst. The Senior Information Security Analyst, or one of his colleagues as appropriate, is contactable at and , and will invoke the Cyber Security Response Protocol and escalate to the CRAC (Cyber-Security Response and Compliance) team of the University as appropriate.

Within the Research Group, all members of the Group have a duty to report any potential or actual breaches of information security as soon as they are identified, initially to the Project Manager and/or the Head of Department. The Head of Department, on receipt of a report of any potential or actual breach of information security, will triage the incident report, coordinate effective management of the incident, and direct onward reporting to the University and to the commissioning/funding organisation and research partners at the project level, as appropriate.

Where an onward report to the University is directed by the Head of Department, the staff members will report the incident to the IT Support Help Desk (if urgent, copy in The IT Support Help Desk uses a support system that will assign any Information Security issues directly to the Senior information Security Analyst.

All reports of potential or actual breaches of information security are reviewed in the Research Group’s monthly Governance Review Group to detect patterns and revise procedures as needed.

Disease Surveillance Programme: GDPR Statement

The Royal College of General Practitioners, Research and Surveillance Centre (RCGP RSC) has worked for over 50 years in partnership with Public Health England and its predecessor bodies in disease surveillance. The RCGP RSC, through its weekly upload of pseudonymised data, is the principal primary care surveillance system across England. The information technology, analysis capability, and clinical leadership of the RCGP RSC are based at the Clinical Informatics and Health Outcomes Research Group, University of Surrey.

The Clinical Informatics and Health Outcomes Research Group’s research outputs utilize only pseudonymised information for its disease surveillance projects. The Surrey Research Group is compliant with Article 6 of the EU General Data Protection Regulation 2016/679 (GDPR) in the use of personal data, and Article 9 in the use of special category sensitive data (such as health data). The Surrey Research Group works within the governance framework of the University, NHS Digital and the Medical Research Council. For the vast majority of our PHE/RCGP RSC projects, the legal basis for our work is medical research (consent or Section 251 exemption if we need patient identifiable information for some specific tasks, such as data linkage with Hospital Episode Statistics). The Research Group’s processes have been approved by the RCGP RSC and PHE, and accepted by NHS Digital and the relevant NHS ethics committees (where ethical approval is needed).

The Research Group also meets the transparency requirements of GDPR. ‘Privacy notices’ are an integral part of all project information published by the Surrey Research Group on the RCGP RSC websites. The project information is also made available to general practices for sharing on their websites, and/or displayed as posters in the waiting areas of surgeries. Within the published project information for patients, the Research Group provides patients with contact details of the investigators, their right to opt out, and how to opt out.

Patients who have opted not to share their information for disease surveillance will be respected by the RCGP RSC and by the Surrey Research Group (there are some exemptions in exceptional circumstances, such as a pandemic, where PHE is required to monitor diseases as a national emergency). The Research Group will not extract records of patients who have registered opt-out codes in the GP information system. The opt-out codes are only superseded where a patient has subsequently given written consent to share their data for specific projects.

If you require further details of the Research Group’s NHS information governance and GDPR compliance arrangements, please contact: –
Dr Filipa Ferreira:
Dr Tom Chan: