This website uses cookies

We use essential cookies to make this website work. Additional cookies help us to make improvements (analytics) or are set when we incorporate functionality from other websites, such as video, social media feeds and ReachDeck (text-to-speech and translations). More on how we use cookies

Set preferences

This site is best viewed with a modern browser. You appear to be using an old version of Internet Explorer.

Information Governance and confidentiality

Good information governance practice helps to ensure that personal information about all individuals is dealt with legally, securely, effectively and ethically.

Our Trust Policies, setting out our approach to information governance, can be found at the links below.

This covers information about:

  • patients
  • staff
  • contractors
  • corporate business, and
  • interactions with other relevant organisations.

Oxford University Hospitals has its own Information Governance Team which ensures this framework is followed throughout the organisation. It provides training to all staff to ensure that they comply with the law and best practice.

Contact us

What are the standards and requirements that make up information governance?

  1. Confidentiality NHS Code of Practice
  2. Data Protection Act 2018
  3. Information Security Management NHS code of Practice
  4. International standard for Information Security: ISO/IEC 27002:2005
  5. Health Records Management
  6. Records Management NHS Code of Practice
  7. Information Quality
  8. Payment by Results Code of Conduct
  9. The Freedom of Information Act 2000
  10. Corporate Records Management

Data processing

The Trust is required by the General Data Protection Regulation (GDPR) 2016 Article 35 to carry out a Data Protection Impact Assessment (DPIA) in situations where the Trust is contemplating the processing of data which could impact the rights and freedoms of individuals. A list of Data Protection Impact Assessments can be found at the link below.

Data Protection Impact Register (pdf, 87 KB)

Copies of Impact Assessments can be disclosed on request by contacting the Information Governance Team.

Patient confidentiality

Everyone working for the NHS has a legal duty to keep information held about you confidential and secure.

Information concerning you or your condition can often be of a sensitive nature, which you may not wish to be known by others. Staff dealing with information are under an obligation by law to make sure it is protected at all times.

Giving patients the best care possible often means sharing personal information with others, for example, other Trust departments or GP practices directly concerned with your treatment.

Whenever information is shared, Oxford University Hospitals staff adhere to strict codes of confidentiality. Guidelines are in place to ensure all staff deal with patient information in the strictest confidence.

These are known as the Caldicott Principles:

Principle 1 - Justify the purpose(s) for using confidential information.
Every time patient-identifiable information is transferred in an organisation it should be clearly defined and scrutinised, and the transfer process should be regularly reviewed by an appropriate guardian.

Principle 2 - Don't use patient-identifiable information unless it is absolutely necessary.
Patient-identifiable information should only be used if there is no other alternative.

Principle 3 - Use the minimum necessary patient-identifiable information.
Every measure should be taken to ensure the use of patient identifiable information is justified by reducing how easily it can be identified.

Principle 4 - Access to patient-identifiable information should be on a strict need-to-know basis.
Only those individuals who need access to patient-identifiable information should have access to the information items that they need to see.

Principle 5 - Everyone should be aware of their responsibilities.
Action should be taken to ensure clinical and non-clinical staff who handle patient-identifiable information are aware of their obligations to respect patient confidentiality.

Principle 6 - Understand and comply with the law.
Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality.

Caldicott Guardian

The Trust also has a Caldicott Guardian who is responsible for upholding the Caldicott Principles and advising the Trust on the protection of patient confidentiality in accordance with your legal rights.

Dr Alastair Moore
Acting Caldicott Guardian
Level 3, Academic Centre
John Radcliffe Hospital
Headley Way
Headington
Oxford OX3 9DU

caldicott.guardian@ouh.nhs.uk

Last reviewed:18 August 2023

In this section