Information Governance FAQs

The FAQs below can assist you in understanding basic Information Governance (IG) concepts. For a comprehensive glossary of IG-related terms, see IG Definitions (PDF).

You can find more detailed information within the IG policies and procedures.

Specific FAQs relating to the Data Protection Act (DPA) 2018 can be found in DPA FAQs.

Latest guidance updates covering DPA and Information Security can be found in IG recent updates.

Frequently asked questions

View all Close all

Who is responsible for information governance at St George’s?

All St George’s staff have a responsibility for Information Governance (IG), but there are some specialised roles:

The University IG lead is the Director of Information Services - Rob Churm - in his capacity as the Senior Information Risk Owner.

The IG Team (who work within Information Services) are:

Head of Information Governance: Geoff Gray MBE
Data Protection Officer (DPO): Claire Morrissey

Each Institute or Directorate has an assigned Information Governance Lead, details of who can be found on the Information Governance_Framework page.

Contact Details:

For non-urgent enquiries please use the above email links.

For urgent enquiries or reporting please use the following email link - Data Protection

Details of the teams full responsibilities can be found on the IG Team Webpage

What is information security?

Information security is the preservation of confidentiality, integrity and availability of data, information and information systems.

Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.

Integrity: safeguarding of the accuracy and completeness of information assets.

Availability: information is accessible and usable upon demand by an authorised entity.

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared where appropriate, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and life-cycles.

What is the Data Security and Protection (DSP) Toolkit?

The DSP Toolkit is an updated replacement of the previous NHS Information Governance Toolkit and includes enhanced cyber security assessments. In practice, it is an online self-assessment tool that all organisations must use if they have access to NHS data and/or systems so as to provide assurance that they are practising good data security and that personal information is handled correctly. There are mandatory requirements within the toolkit which must be met with clear evidence of compliance.

Why have I been asked to complete the Data Protection Awareness and Information Security Awareness Modules in the HR Learning Management System?

Two main reasons:

1. The ICO require organisations that handle personal data to provide Data Protection and Information Security training to all their staff.

2. One of the DSP mandatory requirements is that annually 95% of staff in an organisation handling NHS patient data must have completed data protection and information security awareness training. If this is not achieved then St George’s will not be DSP compliant, which will have a major impact on our research work – NHS Digital will not approve the release of patient data for research to our institutes and other research agencies or funders may elect not to use St George’s in the future.

What is the General Data Protection Regulation (GDPR)?

GDPR is an UK regulation, built from the EU GDPR, which strengthens and unifies data protection for all individuals within the UK. It came into force on the 25 May 2018 and is covered within the UK Data Protection Act 2018 (DPA).

For GDPR-specific questions and answers, go to GDPR FAQs.

What do I do if I receive a request for information from a member of the public?

There are two types of information a person may request from St George’s – personal or general. It is important that both types are dealt with quickly as there is a legal timeframe to respond.

Personal

Any request relating to an individual, whether made by that individual or by a third party, is a request for personal information and is dealt with under the GDPR/DPA 18 either as a Subject Access Request (SAR) or third-party request. St George’s has 1 month to respond to such requests. If you receive such a request then inform the Data Protection Officer immediately.

Guidance on SARs can be found at Requests for personal information.

General

A request for information in general, which doesn’t focus on an individual, is dealt with as a request under the Freedom of Information Act (FOI). St George’s has 20 working days to respond to such requests. If you receive such a request then inform the FOI Officer immediately.

For details on how to handle FOI requests, go to Freedom of Information.

What is a personal data security breach and how do I report it?

What is a Personal Data Breach? Guidance can be found here.

St George’s has a well-defined data security breach reporting process. If you come across a personal or confidential data security breach, complete the data incident report form and send it to dataprotection@sgul.ac.uk, inform your line manager and, if possible, secure any data found.

What is a Data Protection Impact Assessment (DPIA)?

Any personal data processing activity MUST comply with the requirements of the DPA 2018. A DPIA is a process which helps the appropriate information asset owner, project manager or principal investigator to assess privacy risks to individuals in the collection, use and disclosure of information. The DPIA must be carried out for a new system, new business process or research project, both internal and partnership, that require the collection and/or use of personal data. Any questions as to whether a DPIA is required should be raised with St George’s Data Protection Officer.

A standard DPIA Template can be found under Information and Technical Security Policies.

For Research Projects please contact the JRES.

How do I share personal identifiable information (PII) externally?

Information sharing agreements must be in place if you are planning to share PII outside of St George’s. There are many things to consider before PII can be shared, so look at St George’s information sharing protocol in the first place. It is also recommended to discuss this with St George’s Data Protection Officer.

What video conferencing tools can I use?

St George', University of London hosted videos conferences and meetings are to be carried out by the use of Microsoft Teams or Teams Live. Due to recognised security concerns we do not allow the use of of other video conferencing services for St George's hosted events without the approval of the Senior Information Risk Owner (siro@sgul.ac.uk). Staff or students can take part in externally hosted video conferences / meetings that use other tools, such as Zoom or Zoho, but St Georges's sensitive data (including personal identifiable data) is not to be communicated at these events and staff or students are not to initiate meetings using these tools.

Guidance

St George's Zoom Security Guidance (Word)

National Cyber Security Council Guidance for videoconferencing (PDF)

Where do I find research related information governance guidance?

Guidance on information governance with research projects can be found in the Information Governance for Heatlh Research web pages.

What guidance is available for recording of teaching activities off-campus?

Guidance for all staff involved with teaching and learning activities off-campus such as hospital trusts, GP practices, or other field locations where patients are involved can be found here. Guidance

Explore St George's

We want to improve healthcare for everyone

Our research impact

Education transformation project

St George’s partners with Tachmed to accelerate new at-home digital diagnostics