Guidance relating to information governance, with particular reference to best practice in the NHS.

Information governance includes the concept of CIA: confidentiality, integrity, and availability. The absence of any of these three concepts undermines the proper practice of information governance policies.

Confidentiality is the prevention of information disclosure to unauthorised individuals or systems. If information governance policies did not adequately maintain the confidentiality of research and development files, and these files were to be accessed by a rival company, the loss of confidential information would have a negative effect on the company.

Integrity ensures that the information has not been altered and is recorded and stored accurately. Easily gaining access to information is not of any value if the information in question is not what it should have been. In the interest of saving money on the cost of storage, a company would never consider randomly deleting sections of documents. Ensuring information integrity is crucial to supporting information governance.

Availability is the ability to access information when it is needed. If an organizational leader needs information for a shareholders' meeting, but cannot access the files, the availability of this information is too low and will undoubtedly have a negative impact on the shareholders' perception. If the availability of information is so low that the people who need it cannot access it, the information cannot properly serve its purpose. Information, no matter how valuable, is essentially worthless if it cannot be used to carry out tasks for which it is needed.

All three aspects of CIA must work together to achieve the necessary balance for information governance to function in the sought-after fashion. Too much or too little of any of these attributes will cause information governance to fail. Businesses should therefore apply these concepts on a case-by-case basis. Within the corporate structure, various documents may call for various levels of security. Research and development may be guarded more securely than lesser administrative functions like plans for company fire drills. Elements of CIA will need to be applied to all aspects of information, but it is up to the organization’s leaders to decide upon where and how much.

The Data Security & Protection Toolkit

This is the tool used by the NHS to assure itself that its organisations, and those it works with, have secure and legally compliant systems and processes for handling the large amount of sensitive personal data that they deal with daily.


NHS Information Governance

Information governance has long been an important field within the NHS due to the large-scale processing of sensitive personal data that the largest health organisation in the world undertakes.