P&P149.Information Governance under the GDPR Policy.docx

Information Governance under the General Data Protection Regulation Policy 

Introduction and Policy Aims

From May 2018, all organisations and businesses must comply with the General Data Protection Regulation (GDPR), which consolidates the current data protection laws under the Data Protection Act 2018. Organisations that have been compliant with data protection laws are likely to remain compliant with much of the GDPR, which, however, introduces additional requirements, particularly regarding information governance.

This policy sets out how Focus Care Link meets its information governance duties and responsibilities under current data legislation and the GDPR.

The policy should be used with other relevant policies on:


Information governance represents the systems, policies, procedures and processes adopted by Focus Care Link to ensure that data is always:

The policy describes how this care provider manages any data that it keeps and to which it has access, so that the information is always held safely and securely, and is lawfully used. In carrying on its business of providing care and treatment, Focus Care Link will obtain and use the personal data of different groups of people: its service users and others relevant to them, its employees and others, such as contractors and suppliers of goods and services. Focus Care Link is bound by law and its registration requirements to achieve established standards in its handling and management of information.

In addition to the record-keeping policies described above, the information governance framework includes several interrelated policies and procedures that contribute to its effectiveness. They include:

Legal Requirements

Focus Care Link recognises that information governance requirements have developed from a raft of legislation and statutory guidance, including:

It also acknowledges the importance of complying with Regulation 17: Good Governance of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which requires registered care providers to have effective systems and processes for, among other aspects of administration, keeping records on every service user, maintaining records and striving for continuous improvements to their systems (see Regulations 17(c), (d) and (f)).

Focus Care Link recognises that it must also comply with the Information Governance Alliance: Records Management Code of Practice for Health and Social Care 2016 (referred to here as the Records Management Code of Practice), if, as an adult social care provider, its care records are integrated and used with service users’ NHS records. This will be the situation of care homes and domiciliary care services that have contracts with local Clinical Commissioning Groups, which expect the services they commission to apply the Records Management Code of Practice.

Included in a contract could be a requirement that Focus Care Link will achieve the information governance quality standards as set out in the Code of Practice, by regularly completing the Information Governance Toolkit (IGT), an online self-assessment framework that has become standard for NHS bodies and partner organisations to use. The IGT is being updated to be fit for purpose in relation to the GDPR that applies from May 2018.

The Information Governance Framework


The information governance framework for Focus Care Link covers all records used for or with the care and treatment of its service users, staff records and administrative records likely to contain confidential information. All such records will be handled and kept safely, securely and lawfully to the same standards established by the Records Management Code of Practice regardless of their formats, including written records, forms, photographs, audio-visual, CCTV records, computer and smart device electronic records.

The component parts

Focus Care Link recognises that it must achieve agreed standards for each aspect of its information governance system, which, following the Records Management Code of Practice and the GDPR requirements, requires attention to the following.

Records system design

Each set of records and record keeping arrangements are designed so that they are always fit for purpose (including using an appropriate format) and can be correctly handled and maintained. All features of the record keeping arrangements are kept under constant review, regularly audited and changed or replaced if they become unfit for purpose and fail to achieve the required standards.

Records handling and use

Focus Care Link has put into place effective procedures to ensure that records storage, arrangements for authorised access, information sharing, transfer of records, and quality of recording are all maintained to the required standard as per the respective policies referred to in the Introduction.

Audit, review and retention

All records and record-keeping systems are regularly audited and reviewed for their current purpose and quality in line with Focus Care Link’s auditing schedules. Records that are no longer needed will be stored or archived safely and securely for the retention periods set out in the Records Management Code of Practice (Appendix 3).


At the minimum retention date, records will be appraised to identify if they will be required further, and if not, they will be safely disposed of. Where service users’ health and social care records have been integrated (as they might be in an NHS-owned or commissioned facility or care home with nursing), Focus Care Link will comply with the eight-year retention period stated in Appendix 3 of the Records Management Code of Practice.


The eight-year retention period given in the Records Management Code of Practice is at variance with the three-year minimum retention period that, for data protection reasons, applies to care homes and domiciliary care services where they have independent record-keeping systems.


Focus Care Link will safely dispose of all records that have passed their minimum retention period and are no longer needed. The methods of safe disposal will depend on the type of record. Paper records will always be confidentially shredded and records kept of the means and date. Electronic records stored on computers, smartphones or other such devices will be disposed of using approved methods and IT expertise.

Management Responsibilities

Focus Care Link has designated people for information governance in each of its locations and at organisational level. [The exact arrangements will depend on Focus Care Link structure.] This includes the designation of people to be responsible for the co-ordination and completion of the IGT self-assessment work.

Where responsibilities are delegated to someone other than the registered manager, the person(s) will be responsible to the registered manager, who will be responsible to the registered provider (or service lead for information governance).

Every person with information governance responsibilities has clearly defined roles for ensuring the safe, secure and lawful use of the records for which they are responsible, for oversight of any or all stages of the lifecycle of the salient records from design to disposal (see above), and for maintaining standards.

Anyone with information governance responsibilities will be suitably inducted and trained to fulfil the requirements of their role and will be required to make regular reports to their line manager so that there is a clearly defined reporting process operating throughout and to the top of Focus Care Link.

Achieving, Maintaining and Improving Information Governance Standards

Focus Care Link is committed to ensuring that all personal data that it creates, uses, handles and manages, achieves and maintains the highest standards of information governance possible. It recognises that the current benchmarks are provided by the IGT, which is the responsibility of NHS Digital (formerly the Health and Social Care Information Centre). These benchmarks will also be consistent with the General Data Protection Regulation, which was passed in 2016 with a view to being implemented from May 2018.

Focus Care Link might be required by its commissioning authority to make active use of the IGT. Without specific requirements, Focus Care Link considers that it is good practice to benchmark its information governance achievements against the IGT and to develop improvement plans from the results.

Focus Care Link considers that it will achieve the IGT standards (at level 1/2) by, for example:

Losses and Breaches of Information Safety and Security

Focus Care Link will act quickly to repair and mitigate any damage or harm caused by accidental or deliberate loss of sensitive data or breaches of the established policies and procedures in the handling of the data, especially if the events are harmful or potentially harmful to its service users.

Focus Care Link will always investigate thoroughly any loss of information or breaches in the handling of sensitive information and will fully co-operate with other organisations that might be involved in the loss or damage, including police if there is evidence that criminal acts have been committed.

Employees who fail in their duty of care to protect sensitive information will be subject to Focus Care Link’s disciplinary proceedings. If Focus Care Link receives a complaint about the mishandling or loss of personal data, it will investigate the matter through its complaints procedures, which might also entail working with other organisations with whom the data is shared.

Focus Care Link will also take suitable action against any third parties with access to sensitive information, who have not followed the required policies and procedures over confidentiality, etc.

In the event of individuals suffering significant harm from any personal data losses or being placed at high risk of being harmed, Focus Care Link will, in line with its legal obligations under the GDPR, inform the Information Commissioner’s Office so that it can investigate.


New care staff are trained in Focus Care Link’s policies and procedures for record keeping, consent and confidentiality, etc. as part of their induction training, which follows the Care Certificate Standards framework.

All staff can expect to receive instruction and dedicated training as needed in Focus Care Link’s record keeping policies and procedures.

Staff with specific roles and responsibilities for information governance at any level in Focus Care Link can expect to receive the relevant training to achieve required information governance standards, and to implement the GDPR.

Management    November 2020