Information Governance

Why we have this policy 

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is therefore of paramount importance that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management. 




Position held within the practice





Much of the material is based upon personal experience of conducting CQC inspections, draft legislation and pilot inspections. We hope that you will find this helpful. RightPath4 Limited reserves the right to amend, change and alter this document without notice to you at any time it deems proper to do so. This document should only be used as part of ongoing improvements to your CQC obligations and compliance in conjunction with other training and resources available to Registered Providers. No guarantee is given and no responsibility will be accepted for changes you decide to make or judgement decisions by CQC inspectors which vary from those expected within this document. 

Improvement and regulatory compliance is a journey rather than a destination and RightPath4 encourage you to share your experiences with us and by so doing enhance the service we provide to patients, the duty we have towards our staff, the value of our businesses and of course the efficacy and proportionality of our Regulators. 

None of the above exclusions and limitations is intended to limit any rights you may have under statute or statutory instruments. 

Diana Hayes CEO RightPath4 Ltd

Scope and purpose

This Information Governance policy provides an overview of the practice’s approach to information governance; a guide to the policies and procedures in use; and details about the IG management structures within the dental practice, including patient information and involvement, team training and monitoring.  


All team members, whether permanent or temporary, and including contractors, are responsible for ensuring that they are aware of and comply with the requirements of this policy and the procedures and guidelines produced to support it. 

A Confidentiality Agreement is signed by all employees, self-employed contractors and third parties.


The practice’s approach to Information Governance

This practice undertakes to implement information governance effectively and will ensure the following: 

  • Information will be protected against unauthorised access;
  • Confidentiality of information will be assured;
  • Integrity of information will be maintained;
  • Information will be supported by the highest quality data;
  • Regulatory and legislative requirements will be met;
  • Business continuity plans will be produced, maintained and tested;
  • Information governance training will be available to all staff as necessary to their role;
  • All breaches of confidentiality and information security, actual or suspected, will be reported and investigated;
  • All the principles of the GDPR 2018 will be observed within this practice at all times;
  • The Data Controller appointed in this practice is Shahid Mansoor.


Policies in use in this practice
This Information Governance Policy is underpinned by the following policies:


  1. Data Security Policy:- Data Security Policy.docx
  2. Confidentiality Policy:- Confidentiality Policy.doc
  3. Data Protection Policy (Includes Information Handling):- Data Protection Policy and Code Of Practice.docx
  4. Access to information policy:- Access To Information Policy.doc 
  5. Password Policy:- Password Policy.docx


Procedures in use in this practice

This Information Governance policy is underpinned by the following procedures:


  • Records management procedure that sets out how patient dental records will be created, used, stored and disposed of;
  • Business continuity plan that sets out the procedures in the event of a security failure or disaster affecting computer systems.



Staff compliance with the procedures is supported by the following guidance material:


  • Records management: guidelines on good record keeping;
  • Staff confidentiality code of conduct: sets out the required standards to maintain the confidentiality of patient information; obligations around the disclosure of information and appropriately obtaining patient consent;
  • Access control: guidelines on the appropriate use of computer systems;
  • Information handling: guidelines on the secure use of patient information;
  • Using mobile computing devices: guidelines on maintaining confidentiality and security when working with portable or removable computer equipment;
  • Information incidents: guidelines on identifying and reporting information incidents.

Responsibilities and accountabilities

The designated Information Governance lead for the practice is the practice manager.

The key responsibilities of the lead are:


  • Developing, implementing and reviewing IG policies, procedures and processes for the practice
  • Ensuring a Confidentiality Agreement is signed by all employees, self-employed contractors and third parties.
  • Coordinating the activities of any other practice staff given data protection, confidentiality, information quality, records management and Freedom of Information responsibilities
  • Raising awareness and providing advice and guidelines about IG to all staff
  • Ensuring that any training made available is taken up
  • Supporting IG training during induction of new team members/staff
  • Supporting IG training as part of the practice commitment to ongoing personal and professional development for all team members/staff
  • Conducting an IG risk assessment at least annually
  • Conducting periodic IG compliance checks as necessary
  • Ensuring that patient data is kept secure and that all data flows, internal and external, are periodically checked against the Caldicott Principles
  • Monitoring information handling in the practice to ensure compliance with law, guidance and practice procedures
  • Information incident management, including recording, reporting, analysing and sharing learning
  • Ensuring patients are appropriately informed about the practice’s information handling activities.
  • Seeking feedback and sharing feedback with the team to improve outcomes

The day-to-day responsibilities for providing guidance to staff will be undertaken by the practice manager.


The practice provider is responsible for ensuring that sufficient resources are provided to support the effective implementation of IG in order to ensure compliance with the law, professional codes of conduct and the NHS information governance assurance framework (if applicable).



We inform and involve patients by communicating this policy to them with our Data Protection Code of Practice. We regularly monitor and act on feedback from patients and staff regarding their experience in the practice and make changes as appropriate.



This policy has been approved by the undersigned and will be reviewed on an annual basis. Questions about this policy or associated procedures should be raised with the practice manager or owner.