Information Services Division


Information Governance FAQs

What is ‘Sensitive Data’?

Within the SLMS information governance context, we use the terms 'sensitive' and 'person identifiable' data to mean any data used in research that could potentially identify an individual. This includes datasets containing small numbers of individuals, and seemingly anonymised datasets that can be linked together in a way that results in disclosure. For reference, the Data Protection Act uses a slightly different definition of Sensitive Data.

Who is UCL’s Caldicott Guardian?

All NHS organisations have a Caldicott Guardian, a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. UCL does not have a Caldicott Guardian; the nearest equivalent within the SLMS is the Senior Information Risk Owner (SIRO).

Can the SIRO sign this form that says my study complies with [insert name here] standard?

Only if there is evidence to show that this is the case. The SIRO requires assurance that a study complies with the relevant legal and regulatory standards before signing. We can help you assess the risks and put in place appropriate measures to satisfy the relevant regulatory bodies.

How much IG training do I need to do?

If you are completing an Information Governance Toolkit submission, your Information Asset Owner (usually the PI) will need to supply evidence of appropriate information governance training for everyone handling sensitive data. The SLMS Information Governance Training and Awareness Service runs regular training events, and a 40-minute session covers the basic training requirement. Further training is detailed in SLMS-IG16: Training Needs Analysis (PDF).

What is ISO27001?

The ISO 27000 family of standards defines an Information Security Management System (ISMS): a set of controls, selected on the basis of a risk assessment, that maintain the confidentiality, integrity and availability of information. ISO 27001 is the standard within the family that specifies the requirements an ISMS must meet. A key feature of an ISMS is that it is regularly audited to ensure that the controls remain effective and adapt to changing circumstances.

The Department of Health's Information Governance Toolkit is based upon ISO 27001.

What is Section 251?

Section 251 (of the NHS Act 2006) allows the common law duty of confidentiality to be set aside in specific circumstances where anonymised information is not sufficient and where obtaining patient consent is not practicable. For example, a research study may require access to patient identifiable data where the cohort is too large for consent to be sought from each individual.