A comprehensive guide to NHS data governance — from Caldicott Principles and data sharing agreements to CIS2 identity management and ICS data flows.
The Caldicott Principles (updated 2020) form the ethical and governance foundation for NHS data handling. Every NHS organisation must apply these principles to decisions about patient data use.
1. Every proposed use or transfer of confidential patient information should be clearly defined and scrutinised to establish whether the purpose is justified.
2. Confidential patient information should not be used unless it is absolutely necessary. Anonymised data should be used wherever possible.
3. Where use of confidential patient information is considered essential, each individual item of information should be justified.
4. Only those individuals who need access to confidential patient information should have access to it.
5. Action should be taken to ensure that those handling confidential patient information are aware of their responsibilities and obligations.
6. Every use of confidential patient information must be lawful. UK GDPR, the DPA 2018, and the common law duty of confidentiality all apply.
7. Health and social care professionals have a duty to share information for direct care purposes. Sharing can be as important as protecting.
8. Patients should be aware of how and why their information is used and what choices they have. This is fundamental to maintaining public trust.
When NHS organisations share patient data with other organisations (including for research or commissioning), a formal Data Sharing Agreement (DSA) is required. DSAs must specify the legal basis, data types, retention periods, and security controls.
The National Data Opt-Out allows patients to opt out of their confidential patient information being used for purposes beyond their direct care. Organisations using data under section 251 of the NHS Act 2006 must apply opt-outs.
Section 251 of the NHS Act 2006 allows the Secretary of State to set aside the common law duty of confidentiality for specified purposes. Applications are reviewed by the Confidentiality Advisory Group (CAG).
NHS Care Identity Service 2 (CIS2) provides the national identity platform for NHS staff. It enables Smartcard and NHS login-based authentication with role-based access to NHS systems.
Serious data security incidents must be reported to NHS England's Data Security Centre as well as to the ICO. NHS organisations have specific reporting obligations beyond UK GDPR.
Integrated Care Boards (ICBs) and their partner organisations routinely share patient data for population health management, direct care, and commissioning. Clear governance frameworks are essential.
Key information governance roles and the guidance that defines them:
Caldicott Guardian: A senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Usually a senior clinician. Every NHS Trust must have one. (Source: National Data Guardian guidance, 2021)
Senior Information Risk Owner (SIRO): A board-level executive accountable for information risk. Responsible for overseeing the DSPT submission and signing off the organisation's information security posture. (Source: DSPT requirement; Cabinet Office guidance)
Data Protection Officer (DPO): Mandatory under UK GDPR for public authorities (including NHS Trusts). Must be independent, expert in data protection law, and report directly to the highest management level. (Source: UK GDPR Article 37)
Information Asset Owner (IAO): Responsible for individual information assets, understanding what data is held, how it is used, and who has access. Reports risks to the SIRO. (Source: NCSC guidance; HMG Security Policy Framework)
Folelse is purpose-built for NHS organisations. From DSPT evidence to Caldicott-compliant ROPA mapping, we have you covered.