Brighton & Sussex Medical School

Information governance

The legal framework governing the use of personal confidential data in health care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act, and the Human Rights Act.

The law allows personal data to be shared between those offering care directly to patients but it protects patients’ confidentiality when data about them are used for other purposes. These “secondary uses” of data are essential if we are to run a safe, efficient, and equitable health service.

They include:

  • Reviewing and improving the quality of care provided
  • Researching what treatments work best
  • Commissioning clinical services
  • Planning public health services

Generally speaking, people within the healthcare system using data for secondary purposes must only use data that do not identify individual patients unless they have the consent of the patient themselves. 


What this means for you

1) If you are handling any data from an NHS trust or collected from NHS patients or staff, you must complete the NHS Information Governance Training which is free to all BSMS students – the link is on studentcentral [link to be inserted here]

2) General principles for handling data:

  1. Storage
    a. Identifiable data: store this on Trust or university network storage which is password protected. Encrypted USB sticks can be used for temporary transportation. No portable media should be used for permanent storage or backup. Where patients have not individually consented to the project, patient identifiers (names, DOB, etc.) should not leave the clinical environment.
    b. De-identified data: store this on Trust or university network storage which is password protected.
  2. Sharing
    a. Identifiable data should not be shared with anyone else by email or cloud storage, e.g. Dropbox. Sussex University provides a university cloud storage system allowing file-sharing at
    b. De-identified data can be shared via email and institutional cloud storage.
  3. Transportation
    a. Identifiable data should only be transported on an encrypted device such as an encrypted laptop or an encrypted USB stick.
    b. It is still recommended that de-identified data is password protected on USB sticks, CDs and laptops.