Information Governance review: executive summary

The Information Governance (IG) Review report, of which this is the executive summary, describes the current IG landscape across health and care in Scotland, and makes a series of evidence-based recommendations for the improvement of IG.

1. Why did we need a review of information governance?

The people of Scotland expect technology and information systems to be part of how health and care services are delivered, and for that to be a seamless and almost invisible part of the process. To enable this, Scotland needs a streamlined national information governance (IG) approach (see Box 1) that addresses:

  • inconsistencies in decisions over the delivery and use of data and digital technologies;
  • variation in interpretation of current regulations; and
  • the risk appetite among organisations, which can obstruct or facilitate the realisation of benefits from digital and data-driven health and care innovation.

The National IG Review is one of the key IG and Assurance building blocks of the Digital Health and Care Strategy.

The IG Review report, of which this is the executive summary, sets out to:

  • describe the current IG landscape;
  • inform on options for evidence-based policy learned from other countries, as well as the IG community and stakeholders; and
  • make a series of recommendations for the effective re-design of IG structures and associated processes, while empowering people to manage information and privacy risks and opportunities successfully.

The Scottish Parliament Health and Sport Committee and other stakeholders have strongly emphasised the need to review how IG could be streamlined at a national level, with more efficient ways needing to be found to assess appropriately how fair, lawful, and secure proposals for digital and data-driven innovation are, and how information and privacy risks can be better managed with greater transparency and public engagement.

Box 1. What is IG?

There is no universal definition of IG. Definitions range from describing IG as a discipline or framework with a focus on sensitive personal data, to the broader application of risk-based privacy compliance across information assets.

The information management professionals' organisation ARMA International describes IG as: "the overarching and coordinating strategy for all organisational information."

The NHS Information Authority (England) defines its scope as "to do with the way the NHS handles information about patients/clients and employees, in particular personal and sensitive information".

The Accenture Institute for Health and Public Sector Value identifies IG with five interrelated disciplines: data privacy, data confidentiality, data security, data quality, and data integrity.

ISACA[1], an international professional association focused on IT governance, approaches governance as the alignment of information (and related technology) with the organisation's strategy, which involves "setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives".

For the purposes of this review, the working definition of IG amalgamates the concepts and wide scope illustrated in Box 1.


