Information governance policy

Policy statement 

Martin House Children’s Hospice is committed to ensuring we comply with the NHS Data Security & Protection Toolkit. We are also working towards PCI Compliance and Cyber Essentials Plus.
This policy is a summary of a suite of Information Governance policies that all staff have to comply with.


Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

It is, therefore, of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management. This will be audited on a regular basis through the completion of the NHS Data Security & Protection Toolkit (DSPT).

Martin House recognises that it holds a variety of information concerning its children, young people and their families, staff, volunteers and supporters necessary for the provision of clinical support and the continuing operation of Martin House.

This policy applies to all information held by Martin House in both paper and electronic format. It also applies to all transmitted and shared information.


Martin House recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. It fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about children, young people and their families, staff, volunteers and supporters and commercially sensitive information.
Where it is necessary to share information with other organisations, Martin House will do so in a controlled manner consistent with the interests of the child or young person and, in some circumstances, the public interest, and will ensure such disclosure is compliant with all relevant legislation and guidance.

Martin House recognises that accurate and relevant information is important in achieving the highest standards across Martin House and so expects all departments to ensure that they maintain the information held effectively.

There are 4 key interlinked strands to the Information Governance Policy:

Openness and transparency

Legal compliance

Information security

Quality assurance

Openness and Transparency

Martin House has a Data Subject Access Request Policy for providing information to children, young people or their guardians concerning their care, support and rights as service users. It also covers requests from staff, volunteers and supporters.

Non-confidential information will be communicated in a managed professional process to the public and other stakeholders, through a variety of methods, and we have clear procedures and arrangements for liaison with the media.

Legal Compliance

Martin House regards all identifiable personal information relating to patients, staff, volunteers and supporters as confidential.

It will establish and maintain policies to ensure compliance with the Data Protection Act, General Data Protection Regulations, Human Rights Act, common law of confidentiality, fundraising regulations and the requirements of regulatory bodies such as the Care Quality Commission.

Martin House has a Data Sharing Policy for the controlled and appropriate sharing of information with other agencies, taking account of relevant legislation.

Martin House is registered with the Information Commissioner for all the types of information that it processes and stores.

Martin House will undertake or commission regular assessments and audits of its compliance with legal requirements and the DSP Toolkit.

Information Security

Martin House has policies for the effective and secure management of its Information Assets and resources and will undertake or commission regular assessments and audits of its Information Security arrangements in order to comply with the DSP Toolkit.

Martin House has incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security in line with current procedures.

Martin House will support the maintenance of effective information security by ensuring all staff are trained in Data Security Awareness.

Information Quality Assurance

Martin House will establish procedures for information quality assurance and the effective management of records and will undertake or commission regular assessments and audits of its information quality and records management arrangements.

Martin House will support the maintenance and improvement of the quality of information held, by ensuring that all relevant employees receive effective training in the systems that they are using and in recording procedures.

Information Asset Owners will ensure measures are in place to support the quality of the data held. They will take ownership of, and seek to improve, the quality of information within their services.

Martin House will complete the Data Security & Protection Toolkit on an annual basis to review its Information Governance arrangements and standards.


The Board of Trustees has overall responsibility for Information Governance within Martin House, but has delegated this to the Senior Information Risk Officer (SIRO) who will monitor the action plans and activities on an on-going basis. It is the role of the Board of Trustees to define Martin House’s policy in respect of Information Governance, taking into account legal and NHS requirements.  The Board is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

The SIRO is a Strategic Management Team (SMT) member (usually the Chief Executive) who will take overall ownership of Martin House’s Information Risks and act as champion for information risk. The SIRO is expected to understand the strategic business goals of Martin House, how those goals may be impacted by information risks, and how those risks may be managed.  They are appointed by the Board of Trustees.

The Data Protection Officer is a Strategic Management Team (SMT) member (usually a senior clinician) who will inform and advise us about our obligations to comply with the GDPR and other data protection laws. They will monitor compliance with the law and our policies including raising awareness of data protection issues, training staff and conducting internal audits. They monitor and advise on data protection impact assessments and are the first point of contact for supervisory authorities and for individuals whose data is processed. They are responsible for processing all data subject access requests and must be independent, trained in data protection, adequately resourced and report direct to the Board of Trustees. In order to remain independent, they cannot hold any other IG role.

The Information Governance Support Manager & IG Lead (IGSM) is responsible for ensuring effective management, accountability and compliance.  The IGSM will ensure a positive IG culture through the delivery of an effective programme of training and awareness in IG for all staff and volunteers.

The SIRO and IGSM will provide an annual report to the Board of Trustees in January and report on any data risks at their quarterly meeting.

The Caldicott Guardian is responsible for the establishment of procedures governing access to, and the use of, person-identifiable patient information and, where appropriate, the transfer of that information to other bodies.

The Information Governance Steering Group (IGSG) is a standing committee accountable to the Board of Trustees via the Strategic Management Team (SMT).
Its main purpose is to:

  • support the Senior Information Risk Owner (SIRO) and Caldicott Guardian in undertaking their functions;
  • support and drive the broader information governance agenda;
  • provide the SMT and the Board of Trustees with the assurance that effective Information Governance best practice mechanisms are in place within Martin House;
  • ensure the Data Security & Protection Toolkit is completed annually and submitted; and
  • be responsible for overseeing day-to-day Information Governance issues; developing and maintaining policies, standards, procedures and guidance, and raising awareness of Information Governance.

Information Asset Owners are the senior members of staff (usually SMT members) responsible for:

  • data management
  • ensuring that their teams are aware of all policies relating to Information Governance
  • ensuring that their teams have undertaken the relevant training (this will apply to any temporary employees and volunteers)
  • ensuring that the policy and its supporting standards and policies are built into local processes and that there is on-going compliance
  • ensuring all staff, whether permanent, temporary or contracted are made aware of the requirements of confidentiality when working in the building and are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day-to-day basis.


All employees will be required to undertake annual mandatory training in Information Governance, which will be monitored through the appraisal process. They will also be informed of the need to be compliant with all policies relating to Information Governance as part of their ICT induction.

Policy Approval

Martin House acknowledges that information is a valuable asset, therefore it is wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.

This policy, and its supporting policies, are fully endorsed by the Board through the production of these documents and their recorded approval.

I trust that all staff, contractors and other relevant parties will, therefore, ensure that these are observed in order that we may contribute to the achievement of the Hospice’s objectives.

Signed by Martin Warhurst (Senior Information Risk Officer)
On 18 December 2018, following approval by the Board.
