Information governance

Last updated on 13 Dec 2019

Information Governance, to the HRA, is a framework for handling not only personal and sensitive information but all information in a robust and transparent manner, applying confidentiality and security where appropriate and operating to high ethical and quality standards. It is therefore about:

  • holding information securely and confidentially
  • obtaining information fairly and efficiently
  • recording information accurately and reliably
  • using information effectively and ethically
  • sharing information appropriately and lawfully.

To do this requires:

  • striking an appropriate balance between openness and confidentiality in the management and use of information;
  • fully acknowledging its public accountability, but equally placing an importance on the confidentiality of personal information and commercially sensitive information;
  • recognising the need to share information with other organisations in a controlled manner consistent with the interests of research and, in some circumstances, the public interest.

Our IG Confidentiality Code of Conduct sets out the standards that you can expect from us.


To help maintain the highest standards we have the following management structure:

  • the Director of Corporate Services is the Caldicott Guardian;
  • the Director of Finance is the Senior Information Risk Owner (SIRO);
  • the Data Protection Officer is Chris Dunn and can be contacted at;

  • directors, REC centre managers and heads of department are Information Asset Owners (IAOs);

  • an Information Governance Steering Group meets regularly to discuss current issues and monitor actions;
  • it has a suite of policies in place to ensure information is processed properly by all staff;
  • an established incident reporting procedure is in place that ensures all security information incidents are reported; and
  • it produces an annual information governance report reviewed by the Department of Health.

Relevant laws

The main codes, standards and laws which apply are:

Information Asset Register

All information assets and associated systems are identified and included in an Information Asset Register and are subject to annual information asset assessments. The principal information assets managed by the HRA are:

  • Integrated Research Application System: a web-based utility for researchers to make applications;
  • The HRA Assessment Review Portal (HARP): an application that supports the administration of Research Ethics Committees;
  • Business Services Authority (BSA) Human Resources (HR) division use the NHS Electronic Staff Records (ESR) system to store staff records;
  • Shared Business Services (SBS) finance and payroll also make use of ESR;
  • Electronic business information is stored on shared drives provided under the Department of Health’s Open Services contract with ATOS;
  • The website;
  • The training booking and management system;
  • Paper-based applications and associated documentation submitted for ethical review; and
  • Paper-based staff records.
