Information Governance and Ethics


The purpose of the West Midlands Secure Data Environment (WMSDE) is to improve people’s health and care through research, by enabling ethical, legal and publicly endorsed access to de-identified health data. Health and care planners might also use health data through the SDE to design health and care services that work better for people living in our local communities.

Information governance (IG) and health data ethics are crucial both to managing how health data is used and to protecting it.

This workstream, made up of IG and ethics experts from across the region, is responsible for ensuring that data access processes within the WMSDE meet national legal and ethical standards. We put processes in place that ensure patient privacy is protected at all times, while enabling precious health data to be used to develop new treatments and healthcare pathways that will improve lives.

What is information governance?

Information governance refers to the set of policies, processes, and controls required to manage data effectively and responsibly. In the context of health data, information governance encompasses the management, protection, and proper use of all types of health-related information, including electronic health records, medical images, patient histories, and more.

Key aspects of information governance for health data include:

Data security

Implementing technical and organisational measures to protect health data from breaches, unauthorised access, and cyber threats. We do this by working with the WMSDE’s technical design authority workstream.


Adhering to legal and regulatory requirements related to health data protection, privacy, and security.

Data access and sharing

Defining who has access to health data, under what circumstances, and ensuring that data sharing complies with legal and ethical standards.

Data quality

Working with the WMSDE’s data and data standards workstream, ensuring that health data is accurate, complete, and reliable.

Data retention and disposal

Establishing how long health data should be held in the WMSDE, and in what format.

What is health data ethics?

Ethics, in the context of health data, refers to the moral principles and guidelines that govern the collection and use of health information, and the provision of access to it. It involves making ethical decisions and choices that respect individuals’ rights and promote their wellbeing.

Ethics in health data management includes considerations of autonomy (people being able to make their own decisions), beneficence (doing what’s in a person’s best interests), non-maleficence (not harming anyone), justice (being fair), and transparency (being open and honest).

Key ethical considerations for health data include:

Benefit to society

Balancing individual privacy concerns with the potential societal benefits that can arise from research and analysis of health data. We do this by working closely with the WMSDE’s data trust committee and its patient and public involvement, communications and engagement workstream.

Transparency in data use

Informing people about the research their data is supporting and providing them with information about the choices they have.

Anonymisation and de-identification

Stripping health data of identifying information to protect patient privacy when data is used for research or analysis.


Providing access to only the minimum data necessary to achieve the intended purpose, thereby reducing the risk of privacy breaches.

Fairness and equity

Ensuring the use of health data does not result in discrimination or bias. This is particularly important where healthcare data is used to develop innovations like artificial intelligence.

De-identified health data research

IG and ethics also cover the legal requirements for using de-identified health data in research. These laws include:

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that came into effect in May 2018 within the European Union (EU) and the European Economic Area (EEA). Although the UK has left the EU, these principles continue to apply under the UK GDPR.

GDPR has significant implications for the handling of health data, as it classifies it as a special category of personal data (also known as sensitive data). This means that health data is subject to stricter protections due to its sensitive nature.

UK legal requirements and confidentiality

In the UK, health data is also subject to specific legal requirements and ethical considerations:

Legal Duty of Confidentiality

Healthcare professionals in the UK have a legal duty to maintain the confidentiality of patient health information. This duty is rooted in common law, as well as professional codes of conduct. Breaches of confidentiality can lead to legal and disciplinary consequences.

Data Protection Act 2018

In addition to GDPR, the Data Protection Act 2018 (DPA 2018) is the UK’s domestic data protection legislation. It supplements and tailors GDPR provisions for UK contexts, including provisions regarding the processing of health data for reasons of public interest in the area of public health.

Caldicott Principles

These are a set of principles developed to guide the sharing of patient information within the UK’s health and social care system. They emphasise the importance of justifying the purpose of sharing, ensuring the minimum necessary information is used, and respecting patient privacy.

In summary, this workstream brings together regional experts who can contribute to all aspects of information governance, UK data law and health data ethics, to ensure health data is being used responsibly, ethically and legally.