Information governance

Information Governance provides a framework to bring together all the legal rules, guidance and best practice that apply to the handling and safeguarding of information to ensure it is:

  • Held securely and confidentially
  • Obtained fairly and efficiently
  • Recorded accurately and reliably
  • Used effectively and ethically
  • Shared appropriately and lawfully.

As part of our information governance, we must comply with the following legislation:

  • Data Protection Act 2018
  • General Data Protection Regulations 2016
  • Access to Health Records Act 1990
  • Caldicott Principles (updated 2013)
  • Freedom of Information Act 2000
  • Environmental Information Regulations.

At its core, our Information Governance is about setting a high standard for storing/handling information, and having the tools, systems and processes in place to achieve that standard.

How we manage information governance

Our information governance is managed through our Information Governance Steering Group, which is attended by our Data Protection Officer (DPO) and Caldicott Guardian (CG), and chaired by our Senior Information Risk Owner (SIRO).

  • The SIRO is responsible for information risk across the CCG. They ensure everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. They also ensure our Governing Body and the Accountable Officer are kept up-to-date on all information risk issues. Our SIRO is Caroline Gregory, Chief Financial Officer.
  • The Caldicott Guardian is responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. They ensure there is a balance between maintaining confidentiality and the delivery of appropriate care as well as advising our Governing Body on any major issues that may arise. Our Caldicott Guardian is Gill May, Director of Nursing and Quality.
  • The DPO is responsible for tasks as defined in Article 39 of the General Data Protection Regulations (GDPR). These tasks include informing the CCG and its staff about their obligations to comply with GDPR, monitoring compliance, cooperating with the ICO, and being the first point of contact for the ICO and individuals whose data is processed by the CCG. Our DPO is Julie-Anne Wales, Head of Corporate Governance and Planning.

Our SIRO, Caldicott Guardian or DPO can be emailed at

To ensure our staff demonstrate information governance best practice, we give them training provided by NHS Digital. We also have a number of policies to support good information governance:

Keeping information confidential

Everyone working in/for the NHS is responsible for ensuring the personal data of patients and staff is kept secure and confidential. Personal data is information about any living person which can lead to them being identified. Examples of personal data are:

  • Name
  • Address
  • Email address
  • Date of birth
  • Medical records.

We may hold personal data manually or electronically, for example in filing cabinets or on computer disks. The use of personal data is controlled by the seven Caldicott Principles and the Data Protection Act Principles.

Subject Access Requests

Individuals can find out if we hold any personal information about them by making a request under the Right of Access under GDPR, more commonly called a Subject Access Request.

If we do hold information about you we will:

  • Give you a description of it
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy of the information in an intelligible form
  • Correct any mistakes in the information held.

You can apply for information as a third party for someone that you are responsible for, including for a child. You will need to provide proof that you are allowed to act on their behalf.

Please download and complete a subject access request form. We will need copies of information that confirms your identity. Details of acceptable types of identification documents are included in the application form. Please do not send in any original copies of documents.

You can email your completed form and electronic copies of your identification documents to where your request will be managed by NHS South, Central and West Commissioning Support Unit on behalf of Wiltshire CCG.

You can also request your information by email, telephone or by writing to us.

Our contact details are:


Telephone: 01380 728899 and ask for Information Governance

Postal Address:
Wiltshire CCG Subject Access Requests
Information Governance Team
NHS South, Central and West Commissioning Support Unit
Southgate House, Pans Lane, Devizes, SN10 5EQ

In line with the Access to Health Records Act 1990, personal data about deceased individuals can be requested. These requests will be treated in the same way as SARs.

There will not normally be a charge for a right of access request (SAR).

Freedom of Information

To be open and transparent, and in line with the Freedom of Information (FOI) Act 2000, we publish records of our management and decision-making processes. To find out more, including how to submit an FOI request, visit our Freedom of Information webpage.