Why do digital health companies need Information Governance support?

Data is key for a digital health company whether you are a start-up, several years down the line or an established presence in the space. Digital health companies will process a huge amount of personal and special category data relating to patient care. With big plans for that data, a digital health company needs to know how to use that data within regulations and the law. This can be a complex and potentially worrying situation, which is where an Information Governance or IG consultant can step in to help.


Aren’t Information Governance the people that say ‘no’?


An IG consultant worth their salt does not just say ‘no’. That doesn’t mean you can wring your hands and jump straight into monetising data with no thought to ethics, law, regulation, policy or procedure. Seriously, don’t do this.


What I might say is, you can do that as long as you put certain things in place that ensure that you stay within the law and regulations.


This may mean that you need consent for processing, for example. Consent needs to be informed, which means you need to tell people what you are going to do with personal data relating to them, and then do with it only what you have told them you will do. Consent can also be withdrawn at any time, so you need a process in place to respect these requests.

So, if you don’t think people will consent to your selling their data to a well-known controversial newspaper then perhaps focus on a more ethical use of the data.


If your ideas for data use are big and still ethical, then following good Information Governance puts the framework in place for you to undertake the processing appropriately and legally.


This may seem complex and time-consuming, but you should take the perspective that you’d rather make things right now, from the start. Set against potentially having to shut down a good earner, or waiting for a costly and reputation-damaging data breach, the cost and time taken now shouldn’t seem so off-putting.


What does an Information Governance specialist help with that we can’t do ourselves?


Data protection and compliance is clearly a risk that needs managing.


Using a specialist consultant to provide often complex advice and guidance should give you peace of mind that you are focusing on the right things in the right way.


The guidelines from the Information Commissioner’s Office are a good starting point for any company, but you need to know how best to put these into practice. Not forgetting, there are also the regulations the NHS puts in place for IG; you need someone to help you work through those policies and procedures to maintain appropriate compliance. For example, do you understand what the Caldicott Principles are and how to keep on the right side of them? I can help you with that.


Information Governance and Data Protection is just a tick-box exercise, right?


Wrong. It is true that you need policies and procedures to provide the framework for your colleagues, suppliers and contractors to ensure that everyone is working to the same standards, which may seem like a long list to be ticked off. The key to good compliance is to embed this into culture and day-to-day working practice.


Have you thought about how to ensure privacy by design and default, for example? I have the knowledge necessary to take you through a Privacy Impact Assessment with successful risk assessment before the risk turns into a costly and time-consuming incident.

I can provide you with training that goes beyond the e-learning package, helping you to understand how to work in a way that is Information Governance compliant, not just on specific projects but keeping IG at the forefront of colleagues’ minds every day.


GDPR is the buzzword of today, but it isn’t something a company can be compliant with if you don’t understand how it affects you and your colleagues on a daily basis. GDPR is everyone’s responsibility and, as a company and as an individual, you need to take accountability for compliance. How is accountability shown? Not just by employing an IG Consultant to do the work for you, but also by using them to train colleagues to work and act in a data protection compliant way.


You may even need an IG Consultant to manage your first Data Security and Protection Toolkit (DSPT) submission. The DSPT gives you a basic grounding in Information Governance, Information Security and Data Protection, if it isn’t treated as a tick-box exercise. The DSPT provides a framework that can be built on as it is reviewed year on year.

What about that tricky question a customer has asked about how you manage data? An IG Consultant can help you craft responses to IG-related documentation that customers have asked you to put in place as part of the contract or tender.


Perhaps you also need someone to act as a Data Protection Officer, to keep you in line with GDPR, UK GDPR and the UK Data Protection Act, giving you peace of mind that you have someone on hand to help when needed.


Been told you need to audit your current IG compliance and don’t even know where to start? Contact an IG Consultant.


There are many more examples of how employing an external IG consultant can help you manage your data in a successful way within the law and NHS regulations.


Does IG seem a bit overwhelming at the moment?


If you want someone to work with you, training on the job so that colleagues are upskilled to continue the work going forward, then look no further. I’m an IG consultant and I can help you. Get in touch for more information.



Louise Paddock, Director and Head Consultant at Paddock Privacy


Email: louise@paddockprivacy.com Tel: 07369 238 967






