Frequently asked questions
All St George’s staff have a responsibility for Information Governance (IG), but there are some specialised roles:
The University IG lead is the Director of Information Services - Rob Churm - in his capacity as the Senior Information Risk Owner.
The IG Team (who work within Information Services) are:
Each Institute or Directorate has an assigned Information Governance Lead; details of whom can be found on the Information Governance Framework page.
Contact Details:
For non-urgent enquiries please use the above email links.
For urgent enquiries or incident reporting please use the following email link - Data Protection
Details of the team's full responsibilities can be found on the IG Team webpage.
Information security is the preservation of confidentiality, integrity and availability of data, information and information systems.
Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.
Integrity: safeguarding of the accuracy and completeness of information assets.
Availability: information is accessible and usable upon demand by an authorised entity.
An information asset is a body of information, defined and managed as a single unit so it can be understood, shared where appropriate, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and life-cycles.
The Data Security and Protection (DSP) Toolkit is the updated replacement for the previous NHS Information Governance Toolkit and includes enhanced cyber security assessments. In practice, it is an online self-assessment tool that every organisation with access to NHS data and/or systems must complete, to provide assurance that it practises good data security and handles personal information correctly. The toolkit contains mandatory requirements which must be met with clear evidence of compliance.
Two main reasons:
1. The ICO requires organisations that handle personal data to provide Data Protection and Information Security training to all their staff.
2. One of the DSP mandatory requirements is that, each year, 95% of staff in an organisation handling NHS patient data must have completed data protection and information security awareness training. If this is not achieved then St George’s will not be DSP compliant, which will have a major impact on our research work: NHS Digital will not approve the release of patient data for research to our institutes, and other research agencies or funders may elect not to work with St George’s in the future.
GDPR is a UK regulation, derived from the EU GDPR, which strengthens and unifies data protection for all individuals within the UK. It came into force on 25 May 2018 and is supplemented in UK law by the Data Protection Act 2018 (DPA).
For GDPR-specific questions and answers, go to GDPR FAQs.
There are two types of information a person may request from St George’s – personal or general. It is important that both types are dealt with quickly as there is a legal timeframe to respond.
Personal
Any request relating to an individual, whether made by that individual or by a third party, is a request for personal information and is dealt with under the GDPR/DPA 2018, either as a Subject Access Request (SAR) or as a third-party request. St George’s has one month to respond to such requests. If you receive such a request, inform the Data Protection Officer immediately.
Guidance on SARs can be found at Requests for personal information.
General
A request for information in general, which does not focus on an individual, is dealt with as a request under the Freedom of Information Act (FOI). St George’s has 20 working days to respond to such requests. If you receive such a request, inform the FOI Officer immediately.
For details on how to handle FOI requests, go to Freedom of Information.
What is a Personal Data Breach? Guidance can be found here.
St George’s has a well-defined data security breach reporting process. If you come across a personal or confidential data security breach, complete the data incident report form and send it to dataprotection@sgul.ac.uk, inform your line manager and, where possible, secure any data involved (for example, retrieve a misdirected document or lock away a found device) so that it is not disclosed further.
Any personal data processing activity MUST comply with the requirements of the DPA 2018. A Data Protection Impact Assessment (DPIA) is a process which helps the appropriate information asset owner, project manager or principal investigator to assess the privacy risks to individuals arising from the collection, use and disclosure of information. A DPIA must be carried out for any new system, business process or research project, whether internal or in partnership, that requires the collection and/or use of personal data. Any question as to whether a DPIA is required should be raised with St George’s Data Protection Officer.
A standard DPIA Template can be found under Information and Technical Security Policies.
For Research Projects please contact the JRES.
An information sharing agreement must be in place if you are planning to share personally identifiable information (PII) outside St George’s. There are many things to consider before PII can be shared, so consult St George’s information sharing protocol first. It is also recommended that you discuss the proposed sharing with St George’s Data Protection Officer.
Video conferences and meetings hosted by St George's, University of London are to be carried out using Microsoft Teams or Teams Live. Due to recognised security concerns, we do not allow the use of other video conferencing services for St George's hosted events without the approval of the Senior Information Risk Owner (siro@sgul.ac.uk). Staff or students can take part in externally hosted video conferences or meetings that use other tools, such as Zoom or Zoho, but St George's sensitive data (including personally identifiable data) is not to be communicated at these events, and staff or students are not to initiate meetings using these tools.
Guidance
St George's Zoom Security Guidance (Word)
National Cyber Security Centre (NCSC) guidance for video conferencing (PDF)
Guidance for all staff involved with teaching and learning activities off-campus, such as at hospital trusts, GP practices or other field locations where patients are involved, can be found here.