Information governance in local quality improvement

Guidance | Published: 05 Nov 2021

This guide describes how information governance (IG) laws and principles apply to the use of personal data in local or regional multi-agency healthcare quality improvement studies such as clinical audit, productivity reviews, intervention testing, and service evaluation.

It is designed to assist clinicians, quality improvement specialists, support staff and service users who lead, take part in, or review, local and regional quality improvement studies such as clinical audits, with the application of IG law to their work.

Disclaimer: Due to the dynamic nature of IG, readers are advised to seek expert advice and refer to updated national guidance as appropriate. This guidance document does not constitute legal advice. HQIP will highlight changes and update this page with links to national information where appropriate as it becomes available.


This guide was reviewed and updated in November 2021. Going forward, we will not be updating this guide, however you can find important updates below:

Joint Data Controllership

  • The NHS Commissioning Board is renamed NHS England. Most of the functions of NHS Improvement are transferred to NHS England. This establishes a single regulatory body responsible for overseeing the funding, planning, delivery, transformation, and performance of NHS healthcare in England.

Organisational changes

  • Merger of NHS Digital and NHSX into NHSE new Transformation Directorate (November 2021) – NHSX is now part of the NHS Transformation Directorate
  • PHE officially became the UK Health Security Agency (UKHSA).
  • Integrated care systems (ICS). ICS have two statutory components: integrated care boards (ICBs) and integrated care partnerships (ICPs). ICBs will take on the commissioning functions of CCGs and are responsible for developing integration and collaboration, and for improving population health across the system. ICBs are accountable for NHS expenditure and performance within the system. They can exercise their functions through place-based arrangements. ICPs are statutory joint committees established by ICBs and their partner local authorities in the system. ICPs bring together partners from across the system to develop an integrated care strategy to address the health, social care, and public health needs of the population.


The ICO must take the code into account when considering whether you have complied with your data protection obligations when sharing data.

  • Control of Patient Information (COPI) Notices expired on 30 June 2022 – the COPI Notices required the processing of confidential patient information to take place for the purpose of managing the response to the COVID-19 pandemic (the public health emergency). They gave health professionals the security and confidence to share data to support the response to the pandemic. Health Service (Control of Patient Information) Regulations 2002 still apply and can be used as legal basis for processing data for Covid-19 purposes.

The deadline for health and care organisations to comply with the national data opt-out policy expired on 31 July 2022. For more information visit the NHS Digital website.

You can read the report by clicking on the link below.

Please send any feedback or comments to us by emailing [email protected].

Don’t miss out. Sign up to be notified when this resource is updated and to receive updates about other related quality improvement resources, events and news from HQIP. Or you can  .

By continuing you agree to receive emails with updates and other information from HQIP and you are confirming you are over the age of 13.

Please read our privacy policy to understand how HQIP uses the information you provide, your use of HQIP’s website and your interaction with the marketing emails to improve the relevance of the communications we send you. You can unsubscribe at any time.

I have read and agree with the contents of the privacy policy.

Information governance in local quality improvement