Information Governance

  • Tim Benson
  • Grahame Grieve
Part of the Health Information Technology Standards book series (HITS)


Information governance and security is a large topic, which has at its heart the ethical issue when it is right to share information. Data protection is built around some core principles, which are incorporated in HIPAA and other legislation. Healthcare staff are usually required to sign a confidentiality code of conduct. Computer systems use the concepts of consent, authentication (including OAuth) and authorization to implement access control policies. Cryptography is used to protect data from unauthorized reading. Individuals and organizations have rights and responsibilities, which may include anonymization or pseudonymization of data. These are usually set out in legal contracts.


Information governance Privacy Security Data protection HIPAA Confidentiality Consent Authentication Authorization OAuth Access control Cryptography Public key infrastructure (PKI) Digital signature Encryption Rights Responsibility Anonymization Pseudonymization Data controller 


  1. 1.
    Caldicott F. Information: to share or not to share: the information governance review. London: Department of Health; 2013.Google Scholar
  2. 2.
    ISO/ICE 27001:2013 – information technology – security techniques – information security management systems – requirements. International Organization for Standardization. 2013.Google Scholar
  3. 3.
    Health Insurance Reform: security standards; Final Rule. Department of Health and Human Services. Federal Register Vol. 68, No. 34. February 20, 2003.Google Scholar
  4. 4.
    OECD. Guidelines on the protection of privacy and transborder flows of personal data. Paris: OECD; 1980.Google Scholar
  5. 5.
    Rothstein MA. HIPAA privacy rule 2.0. J Law Med Ethics. 2013;41(2):525–8.CrossRefGoogle Scholar
  6. 6.
    Gunn PP, Fremont AM, Bottrell M, Shugarman LR, Galegher J, Bikson T. The health insurance portability and accountability act privacy rule: a practical guide for researchers. Med Care. 2004;42(4):321–7.CrossRefGoogle Scholar
  7. 7.
    ISO/TS 13606-4:2009 Health informatics – electronic health record communication – part 4: security.Google Scholar
  8. 8.
    HL7 implementation guide for clinical document architecture, release 2: consent directives, release 1. HL7 draft standard for trial use, CDAR2_IG_CONSENTDIR_R1_DSTU_2011JAN. January 2011.Google Scholar
  9. 9.
    Extensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard 2005. oasis-access_control-xacml-2.0-core-spec-os.Google Scholar
  10. 10.
    Cooper D et al. Internet X.509 public key infrastructure certificate and Certificate Revocation List (CRL) Profile. IETF Network Working Group RFC 5280. May 2008.
  11. 11.
    Ramsdell B (ed). Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 message specification. IETF Network Working Group RFC 3851. July 2004.

Copyright information

© Springer-Verlag London 2016

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Tim Benson
    • 1
  • Grahame Grieve
    • 2
  1. 1.R-Outcomes LtdNewburyUK
  2. 2.Health Intersections Pty LtdMelbourneAustralia

Personalised recommendations