This article is part of a series: Bennett Institute teams

What is Information Governance?

Information Governance (IG) is the term given to a set of rules (sometimes called a “framework”) about how researchers access patient data; the purpose of the framework is to allow organisations to maintain the highest standards for patient privacy, whilst adhering to the necessary legal frameworks and best practice ethical principles.

Who are we?

The IG Team includes our Team Director Dr Amir Mehrkar, a senior clinical researcher and practising NHS GP, and our research administrator Liam Hart.

What do we do?

The IG Team supports the research cycle from application to the publication of research. We establish if researchers are properly trained, ensure they have the correct permissions in place to access patient data, and provide them with the policies they must adhere to in order to protect patients’ privacy.

Our work includes:

  1. Confirming that an applicant’s proposal falls within the legal framework and area of focus that OpenSAFELY has been permitted to access patient data; since the start of the pandemic, OpenSAFELY was permitted to access patient data for COVID-19 related analyses (referred to as the NHS England OpenSAFELY COVID-19 service), but working with NHS England, the BMA, RCGP, privacy advocates and patient groups, we are hoping to extend to non-COVID-related analyses.
  2. Working with external bodies (in particular the HRA) to ensure the OpenSAFELY platform and the application process align with existing ethical requirements expected when patient NHS data is used (for research, service evaluation and audit).
  3. Overseeing developer and researcher access to the platform
  4. Checking that researchers abide by accepted codes of practice, such as those learnt on Safe Researcher courses, and supporting them to adopt the OpenSAFELY Open Science principles.
  5. Being the primary contact for any IG issues such as responding to incidents and data breaches.
  6. Working alongside other OpenSAFELY teams to ensure we give due consideration to the governance, privacy and security issues associated with our support processes and technology developments; for example, ensuring the Co-pilot team, who support the external researcher throughout their research analysis-review-publication lifecycle, are clear about the applicant’s study purpose; or ensuring our developer teams are clear about the controls we have agreed with external data providers regarding the secure transfer and access to their datasets; or how new features, such as OpenSAFELY Interactive, continue to align with our agreed IG frameworks.
  7. Working with external data providers (such as the Office for National Statistics, ISARIC and UK Kidney Association) and NHS England to draw up, implement and review data sharing agreements for new data that will be made available to OpenSAFELY.


The IG Team’s involvement begins even before any patient data is made available for analysis, principally by identifying the legal basis (under UK GDPR and Common Law) for processing patient data; for the OpenSAFELY COVID-19 related studies this is explained here. This work requires that we support NHS England to complete all the necessary IG documentation, such as: the Data Protection Impact Assessment (DPIA); Data Processing Agreements (DPAs) with EMIS and TPP; Data Sharing Agreements (DSAs) with data providers.

And once the OpenSAFELY platform was established, we worked with our developers to create an easy to use online application form, which describes all the requirements expected of researchers. The application form helps us: review applications at the weekly NHS England approval meetings; ensure researchers sign our data access agreement; and make sure applicants know what additional supportive information is required for an audit, a service evaluation or a research application.

Our conduct ensures we adhere to new developments and evolving thinking that support best practice in research.

We take pride in being thought leaders in the design and implementation of Trusted Research Environments and work to build relationships with key external organisations; these include:

  • Health Research Authority (HRA);
  • Office for National Statistics (ONS);
  • formerly NHS Digital;
  • Simulation and Integrative Learning Institute (SAIL);
  • British Medical Association (BMA);
  • Royal College of General Practitioners (RCGP);
  • MedConfidential;
  • the Department of Health and Social Care (DHSC).

Responding to the potential threat of misuse of patient data remains an ongoing priority for us, and to do this well we strive to foster an open “no-blame” culture to help our teams, researchers and collaborators to share concerns, risks and incidents. We review legal, ethical or contentious aspects of studies and platform developments with our stakeholders. Our other arm of support comes from the Policy team to co-produce governance processes, and assist on matters related to Patient and Public Involvement and Engagement (PPIE).

As we look forward, with the immediate risks of the pandemic subsiding, we are turning our attention to supporting NHS England to identify a permanent legal basis for OpenSAFELY, as well as championing the benefits of OpenSAFELY beyond COVID-19 purposes. We are delighted that the Joint GP IT Committee of the BMA and RCGP, as well as the privacy group medConfidential, have recently re-affirmed their support of the OpenSAFELY approach both for COVID-19 and non-COVID-19 related analyses (specifically all research, service evaluation, clinical audit and health surveillance, as well as for when citizens have given their consent for their health data to be used for studies). In addition, in 2022 the BMA wrote a letter of support for OpenSAFELY, as part of a collection of submissions to the Secretary of State for Health and Social Care to evidence the support for OpenSAFELY to continue to operate (with a legal basis such as a Direction) beyond the pandemic; the widespread support from stakeholders culminated in OpenSAFELY obtaining an ongoing legal basis for COVID-19 related analyses in July 2023. We are now focused on working closely with NHS England and the Department of Health to obtain a legal basis for OpenSAFELY to benefit the NHS and public for all research, service evaluation, clinical audit and health surveillance studies, especially involving GP data.

The unprecedented access to patient data, almost the entire English patient population during the pandemic (over 58 million people’s health records), has highlighted the substantial rewards to patient care that come from the appropriate use of NHS patient data. Examples include:

  • multiple ongoing and rapid analyses on vaccine effectiveness, safety, and coverage;
  • research on the consequences of COVID-19 infection including cardiovascular outcomes and Long COVID;
  • analyses of effectiveness for monoclonal antibody and antiviral treatments;
  • health services research on changes in clinical activity and population impact during the pandemic;
  • randomised trial follow-up;
  • epidemiological transmission dynamics within households;
  • observational pharmacoepidemiology to evaluate treatment candidates and safety issues;
  • factors associated with risk of death from COVID-19;
  • ethnicity and COVID-19;
  • comparative risks of different COVID-19 variants.

Our journey is to explore the unimaginable by continually developing lawful, secure, trustworthy, and ethical mechanisms of access to patient data to improve the safety and quality of NHS healthcare made available to the public.

Amir Mehrkar
Amir Mehrkar, Director of Information Governance and External Relations

Liam Hart
Liam Hart, Research Administrator