The SUDGT defines questions to test the maturity of the care system's approach to governance of data management and information governance. These fundamental questions help ensure that the core governance structure of a care system has been - or will be - embedded. The tool doesn’t prescribe any specific approach, but within the reference materials are examples of governance framework documentation that a care system can use.

The care system should consider the following governance questions:

1. Is there a named individual with designated responsibility for, and oversight of, information governance within the care system? This role suits an individual who is an experienced and knowledgeable ‘Senior Information Risk Owner’ (SIRO) or has governance as a key element of their ‘portfolio’ of responsibilities. They must be actively supported by senior IG subject matter experts.

2. Is there a named individual with designated responsibility for, and oversight of, data management within the care system? This role suits an individual with the role of Chief Information Officer or Chief Clinical Information Officer in their portfolio, supported by senior staff in a Business Intelligence function.

3. Is there a formal governance mechanism in place? This may take the form of a formal committee, but could be achieved as a virtual group. The key is that representation from partners is appropriate and the links to overall care system governance are strong, and that the mechanism meets, as a minimum, the requirements outlined below:

  • The governance mechanism is formally recognised by senior leadership of the care system
  • The governance mechanism is represented on, or has access to, the care system’s Board (or equivalent very senior mechanism)
  • The governance mechanism is governed by formal, agreed and approved terms of reference

4. Is the governance mechanism regularly attended by each organisation that has current or planned responsibility for data management or information governance relating to secondary use data activities within the care system? As a minimum, the governance mechanism must be attended by each organisation identified in the care system as having ‘data controller’ responsibilities. That responsibility may be held individually or jointly with other partners.

5. Is the governance mechanism attended by members with sufficient seniority, authority and subject matter expertise in relation to information governance and data management (e.g. Data Protection Officers or Chief Information/Data Officers)? Once a mechanism compliant with questions 1-4 has been set up, question 5 essentially relates to the ongoing development and maintenance of the mechanism and the active participation of the relevant parties.

Secondary use activities may be distributed across a care system’s organisations; however, those possessing statutory responsibility must be able to demonstrate that their statutory responsibilities are being effectively discharged. This is enabled through a robust governance structure for intelligence and data, and clear co-ordination of roles and responsibilities.


You should now determine and record:

  • the named individuals with designated responsibility for and oversight of IG and data management within the care system
  • the formal governance mechanism that is in place (i.e. a formal or virtual group) and confirm that it satisfies the governance criteria established above
  • how the governance will operate (e.g. Terms of Reference)

This information can be recorded in the SUDGT input tool.


  • The governance mechanism should be formally commissioned with documented terms of reference

  • Members should have sufficient seniority, authority to act, understanding of their organisation’s responsibilities within the care system and access to information governance expertise

  • Membership must represent all commissioning organisations and any others who will need to receive data for secondary use activities

  • Groups of organisations (e.g. Primary Care Networks) should be represented by a nominated individual.