
Data governance in healthcare: beyond compliance to capability
When a hospital trust talks about data governance, the conversation usually starts and ends with compliance. The UK General Data Protection Regulation, the Data Protection Act 2018, and NHS England's Data Security and Protection Toolkit set the floor of what good looks like, and most boards treat that floor as the ceiling [1][2][3]. Compliance buys you the right to operate. It does not buy you the ability to use your data.
The published evidence on what well-governed health data can do is now reasonably mature. The Goldacre Review, commissioned by HM Treasury and the Department of Health and Social Care and published in April 2022, set out 185 recommendations that were largely about turning regulatory plumbing into research and operational capacity, including the move toward Trusted Research Environments rather than bulk data dissemination [4]. The Data Saves Lives strategy, published in June 2022, formalised that direction at the policy level, with commitments on secure data environments, the GP Data for Planning and Research programme, and patient access [5]. The Topol Review (Health Education England, 2019) had already argued that the constraint on adopting data and AI inside the NHS was workforce capability rather than technology [6]. Three years on, that diagnosis has held up.
The framework most health data leaders we work with reach for is the DAMA Data Management Body of Knowledge, second edition (DAMA International, 2017). DMBOK v2 organises the practice into eleven knowledge areas: Data Governance sits at the centre of the wheel, surrounded by Data Architecture, Data Modeling and Design, Data Storage and Operations, Data Security, Data Integration and Interoperability, Document and Content Management, Reference and Master Data, Data Warehousing and Business Intelligence, Metadata, and Data Quality [7]. The framework is not specific to healthcare and does not need to be. What healthcare adds is the regulatory weight: Article 9 of the UK GDPR on special category data [1], the common law duty of confidentiality, the National Data Opt-Out under section 251B of the Health and Social Care Act [8], and the DSPT annual self-assessment with its evidence requirements for every organisation that processes NHS data [3].
What we observe across published implementations and our own engagements is that the order of investment matters more than the framework choice. Trusts that lead with architecture before quality end up with elegant data platforms that nobody trusts. The Health Foundation's analysis of NHS data quality in 2021 quantified the scale of the underlying problem: missing, duplicate, and inconsistently coded records at a level that materially affects population health analysis [9]. The Wellcome-backed Understanding Patient Data programme has documented the same pattern from the public engagement side, where trust in NHS data use is contingent on the public believing the data is accurate as well as protected [10]. Quality is not a tidying-up exercise to do once the architecture is built. It is the architecture's foundation.
The second pattern that holds across the literature is that data stewardship has to live inside clinical teams, not be parked with IT. The NHS England Federated Data Platform programme, launched in late 2023 with Palantir as prime contractor, has illustrated what happens when stewardship is not embedded: the controversy around the procurement was less about the technology than about who decides what good use looks like, and clinicians and the public were not the loudest voices in that decision [11]. The Ada Lovelace Institute has made the same point about health AI specifically, that legitimate data use is built through ongoing public participation rather than retrospective consultation [12].
The third pattern is incremental scope. The trusts that have moved furthest under the DSPT and into research-grade Trusted Research Environments did not run a single big-bang programme. They picked a clinical pathway, fixed the data, demonstrated the value, and then expanded. The UK Health Data Research Alliance has published a Building Blocks framework that codifies this approach, treating each TRE-ready dataset as a unit of work with its own governance, metadata, and access controls [13].
None of this is novel advice and we do not present it as such. What we want to push back on is the idea that healthcare data governance is mostly a legal exercise. It is mostly an organisational exercise, with legal and technical components. The legal component is the part that fails most visibly in the press, which is why it gets the budget. The organisational component is the part that determines whether anything useful happens once the legal questions are answered.
The honest closer is this. Most NHS organisations we look at are competent at the DSPT and uneven at everything else. The next two years of UK health data policy, including Secure Data Environments and the operational rollout of the Federated Data Platform, will reward the trusts that have been quietly investing in stewardship, metadata, and quality. They will be hard on the trusts that treated the toolkit as the strategy.
Coderex advises NHS trusts, integrated care boards, and ministries on the operational shape of data governance: which DMBOK areas to invest in first for a given clinical pathway, where stewardship needs to live inside clinical teams, and how to sequence quality, metadata, and architecture so the platform delivers value rather than surfacing accumulated data debt at higher resolution.
Expect the Federated Data Platform's first round of acute trust go-lives in 2026 to expose the data-quality gap that the procurement debate did not centre on. Expect at least one Secure Data Environment programme to publish a formal post-implementation review naming clinical stewardship as the binding constraint before 2028. Expect the DSPT to be re-baselined again before the next general election, raising the floor and widening the gap between trusts that have done the unglamorous work and those that have not.
Methodology note: This whitepaper synthesises UK health data policy documents, DAMA International's published framework, and a small number of independent reviews of NHS data practice. No primary survey was run. Where we make claims about what we observe in client work, those claims describe patterns rather than named deployments, in line with our research and disclosure standards.
References
16 sources, all verified at the time of writing
- [1] UK Government, 2016. UK General Data Protection Regulation. Legislation.gov.uk. https://www.legislation.gov.uk/eur/2016/679/contents.
- [2] UK Parliament, 2018. Data Protection Act 2018. Legislation.gov.uk. https://www.legislation.gov.uk/ukpga/2018/12/contents.
- [3] NHS England, 2024. Data Security and Protection Toolkit. NHS England. https://www.dsptoolkit.nhs.uk/.
- [4] Goldacre, B. and Morley, J., 2022. Better, Broader, Safer: Using Health Data for Research and Analysis (the Goldacre Review). HM Treasury and Department of Health and Social Care. https://www.gov.uk/government/publications/better-broader-safer-using-health-data-for-research-and-analysis.
- [5] Department of Health and Social Care, 2022. Data Saves Lives: Reshaping Health and Social Care with Data. DHSC. https://www.gov.uk/government/publications/data-saves-lives-reshaping-health-and-social-care-with-data/data-saves-lives-reshaping-health-and-social-care-with-data.
- [6] Topol, E., 2019. The Topol Review: Preparing the Healthcare Workforce to Deliver the Digital Future. Health Education England. https://topol.hee.nhs.uk/.
- [7] DAMA International, 2017. DAMA-DMBOK: Data Management Body of Knowledge, Second Edition. Technics Publications. https://www.dama.org/cpages/body-of-knowledge.
- [8] UK Parliament, 2012. Health and Social Care Act 2012, section 251B (operationalised as the NHS National Data Opt-Out by NHS England). NHS Digital. https://digital.nhs.uk/services/national-data-opt-out.
- [9] The Health Foundation, 2021. Data analytics for better health: improving the quality of NHS data. The Health Foundation. https://www.health.org.uk/publications/reports/data-analytics-for-better-health.
- [10] Understanding Patient Data, 2023. Public attitudes to NHS data use. Wellcome / Understanding Patient Data. https://understandingpatientdata.org.uk/.
- [11] Davies, M. and Mahase, E., 2023. NHS England awards Federated Data Platform contract to Palantir. The BMJ. https://www.bmj.com/content/383/bmj.p2752.
- [12] Ada Lovelace Institute, 2023. Going public: exploring public perspectives on NHS data partnerships. Ada Lovelace Institute. https://www.adalovelaceinstitute.org/report/going-public-nhs-data/.
- [13] UK Health Data Research Alliance, 2024. Building Blocks for Trusted Research Environments. HDR UK. https://www.hdruk.ac.uk/access-to-health-data/trusted-research-environments/.
- [14] OECD, 2023. Health at a Glance 2023: OECD Indicators. OECD Publishing, Paris. https://www.oecd.org/health/health-at-a-glance/.
- [15] Information Commissioner's Office, 2023. Guidance on AI and Data Protection. ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/.
- [16] World Health Organization, 2021. Ethics and Governance of Artificial Intelligence for Health: WHO Guidance. WHO. https://www.who.int/publications/i/item/9789240029200.