Key Takeaways
- DPIAs, DSPTs, and Data Sharing Agreements describe what organisations intend to do with data. They do not enforce it. Documentation is not governance
- Patient consent is disconnected from the systems that process data — nobody can tell you what happened to your specific consent at the specific moment your data moved
- Paper governance is survivable within a single organisation. The moment a patient pathway crosses an organisational boundary, it collapses
- Every information governance obligation not handled by infrastructure lands on a clinician or administrator — consuming time and cognitive capacity that should go to patient care
- The gap between a DPIA and reality grows silently from the moment the form is submitted. Static governance cannot govern dynamic systems
- Governance must become a property of the infrastructure, not a document about the infrastructure — enforcing consent, recording provenance, and making responsibility transfer an auditable event
- The direction of travel — more organisations, more boundaries, more distributed care — makes this urgent. Paper governance cannot scale
Healthcare's approach to information governance is broken. Not because the people doing it are incompetent, but because the model itself was designed for a world that no longer exists.
Every NHS trust, every digital health provider, every GP federation currently relies on the same basic governance architecture: documents. Data Protection Impact Assessments. Data Security and Protection Toolkit submissions. Data Processing Agreements. Information Sharing Agreements. These are paper artefacts, or their PDF equivalents, that describe what an organisation intends to do with data. They sit in folders, on SharePoint sites, in drawers. And they are treated as evidence that governance is happening.
It is not. What is happening is documentation. And documentation is not governance.
The Consent Fiction
Start with something every patient has experienced. You arrive at a clinic, a hospital, a digital health platform. You are handed a form, or shown a screen, that asks you to consent to your data being shared for the purposes of your care. You tick the box. You sign. You tap “I agree.”
Then what?
You have no way of knowing what happened to your consent. You don't know which systems recorded it, which organisations received it, whether it was honoured in its original scope or silently broadened, or whether it was even transmitted beyond the application where you ticked the box. You certainly don't know whether, three weeks later, when your data was forwarded from one provider to another as part of a referral pathway, your consent was verified at the point of transfer, or simply assumed because a Data Sharing Agreement somewhere said it would be.
The honest answer is: nobody else knows either. The clinician treating you has no visibility into the consent infrastructure. The data protection officer at the receiving trust can tell you what their DPIA says should happen. They cannot tell you what did happen to your specific consent, at the specific moment your data moved. The consent form you signed is not connected to the system that processes your data. It is a piece of paper, or a database entry, that exists in parallel to the infrastructure, not within it.
This is the patient-facing reality of paper governance. The consent you gave was real. The governance of that consent is fictional.
The Assertion Problem
A DPIA is a statement of intent. It describes the data flows an organisation expects to operate, the risks it anticipates, and the mitigations it plans to implement. At the moment it is signed off, it may even be accurate. But it is not a control. It does not enforce anything. It does not detect when reality diverges from what was described. It is governance by assertion.
The Data Security and Protection Toolkit operates on the same principle. An organisation self-certifies against a set of standards once a year. Between submissions, systems change. Staff change. Integrations are added. APIs are versioned. Data flows are reconfigured. The DSPT submission doesn't know. It can't know. It is a static document describing a dynamic system, and the gap between the two grows silently from the moment the form is submitted.
This is not a theoretical concern. It is a structural vulnerability in every NHS digital health deployment that relies on this model. And it becomes catastrophic the moment data and clinical responsibility move between organisations.
The Cognitive Tax on Clinicians
Paper governance does not only fail patients. It actively harms the people delivering care.
Every information governance obligation that is not handled by infrastructure lands on a person. A clinician completing a referral must think about whether the data sharing agreement covers this pathway. An administrator must manually verify that the right consent is on file before releasing records. A practice manager must track which DPIAs are current, which DSAs need renewing, which DSPT evidence needs refreshing. None of this is clinical work. None of it improves patient outcomes. All of it consumes time, attention, and cognitive capacity that could be directed at care.
The scale of this burden is rarely acknowledged because it is distributed across thousands of small moments. A few minutes here to check a form. A few minutes there to log a disclosure. A phone call to confirm that a sharing agreement is in place before sending a referral. Individually, each task is trivial. Collectively, they represent an enormous drag on clinical productivity, and they fall disproportionately on the people least able to absorb them: frontline staff already operating at capacity.
This is not a necessary cost of good governance. It is the cost of governance that has not been engineered. When governance operates in the infrastructure layer, the system handles consent verification, provenance tracking, and access control automatically. The clinician does not need to think about whether the data sharing agreement covers this referral, because the infrastructure enforces it. The administrator does not need to manually check consent status, because the system will not release records without valid consent in place. The cognitive load shifts from people to infrastructure, where it belongs.
The promise of digital health was that technology would free clinicians to focus on patients. Paper governance inverts that promise. It uses technology to create more data, more pathways, and more organisational boundaries, then asks humans to govern them with documents. The result is clinicians and administrators spending increasing amounts of time managing paperwork about systems, rather than using systems to manage care.
The Inter-Organisation Blind Spot
Within a single trust, paper governance is inefficient but survivable. There is a single Caldicott Guardian, a single Senior Information Risk Owner (SIRO), a single Data Protection Officer. When things go wrong, the accountability structure, however imperfect, is contained within one organisation. Internal audit can trace what happened. Internal policy can be enforced.
The moment a patient pathway crosses an organisational boundary, this model collapses.
Consider what actually happens when a GP refers a patient to a digital triage service operated by a third-party provider, which then routes to a secondary care trust for a specialist consultation. Three organisations are involved. Each has its own DPIA. Each has its own DSPT submission. Each has its own IG framework. But the transfers between them, the moments where responsibility for the patient's data and clinical care moves from one organisation to another, are governed by nothing more than a Data Sharing Agreement that was reviewed six months ago and may or may not reflect the current technical reality.
Who held responsibility for the patient's data at 14:32 on a Tuesday when the API call transferred their record from the triage platform to the trust's EPR? The Data Sharing Agreement doesn't say. It can't say. It describes categories of data and purposes of processing. It does not, and cannot, describe the operational reality of a specific transfer at a specific moment. And yet that moment, the transfer itself, is precisely where governance failures occur.
This is the blind spot. Each organisation governs its own boundary. Nobody governs the space between.
The Audit Illusion
Paper governance creates an audit trail of documents, not of events.
When a clinical incident occurs in a cross-organisational pathway, the investigation will gather DPIAs, DSAs, DSPT submissions, and IG policies from each organisation involved. These documents will demonstrate that each organisation had processes. They will not demonstrate what actually happened. They cannot show the precise moment responsibility transferred, whether consent was valid at the point of data sharing, whether the receiving organisation's system was in the state described in its DPIA when it received the data, or whether the clinical intent that initiated the pathway was faithfully preserved through each handoff.
The audit trail is a reconstruction. It is retrospective storytelling assembled from documents that describe intent, not from systems that recorded reality. In other critical infrastructure domains such as aviation, nuclear and financial services, this would be considered a fundamental controls failure. In healthcare, it is the standard operating model.
Static Governance for Dynamic Systems
Digital health systems are not static. They are continuously deployed, continuously integrated, continuously changing. A modern health tech platform might push code updates weekly. API contracts evolve. New data fields are added. Authentication mechanisms are upgraded. Each of these changes potentially alters the data flows, the risk profile, and the processing activities that the DPIA was written to describe.
The governance model for these systems operates on a review cycle measured in months or years. A DPIA is reviewed annually, or when a “significant change” is identified, a determination that itself requires someone to notice that the change is significant, which in turn requires them to understand the current DPIA well enough to recognise the divergence.
In practice, the DPIA describes the system as it was when someone last sat down to document it. The system describes itself as it is right now. These are increasingly different things, and nobody is watching the gap.
The Infrastructure Argument
The solution is not better documents. It is not more frequent reviews, more detailed DPIAs, or more granular Data Sharing Agreements. The solution is to stop treating governance as something that describes a system and start treating it as something that is the system.
Governance should be a property of the infrastructure, not a document about the infrastructure.
This means consent should be enforced at the point of data access, not described in a policy document. Provenance should be recorded automatically as data moves through a system, not reconstructed after an incident. Responsibility transfer, the moment when one organisation hands accountability to another, should be an observable, auditable, timestamped event in the infrastructure, not an assumption buried in a contract.
When governance operates in the infrastructure layer, several things change fundamentally.
First, the gap between documented state and actual state disappears. The system is the documentation. If consent is enforced by the infrastructure, then the infrastructure's behaviour is the definitive record of what consent was in place at any given moment. There is no drift between a DPIA and reality because the governance controls are the reality.
Second, inter-organisational transfers become governable. If responsibility transfer is an infrastructure event rather than a contractual assumption, it can be observed, logged, audited, and, critically, it can fail closed. A transfer that cannot demonstrate valid consent, verified identity, or preserved clinical intent is halted by the infrastructure before any data leaves the sender, and the refusal itself is logged, rather than the gap being discovered months later in an incident investigation.
Third, audit becomes continuous rather than retrospective. Instead of assembling documents after the fact, the infrastructure produces a continuous, machine-readable record of every governance-relevant event. Who accessed what, under what consent, with what clinical justification, and who held responsibility at every point in the pathway. Not because someone wrote it down. Because the system recorded it as it happened.
Fourth, the patient's consent becomes meaningful. When consent is enforced by infrastructure, it is possible, for the first time, for a patient to know that their consent was actually honoured. Not because someone told them it would be. Because the system cannot operate without it. The consent form stops being a fiction and becomes what it always should have been: a genuine act of authority over one's own data, enforced at every point where that data is accessed or transferred. The gap between what the patient agreed to and what the system did becomes auditable, verifiable, and, if necessary, challengeable.
The Direction of Travel Makes This Urgent
Everything we know about effective digital delivery tells us that small, focused teams outperform large monolithic organisations. This is as true in healthcare as it is in technology. The future of the NHS is not fewer organisations doing more. It is more organisations, smaller and more specialised, collaborating across pathways. Virtual wards. Digital triage providers. Remote monitoring services. Specialist opinion platforms. Community diagnostic centres operating as independent entities within integrated care systems.
This is a good thing. It is how effective digital systems work. But it means more organisational boundaries, more data transfers, more moments where responsibility moves from one entity to another. Every additional boundary is another point where paper governance fails silently.
In this more dynamic, more atomised health system, the patient cannot remain a passive participant who ticks a box once and hopes for the best. Consent is not a moment. It is a relationship that evolves as the patient moves through a pathway, as new providers become involved, as the scope of data sharing changes. A patient who consented to their GP sharing data with a triage service did not necessarily consent to that triage service sharing data with a specialist platform they have never heard of. But under paper governance, that distinction is invisible. The original consent is treated as a blanket, because there is no infrastructure to manage it as anything more granular.
Dynamic consent, where the patient has genuine visibility into who holds their data and genuine agency over how it moves, is not a luxury feature. It is the only model that scales as healthcare becomes more distributed. And it is only possible when consent is managed by infrastructure, not by forms. A system that actively tracks consent state, that can prompt a patient when a new sharing boundary is reached, that can enforce scope limits in real time, is not over-engineering the problem. It is acknowledging that the problem has already outgrown the tools we are using to manage it.
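As an added illustration (not code from the article), the following Python sketch makes the three properties argued for above concrete: consent is checked at the organisational boundary, a transfer whose recipient is outside the consented scope fails closed before anything leaves the sender, and every decision, allowed or refused, is written to a hash-chained audit log that detects later editing. The consent shape, organisation codes, patient identifier and timestamps are constructed placeholders; a real deployment would carry the same information as FHIR Consent and AuditEvent resources, which this example does not model.

```python
"""Consent-gated transfer with a hash-chained audit log.

Added illustration only. Field names, organisation codes and identifiers
are hypothetical; this is not a FHIR-conformant implementation.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Consent:
    """A consent record that lives in the data path, not beside it."""
    patient_id: str
    purpose: str                    # e.g. "direct-care" (assumed vocabulary)
    permitted_orgs: frozenset[str]  # organisations the patient agreed to
    expires: datetime

    def covers(self, purpose: str, recipient: str, at: datetime) -> bool:
        """True only if purpose, recipient and time are all within scope."""
        return (purpose == self.purpose
                and recipient in self.permitted_orgs
                and at < self.expires)


class ConsentDenied(Exception):
    """Raised when the gate halts a transfer; no data has left the sender."""


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so an edited or deleted event makes verify() return False."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.head = self.GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> str:
        entry = dict(event, prev=self.head)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.head = entry["hash"]
        return entry["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class TransferGate:
    """Sits on the boundary between two organisations. A transfer either
    completes with a logged responsibility handover or fails closed with a
    logged refusal; there is no third outcome."""

    def __init__(self, consents: dict[str, Consent], log: AuditLog) -> None:
        self.consents = consents
        self.log = log

    def transfer(self, patient_id: str, sender: str, recipient: str,
                 purpose: str, at: datetime) -> str:
        consent = self.consents.get(patient_id)
        ok = consent is not None and consent.covers(purpose, recipient, at)
        receipt = self.log.record({
            "at": at.isoformat(),
            "patient": patient_id,
            "from": sender,
            "to": recipient,
            "purpose": purpose,
            "consent_found": consent is not None,
            "outcome": "responsibility_transferred" if ok else "halted_no_valid_consent",
        })
        if not ok:
            raise ConsentDenied(f"transfer {sender}->{recipient} halted; audit {receipt[:12]}")
        return receipt  # the receipt is the audit hash of the handover event


def demo() -> tuple[AuditLog, list[str]]:
    """Constructed scenario: GP -> triage is consented, triage -> specialist is not."""
    consents = {
        "P-0001": Consent("P-0001", "direct-care", frozenset({"GP-A", "TRIAGE-B"}),
                          datetime(2026, 1, 1, tzinfo=timezone.utc)),
    }
    log = AuditLog()
    gate = TransferGate(consents, log)
    t = datetime(2025, 6, 3, 14, 32, tzinfo=timezone.utc)
    outcomes = [gate.transfer("P-0001", "GP-A", "TRIAGE-B", "direct-care", t)]
    try:
        gate.transfer("P-0001", "TRIAGE-B", "SPECIALIST-C", "direct-care", t)
    except ConsentDenied as exc:
        outcomes.append(str(exc))
    return log, outcomes


if __name__ == "__main__":
    audit, results = demo()
    for e in audit.entries:
        print(e["at"], e["from"], "->", e["to"], e["outcome"])
    print("chain intact:", audit.verify())
```

The second hop is the case the article describes: the patient consented to GP-to-triage sharing, so the onward transfer to a platform they never agreed to is refused, and the refusal is a first-class audit event with the same provenance chain as a successful handover. Expiry and purpose are checked at the same point, so a consent that has lapsed or is being reused for a different purpose fails the same way.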
The smaller and more specialised the care teams become, the more critical this infrastructure becomes. Paradoxically, the model that delivers better care also demands better governance, and better governance at scale cannot be achieved with documents.
The Resistance
The objection to this approach is predictable: it is too complex, too expensive, too disruptive. The current model, for all its flaws, is understood. People know how to write DPIAs. Organisations know how to complete the DSPT. The regulatory framework is built around documents.
These objections are real but they are arguments for inertia, not for adequacy. The current model was designed when health data lived in filing cabinets and moved in envelopes. The fact that we have digitised the filing cabinets and the envelopes does not mean we have digitised the governance. We have simply made it faster to produce documents that describe systems they cannot control.
The regulatory direction is clear. The UK GDPR's accountability principle (Article 5(2)) requires organisations to be able to demonstrate compliance, not merely assert it. The NHS's own Long Term Plan demands interoperability across organisational boundaries. These two requirements, provable compliance and cross-boundary data flow, are fundamentally irreconcilable under a paper governance model. You cannot demonstrate compliance with a document that doesn't know what the system is doing.
The Path Forward
This is not a call to abolish DPIAs or dismantle the DSPT. These instruments have a role in establishing policy intent and organisational accountability at a strategic level. But they cannot be the mechanism of governance for systems that operate at machine speed across organisational boundaries.
The mechanism must be infrastructure. Governance controls that are embedded in the data layer, that operate in real time, that produce their own audit trail, and that enforce policy rather than merely describing it. This is not a novel concept. It is how every other critical infrastructure domain operates. Financial services does not govern transactions with documents about transactions. Aviation does not govern air traffic with papers about air traffic. These domains have control planes that operate in the infrastructure layer because the consequences of governance failure are too severe to leave to documentation.
Healthcare data is at least as sensitive. Healthcare decisions are at least as consequential. The governance model should be at least as rigorous.
The technology to do this exists. The standards are already there: FHIR, with its Consent, Provenance and AuditEvent resources; OAuth 2.0 scopes; SMART on FHIR. They provide the building blocks. What has been missing is the recognition that governance is not a compliance exercise to be documented. It is a critical infrastructure function to be engineered.
It is time to stop writing about governance and start building it. Every patient who ticks a consent box deserves to know that the box is connected to something real.