Skip to main content

Watch on YouTube

Listen to the Podcast


Check out the show description

📝Show notes:

What does an 'Information Governance' professional do anyway?

In this episode Michala Liavaag and Barry Moult explore several aspects of information governance and data protection in the healthcare sector. They also present the newly created Data Protection & Information Governance level 4 apprenticeship.

Barry is an award-winning Information Governance Consultant at BGM IG Limited, best known for his work promoting the importance of information governance and knowledge sharing in the NHS.  He now works as the DPO for GP practices, hospices, and private healthcare providers. In 2020 he won the coveted ICO Excellence in Data Protection Award 2020 and followed up with winning the NHS Strategic Information Governance Network Professional of the Year in November 2021.

 Barry's website:


👉 Cited in this episode: 



Found this useful? Please rate and review, as it helps reaching more people:

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions:



✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner


Read the episode transcript

(automatic transcription)


Our guest today is Barry Moult. An award winning information governance consultant at BJM IG Ltd and former NHS Trust head of information governance. He now works as the DPO for GP Practices, Hospices and private health providers. In 2020 he won the coveted ICO Excellence Data Protection Award and followed up with winning the NHS Strategic Information Governance Network Professional of the Year in November.


2021. Hi Barry. Thank you so much for joining us today. I really appreciate your time.


My pleasure. Thank you for inviting me.


Would you like to tell us a little bit about yourself?


Where do I start? So my background is originated, probably you can tell by my accent, I come from the Midlands come from Stoke-on-Trent, went to school there of course. Eventually my first job was in the pottery industry. Well, that's where the pottery is in Stoke on Trent, but eventually joined the RAF. And one thing the people don't know is the reason I joined the RAF was because I was in a sense homeless in the sense that I was living and sleeping on people's floors and sofas.


And a friend eventually said, Barry you've got to do something, go and join the army. He said, You'll have a roof over your head and food on the table. And I thought, You know what? It's not a bad idea. So I went up to the Army Recruitment Center and they said because I was sporty and I like sport.


And so you're just the sort of person we get up at 5:00 in the morning. And I thought, Oh my, I don't know if I want to get up at 5:00 in the morning. So I went next door to the R.a.f. and they said, No, no, we don't do that in the RAF. So I joined the RAF and I said, Sir, what can I do?


And he said, What do this test? And I did a test and he said, Right, you can do this list of jobs. And one of the jobs he said is that I could be a nurse. Now it had never, ever crossed my mind and I said, No, no, no, they don't have men as nurses. It's a woman's job. He said, Oh no, no, don't get don't get mistaken.


We are looking to recruit men to be nurses. There are men who are nurses. And he said, Look, if you want to join the Air Force, we can get you in just over a week if you say yes to nursing. And I said, So what are the other benefits? And he said, Well, there are 40 on the course there are 38 ladies and there'll be two men.


I was 18. I didn't need much more. I did join and I did my nursing course and I passed. I then left the RAF, I then went work to No Stuffs Royal Infirmary in theaters. I then left there and went to work for the entire company as an occupational health nurse and then I left there after about eight, nine years I did a bit of social work for the MOD with my military background and then eventually I did some I.T. training back in about 1990 when computers were the thing that was coming up.


I did well on the course. They said to me, Barry, do you want to teach the next course? And I thought, Oh, that sounds good. It was part time in the local college. I also got a job as Bob teaching it in Cardiff Prison, which was rather interesting as well. I then left there and went back into the NHS, but I was also working part time in the NHS but working part time in a council on that training team.


I did some training for those, but then the job came up in the hospital when I was nursing. They wanted somebody to do data protection you can say what, you don't have any experience in data protection, but when I was at the council right about 1998, when the Data Protection Act came in, they wanted somebody to do some training on data protection.


And I was working in the, the training team for the council and we all looked at each other and they said no, not me, but I was, must have been too slow because it fell on my desk and I was So what do I say? And they said, well go and read the Data Protection Act and just go and talk to them for 10 minutes.


And I did, I went from department to department delivering these four or five bullet points and about 10 minutes, 15 minutes. But then the hospital were looking for somebody to do data protection. I thought, well, I can just travel to the hospital, do data protection in the morning, and my nurse and in the afternoon it was ideal. I got the job and the rest, as they say, is history.


And over time I then became full time. I about 2003 doing information governance in the NHS. So that's the story of my life.


Wow. It's absolutely fascinating. Amazing. You mentioned about working in the prison so just thinking about from a security point of view that must have thought really permeating your thoughts around that point or was there another point that you would say it was more?


No, it's interesting because working in the prison, the security was more physical security. I was teaching IT in the prison but in those days it was, you know, literally this is a keyboard, this is the space bar, this is the return bar, you know, and it was just things like that. And it's interesting because if I was teaching there an hour's course, it would take me half an hour to get in and half an hour to get out.


And I was only paid for the hour



Oh no!

 Just thinking about your transition from the sort of data protection into the wider field of information governance, can you just tell us a little bit about that? Because again, information governance is a term that the NHS is very familiar with certain areas of the private sector are increasingly so, but there's an awful lot who still aren't quite sure what exactly that means.


And obviously data protection is just one part of that. So can you tell us more about that?


It's the same job, but using different words. So information governance is known quite well in the NHS and there has been conversations over the years saying, oh, we need to, we need to change that job, job name, job title from information governance to something else. And I've always resisted. I think we've become familiar now. We used to have what we call the Information Governance Toolkit and therefore everybody's familiar with it.


But in private industry they don't have information about it. They have Data protection, it's the same thing. It's, it's, it's looking after, you know, that data, protecting that data. But I think what we need to think about as well is data privacy it's about it's about my data. It's about your data and and it's about our privacy and who can see that data and who is it shared with?


And that's true in all industries. But you're absolutely right. One US information governance and maybe something we'll talk about a bit later is because of a new training course that we've put into place for health and social care it is called information governance, but in private industry it's called data protection. It just says it already.


It's pretty interesting because I've always seen information governance as the sort of overarching piece governance. funny enough, and you've got subdisciplines within it of which data protection is one security is one, and records management is one, governance itself. So all those things are within it. Would you say that when you sort of switch between the two, that you use data protection as the all encompassing term for all of those things?


Or are you literally just being that part of it?


You're absolutely right. So, you know, you missed off that things like freedom of information, of course, subject access requests, you know, but you're absolutely right. It's the overall overarching. Now, I remember some years ago we were looking at the job role for information governance. And I remember putting out a survey to colleagues that worked in hospitals to say what you include in your job role, you know, is it just is it records management?


Is it data protection? Is it I.T.? And we listed all the things and everybody had something completely different. And one of the things that we struggle to do in the NHS is what we call a job profile agenda for change, profile for information governance, because everybody's job is different and what we do is different. So I might have all those things that you mentioned and I did, some people might only have three or four of them.


So how do you mix that then with a job and a salary, what we call banding in the NHS is a band five, a band six and seven, a mandate post. You know, if you're doing all those things, you might say, well, it's a higher bandwidth, but if you're only doing some of them, it might be lower band so you're absolutely right.


And each of those things, it's a specialty in its own right. Records management, we have the Information Records Management Society, it is specific and there's lots of things to consider on the records management, but then you have cybersecurity. It's another discipline in many ways, and I'm not a cyber expert at all. I've learned a few things, you know, whether it's ISO 27,001,Cyber Essentials, Cyber Essentials+,but also about digitizing records.


You know, I've been down that route as well. So there are lots of things to consider and that's why I think I'm really keen and I'm really excited about the job. I think it's so varied and so interesting. Somebody once said to me, So Barry, how would you describe your job in practical terms? And I said, A juggler.


Because like spend a.


Day you're having to juggle whether it's records management, action, loads of different things every day. And some days I would go home thinking I never did what I thought I was going to do today.


Exactly the same experience. There's not a day I would sort of have a plan and start day, come home, and it's like, OK, well I've achieved all this, but none of that's what I thought I was doing at the start of the day. But yeah, I suggesting it's about what you're saying about the juggling because when I worked in local government and had that sort of information management umbrella role that included the data protection site management etc etc security is a part of that, but I didn't have FOI, somebody else had that as their job, which was great. As you say they are all specialties and disciplines in their own right.


And it's so easy, especially for somebody like me. I like to go quite deep into things and I was finding that I couldn't go deep into each of those because there was so much that if you go and you discover there is. So that's why even the sort of obscurity route. Would you say that you managed to sort of juggle across all of them?


effectively or you sort of leaned towards one more than the other?


I'm going to have to say, and I don't mean it in any sort of arrogant way, I think I managed to know enough about all of them. I am not the expert. I know people who are far more knowledgeable than me. And you know, Michala, we have a good network and we're able to sort of call people, email people and ask people for advice.


And yes, I do have a wide breadth of knowledge of information governance in the NHS. So if anybody asked me about finance, about data protection or retail, I'd have to say I'm not your person, but on those things. So I did do it FOI and in fact I remember before FOI came in, we, we set up a group in East Anglia to deal with FOI because it came in, in 2005.


We just put together an information governance group in the east of England. Many of us were dealing with FOI , but there was some colleagues who didn't deal with information governance, who were just doing FOI. So we got together about seven or eight of us just to share best practice and say, What should we do? And I learned from other people.


You know, the sharing I think throughout the network is so important, as you say, because we can never know everything, as soon as we sort of recognize that, I think the better off we are as professionals and it's just pointing to others who are best suited to particular things. The only thing I would just query though is that I think so much is about business processes, whatever those processes are, and being able to identify the risks through things, which I think is translatable all across different industries.


What do you think about that?


I've just come off a call with a local authority and we were looking at subject access requests and I always start off by saying it's about process, it's not the be all and end all, but if you've got a good process and the process actually goes through, you can look at where the pinch points are, where are they?


So with data sharing, so that there becomes, you know, what are the risks there? Or we have to keep this data offsite. So OK, so you're going to call it back. So what is the risk? So yet to me, I always start by saying I'd love a ten foot wall and all the staff and give them all Post-its and say let's walk all the way through.


It might take us 2 hours. But you know what? If the end of it, you hope you'll be able to take things out, you'll be able to put things in, you said, well, that's a risk. Why do we include that? Let's remove it. So it does involve other things because, you know, subject access, you've got to know where your records are.


So records management comes into it, but also training because everybody needs to know what that part of it is. So, yeah, but having a good process. But also, you know what we talk about data protection or privacy impact assessments we've had them for a long time. We had them pre GDPR, but you just never did them. But now we do them and we look through, you know, what it is we're going to be doing, who's going to be involved and we look for the risks.


We mitigate where we can and we own them if we can't mitigate them.


I think that was one of the best things to come out of the GDPR in terms of raising the awareness for organizations around, you know, that privacy by design, thinking about these things up front and then so getting it through that entire lifecycle. I'm just wondering, so my mind's going off on another little tangent here, just thinking about all the rules around health records management and coding.


Do you want to might say a little bit about that for our audience?


When I left my job at one hospital and I thought it was going to be my last job and I went to see the records manager, health records manager, information governance manager as well. Yes, it's very it was different, but it included a lot of things that I already did or knew. What I went there to do was to help to digitize the records.


We had to look at, you know, what is the risks of doing that, making sure the records were in the in the right record. But, you know, what sort of things did we scan? And that was just lots and lots of things with it, but it included lots of what I already knew and did. So although it was new in some ways, it was rewarding and I enjoyed doing it.


I had some good stuff as well.


I think generally speaking, the quite under resourced roles and so I think it's important to have a really good team around, give support to one another.


I think information governance, it's interesting. I've talked to somebody the other day, clinical safety officers, we were talking about the ICC, the integrated care systems and their involvement in joining together multiple sort of systems in different organizations so we can be able to see a holistic view of patient records. And they we're asking them and I said, you know, information governance is about patient risk and it's about patient safety and making sure that we have the right information at the right time in the right place, that we have access to it.


You know, and so, you know, there are lots of things that our jobs involve. Other sectors or other parts of the NHS as well. So but that's why I think it's a fascinating role to be in.


So you've got this sort of broad knowledge across all of  disciplines within the information governance obviously it's a Cybility Savvy is a cybersecurity podcast. So can you tell us a little bit about when you sort of first really talked about the importance of cybersecurity in your career?


When I first started in information governance, the role was based in I.T. And I have to be really honest, Michala. So everybody thought that I was part of it and it only related to i.t. So I thought I need to get out of here. I need to escape. It's not just about i.t. It's about paper records. It's about h.r records.


It's my everything. So I managed to escape. That doesn't mean to say that there isn't that link and there is so any time you know, there was a new i.t system again, we would look at and I’m trying to think when what would my first recollection of say what? You know, this is IG it  was part of IT and this system that we're having in the hospital and I was asked about access controls about who should have access.


It was a great system. The doctors loved it. But me as IG  I hated it simply because the access controls were not there. You everybody had access or no access and so we were having to give access to secretaries if they knew who was in agony. I thought, oh, my goodness. And then also the support for that i.t.


System, where was it coming from? So I rang the company, did my due diligence, were based in york. I said so my question would be so what happens at night or weekend? And this is no joke. You have medications that we follow the sun. So what does that mean? You said, well, what the weekends it goes to Johannesburg in South Africa.


So I'm now thinking potentially these people have access to all our A&E patients. Sarcastic me said: So what happens when Johannesburg go to bed? He said, oh, we've got that covered. He goes to Singapore and I'm thinking, Oh my goodness, this was way, way before GDPR. This is ten, 12, 15 years ago. And I'm thinking, Oh my goodness, so yeah, I was aware that was an issue.


We have become more aware because of, you know, of hacking and all those scamming, phishing and all those sort of things. If I could turn people to GDPR and it talks about having technical and organizational measures in place, now, the technical bit, Michala, I'm going to leave to you, you know, you make sure the patches are done, you make sure that the servers are secure, that that's your job, that's your cybery bit.


But for me, the organizational measures are making sure that the policies are in place and information security policies in place. The business continuity is in place because they all impact on you and the impact upon me. It's been one of those things that, you know, it's an issue. I don't think there's a time when the light came on and said, Oh, I need to think about cyber but I think it's become more now with the we're having to do the DPIAs.


We looking at that when there's more systems to be put in. And I would go again to my colleagues and it and say, I think I need you to give me some advice on this.


And again, those sort of relationships, again, trust department. So importance, I certainly found that it was so useful to have that and be told, oh, we've got this coming, there is a contract, perhaps that system wasn't known about by another department. And being able to join those dots, I think across organizations is one of the really powerful things about working on information governance side.


Yeah, I always use another illustration when it comes to cyber security. This isn't the destruction of I.T hardware and I think it's probably down in probably near to the left than I do where a hospital was getting rid of that hardware and they didn't have a proper contract in place. And a third party who took them somebody ended up selling some of those hard drives on eBay.


Yeah, I was in the patient's database and the hospital got fined £325,000. And that is an I.T. issue. It's not just an i.t. issue, but I have to say, oh, my goodness, what happens in our I.T. departments? Yeah. I went to talk to my senior information risk owner and he said, I don't know. So we went to I.T. We followed the process through, and I ended up getting in my car and following this all tech lorry that had got all our stuff.


And I followed it up to North Yorkshire and I watched them to go into a secure compound and I watch them destroyed because what happened to that hospital wasn't going to happen to me. Now, that is the fringes, if you like, of cyber, but it is cyber and it's I.T. as well. So it's making sure that we've got those technical measures in place as well.


As the operational measures.


And the physical, because a lot of that is about physical activity as well. So again, I always think that when I'm talking about information security, with an organization, I'm thinking about the administrative stuff. I said the policies and standards. I'm thinking about personnel. So screening, training, et cetera, physical security, CCTV, physical fences, whatever it might be, the technical, which is where that sort of sketch based comes in.


So it is very much that broad approach. Just thinking about it is always changing. The systems are getting increasingly connected, more complex, how would you say you keep yourself up to date with everything, what's going on and the precedents and stuff like this?


I think I've already mentioned about networking Michala, and I think it really is an important part. So I love to go to the exhibitions at the Olympia Exile. We have our own network meetings over in the east of England. I also go to events to do with local authorities and health where they have vendors as well. And so what happens is I go to these and talking to some of these vendors with the new IT systems, whether they are asset management, but they are email security.


I like to go and talk to them. I don't particularly in my role. It's just me. I don't need their software, I don't need the best systems, but my clients might do what I do. That is I talk to them, I get that contacts, they contact me or I contact them and say, Look, I want to demo because by doing that I learn about the new systems and I will ask those questions about what happens here, what happens there, where is the information stored?


Gives me an insight of of what is out there and what some of the issues are, because they will say to me, as we have these issues and we're aware of them and we're putting this into place to protect organizations, it helps keep me up to date with what's going on.


But that's an interesting one because generally I find that well, it depends on the event actually, as to whether the seminars are vendor led or practitioner that that the practitioner ones I find can be quite useful.


You're absolutely right. Some of these things I go to and I went to one was at central government. In fact, I chaired a central government conference. And again, the vendors come along and they want to push that. I think that sort of but some of the speakers were absolutely superb. They had somebody from data protection from the Cabinet Office, they had somebody from NHS too, and learning about just the process of what they go through and what they're looking to do.


I learned so much and I now have that trying to apply. So how is this going to work? What questions would I want to ask webinars? That's another one. I go on to webinars when I can, but I think network groups are really, really important, learning best practice from colleagues.


Excellent . And I'm just thinking because you're from well, both of us participates in the NHS whether Westpac's perhaps say a little bit about Caldicott Guardians.


OK, so Caldicott Guardians, normally, certainly in health and social care, it has to be somebody with I think a medical background. And so they understand about the records that we are thinking about and it's more about the sharing of records. What should we share as part of the patient record legally we can share well, ethically should we share?


Is there some things that we should hold back that there might be good reason for for that? And the The Caldicott Guardian is the gatekeeper and I always say they are ultimately make the decision, not I as a data protection officer can give advice that's my job, my role. And I will look at it and I will say my advice to you as the Caldicott Guardian is that we should disclose this, but I think we should not disclose this.


But the ultimate decision sits with the Caldicott Guardian to enable me and then to make a decision. There are eight Caldicott principles and those Caldicott principles should be applied. And we get sometimes people say we want all this information, don't reductionism, don't remove anything. And I always say to me, no, we are going to apply the Caldicott principles.


And if I could give you an illustration, a GP practice for that on the DPO form and they had a solicitor asking for some information and a solicitor to the GP practice says I don't want anything redacted. And it was a very sensitive record. I said, Well, I'll speak to the, to the solicitor and I rang the solicitor and the phone call took about 20 seconds and I said I'm the DPO for the practice.


I bring it up about Mrs. Smith. She said, Don't ask me why I want the recordand don’t dare redact anything. And the line went dead and wow, she must have put the phone down on me. So I've got a problem now. What do I do? What am I going to disclose? So I spoke to the practice and I spoke to the court ecology and I said, we are going to apply the Caldicott principles.


We are only going to disclose what we believe is relevant and appropriate. And we did. Now, this was just over a year ago. We heard nothing back from the solicitor. That's what our job is to protect the individual's records.


Absolutely. Data protection can say whether it's legal to do something with data security can say how securely that is said as I say the caldicott guardians here to cut the ethical use of what's appropriate say that patient data. So I think again that's what triumvirate relationship post. I want to move on to talking about this amazing scheme that you have been absolutely fundamental and coming up with and driving.


Would you like to tell our audience all about this amazing thing that you've achieved.


Many, many years ago In doing my job, I was approached by the hospital site. Did we have any space in our team for an apprentice? And I said, well, we could always do with an extra pair of hands who couldn't. I think we had a good department. We could teach them lots of good things. But what they had to do was a bit bussadmin apprenticeship.


Now, what that meant is when they finished the apprenticeship, a job came up in h.R. In estates or another department because they got that apprenticeship, got some experience, and it was probably a better paid job to be honest. Off they went. And as part of the succession planning and bringing people into information governance and for them to see what a fascinating, varied job it is, I thought, well, do we need to have an information governance data protection apprenticeship now?


Michala, there is a cybersecurity apprenticeship. Well, there wasn't one for data protection information governance. So I approached the institute of apprenticeship and I started the ball rolling. Ask you about it, and we set up a a group we met in London literally the end of February before the first lockdown. We were signed from the Department of Education, a relationship manager who has guided us through this process of setting up this information governance, data protection, apprenticeship.


It's been long. It's been two years. It seemed as though, are we ever going to get there? So we set up the standards. We discussed what we would want. It's not just for health, by the way. It's generic, it's for all industries. So the standards that we set up, the they had to be generic across all. So we had all these duties.


And I think there are about 12 in the apprenticeship and they include all the things we spoke about. So access requests, policies, training and so on. Then after that, we have to set up what we call the knowledge, skills and behaviours.  What would we be looking for and an apprentice. And then we had to think about how are we going to assess this apprenticeship.


There are a number of ways, but we've come down to what we call they'll do a project and that will be assessed and also professional discussion, which will give us an indication of their understanding, of their knowledge of the role. But what we had to wait to then is obviously that is funded because all organizations pay an apprenticeship levy.


Now let's get some of that back because the NHS pays it and local authorities paid. To me, this was a great thing of bringing people at the end of my career, but I think it's a fascinating career and I wanted people to come in and see to such. So as they come in and do this apprenticeship it may well be that we keep them.


Yes, OK, they may go off and specialize in cybersecurity because that will be a part of it. I just want to bring people in, but it wasn't just me. We did have this Trailblazer group and it was chaired by Philippa from the Combined Manchester Authority, I think it's called and we went through this and it's taken two years and all the people involved, you know, I think we all deserve, if you like, that pat on the back.


But I think it is something that's great going forward. It started, I think the first intake. One of the groups who is going to be doing the training is the end of this month. It was finally approved about a month ago and therefore we are now moving quite quickly and the amount of support many people have said, Oh, we're great, we're looking forward to this, we want to recruit Apprentice.


So that's absolutely great. I will say, though, this isn't for school leavers, it's not the 16, 17 year olds. This says it's called a level four apprenticeship. So it's people who've got some experience. So if people have got maybe members of their team who do get to access freedom of information just part of their team, I've got a little bit of knowledge and experience, an award working towards those duties.


Then this is the apprenticeship for them and I would certainly commend it.


That's absolutely brilliant. By going through that process and having it as an apprenticeship really sort of marks it as this is a viable career. It's something that isn't just NHS, as you said, it's about information no matter what industry it is and is as a proper career. I think for a lot of again the transition from school, college, etc. if it's not available as an apprenticeship I think a lot of people immediately don't even consider.


So although you know, if you want to have the talent space fast, but the idea that it's going to at least appear, at least from my point of view, it's just it's great. And also the really hard work that you've all done in terms of identifying you know, the knowledge of skills and the abilities that people need to be effective in there.


So it's that foundation, if you like. It is the foundation that people can then build on and there are lots of other things they can do after that to build on that. But you're right, this is a career and I think, you know, GDPR, it's not just GDPR when we look across the world, everybody's rewriting their data protection.


So our new ICO, what I see coming from New Zealand, he did just before he left there a new Data Privacy Act, I think it was called. And but everybody, whether it's India, China, America, they're all updating their data protection laws and it is tightening up privacy and making it privacy is really, really important. I have to say though, Michala, a little bit disappointed and sad that our own government is looking to make changes that I think would weaken people's privacy and weaken data protection.


And I think the proposals from the DCMS are short sighted. I know lots of people have written about it. I know the ICO has commented on it. Rosemary Jay has written about it. Lots of people have written about and I just we talked about data protection impact assessments there say that we don't probably need to do those under their new proposals.


We don't need data protection officers, we don't need records of processing. I just think it is a bad move. I'm not saying all that the proposals are bad, but I think, you know, with no become used to yes for some people they might say this, oh, it's more work, it's people. But actually it's doing a good job and it's protecting people's data and people's privacy.


Yes. Thank you for volunteering that information about the consultation. I agree with you in terms of short sighted, and I think it is going to disenfranchise citizens somewhat.


I think there's lots of good work that's been done already. Caitlin. I think it would be sad to to lose a lot of that. We'd become used to it. I know for some people it is a pain, but actually it is good. But I think there are other things as well are in the pipeline. It's not just the DCMS proposals, it's the Brexit proposals.


And in the NHS we've got lots of changes coming at the top. NHS, digital, NHS X, the new health and care bill, which is bringing in integrated care boards, integrated care systems, integrated care partnerships. It means a complete rejigging of what we're doing and how is information governance going to fit into that? I don't know. We are used to change and what we need to do is to make sure that we're at the forefront of still protecting people's data and people's privacy to make sure that whatever it comes out that that we do the best that we can for our clients.


I'm just wondering as well about the different approaches, I suppose, across the different regions that people are taking with the integrated catalogues in terms of working together on the information governance side of things. Do you wan to say anything on that side at all.


Interesting. There are lots of different things going on. Michala and I think that the new health and care bill is changing things of what we're doing. Lots of people are at different stages in that change. What you're doing probably down in the South might be different than what we're doing in the East, but eventually we'll all get to the same point of what we want to do is to to care for our patients and the NHS.


We want them to have the best health and doing that there is information sharing that needs to take place. But there's the holistic view of patient patients don't just belong to a hospital and that's the end of it. So my local hospital and the community team used to be separate, the community team and I was part of the hospital.


They are employed by the hospital. So, you know, when you get discharged from the hospital, you're not then just saying, well, nothing to do with us anymore. And so it's how we then work together across mental health, acute hospitals, local authorities health and social care to be able to bring things together. It does have its challenges. It has its challenges for you and for cybersecurity.


It has challenges for us for information governance. We also has a challenge, but lots of people want our data and I don't blame them. It's very, very good data. Our GP's, our hospitals, mental health, we need to look at people's health now, two years, five years, ten years time. How can we make health better? How can we deliver care efficiently?


And cost effectively? We don't have a monetary where money is available for all the things that we need to do. So research is really important and there are some things that have been proposed, but because we don't have the proper security in place, we don't have the proper information governance in place, they've had to be delayed. One of them was cheap data for planning and research.


I fully understand it and all my colleagues fully support it. It has to be done safely and securely and who is the data controller? It's the GP and you can't have somebody else making the decision about what's going to be shared.


Yeah, I can remember when at a time when there would be arguments between data protection officers in different hospitals. As to his third controller Gates predecessor, state controller, so challenging ones depending on what's going on. They do need something. Looking at all of that so that you say you can actually protect the patients because that's what we're there for in the NHS, not the health care charity as much as well.


So yeah, just to go back to the apprenticeships very quick, where do people actually go if they want to look at the available apprenticeships for these to actually become the next cohort.


Just go on Google the Institute of Apprenticeships and it would come up and then there's a search bar just in the search bar, put in data protection practitioner or information governance practitioner and it would take you to the page and all the information is on there. It is very generic and it covers society, whether you're NHS or any other industry, it's all there and I think it's yeah, that's where you can go to and then you can find all the information you want from that.


Oh, people can drop me an email and I'm more than happy to put them in the right direction.


Oh, excellent. That's great. Thank you. One of the things that I always like to ask our guests here is three things that they would recommend to our audience for you I understand that you'd like to share a person that you might have around dinner.


I would pick somebody, a comedian, a comedian, a great actress. Well, Spike Milligan, I think, would be entertaining. It'd be informative. I think he's one of those men who was a genius. And I think he did suffer with his mental health. And I think it's because he was such a clever man that mutual friend of ours sometimes quotes it to me when when I try and sort of suck up to people and want some information, and I try to be nice to he calls me a groveling something or other.


And despite Milliken's catchphrase, it was an award that he won. And he went on the stage and somebody said to him about a wonderful actor and comedian. And Spike Milligan says, You are a groveling and I will.


And how about in that spirit books?


Seven years ago today, I started off from London to Paris, cycling to Paris with a group and there was about 130 people. It was a long bike, but I love cycling, so I've got a boat that is the rules of cycling. Some of them are unwritten rules in the sense of about what you need to consider when you're cycling.


You know, you don't cycle side by side to have a conversation. You don't cycle behind somebody all the time to get that draft. And that's a great book. I enjoyed that and I've still got that. Well, is.


There a particular sort of lesson in cycling that you'd say there's a parallel with information governance at school?


Yeah, I'm just thinking it can be hard work. You know, when you've got the hills, it's hard work. But you know what? There are some real good benefits of coming down a hill and putting your legs and arms out anyway, because, yeah, there are some times when you know there are some nice wins and see the smile on people's faces when you come out and say, Oh, that's really helpful.


Thank you ever so much.


Yeah, I've seen that. It's like worth so much, isn't it? Because in our lines of work they can be quite sort of thanks less in a way. And you need to get that joy out with yourself, I think. OK, and then the final one for you. How about podcast.


While there are so many podcasts for data protection information governance, I'm going to refer to my friend Richard Merrygold. No, Richard does some podcasts and called data Protection Diaries. I've been on there and some of the things I've said today I've said on there and a number of people have done sort of similar things. But, you know, sitting there just like we are having a conversation, what we call it, a book chat, we had a pint in our hand.


But Richard's data protection diaries are really worth listening to. Lots of different people that he's had on there. And again, really good accents.


That's great recommendation. Shout out to Richard. One of the things I like as well, Data protection diaries is how open he is linked in that sharing thoughts. And I think that's really, really helpful for a lot of us, particularly the period of the pandemic. You know, it's been quite challenging. So many great shows now. I must be quite a few things.


But what's one question that you wish I'd asked you that I haven't.


What do I recommend and I think you might have hinted at it a bit early, what do I recommend? Because I've mentioned about networking being really, really important. We do have in the NHS a good network it is health and care. It's not just the NHS. People are interested in data protection, information governance, get yourself linked to a local network and if someone set one up do one, you know, even if it's only half a dozen people meeting together every three months.


But we have an east of England. It's part of what we call the the sign, the strategic information governance network, what we did, one called privacy space launch. And again, I've been to lots and lots of things at Prep Slack and all the others. Excellent, good. But privacy space was beyond our expectations. It was the first one we did.


We are doing another one later this year. I'm not going to give the data away just yet. And I can't say strongly enough I'm only where I am because of networking of colleagues who shared things with me. So get yourself into a network.


That's brilliant. Thank you. And then for the leaders that are listening who might not work directly in this space, but they need to be aware of it. What one piece of advice would you give them?


Yeah, I have the phrase demonstrate compliance with the law. You know, literally what that means is document that the ICO itself, Elizabeth Denham, said they want to support organizations. And if your organization can demonstrate you've done all that, it's reasonable to protect that data, then you're in a good place. But it's documenting your reason and rationale for doing things.


And so that's why I say, you know, demonstrate your compliance with the law. Yeah, you might get it wrong. And the ICO will then say, well, I think you've got it wrong. But I think what you might need to do is to consider this, this and this. So demonstrate your compliance with the law. That's my advice. So whatever you do, whoever you are in an organization, just say, can you defend yourself, document your reasons and rationale.


Interesting one. Thank you very much for that. Finally, where can people find you online? If they'd like to have a chat with you?


I've got a website and it is simply bjm Ig privacy and if you put that in, you'll find it.


Thank you so much. Well, it's been really lovely talking to you today. I'm so pleased that we managed to get this opportunity to work together, and particularly to share your amazing achievement of the apprenticeship with you and the Trailblazer team, because that I think, is really going to have a huge impact on me as going forward. So thank you.


Well, thank you, Michala. And that I'm sorry, I'm not the expert on cyber security, but we all need each other.


We do. Excellent thanks very much.