Health & care governance

This is a sector overlay, not a replacement for the core course. It applies the eight governance modules to the settings health and care organisations actually deliberate in — health boards, clinical governance committees, ethics review panels, and care providers. Work through the eight core modules first, then return here and use the prompts below to translate each into your own committee rooms. The overlay is deliberately board-literate and careful: it concerns the governance record of health decisions, and is not clinical advice or guidance on patient care.

How to use this overlay: complete the eight core modules and the capstone, then run the sector-specific prompts here with your board, ethics panel, or clinical governance committee. Core path: Module 1 · Module 2 · Module 3 · Module 4 · Module 5 · Module 6 · Module 7 · Module 8 · Capstone.

Where the risk shows up in health governance

Health and care governance generates some of the most sensitive deliberation records any board will ever hold. The risk is rarely in the headline decision; it is in how the decision was formed, who could see the working material, where it was processed, and whether a later inquiry can reconstruct the reasoning faithfully. The recurring exposure points:

Recurring exposure points
  • Ethics-committee deliberations — the rationale, the dissent, the alternatives considered and rejected. The defensibility of an ethics decision lives in this record.
  • Consent and its boundaries — what was consented to, for what purpose, and the precise edge where consent stops. Drift at that boundary is a governance failure, not a clerical one.
  • Health-adjacent programme design — wellbeing, screening, outreach and care-coordination programmes that touch health data without being clinical services.
  • Community-sensitive data — population, whānau, or cohort data where collective interests and cultural obligations sit alongside individual privacy.
  • Incident reviews and morbidity / mortality discussions — searching, high-stakes deliberation whose value depends on a complete and attributable record.
  • AI-assisted triage or summarisation of sensitive cases — where a model stands between the source material and the people deciding, and may quietly reshape what the committee sees.

Mapped against the course's five risk categories, two stand out sharply in this sector:

Jurisdiction risk (acute here): cross-border processing of health data moves the most sensitive records you hold into another legal regime — where a foreign disclosure regime, lawful-access power, or change of vendor terms can reach material your members never expected to leave the jurisdiction.

AI-reuse risk (acute here): sensitive case material fed into models can be retained, used for training, or surfaced opaquely. Once a morbidity discussion or an identifiable case summary enters an unbounded model pipeline, the board has lost the ability to prove where it went.

The other three still apply: provenance risk (can you prove who authored and changed the record?), boundary risk (can you prove what crossed which boundary, and when?), and continuity risk (does the authoritative version survive a vendor change?). Module 3 develops all five.

Worked examples

Three situations that turn an ordinary health-governance record into a contested one. Read each as a question about the properties of the record, not the clinical merits of the decision.

1 · An ethics review challenged after a poor outcome. A panel approved a course of action; the outcome was poor; the decision is now under review. The panel's defensibility rests entirely on whether it can show how the decision was formed — the alternatives weighed, the dissent recorded, the consent boundaries understood. If that deliberation lived in email threads and a vendor-controlled drive, the panel cannot prove its reasoning was sound, only assert it.

2 · An AI summary of a sensitive case that drifts from the source. A committee receives a machine-generated summary of a sensitive case. A material qualification — or a dissenting clinical view — is softened or dropped. The committee deliberates on the summary, not the source. Without a verifiable link from summary back to source, and without human authority over what the committee acts on, the drift is invisible until it is challenged.

3 · A cross-jurisdiction disclosure request for health-adjacent records. An external party, operating under a foreign legal regime, requests health-adjacent records that are processed offshore by a vendor. The question is no longer only "should we disclose?" but "can the vendor be compelled regardless of our answer, and would we even know?" Where the record sits decides who controls disclosure.

Which modules to emphasise

All eight core modules apply. For health and care governance, three carry the most weight.

Priority modules for this sector
  • Module 3 — the five risk categories for sensitive-data triage. Use the five categories as a standing checklist whenever a record touches identifiable, community-sensitive, or health-adjacent data. Jurisdiction and AI-reuse risk should be named explicitly for every such record.
  • Module 5 — Guardian-style verification and human authority for AI in care settings. Any AI-assisted triage or summary must remain verifiable against its source, and a named human must hold authority over what the committee acts on. The model assists; it never decides, and it never becomes the authoritative record.
  • Module 8 — readiness and pilot for a bounded clinical-governance function. Do not start with the whole organisation. Pilot sovereign deliberation on one well-scoped function — an ethics panel, an incident-review committee — where the records are sensitive, the boundaries are clear, and success is measurable.

External reading

Discussion topics

Health-specific discussion prompts
  • If one of our ethics decisions were challenged after a poor outcome, could we prove — not merely assert — how the panel formed it, including the dissent and the alternatives we rejected?
  • For every AI summary our committees act on, can a named person trace it back to the source and confirm nothing material was softened or dropped? Who holds that authority today?
  • Which of our most sensitive health-adjacent records are processed outside our jurisdiction, and what would happen if a foreign disclosure power reached them through our vendor?
  • If we piloted sovereign deliberation on one bounded function — say our incident-review or ethics committee — which one would teach us the most with the least risk?
