Category: Governance risk · Reviewed by Jake Leat, Associate Director · Last reviewed 2026-06-10
Information governance insurance is the combination of cyber, professional indemnity and directors’ and officers’ covers that responds to claims arising from a UK organisation’s handling, storage, retention and disposal of personal and confidential data — including breaches of UK GDPR, the Data Protection Act 2018 and common-law duties of confidence.
Also known as: data governance liability, records management insurance, information risk cover
Typical UK market form: cyber and privacy policy at entity level, with D&O and PI engaging on overlapping facts
Related concepts: Cyber insurance, Cyber governance insurance, Professional indemnity insurance
Information governance describes the strategic framework an organisation uses to manage the information it holds — from classification, retention and disposal policies to access controls and third-party data sharing. Information governance insurance is the collective insurance response to failures in that framework, principally through cyber and privacy policies, but with significant overlap into D&O and PI placements.
Where cyber insurance traditionally responded to malicious breach scenarios, the term “information governance” reflects the broader range of incidents that the market now addresses: accidental disclosure, retention failures, unauthorised access by employees, paper records loss, supplier breaches and inadequate data-sharing arrangements.
The principal regulatory framework is UK GDPR, retained in UK domestic law by the European Union (Withdrawal) Act 2018 as supplemented by the Data Protection Act 2018. Article 5 sets the principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability). Articles 24 to 32 impose obligations on controllers and processors to implement appropriate technical and organisational measures. Articles 33 and 34 require breach notification to the ICO within 72 hours and, in higher-risk cases, to data subjects.
The ICO may impose monetary penalties up to £17.5 million or 4 per cent of global turnover for serious infringements. The Data (Use and Access) Act 2025 introduces targeted reforms to the UK data protection framework, including changes to legitimate interests, automated decision-making and ICO governance, with most provisions coming into force during 2025 and 2026.
In addition, statutory and regulatory duties of confidence apply in specific sectors: the common-law duty of confidence in healthcare reinforced by the NHS Confidentiality Code of Practice, the Solicitors Regulation Authority Code of Conduct for legal professionals, the FCA Principle 6 and SYSC requirements for regulated financial firms, and the Civil Procedure Rules in respect of legal privilege.
Civil claims arise via UK GDPR Article 82 (right to compensation for material or non-material damage), the tort of misuse of private information, breach of confidence and breach of contract. The Supreme Court’s decision in Lloyd v Google LLC [2021] UKSC 50 confirmed that “loss of control” damages are not available without proof of damage in a representative action, narrowing — but not eliminating — the litigation landscape.
Cyber and privacy policies form the core of information governance insurance. They typically cover incident response costs (forensics, legal, notification, credit monitoring), regulatory defence costs for ICO and (where relevant) FCA proceedings, fines and penalties where insurable, third-party liability to data subjects under UK GDPR Article 82 and the misuse of private information tort, and first-party business interruption.
Information governance enhancements include cover for paper records loss, internal “rogue employee” data theft, data held by sub-contractors, and breaches caused by retention or destruction failures. PI policies for professional firms (legal, accountancy, healthcare, financial services) overlap because confidentiality is a fundamental professional duty; many PI wordings now contain affirmative cyber and privacy extensions or are placed alongside a cyber policy with co-ordinated terms.
D&O policies engage where individual directors are personally pursued — for example, in an ICO investigation under section 198 of the Data Protection Act 2018 against a director who consented to or connived in an offence. Crime policies may engage for insider theft of data with intent to defraud.
The UK cyber and privacy market has matured substantially. Specialist privacy capacity exists at Lloyd’s, with Beazley, CFC, Chubb, Hiscox and AIG among the lead markets. Capacity for smaller and mid-market UK businesses is plentiful in 2026, with premiums having softened since the 2022 peak. PI insurers writing professional services have generally embraced privacy-related sub-limits or affirmative wordings. Larger placements often combine a primary cyber policy with excess layers and a Side A D&O drop-down to address director-level exposure.
Information governance is increasingly an underwriting question rather than a renewal afterthought. Underwriters expect a current data-mapping exercise, documented retention schedules aligned to the storage limitation principle, role-based access controls, encryption of data at rest and in transit, and a documented Record of Processing Activities under UK GDPR Article 30. Organisations that hold special-category data (health, biometric, criminal) or operate cross-border data transfers under the International Data Transfer Agreement face more detailed underwriting.
A UK independent school discovered that an unencrypted USB drive containing pupil safeguarding records had been lost by a member of staff travelling between sites. The school’s cyber policy funded forensic investigation, ICO notification, communications with affected families, and engagement of a specialist data protection law firm. The ICO took no enforcement action because the school’s retention schedule and breach response had been documented and were demonstrably followed. The safeguarding lead’s PI policy was not engaged. The total claim was settled within the cyber policy’s primary limit.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.