Cross-agency data sharing does not usually fail because partners disagree on principles. It fails because governance is either too complex to operate or too weak to control risk when pressure hits. This article sits within Data Sharing Agreements & Cross-Agency Governance and assumes the interoperability realities described in Health & Social Care Interoperability Frameworks. The aim is practical: a minimum viable governance model that can run in the real world and still stand up to oversight.
What âminimum viable governanceâ actually means
Minimum viable governance (MVG) is not âlight touchâ governance. It is the smallest set of controls that reliably prevents predictable failure modes: unauthorized sharing, unclear decision rights, silent scope drift, unmanaged vendor risk, and weak evidence trails. MVG prioritizes repeatable routines over big committees and focuses on what must happen monthly, what must happen immediately, and what must be provable later.
Oversight expectations you should assume
Expectation 1: governance must be evidenced, not implied. Auditors and funders expect minutes, decisions, action logs, and proof of follow-throughâespecially where multiple agencies are involved.
Expectation 2: risk controls must be measurable. If you cannot show monitoring metrics (access review completion, exception counts, incident timelines), governance is assumed to be informal.
The four components of minimum viable governance
1) Named decision rights: who can approve scope changes, authorize emergency pathways, and sign off remediation.
2) A shared action register: a single place where issues, incidents, exceptions, and remediation tasks are logged with owners and deadlines.
3) Monitoring and review routines: scheduled reviews that check specific indicators and drive actions, not discussions.
4) Escalation and closure rules: what happens when partners miss actions, controls fail repeatedly, or risk increases.
Operational Example 1: A monthly âcontrol pulseâ review that partners actually complete
What happens in day-to-day delivery
Each month, a rotating governance lead sends partners a standardized control pulse pack: access review completion status, top access anomalies (after-hours, high-volume users, unusual partner destinations), exception volumes, incident summaries, and open actions from the shared register. Partners submit short confirmations: what they reviewed, what they investigated, and what actions they took. The governance lead compiles results into a one-page dashboard for executive sponsors and flags any overdue items for escalation. The pack is designed to be completed in under 60 minutes per partner to avoid âgovernance fatigue.â
Why the practice exists (failure mode it addresses)
This practice prevents the common failure mode where governance meetings are held but controls are not actually run, leaving risk undetected until a complaint or audit.
What goes wrong if it is absent
Monitoring becomes optional and inconsistent. Issues are discovered late, partners cannot prove routine review activity, and governance credibility collapses under scrutiny.
What observable outcome it produces
Completion rates are measurable, anomalies are documented with outcomes, and sponsors can see whether controls are being operated across agenciesânot just discussed.
Operational Example 2: Controlled scope change management to stop âsilent driftâ
What happens in day-to-day delivery
A partner requests adding a new data element to improve care coordination. Under MVG, scope changes must follow a defined pathway: a change request form (purpose, minimum necessary justification, risk impact), a technical feasibility note (where data comes from and how it moves), and a governance sign-off that sets an âeffective dateâ and review point. Implementation requires updating the data map, confirming role-based access controls, and updating partner training guidance. Once live, the change is sampled in the next monthly pulse review to confirm that sharing aligns with the agreed scope.
Why the practice exists (failure mode it addresses)
This prevents silent drift, where data sharing expands incrementally through ad hoc requests until the system no longer matches the DSAâs stated scope.
What goes wrong if it is absent
Partners begin sharing broader data sets informally, controls lag behind, and later audits find âunapproved expansionâ without evidence of decision-making or risk review.
What observable outcome it produces
Scope changes become traceable. The system can show who approved expansion, what risk mitigations were applied, and whether minimum necessary assumptions still hold.
Operational Example 3: A shared remediation register that closes actions, not just opens them
What happens in day-to-day delivery
When a monitoring review identifies repeated exceptions (for example, manual exports during system outages), the issue is logged in the shared register with a named owner and a concrete closure definition: âAutomated export pathway implemented and tested,â or âEmergency workflow formalized with time-limited approvals.â The governance lead requires evidence before closureâscreenshots of configuration changes, updated procedures, training attendance logs, or sample audits showing reduced exceptions. If deadlines are missed, escalation rules trigger sponsor notification and a decision on whether to suspend the risky pathway until remediation is complete.
Why the practice exists (failure mode it addresses)
This prevents the âpermanent remediation backlogâ pattern where risks are acknowledged repeatedly but never resolved, degrading system trust and safety.
What goes wrong if it is absent
Partners normalize workarounds, repeat incidents occur, and governance loses the ability to demonstrate effective control. Oversight interprets this as unmanaged risk.
What observable outcome it produces
Actions close with evidence. Repeat issues decline, and governance can show improvement over time rather than recurring findings.
How to implement MVG without over-engineering
Minimum viable governance succeeds when it is designed around what teams can actually do under pressure. Keep the routines short, the metrics meaningful, and the escalation rules real. If governance cannot trigger action, it is not governanceâit is conversation.