All countries are investing in health data. There are however significant cross-country differences in data availability and use. Some countries stand out for their innovative practices enabling privacy-protective data use while others are falling behind with insufficient data and restrictions that limit access to and use of data, even by government itself. Countries that develop a data governance framework that enables privacy-protective data use will not only have the information needed to promote quality, efficiency and performance in their health systems, they will become a more attractive centre for medical research. After examining the current situation in OECD countries, a multi-disciplinary advisory panel of experts identified eight key data governance mechanisms to maximise benefits to patients and to societies from the collection, linkage and analysis of health data and to, at the same time, minimise risks to the privacy of patients and to the security of health data. These mechanisms include coordinated development of high-value, privacy-protective health information systems, legislation that permits privacy-protective data use, open and transparent public communication, accreditation or certification of health data processors, transparent and fair project approval processes, data de-identification and data security practices that meet legal requirements and public expectations without compromising data utility and a process to continually assess and renew the data governance framework as new data and new risks emerge.