What About Security and Privacy?

We take security and privacy extremely seriously. All of our research meets very strict ethical and governance criteria and conforms with all data protection regulations and guidelines.

On this page you can read more about: 

Why do you need the data?

We believe access to data is essential for research. #DataSavesLives 

Data Privacy

We all have the right to keep information about our personal lives private.
The NHS, governments and researchers take this issue very seriously.

Legal protection

Image of computer on a desk, with an EU flag and a padlock (the GDPR logo) displayed on the computer screen

Under legal government guidelines, researchers are only allowed to access the data that is necessary for completing their research. The guidelines include the following.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. This long list of rules includes the requirement to handle data fairly, lawfully and transparently and in a way that ensures appropriate security.

There is even stronger legal protection for more sensitive information such as race, ethnic background, genetics, health etc. (Read more about data protection on the Gov.UK website.)

We make sure that we only request and hold the minimum amount of data that we need for our research.

Anonymised data

Researchers always receive information in the most anonymous (de-identified) way possible.
In most cases, this means that personal identifying information, such as address and date of birth, is removed before data is made available to researchers.

To distinguish one record (or person) from another, the researchers assign a non-identifiable reference number (usually an arbitrary or randomised sequence of numbers or letters).

Data linkage of anonymised data

Where different sources or types of data need to be linked together (e.g. health records and census records), this is done using a multi-step system (e.g. the Trusted Third Party system), which separates the identifying information from the actual data and ensures that no single organisation holds both parts of the puzzle.

In practical terms, this involves the creation of an anonymised ‘index’. This is the only stage at which personal identifying information is used.

Once the index has been created, other data controllers (e.g. researchers) can use it to trace and request specific records. This avoids the need to transfer any personal information between people/organisations.

When the data is finally transferred it is done in groups or ‘batches’, with each record assigned a non-identifiable reference number.
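As an added illustration (not code from the original page or from any of the organisations it describes), the following Python sketch models the Trusted Third Party linkage described above: the TTP sees identifiers only and hands back random reference numbers, each data controller strips identifiers and attaches the reference before release, and the researcher links the batches on the reference alone. The record contents, field names and the `TrustedThirdParty` class are constructed assumptions for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample records held by two separate data controllers;
# each mixes identifying fields with the research payload.
HEALTH_RECORDS = [
    {"nhs_number": "1111", "dob": "1970-01-01", "diagnosis": "asthma"},
    {"nhs_number": "2222", "dob": "1985-05-05", "diagnosis": "diabetes"},
]
CENSUS_RECORDS = [
    {"nhs_number": "1111", "dob": "1970-01-01", "household_size": 3},
    {"nhs_number": "3333", "dob": "1990-09-09", "household_size": 1},
]
IDENTIFIERS = ("nhs_number", "dob")  # fields that must never reach researchers


class TrustedThirdParty:
    """Holds the anonymised index (identifiers -> reference) and nothing else."""

    def __init__(self):
        self._index = {}

    def allocate(self, identifying_keys):
        # The same person across sources gets the same random reference number.
        refs = {}
        for key in identifying_keys:
            if key not in self._index:
                self._index[key] = secrets.token_hex(8)
            refs[key] = self._index[key]
        return refs


def split_record(record):
    """Separate the identifying part of a record from the research payload."""
    key = tuple(record[f] for f in IDENTIFIERS)
    payload = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    return key, payload


def prepare_batch(records, ttp):
    """Data controller step: only identifiers go to the TTP; the payload never does."""
    split = [split_record(r) for r in records]
    refs = ttp.allocate([key for key, _ in split])
    return [{"ref": refs[key], **payload} for key, payload in split]


def link_for_researcher(*batches):
    """Researcher step: join the released batches on the reference number alone."""
    linked = defaultdict(dict)
    for batch in batches:
        for row in batch:
            linked[row["ref"]].update({k: v for k, v in row.items() if k != "ref"})
    return dict(linked)
```

The researcher's linked output contains diagnoses and household sizes keyed by reference, but no NHS number or date of birth; only the TTP's index could map a reference back to a person.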

Reducing the risk of identification

Researchers are trained to take great care of the data they receive, even though they do not know to whom it belongs.

Nevertheless, despite our best efforts, there is always a risk that even anonymised data could lead to identification of an individual (e.g. when we combine data about location and specific health conditions). However, several processes are in place to minimise this risk as far as possible.
These include:

  • production of risk assessments which are reviewed by accredited organisations;
  • double checking of all research outputs for disclosure risk, by non-research analysts (i.e. people not directly involved with the research);
  • training of all researchers to spot and report any instances where the risk to privacy might be increased.

Data Access and Security

Data security is an aspect of trust: will the person I give my data to keep it safe?
Even when data has been anonymised, researchers still have an obligation to keep it secure.

Various procedures are in place to make sure that all data is stored and accessed as securely as possible. These procedures differ depending on where the data has come from and how personal the data is.
For example, health data from the NHS (such as hospital admissions or prescribed medications) is treated with the highest level of security possible. Researchers sign legally-binding agreements to observe official procedures and to maintain the security of any data they are given access to.

Who can access the data?

When data is requested from the NHS (or another organisation), access to it is strictly limited to the individual researcher named on the application, who must have undergone specific training in data privacy and security through accredited courses (see below).
No other researchers or staff can access the data, until it has been processed further or summarized in a way that reduces or removes the risk of re-identification.

Before they are given access to the data, the researcher must sign several legal agreements, detailing how they will access the data and how it will be handled (processed).
This means that the researcher can only examine the data in the way they set out in their initial application; and for the purposes that they stated at the start. Any amendments or changes would require separate authorisation and approval, through the same strict channels as the initial application. 

When data must be shared with others in order to complete the research project (and this was stated on the original application), we ensure that the new team’s data security procedures are at least equivalent (or even better) than our own, before any data sharing takes place.

Where will the data be accessed? Who makes sure it is used properly?

All linked data is held on secure computer servers, either within The University of Edinburgh or within the National Safe Haven network. These servers can only be accessed by registered users, using password-protected computers situated in designated (authorised) locations.

NB: No data leaves the secure servers. The computers in the access locations are essentially windows through which researchers can view but not extract data. This ensures that all data is kept securely in one place.

Users must also abide by strict access protocols when working with research data.

The strictest protocols apply to National Safe Havens, because this is where the most sensitive data (e.g. health records) is held.

  • Researchers must provide identification upon entry.
  • Researchers are severely limited in what they can take into and out of the rooms; for example, they cannot bring in any equipment such as mobile phones or laptops. External devices such as USB memory sticks are also banned.
  • The computers within the National Safe Havens are not allowed to access the internet or any other network.
  • Researchers are also monitored (both by video camera and in-person) to ensure that they are complying with the agreed procedures.
  • Any outputs (e.g., statistical analyses) that researchers generate when they are in the National Safe Haven are double-checked for risks to privacy or security by trained non-research staff, before they are released back to the researcher.

Who approves these projects?

Ethics Committee Approval

All of our research must be passed by ethics committee(s) before the work can begin.
They provide expertise and oversight on what constitutes ethical research and ensure that the proposed research studies meet the highest criteria.
This includes assessing the purpose of the research, and what kinds of data will be required to address this purpose.

The process begins with the researcher completing an application form and submitting it to the committee. Several rounds of questions, answers and edits often follow this, before approval is either granted or denied.

All of our research passes through one or more of the following:

Ethics committees are entirely independent of the researchers, research managers and funders, which enables them to put participants at the centre of their review.

Data Controller Approval

All research must also gain approval from the controllers (holders) of the requested data.

Data controllers are legally responsible for keeping their data safe and secure, so it is in their interests to assess proposals carefully.

This assessment is based upon:

  • the potential benefits of the research;
  • any risks arising due to the type of data requested, or where and how the data will be accessed;
  • the purpose behind the research.

As gatekeepers, data controllers have the power to refuse to provide the requested data if there is no benefit to the public or if the necessary safeguards have not been ensured.
They also have the authority to impose special conditions on how the research is done; for example, they might impose restrictions on what data can be released and where it can be analysed.

Their key questions are:

  • Would the public benefit from this research?
  • Are there adequate processes in place to protect the privacy and identity of the participants?
  • Do the potential benefits outweigh the potential risks?

For access to NHS Scotland data, researchers must gain approval from the Public Benefit & Privacy Panel (PBPP). In the first instance this PBPP process involves completion of an application form. This is submitted to the panel alongside documents which describe the project, its proposed methods, and its named researchers. The panel may approve the research at this stage, or may ask for an in-person meeting with the researchers to explore their proposal in more detail.

“We have a duty to provide an efficient and robust ethics review service that maximises UK competitiveness for health research and maximises the return from investment in the UK, while protecting participants and researchers.

We have a dual mission to protect the rights, safety, dignity and well-being of research participants and to facilitate and promote ethical research that is of potential benefit to participants, science and society.” 

Quotes from NHS Health Research Authority, https://www.hra.nhs.uk/about-us/committees-and-services/res-and-recs/ [last accessed 5/10/18]

Researcher Training

All researchers who access health data must undergo training to teach them about data security, data ethics and confidentiality.

They must also sign a series of legal documents, stating that they are fully aware of the policies and procedures governing individual privacy, data protection (see above) and freedom of information.

Purple-toned image with silhouette of person teaching in a classroom, presumably with an audience of researchers in training

The exact set of courses each researcher must attend depends on:

  • how sensitive the data is;
  • the specific requirements of the organisation which is sharing it.

Common courses include MRC Safe Researcher Training and SURE Training.

SURE Training

This one-day training course teaches researchers how to handle sensitive data safely, lawfully and responsibly. It includes face-to-face training on:

  • the legislation relating to data,
  • data security and researchers’ responsibilities,
  • the penalties for data breaches.

At the end of the course, researchers must complete a test.
They will only be allowed to access administrative data (such as health records) after they have passed the test.

The list on this page is not exhaustive, but it gives an overview of how seriously data security and privacy are taken by researchers, the NHS and the government.