Charter for Safe Havens in Scotland: Handling Unconsented Data from National Health Service Patient Records to Support Research and Statistics.

Background

Health research can be conducted very efficiently and effectively through the use and linkage of routinely collected data held in electronic patient records. Many important health research studies may only be amenable practically using this approach. Through health informatics research, new knowledge can lead to improvements in health by, for example, understanding better the causes of disease, the effectiveness of drugs, or the impact of health services^[1]. However, alongside the potential benefits and opportunities, there are significant public concerns that patient privacy and confidentiality could be compromised through the use of these data and/or the data could be misused.

In order to address these concerns, health informatics research must be well-controlled and encompass robust governance processes that ensure NHS data are only used for approved purposes and to safeguard patient identity and privacy^[2],[3],[4]. The governance processes must be such that they provide assurance to patients, the public, and NHS organisations that hold the source data and have legal responsibilities for protecting them, that data from electronic patient records can be used safely and in a trustworthy way without compromising patient identity and privacy.

The establishment of Safe Havens has been acknowledged as a means by which robust controls and safeguards can be put in place^[1,2,3,4]. Safe Havens operating under an accreditation framework have been considered to be the most appropriate environments to facilitate research using de-identified (also termed ‘pseudonymised’) data from electronic patient records when it is not practicable to obtain specific consent from the individuals for the use of data in their records^[4].

Safe Havens are specialised, secure environments supported by trained, specialist staff where data in electronic patient records can be processed and linked with other health data (and/or non-health-related data) and made available for analysis to facilitate research while protecting patient identity and privacy. Risk of identification is minimised through ‘pseudonymisation’ of the data, stripping away information that is not required for the research study and information that would allow individuals to be identified directly (for example, names, addresses), and also through the robust safeguards in operation at the Safe Haven to protect patient identity. These safeguards include the separation of the indexing/linking platforms, where de-identified data are linked, and the analytical platforms where the newly created linked de-identified datasets can then be analysed (see Figure 1). The safeguards also include the use of agreed formal standard operating procedures by the Safe Haven support staff with compliance monitored. Furthermore, access to the data in the Safe Haven is tightly controlled; only approved and vetted researchers are permitted access to undertake analyses and the source data are never released from the Safe Haven. These safeguards are described in this charter.

The Safe Havens in Scotland that handle data from NHS patient records for research operate within a robust research governance framework. Firstly, they can only receive and process data under the express agreement of Data Controllers^[5] – the NHS or other organisations holding the source records which have legal obligations to protect the data within them – and when the Data Controllers are satisfied about the safeguards Safe Havens have in place to protect patient identity. Secondly, before research projects using data from electronic patient records can begin, they are considered by expert ethics and scientific panels in a similar way to studies involving patients. Projects are also scrutinised by an expert panel, such as the Public Benefits and Privacy Panel (PBPP)^[6] or the local Caldicott Guardians acting on behalf of the Data Controllers. The panel assesses the public benefit of the research study against the risk that individual privacy might be compromised, and also that any information releases are carefully controlled. Through these processes careful consideration is given to whether specific health informatics research studies should be done, and whether the safeguards in place provide appropriate protection of the identity and privacy of patients since they themselves cannot, for practical reasons, be approached for their specific consent. Only when the conditions of the panels are met can a research study proceed. Any decision to provide access to data must follow NHSS scrutiny, when involving NHS data, and the use of an independently accredited safe haven provides additional assurance.