Charter for Safe Havens in Scotland: Handling Unconsented Data from National Health Service Patient Records to Support Research and Statistics.

The Charter for Safe Havens sets out the agreed principles and standards for the routine operation of Safe Havens in Scotland where data from electronic records can be used to support research when it is not practicable to obtain individual patient consent while protecting patient identity and privacy.

Principles for the operation of Safe Havens in Scotland handling data from NHS patient records

The principles for the routine operation of the Safe Havens handling data from NHS patient records are set out below. For each principle, the principle (in bold), the background to the principle (in italics), and (at a high level) how Safe Havens implement each principle (in normal text) are described. Operating standards and procedures that set out in more detail how the principles will be achieved in practice are given in the Technical Annex.

In this paper, reference to Data Controller should be taken to mean the individual NHS board or organisation with responsibilities as a Data Controller, as defined in the Data Protection Act 1998, and registered with the Information Commissioner’s Office, agents acting on their behalf, such as individual Caldicott Guardians, and/or governance or scrutiny mechanisms operating delegated decision making on their behalf.

Principle 1

Safe Havens will provide secure environments that are trusted by NHS Data Controllers which allow the safe and secure transfer of data with maximum fidelity from Data Controllers in Health Boards (and where applicable other bodies) to Safe Havens and between Safe Havens.

The Guiding Principles for Data Linkage states that:

“Security of data transfer, storage and use is vital for the protection of privacy, especially where there is any risk of reidentification.”

“Appropriate and proportionate physical and technical security measures should be applied to ensure the confidentiality, integrity and availability of information and should reflect the assessment risk level of information assets.”

“The default position should be that data users have access only to data from which names and direct identifiers have been removed, and data users should be subject to obligations not to attempt to re-identify individual data subjects. Any requirement for researchers to have access to data containing identifiers should be fully justified and risk assessed.”

Safe havens will ensure that data are only transferred and held within secure networks (such as the NHS N3 or SWAN networks) or using secure file transfer protocols that encrypt data in flight to ensure that individuals’ privacy is protected.

Research datasets will be held on electronically Secure Analytic Platforms in physically secure data centres, with access provided either from a ‘Secure Safe Setting’ (i.e. a specified and sanctioned physical location) or via a Virtual Private Network or encrypted communication sessions. Data Controllers will be responsible for determining the appropriate route of access. Researchers will not be able to add or remove any information from the Secure Analytic Platform before it has been reviewed through methods applied by the Safe Haven to ensure that individuals’ privacy is protected.

Principle 2

Safe Havens must not independently develop nor retain non-consented datasets or linked datasets that could potentially be used to identify individuals unless the development, use and retention of these datasets are described clearly and set out in the data sharing agreements with the Data Controller(s) in the Health Board(s) (and where applicable other bodies) that hold the source records.

The Guiding Principles for Data Linkage states that:

“Linked datasets should be kept for the minimal time necessary for the original purpose of the linkage to be met. The onus is on those wishing to hold datasets for longer to justify this, e.g. by demonstrating that adequate anonymisation takes the data outside the remit of the data protection regime. If a secondary purpose arises, a new Privacy Impact Assessment should be considered, and data-sharing agreements revised.”

Safe Havens will not act as data repositories to collate, maintain, curate and use datasets or linked datasets of potentially identifiable data without the explicit agreement of the Data Controller(s) in the Health Board(s) (and where applicable other bodies) holding the source records, and unless specific provisions are made and set out in the data sharing agreements between the Safe Havens and the Data Controller(s).

Principle 3

As Safe Havens will act as Data Processor(s) on behalf of the Data Controller(s) of NHS Scotland Board(s), an application to become a Safe Haven which can safely and securely process NHS data must be approved by the appropriate Health Board Chief Executive(s) or the delegated authorities within the Health Board(s) (for example the Caldicott Guardian). Accreditation, once established, can facilitate continued approval.

The Guiding Principles for Data Linkage states that:

“Every reasonable effort should be made to consider and minimise the risks of identification (or re-identification) to data subjects and their families arising from all aspects of data handling.

“Where obtaining consent is not practicable, then removal of direct identifiers should occur as soon as is reasonably practicable…”

“Procedures to link data should involve the separation of identifiers (e.g. name, or unique reference number) from the rest of the data, and consideration should be given to separating the indexing, linking and analysis functions and personnel.”

“The linkage method used should be that which requires the minimum necessary identifiable data.”

“Data controllers should determine and agree upon the appropriate extent of anonymisation to be applied to any given dataset or linkage exercise.”

In order to obtain the approval from NHS Board(s), Safe Havens need to ensure that all data are held securely and in accordance with the instructions of the Data Controller(s) holding the source records, and that they will process data only in ways approved by the Data Controller(s). Data within analytic platforms of Safe Havens must not contain personal identifiers (for example names, addresses etc.). The Safe Haven will need to demonstrate that there are robust processes in place for de-identification so that data are pseudonymised before entering the analytic platform of the Safe Haven for analysis. Safe Haven accreditation, once established, will provide a mechanism for ensuring robust procedures and processes are in place.

Principle 4

All staff working within Safe Havens who are providing the Safe Haven service will be trained in Information Governance and the law relating to the protection of individuals’ privacy (such as the Data Protection Act) and will be trained on and work to written standard operating procedures. Both staff and operating procedures will be subject to monitoring as well as regular review and audit.

The Guiding Principles for Data Linkage states that:

“All personnel involved in data linkage activities should be properly trained on the data security policies and procedures, and should undertake periodic refresher training.

“The importance of data security should be reflected in the business objectives of all organisations involved in data linkage.”

“Information about data security policies and procedures should be highly visible within organisations conducting indexing or linking or sharing of personal data.”

“All practices, including all data linkages, shall be appropriately monitored and regulated by a relevant individual, organisation or governance body.”

Staff involved in providing the Safe Haven service must be bound through contractual requirements to protect individuals’ privacy and be subject to sanctions if they fail to fulfil these requirements. The Safe Haven must ensure that these staff are trained on and work to written standard operating procedures with regular internal monitoring, review and audit of procedures and their operation. Audit records must be kept of staff members’ access to personal identifiable information.

Principle 5

Safe Havens work in partnership with academia, public service providers and industry to undertake research using de-identified or anonymised data that is in the public interest. However, personal data cannot be sold by a Safe Haven or transferred to a commercial organisation. Nor can they be transferred, nor access provided, to a third party (i.e. researchers or others) unless specified explicitly by the Data Controller(s) holding the source records and unless the third party operates to, at minimum, equivalent standards and with equivalent safeguards.

Findings from research on public attitudes suggests that, whilst the use of anonymised patient data for publicly funded research is generally accepted, attitudes to commercial use of patient data are much more ambivalent and are dependent on the research aims and whether or not public benefits are likely[13],[14],[15].

The Guiding Principles for Data Linkage states that:

“Benefits arising from linkage of personal data are public goods and should be shared as widely as possible.”

“Where linkages resulting in commercial gain are envisaged, this should be clearly and publicly articulated and widely communicated.”

Safe Havens must not sell personal data nor transfer sensitive personal information (or information which is likely to allow the identification of individuals) to commercial organisations. Nevertheless, Safe Havens should promote cross-sector partnership working between industry, academia and public service providers to undertake research using de-identified data that is in the interests of the people of Scotland, through open and transparent managed collaborations. However, as with all access to linked datasets for research, the data cannot be copied, nor removed from the Safe Haven, nor can they be released outside of the Safe Haven (unless shared between Safe Havens within the federated network) unless specified explicitly within the data sharing agreement with the Data Controller(s) holding the source records and unless the third party operates with, at least, equivalent standards and safeguards.

Principle 6

Only researchers who have completed nationally approved safe researcher training satisfactorily and have been vetted by a designated member of the Safe Haven support staff will have access to research datasets in or through that Safe Haven.

The Guiding Principles for Data Linkage states that:

“All data recipients should be appropriately vetted to ensure they have adequate training. Vetting procedures should be robust and transparent and proportionate to the requests made and the sensitivity of the data requested.”

“The terms and conditions for data sharing should be set out in the form of a data sharing agreement. Where researchers wish to deviate from or modify the terms of the data use/sharing agreement, new terms must be agreed by all parties.”

Only researchers (this may include supervised students for the purposes of training) that have completed a nationally approved and/or validated course, once these have become established, which covers information governance, privacy protection and the relevant legislation, can access research datasets in Safe Havens. Approved researchers will work for a recognised academic, public sector or industry organisation, have agreed to a ‘terms of use policy’ and will be liable to sanctions should they breach the terms of use. Approved researchers from industry will access research databases as part of managed collaborations with recognised academic or public sector organisations. Sanctions can be applied at individual, research group, and institutional levels. Approved status is verified by the Safe Haven before each time of granting access to the Safe Haven and a single National Register of Approved Researchers will be kept and maintained by eDRIS on behalf of the federated network.

Principle 7

Organisations hosting Safe Havens within the federated network of Safe Havens in Scotland will participate in the development of the governance and research activities of data linkage across Scotland and the collaborative working across the federated network.

Through the collaborative opportunities provided through the federated network, best practice will be shared and the federated network of Safe Havens in Scotland will function as a single research site when it makes sense to do so. Appropriate governance mechanisms will be established to support this activity.

Technical Annex

Operating standards and procedures for Safe Havens in Scotland to enable the Principles set out in this Charter and to address data security and privacy requirements are set out below. Each Safe Haven must be supported by a designated senior professional who is responsible for the operation of the Safe Haven.

1. Safe Havens function as a Data Processor for any given dataset, agree a mandate with each Data Controller to ensure activity is centrally logged, monitored and audited, and act only in accordance with the explicit instructions from each Data Controller. Established national or local data privacy and scrutiny bodies comprising appropriate expert and lay members can make assessments on behalf of Data Controllers about the risks and benefits of data releases to Safe Havens which must then operate in strict accordance with their specific mandate.

2. Where a Data Controller provides data to a Safe Haven located within their organisation:

  • the staff providing the data to the Safe Haven, and the Safe Haven staff should be in separate management units and accountable to different line managers to minimise conflicts of interest arising within these roles; and
  • other than where agreed explicitly for purposes of data sensitivity or quality, linkage and analysis should be undertaken by individuals in different roles
  • the Safe Haven staff must comply with the instructions and mandate agreed with the Data Controller.
  • Safe Havens must maintain accurate records of:
  • all policies and written agreements underpinning the operation of the Safe Haven
  • the names, roles and levels of permissions to view and process data of all staff employed within the Safe Haven
  • the names and roles of all those staff given access to data, alongside summary information of the data accessed and the purpose for which access was approved
  • all projects conducted or supported through provision of data, information about who approved the project and a summary of the analytical outputs
  • data received into the Safe Haven and review date and deletion date if applicable
  • cross reference with Caldicott approval, IRAS registration of the dataset, research registration
  • data sharing agreements
  • collaboration agreements
  • inspection and other regulatory reports
  • release of aggregated data in pursuit of open data agreements
  • publications

4. Safe Havens must ensure all Safe Haven staff undertake training which addresses Information Governance and the relevant data protection legislation and regular refresher training as required.

5. Safe Havens must include confidentiality clauses within the contractual conditions of all staff involved in the management, processing or use of data, and instigate disciplinary procedures in the event of contractual conditions being breached.

6. Safe Havens must hold and process all de-identified data and potentially identifiable data exclusively and separately within restricted access areas within secure networks[16].

7. Systems should comply with relevant ISO standards. Oversight of systems security and compliance should be the responsibility of a designated security officer.

8. Safe havens must conduct penetration testing every two years; both from outwith and within the Safe Haven environment.

9. Safe Havens must restrict physical access to any room within which identifiable or potentially-identifiable data are stored in paper form.

10. Safe Havens must restrict physical access to any room within which the servers hosting identifiable or potentially-identifiable data electronically are stored.

11. Safe Havens must receive and transfer data only when necessary and do so within a secure network (NHS N3, the Scottish Wide Area Network (SWAN) or a network with equivalent controls for comparable data). Where use of a secure network is not possible, a secure method for file transfer must be used, such as Secure File Transfer Protocol (SFTP).

12. Safe Havens must develop a publication plan and publish a list of all active data sharing agreements on their websites to increase public understanding of data use, and to ensure information on data sources is accessible and discoverable, so that potential users can also find out about data resources and how to apply for access.

In the creation of project specific datasets from a single data controller Safe Havens must:

13. Remove all direct identifying information and replace them with a project specific unique identifier.

14. Retain project datasets (data extracts or linked datasets) in an analytic environment for the time period specified through written agreement with the Data Controller(s) and subsequently archive or delete.

15. Archive data in a secure environment for a specified period of time only in accordance with the specific written agreement with the Data Controller(s). Archived data must not be accessed for any purpose other than the original research unless by written agreement with the Data Controller(s). Clear and transparent records of archived data, review and planned deletion dates must be maintained.

16. Disclosure assessment and disclosure control will be applied before data are provided to an Approved Researcher in an Analytic Platform.

In the creation of project specific linked datasets from multiple data controllers Safe Havens must:

17. In addition to 13 to 16, undertake data linkage in a manner that separates the functions of the indexer/linker and researcher with the objective of minimising the number of staff with access to identifiable information. A written description of how this standard is complied with should be recorded for each linkage.

In delivering the function of a Secure Analytics Platform Safe Havens must:

18. Ensure project data are only placed into the Secure Analytics Platform by the designated staff that provide the support for the Safe Haven.

19. Only allow Approved Researchers access to data on written instruction from the Data Controller and with strict adherence to all conditions laid down in relevant Data Governance documentation (e.g. data sharing agreements, user agreements etc.).

20. Permit access to data only to Approved Researchers and via two factor authentication log-in.

21. Permit remote access to data via a Virtual Private Network or using encrypted communication sessions only with the agreement of the Data Controller(s), otherwise permit access only via a secure physical terminal within a secure Safe Haven room.

22. Never allow Approved Researchers access to direct identifiers without direct written instruction from the Data Controller. Such instructions should not be part of the standard approach: under most circumstances only project specific unique identifiers should be accessible to the Researcher.

23. Minimise the risk of study data being copied or removed from the Secure Analytics Platform by an Approved Researcher.

24. Allow analytical outputs (e.g. reports, summaries, aggregate statistics, graphs etc.) to be downloaded only after they have been checked for statistical disclosure by designated analytical staff supporting the Safe Haven if instructed by the Data Controller(s).

25. Retain, for governance purposes, copies of all analytical outputs which leave the Analytic Platform.

In delivering the function of a Secure Analytics Platform Safe Havens should:

26. In conjunction with 21, provide Approved Researchers with a view of the study specific dataset via a secure remote-access environment (e.g. Citrix) to enable remote access while mitigating the risk of data being removed from the Secure Analytics Platform without permission and minimise the risk of the introduction of viruses or malware to the analytic environment.

27. Facilitate the uploading of user-specific analytic files (e.g. look-up tables, statistics scripts) or bespoke applications with careful risk assessment and consideration of how to minimise the risk of the introduction of viruses or malware to the analytic environment.

Secure Safe Setting

28. Safe Havens should provide or sanction access points that meet the requirements of a Secure Safe Setting and allow researchers to access data held in any of the Secure Analytics Platforms across Scotland via a ‘thin client’ mechanism (assuming appropriate permissions are in place).

29. Secure Safe Settings consist of ‘thin client’ terminals that are located in secure physical environments where the researchers’ behaviours and actions are monitored. An audit log of who has accessed which data should be kept.


Email: Pamela Linksted

Back to top