Charter for Safe Havens in Scotland: Handling Unconsented Data from National Health Service Patient Records to Support Research and Statistics.

The Charter for Safe Havens sets out the agreed principles and standards for the routine operation of Safe Havens in Scotland where data from electronic records can be used to support research when it is not practicable to obtain individual patient consent while protecting patient identity and privacy.

Technical Annex

Operating standards and procedures for Safe Havens in Scotland to enable the Principles set out in this Charter and to address data security and privacy requirements are set out below. Each Safe Haven must be supported by a designated senior professional who is responsible for the operation of the Safe Haven.

1. Safe Havens function as a Data Processor for any given dataset, agree a mandate with each Data Controller to ensure activity is centrally logged, monitored and audited, and act only in accordance with the explicit instructions from each Data Controller. Established national or local data privacy and scrutiny bodies comprising appropriate expert and lay members can make assessments on behalf of Data Controllers about the risks and benefits of data releases to Safe Havens which must then operate in strict accordance with their specific mandate.

2. Where a Data Controller provides data to a Safe Haven located within their organisation:

  • the staff providing the data to the Safe Haven, and the Safe Haven staff should be in separate management units and accountable to different line managers to minimise conflicts of interest arising within these roles;
  • other than where agreed explicitly for purposes of data sensitivity or quality, linkage and analysis should be undertaken by individuals in different roles; and
  • the Safe Haven staff must comply with the instructions and mandate agreed with the Data Controller.

3. Safe Havens must maintain accurate records of:

  • all policies and written agreements underpinning the operation of the Safe Haven
  • the names, roles and levels of permissions to view and process data of all staff employed within the Safe Haven
  • the names and roles of all those staff given access to data, alongside summary information of the data accessed and the purpose for which access was approved
  • all projects conducted or supported through provision of data, information about who approved the project and a summary of the analytical outputs
  • data received into the Safe Haven and review date and deletion date if applicable
  • cross reference with Caldicott approval, IRAS registration of the dataset, research registration
  • data sharing agreements
  • collaboration agreements
  • inspection and other regulatory reports
  • release of aggregated data in pursuit of open data agreements
  • publications

4. Safe Havens must ensure all Safe Haven staff undertake training which addresses Information Governance and the relevant data protection legislation and regular refresher training as required.

5. Safe Havens must include confidentiality clauses within the contractual conditions of all staff involved in the management, processing or use of data, and instigate disciplinary procedures in the event of contractual conditions being breached.

6. Safe Havens must hold and process all de-identified data and potentially identifiable data exclusively and separately within restricted access areas within secure networks[16].

7. Systems should comply with relevant ISO standards. Oversight of systems security and compliance should be the responsibility of a designated security officer.

8. Safe Havens must conduct penetration testing every two years, both from outwith and within the Safe Haven environment.

9. Safe Havens must restrict physical access to any room within which identifiable or potentially-identifiable data are stored in paper form.

10. Safe Havens must restrict physical access to any room within which the servers hosting identifiable or potentially-identifiable data electronically are stored.

11. Safe Havens must receive and transfer data only when necessary and do so within a secure network (NHS N3, the Scottish Wide Area Network (SWAN) or a network with equivalent controls for comparable data). Where use of a secure network is not possible, a secure method for file transfer must be used, such as Secure File Transfer Protocol (SFTP).

12. Safe Havens must develop a publication plan and publish a list of all active data sharing agreements on their websites to increase public understanding of data use, and to ensure information on data sources is accessible and discoverable, so that potential users can also find out about data resources and how to apply for access.

In the creation of project specific datasets from a single data controller Safe Havens must:

13. Remove all direct identifying information and replace it with a project specific unique identifier.

14. Retain project datasets (data extracts or linked datasets) in an analytic environment for the time period specified through written agreement with the Data Controller(s) and subsequently archive or delete.

15. Archive data in a secure environment for a specified period of time only in accordance with the specific written agreement with the Data Controller(s). Archived data must not be accessed for any purpose other than the original research unless by written agreement with the Data Controller(s). Clear and transparent records of archived data, review and planned deletion dates must be maintained.

16. Disclosure assessment and disclosure control will be applied before data are provided to an Approved Researcher in an Analytic Platform.

In the creation of project specific linked datasets from multiple data controllers Safe Havens must:

17. In addition to 13 to 16, undertake data linkage in a manner that separates the functions of the indexer/linker and researcher with the objective of minimising the number of staff with access to identifiable information. A written description of how this standard is complied with should be recorded for each linkage.

In delivering the function of a Secure Analytics Platform Safe Havens must:

18. Ensure project data are only placed into the Secure Analytics Platform by the designated staff that provide the support for the Safe Haven.

19. Only allow Approved Researchers access to data on written instruction from the Data Controller and with strict adherence to all conditions laid down in relevant Data Governance documentation (e.g. data sharing agreements, user agreements etc.).

20. Permit access to data only to Approved Researchers and via two factor authentication log-in.

21. Permit remote access to data via a Virtual Private Network or using encrypted communication sessions only with the agreement of the Data Controller(s), otherwise permit access only via a secure physical terminal within a secure Safe Haven room.

22. Never allow Approved Researchers access to direct identifiers without direct written instruction from the Data Controller. Such instructions should not be part of the standard approach: under most circumstances only project specific unique identifiers should be accessible to the Researcher.

23. Minimise the risk of study data being copied or removed from the Secure Analytics Platform by an Approved Researcher.

24. Allow analytical outputs (e.g. reports, summaries, aggregate statistics, graphs etc.) to be downloaded only after they have been checked for statistical disclosure by designated analytical staff supporting the Safe Haven if instructed by the Data Controller(s).

25. Retain, for governance purposes, copies of all analytical outputs which leave the Analytic Platform.

In delivering the function of a Secure Analytics Platform Safe Havens should:

26. In conjunction with 21, provide Approved Researchers with a view of the study specific dataset via a secure remote-access environment (e.g. Citrix) to enable remote access while mitigating the risk of data being removed from the Secure Analytics Platform without permission and minimise the risk of the introduction of viruses or malware to the analytic environment.

27. Facilitate the uploading of user-specific analytic files (e.g. look-up tables, statistics scripts) or bespoke applications with careful risk assessment and consideration of how to minimise the risk of the introduction of viruses or malware to the analytic environment.

Secure Safe Setting

28. Safe Havens should provide or sanction access points that meet the requirements of a Secure Safe Setting and allow researchers to access data held in any of the Secure Analytics Platforms across Scotland via a ‘thin client’ mechanism (assuming appropriate permissions are in place).

29. Secure Safe Settings consist of ‘thin client’ terminals that are located in secure physical environments where the researchers’ behaviours and actions are monitored. An audit log of who has accessed which data should be kept.


Email: Pamela Linksted
