Safe havens: charter

Safe havens are secure facilities that provide a controlled environment for accessing and processing personal health and social care data. This Charter sets out the operational framework for Safe Havens in Scotland, providing principles and standards to support the use of data to enable research and innovation.


Background

The information held in electronic patient health records and other linkable data sources presents incredible research opportunities to support population health improvement and the development of more effective and safer health services and treatments, as well as a deeper understanding of the causes and development of diseases. While the public is highly supportive of health and social care research for its potential to enhance healthcare outcomes, there is a clear expectation that robust safeguards will be in place to protect privacy and ensure ethical use of data.[3][4][5][6][7][8]

To ensure the ethical and secure use of health records for research and innovation, a robust governance framework has been successfully in operation for over a decade in Scotland. This framework supports ethically conducted health and social care research and innovation which is both in the public interest and scientifically sound, with patient identity and privacy meticulously protected. A key component of this framework is that the SSHN provides TREs, which are essential for safeguarding patient identity and privacy while facilitating valuable research and innovation.

Safe Havens in Scotland operate within a comprehensive governance framework. They can only receive and process data with the explicit agreement of Data Controllers, such as the NHS or other organisations responsible for the source records. Data Controllers have legal obligations to protect the data, only approving data access when fully satisfied with the safeguards in place to protect patient identity, and to ensure the research taking place using this data can have public benefits.

Before any projects using personal data from electronic patient records can commence, they undergo rigorous review by expert ethics and scientific panels, similar to the scrutiny applied to projects directly involving patients. For Scotland-wide projects, these reviews are conducted by a specialised panel which includes senior health board/data controller representatives, while regional projects are assessed by local Caldicott Guardians and Ethics Committees. These panels evaluate the public benefit of the research, at a point at which it can be quantified, against any potential risks to individual privacy, ensuring that all information releases are meticulously controlled.

Through these thorough processes, careful consideration is given to the public benefit of specific health and social care research and innovation projects. For over a decade, Safe Havens, as providers of TREs, have ensured the Scottish Government, the public, Data Controllers, and their approvals panels have confidence that personal data is handled securely and responsibly. They implement appropriate safeguards to protect patient identity and privacy when obtaining specific patient consent is impractical. Safe Havens are also committed to being transparent about these processes, regularly publishing details of their data handling practices and decisions to ensure public accountability and trust.

The operation of the SSHN in adherence to this Charter is underpinned by independent audit, aligning with relevant industry standards including ISO27001.

There may be instances where, to support an important research project, one or more Safe Havens need to depart from aspects of this Charter. For example, in the case of urgent public health crises such as a pandemic, Safe Havens may need to expedite the personal data approval process to provide critical information more quickly than usual, even if it means temporarily adjusting the standard governance outlined in the Charter. Under these circumstances, the Safe Haven(s) will be required to seek specific additional permissions and approvals from Data Controller(s) to ensure that the necessary safeguards and assurances are in place. However, even in such situations, strict measures will be enforced to protect patient privacy and data security.

This established Charter has been reviewed in consultation with SSHN, Research Data Scotland, NHS Information Governance Leads, University-based researchers and Scottish Government experts. The review has taken into account changes within Scotland, the UK and internationally such as emerging technologies, data standards and streamlined governance approaches. The appendices contain more details and will be developed and reviewed at regular intervals.

Contact

Email: HSCDatastrategy@gov.scot
