Safe havens: charter
Safe havens are secure facilities that provide a controlled environment for accessing and processing personal health and social care data. This Charter sets out the operational framework for Safe Havens in Scotland providing principles and standards to support the use of data to enable research and innovation.
Principles for the operation of Safe Havens in Scotland handling data from NHS patient records
Principle 1 Secure Access in a Controlled Environment
To ensure that data access is strictly controlled, the use of data is legal and ethical, and individual privacy is protected, research datasets are held in a Trusted Research Environment (TRE). Robust safeguards are in place, along with independent audits and endorsement, providing assurance that the Safe Havens operate under rigorously applied standards.
Principle 2 Ethical Conduct and Professional Responsibility
To ensure the consistent application of standards in the operation of Safe Havens, a fundamental principle of ethical conduct and professional responsibility is upheld within the Scottish Safe Haven Network (SSHN). This includes a commitment to maintaining the highest standards of integrity, confidentiality, and respect for individuals' privacy rights.
Principle 3 Collaborative Governance and Research
To promote the continual development of health and social care research, innovation and health-relevant scientific research, the Safe Havens work together, and with RDS, to share and implement good practice.
Principle 4 Transparency and Accountability
To promote openness and public understanding, all activities, data access, and governance processes are clearly documented and made accessible to relevant stakeholders. Regular industry-standard audits are conducted, and supported projects are publicly reported, including data usage, research outcomes, and compliance with established standards.
Principle 5 Assessment and Endorsement
To ensure consistency in the application of good practice standards and legal and ethical operations, Safe Havens undergo external assessments of their compliance with information governance and cybersecurity standards. Safe Havens operate with the full endorsement and regulatory support of the Scottish Government, their host NHS Boards and Scottish Universities.
Operating Standards
To uphold the principles outlined in this Charter and address data security and privacy requirements, Safe Havens in Scotland have well-established operating standards and procedures. Each Safe Haven is overseen by a designated senior professional responsible for its operations.
Safe People
All individuals involved in providing and accessing the Safe Haven service are Safe People, bound through contractual requirements to protect individuals’ privacy. They are subject to sanctions for any failure to fulfil these requirements. Comprehensive training from nationally approved and/or validated courses, covering information governance, privacy protection, and relevant legislation, is mandatory. Each person is responsible for adhering to ethical guidelines in line with UK policy, complying with data protection laws, and maintaining trust and confidence in the handling of sensitive data.
Safe Projects
Research and innovation projects conducted within the Safe Havens undergo rigorous review to ensure they serve a legitimate purpose and offer public benefit. All projects comply with relevant legal and regulatory requirements and are transparently documented and justified. Only approved projects that meet these criteria are permitted to access and utilise data within the TRE.
Safe Data
Data within the TRE is de-identified and processed in a manner that minimises the risk of re-identification, unless re-identification is necessary and authorised for the purpose of the research. Access to sensitive data is restricted to the minimum data required to fulfil the research, ensuring that authorised individuals have access to the data necessary for their work. All data handling and processing activities adhere to the highest standards of data protection and privacy, following both national and international regulations.
Safe Settings
Safe Havens provide a secure compute platform for data access and analysis, ensuring that physical and cyber security measures are in place to protect data from unauthorised access, loss, or misuse. These environments are regularly audited and assessed for compliance with security standards. Safe Havens implement robust access controls and monitoring systems to detect and respond to potential security breaches swiftly.
Safe Outputs
The outputs and findings from projects conducted within Safe Havens undergo disclosure control before release, to ensure they do not compromise privacy or lead to the identification of individuals and that the risk of re-identification is minimised. Outputs are shared in a way that maximises public benefit whilst safeguarding individual privacy, following ethical and legal guidelines.
1. Safe Havens operate as Data Processors under the mandate and instruction of Data Controllers. They are responsible for ensuring that personal data processing activities are centrally logged, monitored, and audited. Additionally, Safe Havens serve as providers of data services for health-relevant scientific research on behalf of Information Asset Owners. National or local data privacy and scrutiny bodies, consisting of expert and lay members, evaluate the risks and benefits of data access within Safe Havens to ensure operations remain within their specific mandates.
2. When data is provided for researcher access:
a. Staff providing the data and Safe Haven staff are in separate management units and accountable to different line managers wherever possible, to minimise conflicts of interest from research and innovation project leads.
b. Linkage and research analysis are conducted by individuals in different roles unless explicitly agreed for purposes of data sensitivity or quality.
c. Safe Haven staff comply with the instructions and mandate agreed with the Data Controller.
d. All Safe Haven staff undergo training in Information Governance and relevant data protection legislation, with regular refresher courses.
e. Confidentiality clauses are included in all staff contracts, disclosure checks are undertaken and disciplinary procedures for breaches are in place.
3. Safe Havens maintain accurate records of:
a. All policies and written agreements underpinning the operation.
b. Names, roles, and permission levels of all staff.
c. Details of all individuals granted access to data, including the data accessed and its purpose.
d. All projects conducted or supported, including approval details and analytical outputs.
e. Data received, review dates, and deletion dates if applicable.
f. Caldicott approvals, Integrated Research Application System (IRAS) registrations, research registrations, data access agreements, collaboration agreements, inspection and regulatory reports, and releases of aggregated data for open data agreements.
g. TRE outputs.
4. De-identified and potentially identifiable data are held and processed within restricted access areas in secure networks.
5. Systems comply with relevant ISO standards, overseen by a designated security officer.
6. Penetration testing is conducted annually from both outside and inside the TRE, and other forms of cyber security testing should also be considered. Additionally, data recovery and data backups are tested on a regular basis to ensure comprehensive security and resilience against potential threats.
7. Data transfer only occurs when necessary and within a secure network to Data Controllers (e.g. NHS N3, the Scottish Wide Area Network (SWAN), or equivalent).
8. Safe Havens publish an open data use register to increase public understanding and ensure data sources are accessible and discoverable for potential users.
9. Safe Havens remove all direct identifying information and replace it with a project-specific unique identifier, unless the direct identifier is necessary to fulfil the research purpose.
10. Safe Havens retain project datasets within the TRE for the specified period in the agreement with the Data Controller, then archive them either within the TRE or in a suitable data archive, to ensure scientific results can be replicated or reproduced in the future.
11. Safe Havens archive project datasets securely and indefinitely in the manner the Data Controller decides. Access to the archived data is restricted; it is not used to create Open Data, and the Data Controller must give written permission for any other use. If the archived data contains personal information, the Data Controller may also act as the Information Asset Owner. Additionally, records are kept that detail the archived data, when it will be reviewed, and when it is scheduled for deletion.
12. Safe Havens apply disclosure assessment and control before providing data outputs to an approved researcher.
13. Rooms containing identifiable or potentially identifiable data in paper form, as well as those housing servers storing such data in electronic form, are access restricted.
14. Safe Havens establish or approve secure access points that meet strict safety standards, allowing researchers to access data remotely using a simple system, if they have the appropriate permissions from the Data Controller. These Safe Settings consist of monitoring processes, where researcher behaviours and actions are tracked, and a comprehensive audit log of data access is maintained.
15. Ensure only designated staff place project data into the TRE.
16. Allow data access only to formally approved researchers who have signed a user agreement and met all training requirements, in accordance with the written instructions from the Data Controller or Information Asset Owner and all relevant Data Governance conditions.
17. Permit data access solely via two-factor authentication log-in.
18. Permit remote access via Virtual Private Network (VPN) or encrypted communication; otherwise, access is via a secure physical terminal in a Safe Setting.
19. Never allow researchers access to direct identifiers without explicit written instructions from the Data Controller, which should not be standard practice.
20. Minimise, using technical and legal controls, the risk of study data being copied or removed from the TRE by a researcher.
21. Retain copies of all analytical outputs for governance purposes and respect the copyright and intellectual property rights of the researcher for those outputs.
22. Provide researchers with secure remote access to the study-specific dataset via a secure remote-access environment to mitigate the risk of unauthorised data removal and prevent the introduction of viruses or malware into the analytic environment.
23. Facilitate the uploading of user-specific analytic files or bespoke applications (e.g. look-up tables, statistics scripts, Machine Learning/Artificial Intelligence models), ensuring careful risk assessment and minimisation of potential threats to the TRE.
Contact
Email: HSCDatastrategy@gov.scot