7 Data Security and Confidentiality
Information Governance Framework
7.1 Data to support the survey were provided by ISD Scotland, PSD (both divisions of NHS National Services Scotland) and the NHS Central Register (NHSCR). NHS National Services Scotland (NSS) and NHSCR staff adhere to an NHS Scotland Information Governance Framework, which brings together all of the statutory requirements, standards and best practice that apply to the handling of personal information. This includes requirements set out in the Data Protection Act. Similarly, as the appointed survey contractors, Picker Institute Europe and Ciconi Ltd were required to comply with the principles covered by the Scottish Information Governance Toolkit (published at http://www.scotland.gov.uk/Publications/2008/07/01082955/5).
Application for use of data
7.2 The Community Health Index (CHI) is an NHS Scotland database containing personal information about every patient registered with a general practice in Scotland. This database is maintained by PSD and Atos Origin Alliance on behalf of each Scottish NHS Board. The Scottish Government, with input from ISD, submitted an application to the CHI Advisory Group seeking authorisation to obtain the necessary CHI information to be used as a sampling frame for the Survey. Permission to access CHI data for the purpose of the survey was granted in June 2011.
7.3 The sample of patients to whom the survey was sent was drawn randomly from CHI. The sampling method and process are described in more detail in Chapter 4. Each patient selected for the survey was allocated a survey-specific unique ID number. This ID number was shown on the questionnaire sent to each patient, and used to link individual survey responses back to the original list of sampled patients.
7.4 The names, addresses and survey-specific unique ID numbers of sampled patients, along with the code, name and location of their registered GP practice, were sent electronically by secure FTP (File Transfer Protocol) link to Picker Institute Europe.
7.5 On completion of survey fieldwork and data capture (described in more detail in Chapters 5 and 6), the coded questionnaire responses were sent electronically by secure FTP from the survey contractors to ISD Scotland.
7.6 In addition to this, to help support the process of identifying deceased patients, patient details were also sent to PSD and NHSCR (described in more detail in Chapter 5). The CHI numbers of sampled patients were sent electronically by secure FTP link to and from ISD and PSD. The survey-specific unique ID number, CHI number, GP practice details, names and addresses of sampled patients were also sent electronically via secure nhs.net transfer to and from NHSCR.
Access to data
7.7 Only named personnel within ISD, the survey contractors, PSD and NHSCR had access to the names and addresses of the people who were sent the questionnaire. Only named individuals within ISD and the survey contractors had access to details of those who responded. All personnel are governed by the previously mentioned Information Governance Framework. No access to patient name and address details has been, or will be, given to general practices, Community Health Partnerships, NHS Boards, the Scottish Government or any other organisation or individual.
Email: Gregor Boyd