APPLICATION TO USE PERSONAL HEALTH DATA FROM MULTIPLE HEALTH BOARDS IN NHSSCOTLAND

NATIONAL CALDICOTT GUARDIAN SCRUTINY PANEL

Guidance for applicant

Applicants are invited to read the guidance document that outlines the context behind the questions and describes the process. You are welcome to append supplementary documentation (e.g. project brief, privacy impact assessment, data sharing protocols etc.), but the Caldicott Guardians will focus on what is on the form.

Why the need for adequate scrutiny?

It must be stressed that the NHSScotland health organisation(s), as Data Controllers (defined by the Data Protection Act 1998), remain responsible for that data even when it is passed to a processor (e.g. researchers and auditors). It is for this reason that adequate scrutiny of research/audit applications must take place.

In addition, it is vital to apply the Caldicott principles which are:

  • Justify the Purpose
  • Don’t use patient identifiable information unless it is absolutely necessary
  • Use the minimum necessary patient-identifiable information
  • Access to patient-identifiable information should be on a strict need to know basis
  • Everyone should be aware of their responsibilities
  • Understand and comply with the law

Once completed send form to:

To…

Cc…

Details of your sponsor

Name of Clinical Sponsor
Job title
Professional Registration Details
“I declare that the recipient(s) below are engaged in a reputable research/audit project and that the data requested can be entrusted to them in the knowledge that they will conscientiously discharge their obligations outlined below relating to the confidentiality of the data.”
Signature: / Date:

A) Overview of organisation(s) leading research

*If this is a joint application then all the relevant organisations’ details need to be included; making clear who are the joint-responsible persons.

Name of person/organisation responsible for the research project where identifiable personal data is required (e.g. Faculty of X, University of Y)
Name of specific team or project
Are you or the organisation registered as a Data Controller? If yes, give ICO Registration Number
Are you or the organisation already a Data Processor? If yes, provide details of whether the processing is on behalf of another person/organisation
Does your organisation have a track record of research using patient identifiable data? If yes, provide very brief details
Has your organisation made previous applications to Caldicott Guardians anywhere in the UK? If yes, summarise status of those applications
Is there anything else you wish to add about the bona fides of you or your organisation leading the research?
How is this project funded and over what duration?
Is there any commercial aspect to your research?
e.g. university-owned spin-off company that receives revenue from all or part of its research

B) Applicant’s details

*this should be the person leading the research project; and the person with whom the secretariat will make contact.

Your name
Position
Summary of any relevant academic qualifications (e.g. PhD)
Any professional registration details
Can you confirm that you are leading the research and are responsible for making this application? If not, explain circumstances
Contact address
Contact telephone number
Contact email

C) Overall project business case

Is this an entirely new application?
Is this an amended application to one that was previously not approved? If yes, provide details
Detail whether this particular research application is pending a decision with any group of Caldicott Guardians in Scotland or the rest of the UK.

Describe in no more than 200 words the issue that you wish to address and the scope of the research. Note: applicants are welcome to attach further evidence outside of this form; but this is your opportunity to summarise why your project is important.

Describe in no more than 200 words why patient identifiable variables are required. Outline whether you have considered use of only non-identifiable patient data and the advantages/disadvantages of this.

Describe in no more than 200 words your exact methodology; size of sample, time-frame and any special considerations (e.g. feeds into other larger UK or International research projects where there is x deadline etc.)

D) Data Protection compliance

Which Schedule 2 condition and (in the case of sensitive personal data) Schedule 3 condition of the Data Protection Act (1998) are relevant to your application and make processing lawful?
Note: the most common Schedule 2 condition cited by medical researchers is (6), “legitimate interests pursued by the Data Controller or the third party”, and the most common Schedule 3 condition cited is (8), “processing is necessary for medical purposes … includes the purposes of medical research …”.
Have you conducted any kind of Privacy Impact Assessment at planning stage? If so, this can be appended as an annex.
I.e. this can relate to privacy impact of the entire project or just on the NHS-originated material.
Is it practical for patient consent to be acquired for the sample OR has consent already been acquired?
E.g. xxx persons on a medical trial agreed for their NHS data to be used.
Has your research application been through an ethics committee in your own organisation or any part of the NHS in the UK? If pending, please give details.
Are there any existing Data Sharing Protocols in place within NHSScotland or with other parts of NHS that are relevant to your application? If yes, append as an annex.
E.g. we already share x with y NHS health board and have a protocol in place.

E) Details of data requested

List the non-personal data fields required (i.e. clinical or non-clinical raw data).
Describe whether these data fields, when used together, can identify a living or dead person (i.e. put x, y and z together and persons could be identified).
List data fields required that can readily link the above clinical or non-clinical data with a living person (i.e. patient demographics).
CHI, first name, surname, date of birth, age, gender, post code etc.
Confirm whether the above does constitute sensitive personal data as defined by Data Protection Act 1998 (i.e. anything that enables you to deduce the physical or mental state of a living individual).
Outline the exact sample required
(I.e. number of persons; post-code or other geographical area used).
Outline whether the sample specifically targets vulnerable groups (adults and children) including those without capacity.
Outline whether the sample will specifically target groups where there are health and safety implications if the data is lost or misused? (E.g. child protection cases, where police involvement is likely).
Outline whether data will only relate to living persons, only dead persons, mixture of living and dead persons or whether it is not possible to be certain of this in the sample.

F) Data Processing

What persons/roles will process the above data in your organisation once it is transferred from NHSS?
Note: the definition of processing is extremely wide and includes anyone in your team involved with the data. This includes persons in IT who may need to manipulate or simply store it, persons reading it and those doing research etc.
Have any of the above undertaken Information Governance training such as Data Protection or patient confidentiality?
Specify what type of recognised course this was (e.g. computer-based training package; BCS certification or on-site training etc.)
Describe what (if any) pre-employment checks are undertaken on those who will be processing the data.
E.g. CRB, Disclosure Scotland, identity check, credit check or an industry-wide screening process.
Are there any circumstances where other parties (other than those detailed above) would have access to the data even on a temporary basis?
E.g. contractors, locums, students, IT supplier system administrators.

G) Data security

*The Data Protection Act principle 7 requires “appropriate technical and organisational measures” to be taken.

All information given should be stored on encrypted, password-protected equipment to comply with NHS Scotland’s IT security standards.

See:

What mechanism will be used to copy and transfer the data from the NHS to the research team?
E.g. encrypted file sharing protocol; encrypted hard-drive, manual records via tracked courier etc.
How far is filtering and masking of data required and will this be done prior to transfer by the NHS?
E.g. to remove x and y because only z is needed.
Are there any known digital or paper format issues that make filtering or masking difficult?
e.g. data unstructured; high cost of redacting manual files; likelihood of getting more data than you need etc.
What resource (if known) would NHSS need to have in place to prepare the data and do the transfer?
With what frequency, and in what volume, do you propose the data to be transferred?
e.g. x amount each quarter; all in one go etc.
Where will the data be stored once it has been transferred to your organisation?
E.g. x server, in y building.
Can you confirm that the data will remain within the UK and that access will be from within the UK?
Can you confirm that the data will not be transferred at any point in the research life-cycle to another storage medium within the UK? The exception is normal back-up procedures.
e.g. as storage media to an off-site store; change of university campus etc.
What physical security do you have in place at the sites where the data is held?
e.g. swipe card access to IT server room, alarms, CCTV; in the case of manual files, strong cabinets etc.
What is the name of the IT application/system on which the data is to be held and accessed from?
E.g. Standalone Access Data-base or bespoke university system.
What type of IT identity and access management is used to ensure that the right persons are enrolled and removed from the system that can access the NHS-originated data?
E.g. user-name/password; Active Directory; role-based access.
How far will the data-sets from NHS be segregated from other research data and business applications?
I.e. to prevent intermingling of NHS-originated data with other business applications.
If NHS-originated data is to be intermingled with other research data and/or business applications will the data be sufficiently anonymised?
How far can researchers gain access to the data remotely and what type of authentication is in place?
E.g. two-factor authentication via VPN to the university network.
What measures will you have in place to ensure that identifiable patient data will not be copied, distributed and stored in non-authorised places?
I.e. how far researchers can put data onto personally owned devices rather than accessing data only from the agreed application; how far printed copies can be made and taken outside the normal place of research.
Do the mobile devices used to access or store the NHS-originated data have whole-disk encryption or encryption on the application? E.g. AES 256 encryption.
Do the systems on which you store and access the data have an audit log showing as a minimum, user number, user name, date, time, object name?
What back-up measures do you have in place for the data?
To what extent is your IT in-house or outsourced? If outsourced what is the name and address of the company?
Confirm that there are no circumstances in which the data will be held in another place other than the official research data centre.
e.g. Public or private ‘cloud’ tools for document storage and sharing.
Describe which IT system administrators will have the technical ability to access all the NHS-originated material.
What mechanisms do you have in place to ensure that any security breach relating to NHS-originated material is reported to NHSS promptly?

H) Data Linkage and research

What health-related data-sets from non-NHS sources will also be used (and possibly cross-referenced with the NHS data) as part of the research?
E.g. own data from named individuals via questionnaires; data from non-NHS health care providers such as charities or companies.
What non-health related data may be used (and possibly cross-referenced with the NHS data)?
E.g. electoral roll, published statistics on crime, social care reporting etc. in a geographical area.
What type of technical tool may be used to analyse the data?
e.g. Geographical Information Systems (GIS) that overlay data; software with algorithms set to identify common attributes across multiple data-sets etc.
Are you deploying any data-matching techniques that create patterns which may be significant but potentially sensitive?
E.g. matching medical conditions to race, sexual orientation etc. in a way that was not possible in the course of normal NHS business.

I) Information and Records Management

Do you have a clear overall policy on retention/disposal of research data?
e.g. Disposal schedule for x project/faculty.
How long will the NHS-originated data be used and held for?
Secure disposal is essential. When will the NHS-originated data be disposed of/deleted completely? This includes backup and archive copies.
How will the NHS-originated data be disposed of/deleted, and what evidence will there be that this has occurred?
E.g. IT supplier provides certificate of destruction.

J) Publication

How will the research findings be published and disseminated and in what format?
Are there any commercial considerations that prevent full publication?
E.g. medicines research to inform investment decision for sponsor.
Are there any circumstances where a living or dead identifiable individual would be cited?
E.g. where a person consented for their data to be used as a case study.
What steps will be taken to ensure that persons cannot be identified in the published findings?
E.g. use of numbers, aliases and avoidance of very small geographical areas and low likelihood factors that make persons identifiable.

Declaration

I can confirm that the information provided above is accurate and up to date.

I also understand that the Data Controller, and agents acting on its behalf in NHSScotland, reserves the right to inspect the data on the sites where it is being processed.

Signature: / Date: