Data Access Approvals

PURPOSE

This SOP outlines the process for requesting, approving, and managing access to sensitive data within HIC. This SOP aims to ensure that access to data is granted to authorized roles in compliance with data access regulations, policies and privacy.

SCOPE

This SOP covers all of the projects and tasks which HIC undertake. It is applicable to all HIC staff and approved users of HIC services.

RESPONSIBILITIES

PRINCIPLES

1. HIC Clients will read, sign and date the current Data User Agreement (unless this is not required as agreed within a Service Level Agreement between HIC Services and the relevant External Data Controller). For a student project, this will also need to be countersigned by their supervisor and for an external collaborator the HIC Services Data User Agreement must also be signed by an authorised signatory from their organisation. 

2. All HIC Clients are required to maintain the security and confidentiality of their Project Datasets in accordance with the Data User Agreement and the Data Protection Principles. HIC Services encourages HIC Clients to report inadvertent events that are in breach of the terms of the Data User Agreement to enable improvements to be made.

3. HIC Clients will not reuse the data for purposes outside the scope of each project; share it with colleagues who are not named project HIC Clients, attempt to link it to other datasets, or to de-anonymise it.  

4. HIC Clients will only remotely access their non-consented data within the centrally-managed HIC Services Safe Haven. Individual-level data is not permitted to be stored or transferred outside the Safe Haven without explicit Data Controller permission. 

5. When the project is complete the data and the analysis syntax used will be securely archived by HIC Services.  

6. HIC Clients will ensure that HIC Services and the Health Board responsible for initially providing data are acknowledged as data sources in all resulting reports and publications. E.g. “We acknowledge the support of the Health Informatics Centre, University of Dundee for managing and supplying the anonymised data and NHS ‘XXX’ (e.g. Tayside), the original data source” 

7. No approval is required when requesting aggregate data for developing a Project Plan. 

8. Specific approval will need to be obtained for particular datasets requiring sponsor approval for each use. Any component dataset within the overall Project Dataset for which the appropriate approvals are in place may be released prior to obtaining this dataset-specific approval. The unapproved data will not be supplied. 

9. Where a Data Controller carries out its own project approval process, the HIC Services Data Access Approval Process will not be additionally required. The Data Controller’s approval process will be described and agreed within a Data Sharing Agreement between HIC Services and the Data Controller.  

10. Data may be released, to other Safe Haven environments where information is securely managed according to strict rules; staff are legally and contractually obliged to respect confidentiality and access to data is closely monitored and requires authorisation. The data transfer arrangements will need to be approved by the Data Controllers of the data concerned. 

11. Where project-specific approval for data use is requested from Data Sponsors, HIC Services will not release data for the project until written Data Sponsor approval is obtained and stored on the PM System. 

12. If the study is limited to either: 

    • using non-consented data already held within, or accessed via HIC Services and will be undertaken using anonymised data  
      or 

    • also includes patient data where the patient has explicitly consented previously to its use for the study and it is anonymously linked to other data held within, or accessed via, HIC Services, the study will not require explicit Caldicott Guardian approval. The Approved Data User will have no access to any identifiable data (even the consented data).   

PROCEDURE

The flowchart illustrates the approvals required by HIC Services for different types of research, audit or service evaluation projects requiring data, following a proportional risk-based approach, i.e. lower risk data use requires less approval scrutiny.

Open

1. Data Access Request Initiation

   • HIC Client request access.

   • HIC Client provide Project Description document, with specifics of the study cohort, aims, methods with a document date and version.  

   • HIC Client and HIC Data Analysts agree on a planned study end date for when the Project Dataset will be archived. Details are recorded in the PM System. 

   • HIC Data Analyst or Developer (for development projects), initiates Data Requirement Specification for agreement of the specific data that HIC Services will provide to best fulfil the objectives of the project.

   • Data Requirement Specification is agreed with the Principal Investigator.

   • HIC will discuss with the project Principal Investigator, if necessary, to advise if project Sponsorship and formal Ethics Committee review are required. The study will require both Sponsorship and Ethical review if there is any contact with patients or volunteers and/or use of consented data. Advice can also be obtained directly from the TASC Research Governance Office or the East of Scotland Research Ethics Service (EoSRES) Office. Many HIC Services Data Studies will not need Sponsorship or Ethics Committee review (refer to flowchart above).

2. Data Access Approvals

   • Requestor completes an IRAS Research Ethics Committee (REC) form, describing HIC Services’ involvement, and submits with the necessary study documents, to REC for review as required.

   • Requestor submits a project protocol to the TASC Research Governance Office for review for Sponsorship.

   • Requestor submits to the appropriate NHS R&D Office(s) for approval. Permission will be required from the NHS Board(s)/Trust(s) of residence of the patients. NHS R&D permission is not required if the study does not involve NHS data or patients. Audit and Service Evaluation (non-research) projects also do not require Sponsorship, REC review or NHS R&D approval(s). 

   • For access to identifiable data, Requestor submits a Caldicott to NHS Tayside Information Governance Office.

   • Requestor forwards a copy of the REC favourable opinion letter, NHS R&D approval letter and Caldicott approval, where applicable, to HIC Services.

3. Record Keeping

   • HIC Data Analyst or Developer (for development projects), stores agreed Data Requirement Specifications (along with any subsequently amended versions), copies of the project description and relevant approvals on the PM System.

APPLICABLE REFERENCES

• Data User Agreement 

• Data Security

• Incident Management

• Archiving a Project Dataset

• Information Security Policy

• For Definitions see ISMS Glossary

DOCUMENT CONTROLS