Data Access Approvals

PURPOSE

This SOP outlines the process for requesting, approving, and managing access to sensitive data within HIC (Health Informatics Centre). This SOP aims to ensure that access to data is granted to authorised roles in compliance with data access regulations, policies and privacy.

SCOPE

This SOP covers all of the projects and tasks which HIC undertake. It is applicable to all HIC staff and approved users of HIC services.

RESPONSIBILITIES

DEFINITIONS

• Caldicott Guardian: A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.  

  • Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The mandate covers all organisations that have access to patient records, so it includes acute trusts, ambulance trusts, mental health trusts, primary care trusts, strategic health authorities, and special health authorities such as NHS Direct. 

  • Caldicott Guardians were subsequently introduced into social care in 2002, mandated by Local Authority Circular: LAC 2002/2. 

  • The Guardian plays a key role in ensuring that NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information. 

  • Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information. 

• Consented Data: The individuals to whom the data relates (data subjects) have given explicit approval for its processing for the purposes being undertaken.

• Data: Information held in electronic or paper form.

• Data Controller: A group or individual responsible for determining the purposes for which and the manner in which any personal data are, or are to be, processed. For example, NHS Tayside and Fife are Data Controllers for regional NHS data processed on their behalf by HIC Services. 

• HIC Client: Refers to an individual or organisation that receives services from Health Informatics Centre (HIC) and agrees to follow HIC's contractual obligations, policies, and procedures, ensuring compliance with legal, ethical, and professional standards.

• Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, and audio-visual. 

• Project: ​​​​​​​One or more services that covers a client's needs.

• Project Dataset: A Project Dataset that has been anonymised uniquely and specifically for use within an Approved Project. The dataset must relate to the cohort and purpose defined in the Project Description.

• Project Description: A Project Description will specify the study cohort, aims, and methods. It will also carry a date and a version number. This document is used to help decide what data is required to fulfil the study objectives.

• TASC: Tayside medical Science Centre, Ninewells Hospital.

• TRE: Trusted Research Environment (TRE) is a secure computing environment. It is specifically designed for handling sensitive data in a way that protects privacy and ensures security.

PRINCIPLES

1. For all HIC Projects, HIC will:

   • Document the data requirement representing the data that best fulfils the objectives of the project. This document is agreed with the Principal Investigator.

   • Record a project description or protocol which must be versioned or dated.

   • Record copies of all applicable approvals.

2. HIC Clients will read, sign and date the current TRE User Agreement (unless this is not required as agreed within a Service Level Agreement between HIC and the relevant External Data Controller). Authorised signatories are required from HIC Clients, a representative for and on behalf of the client organisation, a student supervisor and a representation for and on behalf of HIC, as required. 

3. All HIC Clients are required to maintain the security and confidentiality of their Project Datasets in accordance with the TRE User Agreement and the Data Protection Principles. HIC Clients are encouraged to report inadvertent events that are in breach of the terms of the TRE User Agreement to enable improvements to be made.

4. HIC Clients will not reuse the data for purposes outside the scope of each project; share it with colleagues who are not named project HIC Clients, attempt to link it to other datasets, or to de-anonymise it.  

5. HIC Clients will only remotely access their data within the centrally-managed HIC TRE. Individual-level data is not permitted to be stored or transferred outside the TRE without explicit Data Controller (or delegate) permission. 

6. No approval is required when requesting aggregate data for developing a Project Plan. 

7. Only approved datasets will be released to the HIC Client. Partial Project Datasets can be released where approvals are already in place.

8. The HIC Client is responsible for obtaining all necessary approvals. HIC will advise on what is required based on the flowchart below. The flowchart illustrates the approvals required by HIC for different types of research, audit or service evaluation projects requiring data, following a proportional risk-based approach, i.e. lower risk data use requires less approval scrutiny.

Open

APPROVALS

1. Research Projects

• R&D Approval

  • Projects using NHS data require NHS R&D approval from the appropriate NHS R&D Office(s) responsible for the NHS Board(s)/Trust(s) of the patients residency.

  • For NHS Tayside R&D approval, an IRAS (Integrated Research Application System) approval is required as a prerequisite. NHS Tayside's R&D Office, Tayside Science Centre (TASC) can assist in this.

• Ethical Approval

  • HIC have an existing ethical approval covering retrospective deidentified research projects that operate in the TRE, if the project meets this criteria this is applicable, and the IRAS application can state that Ethics is approved.

  • A separate Research Ethics Committee (REC) review and approval is required if the project:

    • Deviates from the above criteria.

    • Will contact any patients or volunteers.

  • Approval is obtained via IRAS. Advice can also be obtained directly from the TASC Research Governance Office or the East of Scotland Research Ethics Service (EoSRES) Office.

2. Non-Research Projects

• For Audit and Service Evaluation (non-research) projects no REC review or NHS R&D approval(s) are required. 

3. Data Controller Approvals (including Caldicott)

• A data controller approval is required for:

  • Access to identifiable data.

  • Any new data not hosted within HIC.

  • Releasing data to other secure environments.

  • Any data processed or provisioned outside of existing HIC agreements.

• For NHS Data, the data controller is represented via Caldicott Guardians.

• For Scottish NHS national data, the data controller may be represented by PBPP (Public Benefit and Privacy Panel).

• Where a Data Controller carries out its own project approval process, the HIC Data Access Approval Process will not be additionally required. The Data Controller’s approval process will be described and agreed within a Data Sharing Agreement between HIC and the Data Controller.  

• Where the study uses both consented data and existing HIC hosted data, HIC will not give access to any identifiable data without an explicit approval from the Data Controller.

APPLICABLE REFERENCES

• TRE User Agreement 

• Data Security

• Information Security Policy

DOCUMENT CONTROLS