SHIP Guiding Principles and Best Practice

Authorising/advisory bodies

Principles
  • In all circumstances of data use where consent has not been obtained, and for all uses of data beyond those specified when consent was obtained, (a) approval from an independent oversight body/research ethics committee should be obtained and/or (b) anonymisation of data should occur as soon as is reasonably practicable.
  • Where neither anonymisation nor consent is possible or where obtaining new consent from patients is not reasonably practical, data controllers and Caldicott Guardians should obtain approval from an independent oversight body/research ethics committee before authorising use of the data.
  • In order to uphold the principle of transparency, authorising bodies, such as data controllers and Caldicott Guardians, and advisory bodies, such as PAC and research ethics committees, should clearly articulate and make readily available the criteria and procedures by which they decide whether or not to sanction data use.
  • In order to uphold the principles of transparency and good decision-making, all data use/access requests to authorising bodies should include (i) clear information on reasons for access, (ii) purposes of the analyses and (iii) measures to be put in place to ensure privacy risks are minimised.
Best Practice
  • Decisions taken by authorising and advisory bodies should be publicly available and justified.
  • Authorising/advisory bodies and responsible individuals alike should uphold the Nolan Principles on Standards in Public Life whilst carrying out their duties, namely selflessness, integrity, objectivity, accountability, openness, honesty and leadership.
  • Authorising/advisory bodies which are constituted as a group should include members from diverse backgrounds who possess the necessary expertise to make appropriate and justifiable decisions on use/access.

Data Controllers and Data Processors

Principles
  • Data controllers and data processors, and their respective roles and responsibilities, should be identified clearly from the outset, and this should be communicated.
  • All personnel involved in a role as data controllers or data processors should be fully aware of their roles and responsibilities, including those contained in this document.
  • These roles and responsibilities should be subject to robust governance mechanisms designed to ensure that these roles are being carried out appropriately and to the standards legally and ethically required.
Best Practice
  • There should be prior agreement between stakeholders about who will be a data controller and a data processor and on what basis.
  • Data controllers should develop and publish clear instructions on the policies and procedures according to which they will consider applications to use or share their data. These instructions should include lines of decision-making and accountability, terms and conditions, time scales for decisions, and any appeal mechanisms, where appropriate.