Your responsibilities as a data custodian

As a data custodian providing access to health-related data through SHIP your responsibilities are:

  • To demonstrate your commitment to privacy protection through the development and implementation of appropriate and transparent policies.
  • To comply with your legal responsibilities as a data controller under the terms of the Data Protection Act and to handle data and respond to data access requests in ways that comply with the legal and ethical requirements for optimal information governance as set out in this toolkit. 
  • Provided that appropriate approval processes are in place - to participate in appropriate and lawful sharing of data resources within the health and non-health contexts.  Your access policies should be developed in a transparent and open manner.
  • To provide information that may be useful to researchers who are seeking to access data that you hold about features of these data that may be relevant to their access request, for example, consent conditions or particular risks of identification of individual patients 
  • To take the public interest in secondary uses of patient data into account and to weigh this against potential privacy risks when making a decision about whether to provide access to data for which you are responsible.  The common law of confidentiality, the Data Protection Act and article 8 of the Human Rights Act all permit the balancing of privacy concerns against considerations of public interest – you should avoid being disproportionately restrictive in setting conditions for access to data where the proposed research uses are lawful and bring recognised public benefits.
  • To seek the advice of the national Privacy Advisory Committee (PAC) or the information governance / ethics authority within your own organisation if you have questions or concerns about providing access to data for a particular project.