Set conditions for data access

In order to satisfy your legal and ethical responsibilities as a data controller, you will have the opportunity when working with SHIP to set conditions on the ways that researchers may access and use the data.  Two key conditions you may wish to set relate to the level of anonymisation of the data and the researcher's use of a SHIP Safe Haven.  You may also work with the SHIP Research Co-ordinator to negotiate particular modifications to the research proposal and associated data uses to meet your concerns.

Specify level of anonymisation

  • As data custodian you must only agree to disclose the minimum of information necessary to achieve the objective of the research project.  When responding to a data access request, you will be able to specify the level of anonymisation that must be applied to any patient data you provide for research use.  In practice this will often mean that you will transfer data which has already been anonymised to the Safe Haven or directly to the researcher. 
  • However, anonymised data will not always be suitable for the research purposes for which it is sought.  In these cases you may wish to specify that the researchers may only access the data through a SHIP Safe Haven, thereby increasing the security of the environment in which that data is accessed.
  • When a research project requires linked datasets, SHIP has established an indexing service to facilitate deterministic linkage of datasets. This service will maintain a population index based on a unique patient identifier (UPI; e.g. the Community Health Index (CHI) in Scotland). The indexing service will add anonymised identifiers (referenced to UPI) to individual records for the purposes of linking these records across two or more datasets.
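As an added illustration (not SHIP's own code or design), the following Python sketch shows one way an indexing service can attach a linkage identifier derived from the UPI, so that a separate linker can join two datasets deterministically without ever seeing the UPI, and the recipient of the linked dataset sees neither. The keyed-hash (HMAC) derivation, the per-project key and the sample records are assumptions made for this example; the page says only that the index adds anonymised identifiers referenced to the UPI.

```python
import hashlib
import hmac

# Constructed sample extracts from two data sources, each keyed by a UPI
# (invented CHI-like numbers; these are not real records).
PRESCRIBING = [
    {"upi": "0101011234", "drug": "metformin", "year": 2011},
    {"upi": "1502022345", "drug": "statin", "year": 2011},
    {"upi": "3103033456", "drug": "insulin", "year": 2012},
]
ADMISSIONS = [
    {"upi": "0101011234", "ward": "cardiology", "los_days": 3},
    {"upi": "3103033456", "ward": "endocrine", "los_days": 5},
    {"upi": "2206064567", "ward": "orthopaedics", "los_days": 2},
]


def link_id(upi: str, project_key: bytes) -> str:
    """Indexing-service step (assumed design): derive a pseudonym from the UPI with a
    keyed hash.  The same person gets the same identifier in every dataset of one
    linkage project, but the UPI cannot be recovered without the key, and a
    different project key yields unrelated identifiers, so linked datasets from
    separate projects cannot be joined to each other."""
    return hmac.new(project_key, upi.encode(), hashlib.sha256).hexdigest()[:16]


def index_dataset(records, project_key: bytes):
    """Indexer: replace the UPI column with link_id.  Only this function handles UPIs."""
    indexed = []
    for r in records:
        stripped = {k: v for k, v in r.items() if k != "upi"}
        stripped["link_id"] = link_id(r["upi"], project_key)
        indexed.append(stripped)
    return indexed


def deterministic_link(left, right):
    """Linker: inner join on link_id.  The linker receives indexed data only, so it
    never sees a UPI; the output contains no direct identifier at all."""
    by_id = {r["link_id"]: r for r in right}
    linked = []
    for row in left:
        match = by_id.get(row["link_id"])
        if match is not None:
            merged = dict(row)
            merged.update({k: v for k, v in match.items() if k != "link_id"})
            linked.append(merged)
    return linked


def run_linkage(project_key: bytes = b"constructed-demo-key-not-for-real-use"):
    """Run both stages for the sample extracts and return the linked rows."""
    prescribing = index_dataset(PRESCRIBING, project_key)
    admissions = index_dataset(ADMISSIONS, project_key)
    return deterministic_link(prescribing, admissions)
```

In a real deployment the key would live only with the indexing service, which is why the page insists that indexing stand alone: it is the one function that needs the UPI, and everything downstream works on the pseudonym.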

With both anonymised and pseudonymised data, it is sometimes still possible to identify an individual through combinations of information.  The most common potential identifiers are:

  • Rare disease or treatment
  • Partial address
  • Place of treatment
  • Rare occupation or place of work
  • Combinations of birth data, ethnicity, place of birth data or death data, etc.

When providing access to data and considering the legal obligations you must comply with, you must assess whether the data itself contains combinations of information which could lead to individuals being identified, or whether the researcher is likely to possess other data sets which, when combined with the new dataset, could produce identifiable information.

SHIP Guiding Principles and Best Practice: anonymisation
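The following Python example is added here to show what that assessment can look like in practice; it is not SHIP's own tooling. It runs a minimum-group-size check (the k-anonymity idea) over a constructed toy extract whose columns mirror the potential identifiers listed above, reports which column combinations single out fewer than k people, and then applies two standard mitigations, generalisation and suppression. The records, the column names and the threshold k = 3 are assumptions for the example. The same check, run over only the columns an external dataset shares with your extract, is one way to reason about the second question above, what a researcher could do by combining datasets.

```python
from collections import Counter
from itertools import combinations

# Constructed toy extract, one row per person; invented values, not real patient data.
RECORDS = [
    {"dob": "1961-03-04", "postcode": "EH8 9", "hospital": "Royal Infirmary", "occupation": "teacher", "diagnosis": "asthma"},
    {"dob": "1961-07-19", "postcode": "EH8 9", "hospital": "Royal Infirmary", "occupation": "teacher", "diagnosis": "asthma"},
    {"dob": "1961-11-30", "postcode": "EH8 9", "hospital": "Royal Infirmary", "occupation": "teacher", "diagnosis": "asthma"},
    {"dob": "1975-05-02", "postcode": "G12 8", "hospital": "Western General", "occupation": "nurse", "diagnosis": "asthma"},
    {"dob": "1975-09-14", "postcode": "G12 8", "hospital": "Western General", "occupation": "nurse", "diagnosis": "asthma"},
    {"dob": "1975-12-25", "postcode": "G12 8", "hospital": "Western General", "occupation": "nurse", "diagnosis": "asthma"},
    {"dob": "1961-02-02", "postcode": "G12 8", "hospital": "Western General", "occupation": "nurse", "diagnosis": "asthma"},
    {"dob": "1975-08-08", "postcode": "G12 8", "hospital": "Western General", "occupation": "nurse", "diagnosis": "fabry disease"},
]
# Columns an outsider might plausibly know about a person (assumed list for the example).
QUASI_IDENTIFIERS = ["dob", "postcode", "hospital", "occupation", "diagnosis"]


def key(record, columns):
    return tuple(record[c] for c in columns)


def at_risk(records, columns, k=3):
    """Rows whose combination of the given columns is shared by fewer than k people.
    k is the smallest acceptable group size; the custodian chooses it."""
    sizes = Counter(key(r, columns) for r in records)
    return [r for r in records if sizes[key(r, columns)] < k]


def minimal_identifying_combinations(records, columns, k=3):
    """Column subsets that, on their own, single out fewer than k people for at
    least one row.  Only minimal subsets are reported: once ('diagnosis',) fails,
    ('dob', 'diagnosis') is not listed again."""
    failing = []
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            if any(set(f) <= set(combo) for f in failing):
                continue  # a subset already fails, so this superset adds nothing
            if at_risk(records, list(combo), k):
                failing.append(combo)
    return failing


def generalise(records):
    """Mitigation 1: coarsen values.  Full date of birth -> birth year,
    postcode sector -> postcode district."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["dob"] = r["dob"][:4]
        r2["postcode"] = r["postcode"].split(" ")[0]
        out.append(r2)
    return out


def suppress(records, columns, k=3):
    """Mitigation 2: drop the rows still sitting in groups smaller than k."""
    risky = {id(r) for r in at_risk(records, columns, k)}
    return [r for r in records if id(r) not in risky]
```

On this data every row is unique on full date of birth alone; after generalisation the single columns look safe except the rare diagnosis, yet birth year combined with postcode, hospital or occupation still isolates one person, which is exactly the "combinations of information" problem the list above describes. Suppressing the two remaining small-group rows leaves an extract in which no column combination falls below k.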

SHIP Guiding Principles and Best Practices reflect the values which underpin the SHIP project. They are designed to act as a guide for all those involved in SHIP and data sharing. You as a researcher or data custodian should be aware of these guiding principles and best practices as they provide useful guidance as to the standards of information governance promoted and expected by SHIP.

  • Researchers should normally only have access to anonymised data and be subject to an obligation not to attempt to re-identify individual data subjects.
  • Where possible and practicable, data should be anonymised before linkage and use so as to minimise risk of re-identification of individuals.
  • Where researchers cannot or do not intend to anonymise data and where consent for use of personal data has not been obtained, approval from an oversight body, e.g. the Privacy Advisory Committee, must be obtained.
  • Where data have been anonymised, authorisation should be obtained where there is a risk of re-identification; anonymisation does not remove the need for authorisation.
  • Risk of re-identification must be assessed by a body/individual with the relevant expertise to make such judgments.
  • Data controllers should determine and agree upon the appropriate level of anonymisation to be applied to any given dataset or linkage exercise.

Best Practice

  • The appropriate level of anonymisation for each linkage should be agreed upon by all data sources and maintained by the linker i.e. the individual/programme responsible for combining data.
  • Where possible and practicable, data subjects should be provided with accurate information about the levels of protection afforded to their data by anonymisation as well as an account of the real risks involved.
  • There should be a separation of functions between data controllers, safe havens, linkers, indexers and recipients of linked datasets.
  • All users of data should have signed a Memorandum of Understanding with respect to data storage, use and protections of data subjects.


Require use of SHIP Safe Haven

A researcher may choose to specify that they wish to use a SHIP Safe Haven to access patient data.  However, even if they do not, if you assess that the risk to confidentiality of transferring the data directly to them is too great you may make this a condition of permitting data access. 

There are three key features of a Safe Haven:

  1. The Safe Haven will provide a secure environment for the linkage, storage and analysis of personal data.
  2. Only ‘approved researchers’ will be permitted to access the data from defined physical locations, initially via dumb terminals (i.e. within safe havens).
  3. There will be penalties for anyone who abuses personal data. Researchers will be bound by a strict code, which prohibits disclosure of any personal identifying information. Safe havens will carry out statistical disclosure control on outputs to prevent accidental disclosure.

To ensure high levels of information security and the protection of confidentiality, the storage of contributory datasets, indexing, linkage of data, and storage of the final dataset must be carried out separately.  In practice this means that no individual should be directly involved in any more than one of these processes, but a single organisation could host more than one activity with appropriate segregation of roles and IT facilities.  The Indexing Service will be ‘stand alone’, because this is the only function for which patient identifiers are required.

The Safe Haven will however be responsible for the remainder of the processes as these all use anonymised data: linkage of data, provision of analytical software, the separate storage of the source and linked datasets and the analytical outputs. The Safe Haven will also be responsible for the implementation of other safeguards, including statistical disclosure control, accreditation of researchers (as part of a central register of approved researchers) and adherence to the good governance framework.

Refusing access

It is possible that, having assessed a researcher's data request, you conclude that the risks to patient confidentiality are too high or the merits of the research proposal are insufficient to justify providing access to data for which you are responsible.  However, the objective of SHIP is to facilitate scientifically sound and ethically robust research through the appropriate use of health data, so before making this decision it is recommended that you review the following considerations:

  1. Even if there are potential risks to confidentiality from the proposed research, is it possible that these may be justified because they are outweighed by the benefits of a public interest in the research outputs?
  2. Might the SHIP Research Coordinator be of assistance by liaising with the researchers to achieve modifications in their research proposal or data request in ways that would offer you reassurance about the balance of risks and benefits of providing access to the data?
  3. Would it help to seek further advice from the Privacy Advisory Committee (PAC), or from the information governance / ethics authority within your own organisation, about any questions or concerns you have about providing access to data for a particular project?
  4. Your agreement to provide access to data is not the final step in deciding whether data sharing may take place via SHIP. A further layer of safeguard is provided by SHIP's proportionate authorisation process, which assigns a privacy risk category to the data access application according to transparent criteria.
