Data access through SHIP Safe Haven

Release of the research dataset

The research dataset will only be released for analysis once the SHIP Research Co-ordinator is satisfied that all the requirements for such release have been met. These requirements apply whether the data is being released directly to a researcher or for access via a Safe Haven. The requirements are:

  • The research project is logged onto the project management system
  • The project has obtained all necessary approvals, including, if required, Research Ethics Committee approval, Caldicott Guardian approval, Privacy Advisory Committee (PAC) approval, and NHS R&D approval.
  • The project only provides data for the cohort, aims and methods specified in the study protocol.
  • The researcher is on the “approved researcher” list and has signed and dated the SHIP Data Sharing Agreement.
  • A research dataset will only be released once the project level anonymisation has been carried out on the dataset. This step is not required if the project requires patient identifiable data.
  • A research dataset will be released to people identified on the project management system as being linked to the Research Project. This may be to a dedicated workspace for access via a Safe Haven or directly to a researcher depending on PAC advice.
  • The Data Compliance section of the project management system has been completed confirming that all approvals are in place.

Release of a research dataset is coordinated by the SHIP Research Co-ordinator. Once all of the necessary approvals are in place, the Research Co-ordinator will advise the data custodian to release the data to the Safe Haven. The datasets, once linked, will then be held by the Safe Haven. At the Safe Haven the SHIP Data Analyst will make sure the right data is in the right directory for the right researcher to access with the right access permissions/passwords.

The diagram below shows the SHIP process for releasing the dataset:

Set Conditions For Data Access Diagram


What is a SHIP Safe Haven?

A SHIP Safe Haven is a place where research can be done on sensitive data in a way which reduces the risk that the data will be disclosed.

The key features of a Safe Haven are:

  • The Safe Haven will provide a secure environment for the linkage, storage and analysis of personal data.
  • The Safe Haven will hold datasets and ensure that only approved researchers can gain access.
  • Researchers access the data held within the Safe Haven via a dumb terminal in a secure access facility. The dumb terminals will be configured so that the researcher cannot download or remove any of the data or outputs held at the Safe Haven.
  • Analytical software will be available within the Safe Haven for use by researchers.
  • A dedicated file space will be provided for the researcher to store their outputs pending release by the Safe Haven.
  • Safe Havens will carry out statistical disclosure control on outputs to prevent accidental disclosure of identifiable information.
  • There will be penalties for anyone who abuses personal data. Researchers will be bound by a strict code, which prohibits disclosure of any personal identifying information.


The benefit of accessing data through SHIP Safe Haven

The benefit of accessing data through a Safe Haven is that this will reduce any privacy risks associated with your use of the data.

Offering to use a Safe Haven to access data may therefore be a good way of reducing the privacy risk classification assigned to your research proposal by the SHIP Research Co-ordinator.

Even if you do not offer to use a Safe Haven to access the data, this may be a condition requested by the data custodian if they assess that the risk to confidentiality of transferring the data directly to the researcher is too great.

Alternatively, if you are assigned a high privacy risk classification and therefore your request is sent to the Privacy Advisory Committee for consideration, PAC may set the use of a Safe Haven as a condition of authorising the data access application.


Conditions upon a researcher’s use of a SHIP Safe Haven

When using a SHIP Safe Haven, the researcher must undertake to perform the analysis without:

  • attempting to remove data
  • attempting to identify individuals, households, or firms
  • using data for which they are not licensed
  • using data for anything other than the proposed project
  • linking/matching data without permission
  • handing out usernames and passwords to others
  • writing anything down from the screen
  • attempting to photograph computer screens, etc.

A researcher’s session in the Safe Haven will be recorded.

In the event of a breach of these conditions of use, the breach must be brought to the attention of the manager of the Safe Haven within one week of the breach. Reports will then be submitted to the management group, the oversight group and auditors.


Safe Haven security principles

The following security principles should be observed when accessing data through a SHIP Safe Haven. The SHIP Data Analyst will help to ensure that these security principles are observed.

  • The data controller(s) must be defined at each stage of the process, and that controller must be aware of their responsibility. Remember that the ‘data controller’ is the body or bodies who decide the purposes and methods for the processing of data. When data is accessed through a SHIP Safe Haven, the Safe Haven takes on the legal responsibilities of ‘data controller’ jointly with the data custodian for the duration of the research project.
  • An indexing service should never receive any information about the patient/client/research subject other than the required identifiers.
  • All information must be encrypted before transmission between data controllers, Safe Havens, indexing and linkage services.
  • All data in the Safe Haven are held on secure servers located on the NHS network.
  • Data should be de-identified where possible.
  • Where the Safe Haven must hold data with identifiers it must be held on separate servers from de-identified data.
  • All data processes are carried out within secure offices, on the NHS network, prior to secure releases to external data users.
  • The Safe Haven must check that all approvals are in place before receiving data for processing.
  • A record of all projects, approvals and data releases is to be kept on a Project Management System.
  • All processes are audited annually by external auditors and actions taken in response to issues raised.


Services provided by the SHIP Safe Haven

As well as a SHIP Safe Haven simply providing a safe and secure environment for data analysis, the Safe Haven also provides a data indexing service, a data linkage service, and it will guide you through the process of releasing your research results. This final service will be discussed in later stations in this route-map, but please see the information below on the SHIP data indexing and data linkage services.

Data Indexing Service

SHIP has established a separate National Indexing Service to facilitate deterministic linkage of datasets. An indexing service receives only a project code, local identifiers and subject identifiers from the data sources for each of the datasets that are to be linked and no other data. The indexing service creates a study specific anonymised identifier for each subject (called a study number) and returns this with the associated project code and local identifier.

The SHIP indexing service will maintain a population index based on a unique patient identifier (UPI; e.g. the Community Health Index (CHI) in Scotland). The indexing service will add anonymised identifiers (referenced to UPI) to individual records for the purposes of linking these records across two or more datasets. The indexing service will be separate from the linkage agent.

The Safe Haven is not responsible for the data indexing service, as this is the only process which involves the use of patient identifiers. However, the Safe Haven will help to co-ordinate the indexing of the datasets you will be using in your research project.

Data Linkage Service

The SHIP linkage agent will use anonymised identifiers to perform the matching of records belonging to individuals from two or more datasets to form a single linked dataset. The identifiers for the linkage will be provided by the indexing service.

Separation of responsibilities

To ensure high levels of information security and the protection of subject confidentiality, the storage of contributory datasets, indexing, linkage of data, and storage of the final dataset must be carried out separately.

  • In practice this means that no individual should be directly involved in any more than one of these processes, but a single organisation could host more than one activity with appropriate segregation of roles and IT facilities.
  • The Indexing Service will be ‘stand alone’, because this is the only function for which patient identifiers are required.

The Safe Haven will be responsible for the remainder of the processes, which use anonymised data: linkage of data, provision of analytical software, the separate storage of the source and linked datasets and the analytical outputs. The Safe Haven will also be responsible for the implementation of other safeguards, including statistical disclosure control, accreditation of researchers (as part of a central register of approved researchers) and adherence to the good governance framework.
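The indexing and linkage services described above, and the separation of responsibilities between them, as an added example that is not part of the SHIP documentation: the stand-alone indexing service is the only party that sees the CHI and returns a project-specific study number for each local identifier; the Safe Haven's linkage agent joins the clinical payloads on those study numbers alone; a final check confirms no UPI value reached the linked dataset. The HMAC-based construction of the study number and the sample records are assumptions made for illustration, not SHIP's actual method or data.

```python
import hmac
import secrets

# Constructed sample data (not real records): two contributory datasets, each
# carrying the Community Health Index (CHI) as the unique patient identifier
# (UPI), a source-local record id and a clinical payload.
HOSPITAL = [
    {"local_id": "H1", "chi": "0101010001", "admissions": 2},
    {"local_id": "H2", "chi": "0202020002", "admissions": 0},
]
PRESCRIBING = [
    {"local_id": "P9", "chi": "0202020002", "items": 7},
    {"local_id": "P7", "chi": "0303030003", "items": 1},
]

class IndexingService:
    """Stand-alone indexing service: the only party that ever sees the UPI.
    Assumption (the page does not specify the construction): the study number is an
    HMAC of the UPI under a per-project key held only here, so it is stable within
    one project and unlinkable across projects."""

    def __init__(self):
        self._project_keys = {}

    def index(self, project_code, identifiers):
        # identifiers: list of (local_id, upi); no other fields are accepted.
        key = self._project_keys.setdefault(project_code, secrets.token_bytes(32))
        return [(project_code, local_id, hmac.new(key, upi.encode(), "sha256").hexdigest()[:16])
                for local_id, upi in identifiers]

def split_dataset(records, upi_field="chi"):
    """Runs at the data source: identifiers go to indexing, payload to the Safe Haven."""
    identifiers = [(r["local_id"], r[upi_field]) for r in records]
    payload = {r["local_id"]: {k: v for k, v in r.items() if k not in ("local_id", upi_field)}
               for r in records}
    return identifiers, payload

def run_project(project_code, indexer, sources):
    """Linkage agent at the Safe Haven: joins payloads on study number, never on CHI."""
    linked = {}
    for name, records in sources.items():
        identifiers, payload = split_dataset(records)                           # data source
        for _, local_id, study_no in indexer.index(project_code, identifiers):  # indexing
            linked.setdefault(study_no, {})[name] = payload[local_id]           # linkage
    return linked

def leaks_upi(linked, upi_values):
    """Safe Haven check: the linked dataset must contain no UPI value anywhere."""
    return any(upi in repr(linked) for upi in upi_values)
```

Running `run_project("PRJ-A", IndexingService(), {"hospital": HOSPITAL, "prescribing": PRESCRIBING})` yields three study numbers, one of which carries both the hospital and prescribing payload for the subject present in both sources, while the same subjects indexed under a second project code receive entirely different study numbers.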

