Assess overall privacy risks

Purpose of submitting a privacy risk assessment to SHIP

Before you submit your data access request to the SHIP Research Coordinator, you should assess the overall privacy risk of your research project and proposed data use. If, when balancing any risks to confidentiality against the public benefit of your research, you think that there is too great a risk to privacy, you may need either to request access to a different type of data, or to agree to undertake special security precautions.

The information that you give SHIP in your data access request will be used to assign a privacy risk category to your request. This category will be communicated to the relevant authorising bodies and will aid them in their determination of whether to release the requested datasets and whether to attach any conditions for data use.

If in doubt about the extent of privacy risk, please consult the Research Coordinator and do not automatically assume that your application will be rejected. After all, SHIP is here to help you gain access when research is in the public interest and safety concerns are met; it is not aimed at hindering important research!

Understanding SHIP's proportional authorisation process

There are 5 key elements of risk which the SHIP framework will use to assign a privacy risk category to your data access request. Each of these will be given due consideration in any risk assessment. They are:

  1. Privacy (the likelihood of breach)
  2. Impact of any privacy breach
  3. Reputational impact for data controllers
  4. Research motive
  5. Public expectations including the public interest in your research project

Alongside these risks, 5 core concerns must also inform any privacy assessment. In essence, any relevant consideration pertaining to the application will fall under one of the following 5 concerns, so they should be kept in mind at all times:

  1. Public interest: is there a public interest in your research project?
  2. Safe data: is the data you propose to access safe and secure, e.g. has it been, or can it be, anonymised?
  3. Safe people: have you attained SHIP approved researcher status?
  4. Safe environment: is a SHIP Safe Haven being used? Or, if data is to travel, are adequate security measures in place?
  5. Relative risks: what are the risks associated with your proposed data access? What measures could be taken to combat these risks?

After these core elements of risk and concern have been assessed, your application will be given a privacy risk category. The fewer concerns that are raised by your proposed data access and use, the lower the privacy risk category that will be assigned to your access request.

The consequences of an application being assigned a particular risk category are threefold:

  1. The category determines the authority responsible for authorising the data use. For categories 0 and 1, approval will be given at an early stage and without the need for further review; for category 2 a ‘fast track review’ will be conducted by PAC; and for category 3 a full review will be conducted by PAC.
  2. The lower the risk category, the more likely it is that the researcher will be granted data access, and that access will be granted quickly.
  3. The lower the risk category, the fewer the additional conditions that may be attached to the data use.

These are summarised in the following table:

SHIP Triage Classification Table

You can reduce the category that is assigned to your access request by, for example, requesting to use non-disclosive and non-sensitive data where possible and by offering to use a SHIP Safe Haven to access the data.


The use of SHIP Safe Havens

Offering to use a SHIP Safe Haven to access data for your research project is one way to reduce the privacy risk category assigned to your data access request.

Key features of a Safe Haven

There are three key features of a Safe Haven:

  1. The Safe Haven will provide a secure environment for the linkage, storage and analysis of personal data.
  2. Only ‘approved researchers’ will be permitted to access the data from defined physical locations, initially via dumb terminals (i.e. within Safe Havens).
  3. There will be penalties for anyone who abuses personal data. Researchers will be bound by a strict code, which prohibits disclosure of any personal identifying information. Safe havens will carry out statistical disclosure control on outputs to prevent accidental disclosure.

Functions of a Safe Haven

To ensure high levels of information security and the protection of confidentiality, the storage of contributory datasets, indexing, linkage of data, and storage of the final dataset must be carried out separately. In practice this means that no individual should be directly involved in more than one of these processes, but a single organisation could host more than one activity with appropriate segregation of roles and IT facilities.

The Indexing Service will be ‘stand alone’, because this is the only function for which patient identifiers are required.

The Safe Haven will, however, be responsible for the remainder of the processes, as these all use anonymised data: linkage of data, provision of analytical software, the separate storage of the source and linked datasets, and the analytical outputs. The Safe Haven will also be responsible for the implementation of other safeguards, including statistical disclosure control, accreditation of researchers (as part of a central register of approved researchers) and adherence to the good governance framework.
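The separation described above, as an added illustration that is not SHIP's own code: only the Indexing Service sees identifiers and replaces them with a project-specific linkage key, the Safe Haven links the two anonymised datasets on that key alone, and outputs pass a disclosure-control check before release. The keyed-hash pseudonym, the sample records and the suppression threshold are assumptions made for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample data: two source datasets sharing a (hypothetical) patient identifier.
HOSPITAL = [{"chi": "0101011234", "admitted": "2010-03-01", "diag": "J18"},
            {"chi": "0202022345", "admitted": "2010-04-12", "diag": "I21"},
            {"chi": "0303033456", "admitted": "2010-05-20", "diag": "J18"}]
PRESCRIBING = [{"chi": "0101011234", "drug": "amoxicillin"},
               {"chi": "0303033456", "drug": "amoxicillin"},
               {"chi": "0404044567", "drug": "aspirin"}]


def index(records, project_key: bytes):
    """Indexing Service: the only step that handles identifiers.
    The identifier is removed and replaced by a keyed pseudonym that is
    specific to one project, so keys from different projects cannot be
    matched against each other (assumed design, not SHIP's specification)."""
    out = []
    for r in records:
        r = dict(r)
        chi = r.pop("chi")
        r["link_id"] = hmac.new(project_key, chi.encode(), hashlib.sha256).hexdigest()[:16]
        out.append(r)
    return out


def link(left, right):
    """Safe Haven linkage: joins on link_id only and refuses any record that
    still carries an identifier, enforcing the separation of functions."""
    if any("chi" in r for r in left + right):
        raise ValueError("identifiers must not reach the linkage step")
    by_id = {r["link_id"]: r for r in right}
    return [{**l, **by_id[l["link_id"]]} for l in left if l["link_id"] in by_id]


def disclosure_control(linked, field, min_count=5):
    """Statistical disclosure control on an output table: cells with a count
    below the threshold are suppressed (threshold value is an assumption)."""
    counts = Counter(r[field] for r in linked)
    return {k: (v if v >= min_count else "<suppressed>") for k, v in counts.items()}


if __name__ == "__main__":
    key = b"constructed-project-key"
    linked = link(index(HOSPITAL, key), index(PRESCRIBING, key))
    print(disclosure_control(linked, "diag"))
```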

Please see the route-map on ‘managing data securely during a research project’ for more information on the benefits of using a Safe Haven to access data, the functions of Safe Havens, and your obligations when accessing data in this way.


When data is released directly to the researcher

Certain categories of data are deemed to be less sensitive than others and may be inherently less disclosive, for example if aggregated. If the Privacy Advisory Committee approves, such data may be transferred directly to the researcher for analysis. An advantage of requesting data which has a lower privacy risk category is therefore that you may avoid having to travel to a SHIP Safe Haven to access your data.

All researchers who have data released directly to them are expected to maintain the security and confidentiality of their research datasets in line with the data protection principles. Specifically:

  • Researchers will not reuse the data for purposes outside the scope of each project, share it with colleagues who are not project staff or collaborators, attempt to link it to other datasets, or attempt to de-anonymise it.
  • Further transfer of data between named project collaborators or staff should only be of encrypted data, usually directly from an access-controlled FTP server to the FTP client, but data may also be sent via email as encrypted data files. SHIP can offer advice and provide encryption tools to help meet this requirement.
  • Researchers should notify SHIP when the project is complete and arrange for the return of the data and the analysis syntax used, for archiving, deleting all local copies. SHIP will require written confirmation that all locally-held data has been deleted. This confirmation will be added to the project management system.
  • Researchers should ensure that SHIP and the organisation responsible for initially providing the data are acknowledged as data sources in all resulting reports and publications, e.g. “We acknowledge the support of the Scottish Health Informatics Programme for managing and supplying the anonymised data and ‘XXX’, the original data owner.”

Please see the route-map on ‘managing data securely during a research project’ for more information on your obligations when using data which has been transferred directly to you.


What to include in your privacy risk assessment

When conducting your privacy risk assessment you must consider:

  • Whether it is appropriate to use anonymised data rather than identifiable data;
  • Whether existing consent conditions apply to your proposed data use or whether it will be necessary for you to seek further consent;
  • Any risks to confidentiality which could arise from your proposed data use;
  • The public interest in your research project;
  • Whether it is appropriate to use a SHIP Safe Haven to access the data;
  • Whether you have appropriate security safeguards in place if you wish to have data transferred directly to you.

After taking these factors into consideration you should construct your data access request accordingly.
