Data Security

Secure Data Environments must comply with laws, codes of practice and standards that already exist to protect the data the NHS holds about us as individual patients.

The existing legal frameworks are there to keep data safe and control access; these apply to Secure Data Environments.

The principle regulatory frameworks for data protection in England are listed below.

Data Protection Act

The Information Commissioner's Office (ICO) upholds information rights in the public interest for the UK.

These responsibilities are based on a range of legislation, including the Data Protection Act.

The Data Sharing Code of Practice is a practical guide for organisations about how to share personal data within the requirements of data protection law.

 

Visit ICO website

Data Ethics Framework

The Data Ethics Framework is a set of principles set out by the Government to ensure appropriate use of data in the public sector.

It also outlines the main pieces of legislation that apply to using data.

Read the Data Ethics Framework

Regulatory bodies

The UK policy framework for health and social care research sets out principles of good practice in the management and conduct of health and social care research that take account of legal requirements and other standards.

National Data Guardian

The National Data Guardian advises the health and adult social care system in England to help ensure that people’s confidential information is kept safe and used properly.

Health Research Authority

The Health Research Authority regulates research involving the NHS and Health and Social Care in England (there are equivalent bodies for the devolved nations of the UK).

Its role is to assesses research in the NHS to make sure that studies comply with relevant legislation and guidelines (such as Clinical Trials Regulations, the Human Tissue Act and the Data Protection Act).

Depending on the type of research and the data that is proposed will be used, it may also fall under the regulations managed by other authorities. Before a research study can start it needs to be approved by all of the relevant bodies and health regulatory organisations.

Research Ethics Committees

Research Ethics Committees  (REC) are independent groups of people who review certain types of research to assess whether studies are ethical. 

Confidentiality Advisory Group

The Confidentiality Advisory Group (CAG) provides advice on specific projects that will be using confidential medical information.

 

Five Safes

The “Five Safes” is a set of guidelines for accessing data in order to carry out research. It was originally developed by the Office of National Statistics in the UK. It is now being used to safeguard access to data for use in research.

The guidelines are used to assess research projects before access to data is allowed.

The "Five Safes" are:

  • Safe People: for example a process to approve researchers 
  • Safe Projects: project proposals are reviewed by a dedicated governance board
  • Safe Settings: access to data is only through a secure environment
  • Safe Data: data is anonymised so that individuals cannot be identified by researchers
  • Safe Output: analysis outputs checked by data custodians prior to release

Read more about Five Safes