EIDF's approach to data security is built on three principal foundations: data protection law; the Five Safes model; and the Scottish Government Charter for Safe Havens.
The GDPR and data confidentiality
Our first goal in enabling research with any data is to ensure we don't break the law. The guiding legislation for EIDF is the EU's General Data Protection Regulation (2016) and its incorporation into UK law as the UK Data Protection Act (2018). An excellent resource is the UK Information Commissioner's Office (see Links).
EIDF provides data processing services for research and so, where personal data are concerned, we follow the key principles laid down in the GDPR:
- Lawfulness, fairness and transparency. Research in the public interest is a lawful purpose compatible with GDPR, but maintaining public trust is vital. In designing and running our secure services we work day-to-day with the designated information governance authorities.
- Purpose limitation. The scopes of the research projects that use our services are tightly specified by researchers and approved by the designated information governance authorities. For public-benefit research using Scottish health data, for instance, research projects are approved by the Public Benefit and Privacy Panel for Health and Social Care (see Links).
- Data minimisation. As far as possible we process only "de-identified" data within our secure services. Personally identifiable data are removed from research datasets by information governance teams before the datasets enter our Safe Haven environments. Within these environments we only provide researchers with the de-identified datasets they have explicit approval for. No other data are allowed in, to reduce the risk of re-identification by linkage.
- Accuracy. We provide whatever technical support we can to our information governance colleagues to ensure the accuracy of any data supplied to researchers.
- Storage limitation. We maintain research datasets within secure environments for only as long as the research project has approval. After that they are taken offline, with their ultimate fate determined by individual project governance requirements.
- Integrity and confidentiality. We provide whatever technical support we can to maintain the confidentiality of personal data entrusted to us.
The “Five Safes” model
We design EIDF's secure services within the framework of the Five Safes model, developed originally at the UK Office for National Statistics in 2003. Five Safes is an excellent framework for thinking about secure data processing services like EIDF in the broader context of information governance.
“The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. The Five Safes model also places statistical disclosure control (SDC) in its proper context, as part of a system approach to data security.”
The Five Safes model breaks down the decisions surrounding data access and use into five related but separate principles, usually framed as questions.
| Safe | Question |
|---|---|
| Safe projects | Is this use of the data appropriate, lawful, ethical and sensible? |
| Safe people | Can the users be trusted to use it in an appropriate manner? |
| Safe data | Does the data itself contain sufficient information to allow confidentiality to be breached? |
| Safe settings | Does the access facility limit unauthorised use or mistakes? |
| Safe outputs | Is the confidentiality maintained for the outputs of the management regime? |
“A data management solution considers all of these, but may decide to make some elements 'safer' than others. The point is that, overall, the design protects confidentiality through a mix of statistical and non-statistical solutions.”
EIDF's Safe Haven Services provide safe settings in the sense above, and running them supports elements of the other “safes” too (e.g., the training of service operators adds to "safe people"). The Five Safes model makes it clear, though, that a Safe Haven service must be supported by additional information governance procedures.
Scottish Government Charter for Safe Havens
The Scottish Government Charter for Safe Havens, originally created specifically for the processing of health data, builds on the Five Safes model. From it we derive the following operating principles:
Division of responsibilities: the information governance team providing data to EIDF and the EIDF technical staff shall be in separate organisational management units and accountable to different line managers to minimise conflicts of interest arising within these roles. Other than where agreed explicitly for purposes of data sensitivity or quality, linkage and analysis should be undertaken by individuals in different roles.
Information governance authority: EIDF technical staff shall comply with the instructions and mandate agreed with the Data Controller(s), as communicated by the information governance team.
Data safety: where a Safe Haven service processes personal data, these data can neither be sold nor transferred to a commercial organisation either by the information governance team or EIDF staff. Neither can they be transferred, nor access provided, to a third party (i.e. researchers or others) unless specified explicitly by the Data Controller(s) and unless the third party operates to, at minimum, equivalent standards and with equivalent safeguards.
Data sensitivity reduction: at each stage of a research study, data shall be processed in such a way as to ensure that no individual other than the initial data provider can link identifiable information to personal data or other confidential information.
Data separation: datasets within EIDF are separated such that each user shall only have access to the minimum information required for the purposes of creating or using a dataset for a research study.
Staff training: all staff working within EIDF's Safe Haven Services team shall be trained in safe information handling and the law relating to the protection of individuals’ privacy (such as the Data Protection Act) and will be trained on, and work to, written standard operating procedures. Both staff and operating procedures will be subject to monitoring as well as regular review and audit.
Managed collaborations: where a Safe Haven service is providing access to public data for commercial or industrial firms to conduct research in the public interest, the firms shall work as part of a managed collaboration with the information governance team.
Certification: EIDF falls within the scope of EPCC’s ISO 27001 information security management accreditation and our NHS Digital Data Security and Privacy Toolkit accreditation.
The UK Information Commissioner's Office
Scotland's Public Benefit and Privacy Panel for Health and Social Care.
The Scottish Government Charter for Safe Havens