UCLH Data Protection Pre-approvals Framework

UCLH Criteria for Data Sharing under a Preapprovals Framework 

Data protection law puts UCLH under an obligation to perform a Data Protection Impact Assessment whenever "...a type of processing is likely to result in a high risk to the rights and freedoms of individuals..." (ICO).

The UCLH Information Governance team has developed a new process for assuring protections for patients and staff when information from health records is shared for purposes that include direct care, service evaluation, audit and research.  

The usual process involves conducting a data protection impact assessment to assess risks of non-compliance with Data Protection and other legislation and, by default, to assure the avoidance of harm to patients and staff.

To assure safe use of data that does not pose a risk, either to data subjects or of compliance breaches, a generic DPIA can be used to encourage sharing of data within the NHS or, if it leaves the NHS, into assured environments that have published a DSP Toolkit and / or achieved ISO 27001 certification.

Proposals which meet the criteria below from the outset can be preapproved from an IG perspective:

1. The purpose is certain: 
Specifically, there is a clear determination that the proposal is for the purposes of care, service evaluation, audit or research. 
If this is not the case, advice must be sought from the JRO and / or UCLH IG.

2. The data needs have been clearly specified 
This includes where personal data is required and whether this is justified, including pseudonymised data where the mode and manner of pseudonymisation has been made clear. 

3. Anonymity of data is defensible 
Where applications deem that requested data is anonymous, this has been verified by UCLH IG, where arrangements need to be made to ensure that the anonymity is not time-limited (as captured in Criteria 4 or 5 as applicable).

4. Data will remain within NHS managed systems 
The systems must have a published DSP Toolkit and the declaration is no less than “Standards not met, plan approved”.

5. Where data cannot remain in the NHS, the Recipient’s infrastructure meets the following sub-criteria: 
i) The infrastructure has a published DSP Toolkit and the declaration is no less than “Standards Met”.
ii) The infrastructure has ISO 27001 Certification in the absence of a DSP Toolkit publication, or a declaration of ISO 27001 compliance from the Recipient where they hold a DSP Toolkit publication to at least “Standards Met”. 
iii) The Recipient has routine penetration testing and can produce certificates on request. 

6. Data processing is lawful and its lawful provenance is clearly stated and verified 
This is dependent on meeting Criterion 1; specifically, in the case of Research, it has received appropriate Health Research Authority approvals (including Research Ethics and Confidentiality Advisory Group favourable opinions as applicable) or the governing jurisdiction’s equivalent for the devolved nations.

7. Transparency is clear and robust 
Specifically, information leaflets, posters and, where applicable, consent forms have been prepared and comply with HRA templates and work within the UCLH Privacy Notice and the UCL and BRC equivalents.