SAHSU recognises the legal and ethical responsibility to handle confidential and sensitive data carefully and securely. We are fully committed to doing that in a way that maximises its use while preventing unauthorised or inappropriate use or disclosure. We respect the nature of the data we work with, where it comes from and what it means for individuals.
SAHSU data users are required to manage data, in compliance with information governance requirements and government legislation. Special care is taken with data of a sensitive or confidential information such as health data.
We ensure that the following:
- Appropriate policies, procedures, accountability, management structures, and computing hardware and software are in place to provide a robust governance framework.
- Development of a culture of confidentiality and care when handling data.
- Researcher training - To access data, researchers must complete appropriate Data Security and Information Governance (IG) training with regular refreshers/updates or become an Office for National Statistics (ONS) Approved Researcher.
All our research data are stored, processed, and analysed within the SAHSU Secure Research System (SSRS) facility which sits within the SAHSU secure enclaves that is part of the Imperial College Secure Environment. Personal and sensitive data are held within SAHSU’s secure encrypted database which can only be accessed by the database team. Researchers only have access to pseudonymised data.
We have a robust information governance framework for information management and we have deployed a range of privacy-enhancing technologies, physical security measures, and audit procedures to assure our stakeholders that the data assets entrusted to us for our research programme are handled according to rigorous standards.
All researchers using the data are affiliated with SAHSU. Research study concepts are initially approved by either the Director or Deputy Director of SAHSU, the UK Health Security Agency (UKHSA)-SAHSU Liaison Committee, and have formal minuted approval from the appropriate UKHSA programme board.
Researchers are required to sign the SAHSU Acceptable Use Policy and Agreement, which includes written acceptance of the security controls and guidelines on the processing of personal data before being given access to our research data. The level of data access granted is based on the requirements of the study. Research studies are subject to approval by UKHSA-SAHSU Liaison Committee, Health Research Authority (HRA) - London South East Research Ethics Committee, HRA Confidentiality Advisory Group (CAG) , and UK Health Security Agency Caldicott Advisory Panel. Access to health data is additionally controlled by a series of agreements between SAHSU and our data providers (e.g. Office for National Statistics, NHS England, Welsh Cancer Intelligence & Surveillance Unit, etc.). Data users may be required to sign to agree to the written terms set by specific data providers.
Our data processing policies and procedures ensure that all studies involving data that may be potentially identifiable (e.g. data from small geographical areas or small numbers of cases for a particular disease) are carried out within the SSRS environment. The data are processed in compliance with law, statute, and best practices. SAHSU adheres to and conforms to the Office for National Statistics (ONS), NHS England and other national guidelines to suppress small numbers in all research outputs to ensure that individuals cannot be identified.
SAHSU does not share data with third parties.