Small Area Health Statistics Unit (SAHSU) Overarching Protocol for use of Data for Research


Small Area Health Statistics Unit (SAHSU)
MRC PHE Centre for Environment and Health
School of Public Health, Faculty of Medicine
Imperial College London

Small Area Health Statistics Unit (SAHSU) Overarching Protocol for use of Data for Research

Amendment History:

Version  Date  Amendment History
1  24 st January  st Draft
st February 2012  AH comments
st February 2012  PH comments
2  9 st March  nd Draft
2.1  2nd April 2012  AH comments
3  19 th Sept  rd Draft (RG)
3  10 th October  rd Draft (PH). Information Governance Changes
th November 2013  Agreeing elements of previous draft, clarifying points, editorial changes to improve document flow (AH)

Approvals: One of the following people must approve this document:

Name  Signature  Title / Responsibility  Date  Version
Anna Hansell  Assistant Director of SAHSU  2nd April
Paul Elliott  Director of SAHSU  2.1
Anna Hansell  Assistant Director of SAHSU  13th November

Acronyms:

Name: Title
BINOCAR: British Isles Network of Congenital Anomaly Registers
CAB: Community Advisory Board
CCTV: Closed Circuit Television
DEFRA: Department for Environment, Food and Rural Affairs
EA: Environment Agency
GIS: Geographic Information System
HES: Hospital Episode Statistics
HRA: Health Research Authority (successor to NIGB)
HSC IC: Health and Social Care Information Centre
ICD: International Classification of Diseases
ICREC: Imperial College Research Ethics Committee
IGP: Information Governance Policy
ISAB: International Scientific Advisory Board
LADUA: Local Authority Districts and Unitary Authorities
LAN: Local Area Network
MINAP: Myocardial Infarction National Audit Project
MRC: Medical Research Council
MSWIs: Municipal Solid Waste Incinerators
NCAR: National Congenital Abnormalities Registry
NDSCR: National Down's Syndrome Cytogenetic Register
NGO: Non-Governmental Organization
NIGB: National Information Governance Board (predecessor to HRA)
NN4B: NHS Numbers for Babies
NORCAS: Northern Congenital Abnormality Survey
NRES: National Research Ethics Service
ONS: Office for National Statistics
OXCAR: Oxfordshire Congenital Anomaly Register
PCT: Primary Care Trust
PHE: Public Health England
REC: Research Ethics Committee
RIF: Rapid Inquiry Facility
SAHSU: Small Area Health Statistics Unit
SCAR: Scottish Congenital Anomaly Register
USC: University of Southern California
WANDA: Wessex Antenatally Detected Anomalies Register
WCISU: Welsh Cancer Intelligence and Surveillance Unit
WHO: World Health Organisation

Contents

1. Background
The Small Area Health Statistics Unit
Current data holdings
Operations
Overall Responsibility
Operational Responsibility
Patient Consent
Sensitive Data held
Data extraction
Data transfer
Data outputs
Ethics
Health Research Authority Approval
Information Governance
Security
Auditing
Data quality
Types of Research
Observational data subject research
Collaborative research
Policy on Publication of Research Findings
Science
APPENDIX A: Blank SAHSU project form
APPENDIX B: Blank SAHSU data extract form
APPENDIX C: SAHSU Legislative Compliance
C.1 Your responsibilities as an employee/student/external collaborator
C.2 Relevant Acts of Parliament, NHS guidelines, reports and what they mean
APPENDIX D: Private Network Extraction and Transfer Summary

1. Background

This document details:
• A background to the Small Area Health Statistics Unit (SAHSU) and its current data holdings.
• Operations: who has overall and operational responsibility.
• How SAHSU legally holds data without patient consent, and how a patient's right to confidentiality is protected by the anonymisation of data and through rules for data extraction, transfer off the protecting private network, and outputs.
• The regulatory environment of ethical and Health Research Authority approval.
• The security and auditing environment that underpins the private network and allows SAHSU to operate as a safe haven.
• The types of research carried out by SAHSU.
• Policy on the publication of research findings.

This document is a key part of the Information Governance (IG) toolkit because it details how information is governed from a data user's point of view. It allows us to minimise the need for non-database-team and non-IG staff to read the core IG policy. The role of this document is to make sure that key information policies are understood by all SAHSU staff.

1.1 The Small Area Health Statistics Unit

The Small Area Health Statistics Unit was established in 1987 following a recommendation from the Black Enquiry into clusters of leukaemia and lymphoma around the Sellafield nuclear power plant.

SAHSU's terms of reference are:
• To develop and maintain databases of health data, environmental exposures as required to meet a specific need, and social confounding factors at the small area level; and
• To carry out substantive research studies on environment and health issues, including studies of the relationship between socio-economic factors and health, in collaboration with other scientific groups as necessary;
• In collaboration with other scientific groups, to build up reliable background information on the distribution of environmental exposure, socio-economic data and disease amongst small areas;
• To develop the methodology for analysing and interpreting statistics relating to small areas;
• To respond rapidly, with expert advice, to ad hoc queries from the funding departments about unusual clusters of disease, particularly in the neighbourhood of industrial installations.
• To act as a centre of expertise, disseminating information on developments in spatial epidemiological methods to national and regional groups.

SAHSU is a nationally and internationally recognised leading institution for research into environment and health, with over 200 scientific publications. Examples of SAHSU studies include investigations into reproductive health effects associated with living near a landfill site (Elliott et al. 2001), childhood cancers in relation to living near mobile phone masts (Elliott et al. 2010) and hospital admissions and mortality in relation to aircraft noise from London Heathrow airport (Hansell et al. 2013), which have been widely cited in the press and used to inform policy.

1.2 Current data holdings

To be able to adequately fulfil its terms of reference, SAHSU currently holds:
• England and Wales Births and Still births from ONS
• England and Wales Cancer Incidence from ONS and WCISU
• England and Wales Mortality from ONS
• National Congenital Anomaly Register (NCAR from ONS)
• Congenital anomaly data from the local registries associated with the British Isles Network of Congenital Anomaly Registers (BINOCAR):
  o CARIS (Wales),
  o Glasgow Register of Congenital Anomalies,
  o Merseyside and Cheshire Congenital Anomaly Survey,
  o North Thames (West) Congenital Malformation Register,
  o Northern Congenital Abnormality Survey (NORCAS),
  o Oxfordshire Congenital Anomaly Register (OXCAR),
  o Scottish Congenital Anomaly Register (SCAR),
  o East Midlands & South Yorkshire Congenital Anomaly Register (formerly Trent),
  o West Midlands Congenital Anomaly Register,
  o Wessex Antenatally Detected Anomalies Register (WANDA)
• National Down's Syndrome Cytogenetic Register (NDSCR)
• England Hospital Episodes (HES) from the HSC IC:
  o Inpatients
  o A+E visits
• England and Wales Myocardial Infarction National Audit Project (MINAP) from National Institute for Clinical Outcomes Research at University College London (in the process of acquiring this dataset)

Data holdings are updated regularly on an on-going basis, with ONS, WCISU and HES data updated at least annually. Other data are updated as required for specific studies. All data are held at address level, except for Terminations and Hospital episodes, which are held at postcode level. SAHSU holds permissions from NIGB to hold and process postcode and/or address level patient identifiable information in these datasets without consent under section 251 of the NHS Act. It additionally holds permission under secondary legislation (Statutory Instrument 2002 no. 1438) to hold address level cancer data.

The Small Area Health Statistics Unit Research programme

Regular meetings are held with Public Health England (the SAHSU PHE Liaison Committee), chaired by the PHE Director of Research and Development or his/her delegate and observed by data providers and Dept of Health representatives, at which potential new and existing projects are discussed. SAHSU and PHE jointly identify new work they wish to be undertaken and agree a forward work programme subject to funding. Both parties agree which projects using SAHSU data are to be adopted as SAHSU studies, which may involve co-funding from research bodies. These studies are then either taken to the appropriate PHE programme board for formal and minuted PHE approval or reported annually to the relevant programme board. Further details on the approval process are given in Section 2.

1 Regulation 2 of the Statutory Instrument (SI) on confidentiality No. 1438, The Health Service (Control of Patient Information) Regulations 2002 (disclosure policy). The regulation was made under Section 60 of the Health and Social Care Act 2001 and continues to have effect under Section 251 of the NHS Act. The approval has been subject to annual review by the Patient Information Advisory Group (PIAG). The functions of PIAG were taken over by the Ethics and Confidentiality Committee (ECC) of the National Information Governance Board (NIGB), and thence the Health Research Authority (HRA).

2. Operations

2.1 Overall Responsibility

The director of SAHSU is Professor Paul Elliott, Director of the MRC PHE Centre for Environment and Health, Imperial College London. The assistant director, with day-to-day responsibility for the running of SAHSU, is Dr Anna Hansell, Clinical Senior Lecturer, MRC PHE Centre for Environment and Health.

2.2 Operational Responsibility

The research database is managed by SAHSU as part of the national MRC PHE Centre for Environment and Health based at Imperial College London. Currently funding is provided jointly by the PHE and MRC as a five-year contract (ending in 2014). The Centre is intended to be a long-term collaboration that continues for a minimum of 10 years, and SAHSU is a core part of the Centre. This funding supports the salaries of the director and assistant director and provides for the infrastructure (database, computing, Geographic Information System (GIS) and statistical support) needed to maintain the SAHSU research programme. Most SAHSU studies are large multi-disciplinary projects and have co-funding from various research bodies, including research councils and government departments/agencies (Department for Environment, Food and Rural Affairs, DEFRA; the Environment Agency, EA). The work of SAHSU is overseen by the PHE, with whom regular meetings are held.

2.3 Patient Consent

SAHSU research uses very large routinely collected datasets that are pseudonymised before being accessed by researchers; therefore researchers have no sight of identifiable information. We have permission under section 251 of the NHS Act 2006 from the NIGB to acquire these data, for which consent would be impractical to collect because of:

1) Retrospective data analysis. Our research involves the analysis of routinely collected data for which consent for historical data would not be practical to collect.
2) Large data sets.
The SAHSU health database contains approximately 300 million records and it would not be practical to seek consent for each record.

Where an individual wishes to withdraw consent, SAHSU will rely on the data providers to implement processes to support the refusal of patients to grant consent for the storing or sharing of information. In the case of cancer incidence, the SAHSU cancer incidence database is reloaded annually to ensure that records where data providers have had notice that consent is withdrawn are removed from the database. SAHSU will inform data providers if such a request is received from a member of the public. The member of the public will be kept fully informed of our actions.

2.4 Sensitive Data held

Sensitive data SAHSU holds are:
• NHS number
• Postcodes and addresses (all datasets; ethical approval to hold address level data for all datasets was granted by the NRES Committee London South East on 18th May 2012 as 12/LO/0767).

We do not hold names or contact details such as telephone numbers or addresses. It is not possible for researchers to link postcodes, NHS number, addresses or XY co-ordinates to databases external to those held within SAHSU, as all these fields are pseudonymised. Sensitive data are pseudonymised within SAHSU's highly secure database using encryption which is unique to SAHSU and conforms to government data protection standards (the pseudonymisation process is described in more detail in section 2.11 Security and in the Information Governance Policy, IGP).

2.5 Study approval and access to Data

All SAHSU studies are controlled via the SAHSU PHE Liaison Committee. The study approvals process and data access are summarised in Figure 1 (page 12). All new SAHSU studies must follow this process in order to become an approved SAHSU study. New study concepts must initially be approved by either the Director or Assistant Director of SAHSU before an outline study proposal is created using a specific form (in Appendix A). If the study is not 100% SAHSU funded, additional funding will be required; this may involve the submission of a proposal to a funding body involving peer review. Next, consideration needs to be given to whether the study is covered by SAHSU's existing ethical approval (see section 2.8 Ethics for more details); if not, separate ethical approval must be sought.
Once ethical approval is confirmed, the outline study proposal is reviewed by the SAHSU PHE liaison committee which, once it has approved the proposal, takes the study for formal minuted approval from the appropriate PHE programme board (attended by a member of the Department of Health). Researchers must have a current contract with Imperial College. A SAHSU study must include a member of the SAHSU research team, which also helps ensure the proper use and reporting of data (to prevent the inadvertent release of identifiable data, usually relating to small numbers of a rare disease in an area). Before being able to access the data, researchers must sign the SAHSU confidentiality form, which includes a written acceptance of the security controls and guidelines on the processing of patient data, and all researchers must be approved by the SAHSU Director or Assistant Director. The SAHSU confidentiality form also requires users to have read the legislative compliance requirements (in Appendix C). The level of data access granted is based on the needs of the researcher, the study and the data providers (see page 14 and also figure 3, page 15).

In addition to SAHSU approvals, ethical approval and HRA permission, access to health data is controlled by a series of agreements between SAHSU and data providers. Each user of a dataset must sign to agree to the written terms set by the data provider, such as ONS. SAHSU has a microdata release policy as part of its Information Governance policy; this complies fully with all data provider requirements. SAHSU studies, SAHSU studies with co-funding, and studies wholly funded by the PHE do not need to apply for separate microdata release approval (Figure 2, page 13). Researchers on studies using SAHSU data but not falling under this remit must apply to ONS to be an approved researcher (this process takes several weeks for approvals to be considered and granted).

All researchers must additionally read this document (Overarching Protocol for use of Data for Research), undertake an IG training course and have undertaken NHS IG training toolkit courses as directed on the SAHSU Confidentiality form. Members of the database team who have access to confidential data (i.e. postcodes, NHS numbers and addresses) via the pseudonymisation process must additionally read the Information Governance Policy.

Figure 1: Study Approvals Process and Data Access (flowchart text)

• Study concept must be approved by Director or Assistant Director
• Outline study proposal (on form in Appendix A)
• Funding body proposal if not 100% funded by SAHSU (may involve peer review)
• Ethical approval covered by existing SAHSU ethical approval? YES / NO
• Student study
• Minor change to already approved research theme study
• New SAHSU study
• SAHSU PHE Liaison Committee Approval
• Needs separate ethics approval before study can start
• SAHSU PHE Liaison Committee notification by
• Annual notification to PHE programme board
• PHE programme board approval (includes a Department of Health representative)
• Researchers handling data read and sign relevant forms (note 1)
• Data access granted commensurate with the researcher's needs (see figure 3)
• CONDUCT STUDIES: Studies must be conducted on the private network if identifiable data used. Must include a member of the SAHSU Research Team (note 2)
• SAHSU research team member checks outputs (papers, abstracts etc.) to prevent inadvertent identifiability, e.g. due to small numbers in a table cell

Note 1, Forms:
1. SAHSU confidentiality form
2. Data Provider specific forms as appropriate, e.g. ONS Microdata Release Panel specific forms (see figure 2)
3. Imperial contract

Note 2, SAHSU Research Team:
• Director and Assistant Director
• SAHSU PIs (Lecturers, Senior Lecturers, Readers, Professors leading on SAHSU studies)
• SAHSU database team
• SAHSU pre and post doctoral researchers (in epidemiology, statistics, GIS)

Figure 2: ONS Microdata Release Panel (MRP) exemption

1. SAHSU or SAHSU related project, started before June 2009, using pre 2007 data?
   YES: You do NOT need MRP approval.
   NO: go to 2.
2. Project is 100% funded by PHE or DH?
   YES: You do NOT need MRP approval.
   NO: go to 3.
3. SAHSU or SAHSU related project, approved by SAHSU liaison committee?
   YES: You do NOT need MRP approval.
   NO: Your study needs annual MRP approval; you need to become an ONS approved researcher.

Once all appropriate permissions have been granted, SAHSU operates a hierarchy of data access permissions based on user role (see figure 3, page 15):

(i) General level access to aggregated health data, such as that available from data providers' websites, e.g. district level mortality counts.
(ii) SAHSU researcher access to small area data that is not sensitive (highly confidential).
(iii) SAHSU researcher level access to pseudonymised data where required for specific projects.
(iv) Database team access to sensitive information supplied by data providers, e.g. to pseudonymise the data.

Access to sensitive data is password protected. Only the database team have direct access to postcode and address level data. Access is audited internally as required by the project IGP and by department and college. All research involving data with any risk of potential identifiability (e.g. small area level data with low counts) is conducted on the private network, an air-gapped stand-alone network with no connection to either the internet or the Imperial College IT network (see figure 4, page 21).

Figure 3: Data access

2.5 Data extraction

The process for obtaining data access and permission to extract data is given in the previous section, and in more detail in section of the Information Governance Policy. Extracting the health data from the database for use in statistical tools is carried out using:

a) The Rapid Inquiry Facility (RIF)
b) The data extraction tool (part of the new v4.0 RIF)
c) The database team on behalf of the user.

The new RIF (v4.0) is in development and will be progressively rolled out from 2014, starting with the Disease mapping module, and will have integrated Information Governance. Extracts will need prior approval by the SAHSU Database Manager or the Assistant Director before the RIF can be used to perform the extract.

The rules for data extraction are designed to protect patient confidentiality at all times. The rules are complex and form section 14.3 of the Information Governance Policy, with a summary at Appendix D (both IGP and this document).

A data extract form must be filled in by the researcher before the database team can perform an extract on behalf of the user. An example of the data extract form is given at Appendix B. This process ensures that all permissions are in place, and the extract and transfer rules require authorisation by the SAHSU Database Manager or SAHSU Assistant Director. This process is audited.

2.6 Data transfer

Data may not be transferred off the private network without the specific written permission of the SAHSU Database Manager, Director or the Assistant Director. Written permission from the data provider will also almost certainly be required unless the data are fully pseudonymised. All identifiable fields listed in table 2 must be pseudonyms; SAHSU pseudonymised fields (full postcode, new NHS number, AddressPoint ID) must be re-pseudonymised; any geographic key of local authority level and below must be pseudonymised.

Results may be transferred off the private network as long as they are non-disclosive or aggregated to Local Authority Districts and Unitary Authorities (LADUA) level or above. Additionally, cells with low cell counts (<5) are considered potentially disclosive and should not be transferred off the private network.

Data transfer off the SAHSU Private Network is controlled by the extraction process and is fully audited. Data transfer onto the Private Network has a separate log and is also fully audited. Data transfer is carried out using a special thin client with access to the core of the Private Network. This thin client is located in a locked secure room (534) within the SAHSU 5th floor offices and uses card key two-factor authentication to NHS standards to verify the identity of the user transferring data. All data transferred must use encrypted USB keys; these must be pre-registered by the database manager or the system manager.

2.7 Data outputs

Data access is determined by the hierarchy shown in figure 3. SAHSU does not share data with third parties. Researchers are never granted access to sensitive data (e.g. NHS number, postcode or addresses) and all extracts are supervised by the SAHSU database team. All data that are potentially identifiable must remain on the private network. To extract potentially identifiable data (below local authority level, or with low cell counts), authorisation in writing from the Database Manager, Director or Assistant Director must be obtained; the same written authorisation is required for all transfers of aggregated data off the private network. Data can only be transferred from the private network from a locked cabinet in the secure SAHSU data processing area. In all cases data are extracted using the RIF (providing aggregate data) or by the database team, and all transfers are audited.

2.8 Ethics

Umbrella ethical approval was, from provided for small area studies by the Imperial College Research Ethics Committee (ICREC). Conditions of this approval were that data could not be traced back to individuals (generally interpreted as postcode level data, depending on numbers of cases involved) and that an annual summary of studies should be provided. Separate ethics committee and data provider approval were obtained for studies with special requirements such as data linkage. Some projects are still running (as of November 2013) that may have been started during this time period.

In 2012 SAHSU, which is a national resource, moved to oversight by a national research ethics committee. Two separate applications to the National Research Ethics Service (NRES) for ethical endorsement of SAHSU were submitted and approved in May. The first application confirmed SAHSU's existing work programme using current data holdings (REF reference 12/LO/0566). The second, extended application obtained approval to hold address level data for all datasets where this is possible (REF reference 12/LO/0567).
The extended application (12/LO/0567) also sought permission to perform linkage of datasets. Blanket approval to link datasets was not given, but SAHSU may submit a substantial amendment form to the ethics committee for each study that requires data linkage. No data linkage can take place until the substantial amendment form for the specific study is approved by the ethics committee. Approved SAHSU studies and SAHSU studies with co-funding using SAHSU anonymised data do not require further specific ethical review to conduct studies using address level data, but studies requiring data linkage need to submit a further substantial amendment.

2.9 Health Research Authority Approval

SAHSU is required to hold section 251 authority to hold and process confidential medical data. Section 251 of the NHS Act 2006 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information in specific circumstances, where it is not possible to use anonymised information and where seeking consent is not practical, having regard to the cost and technology available. The section 251 powers are vested in HRA, which acts as SAHSU's confidentiality regulator.

SAHSU holds HRA approval from the Secretary of State for Health as ECC 2 06(a)/2009, with amendments:
a) ECC 7 04(h)/2010 to hold MINAP data;
b) 23rd August 2012 for NHS Numbers for Babies (NN4B) data;
c) 12th October 2012 for the linkage process; and
d) 19th December 2012 to hold NHS numbers and addresses for all current datasets with these fields and to approve the first three projects for linkage.

HRA approval is subject to annual review.

Information Governance

SAHSU is required as part of its HRA approval to be compliant with the NHS Connecting for Health Information Governance toolkit by November 2013, and to provide the assessment score to HRA as part of the annual review report due at the same time. As a result of this requirement, an MRC Centre Information Governance And Data Management Policy was created in October 2013, the System Level Security Policy (SLSP) was converted to an Information Governance Policy (IGP), and all SAHSU data users were from October 2013 required to undertake IG training before being allowed to use SAHSU data. The medium term aim is for SAHSU to become an accredited safe haven, to allow SAHSU to continue to hold and process Section 251 confidential data.

The term safe haven is a term used to explain either a secure physical location or the agreed set of administrative arrangements that are in place within the organisation to ensure confidential personal information is communicated safely and securely. It is a safeguard for confidential information which enters or leaves the organisation. Any members of staff handling confidential information, whether paper based or electronic, must adhere to the safe haven principles.
The key pillars of the SAHSU safe haven are:
• Project approval by a steering committee (the SAHSU PHE liaison committee).
• Strong audited procedures in the processing and extraction of confidential health data for research.
• A secure, isolated private network.
• Strong audited controls on the transfer of data on or off the private network.
• Separation of duties; only the database team can view confidential health data, researchers cannot.
• A comprehensive pseudonymisation scheme.

As part of the IG toolkit requirements SAHSU is also required to create an IG Improvement Plan; this is provided as Appendix H to the IGP. This is a summary of the work required to be 100% compliant with NHS Information Governance requirements.

2.11 Security

SAHSU has multiple and robust systems in place to ensure data security and to ensure individuals are not identifiable (Figure 4, page 21). All potentially identifiable data are held on the private network. As mentioned above, this is an isolated air-gapped network, not connected to any other network, with a mandatory access control system. The private network has no modem, wireless, remote LAN or web access. The private network servers are additionally protected from the clients (i.e. users) by a firewall, and have multiple layered controls to be able to resist penetration. A detailed description of the private network is included in the SAHSU IGP.

Access to the SAHSU private network in offices is restricted by the network hardware to known machines at known locations. The network is independently tested to be penetration resistant, which means that there is defence in the unlikely event of any failure in the hardware access control. The network is resistant to physical loss of power and there are multiple backup types, both within the network and as tapes kept in a locked fireproof safe as well as an additional offsite fireproof safe.

Physical access to the building is controlled by card key. The building is manned 24 hours a day by security and has extensive CCTV. The sub-basement room in which the server sits is in the most secure part of the building, and is controlled by restricted access card key and an additional high security key lock.

Data held in SAHSU health databases are separated into sensitive (e.g. NHS number, postcode or addresses) and other data, using SAHSU's own database-wide pseudonymisation process. Only the database team have access to the sensitive data, which are pseudonymised. Users are never granted access to the sensitive data and all extracts are supervised by the SAHSU database team. Software interrogation tools, such as the SAHSU developed Rapid Inquiry Facility (RIF), use aggregated data.
Researchers generally only access the database using the standard administrative geography hierarchies (e.g. Census output area) and do not need access to XY grid co-ordinates, NHS numbers, addresses or postcodes. Access to specific data items (e.g. terminations ICD codes, tables of sensitive data) is further restricted.

When research users need access to XY co-ordinates for the purpose of adding exposure data, the database team decrypt the postcodes or addresses and then link to the co-ordinates together with an encrypted record locator, but with no health data attached. Exposure data is then added by users. Finally, the database team add the exposure data back to the health data, stripping off the encrypted record locator and the XY co-ordinates. The GIS team are also members of the database team, so have full access to address, postcode and co-ordinate data as required by their role. Such identifiable data are always kept pseudonymised or separate from the health data.

Data can only be transferred by users from the private network from a locked cabinet in the secure SAHSU data processing area. No data will be transferred off the private network unless it adheres to the SAHSU rules outlined in the IGP. In all cases data are extracted either using the RIF (providing aggregate data) or by the database team, so no sensitive data are available to researchers. Individual users are trained in how to transfer data by a member of the database team. Written guidelines are provided to SAHSU staff extracting data from the database to ensure compliance with policy, and a paper-based audit trail is maintained. For example, although no sensitive data can be transferred off the private network, low cell counts in tables may pose a disclosure risk (e.g. one case of a rare cancer in a small geographical area), so researchers are asked to suppress counts of <5 individuals in a table cell, or rates based on such counts. SAHSU does not transfer data to third parties.

The SAHSU IGP is written to be compliant with ISO/IEC 17799:2005 & ISO/IEC 27001:2005, has been internally reviewed and risk assessed in accordance with Imperial College policy, and was audited by NIGB in October.

The pseudonymisation process replaces the NHS number or postcode with a pseudonym. This pseudonym comes from a lookup table where the postcode has been replaced with a one-way encrypted lookup value (i.e. it cannot be decrypted). This value can only be generated cryptographically from the original postcode and a password. The advantages of this system are:
1. The high strength derived from having one cryptographically secure key per postcode or NHS number value.
2. The table cannot be accessed without cryptography.

In the case of addresses, the address is encrypted, and the Ordnance Survey AddressPoint ID is pseudonymised in the health data. This provides a link from the correct address to the 1m precision XY co-ordinates held in the Ordnance Survey AddressBase product.

To prevent re-identification:
• Data are securely transferred from the external suppliers using password-protected files that are also AES256 encrypted (current government standard encryption).
• Even where data have been pseudonymised we recognise there is a potential risk of disclosure from small numbers (e.g. a rare cancer in a small area), so small number suppression is used for outputs (where counts are less than 5).
• There is a full audit trail for all data access and data transfer, with paper-based controls for access and transfer requests and audit reports to cross-check access and transfer requests.
The database team are able to re identify postcodes, NHS numbers and addresses to for example allow linkage to X/Y coordinates. Such re identification is kept separate from the health data at all times and uses per project linkage fields (usually a one way encryption of the SAHSU database record locator or SAHSU_ID). Re identification is subject to a minimum of project approval, and additionally data provider, ethical and Health Research Authority (HRA) approval if the purpose is cross health dataset linkage. Identifiable information is not available to researchers. A detailed description of the pseudonymisation process is provided in SAHSU s Information Governance Policy (IGP) 20
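An added illustration of the scheme this section describes: keyed one-way pseudonyms, per-project linkage fields, the locator-only exposure step and suppression of counts below 5. It is not SAHSU's code; HMAC-SHA256, PBKDF2, every function name and all sample values are assumptions, since the page does not name the algorithms used.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none come from SAHSU.
PASSWORD = b"constructed-demo-password"
SALT = b"constructed-demo-salt"

def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte MAC key (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)

def normalise_postcode(postcode: str) -> str:
    """Canonical form, so 'zz1 2ab' and 'ZZ1  2AB' give the same pseudonym."""
    return "".join(postcode.split()).upper()

def pseudonym(key: bytes, domain: str, value: str) -> str:
    """Keyed one-way value. 'domain' keeps postcode, NHS-number and
    record-locator pseudonyms in separate spaces under one key."""
    msg = domain.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def project_locator(key: bytes, project_id: str, sahsu_id: int) -> str:
    """Per-project linkage field: the same record gets an unrelated locator
    in every project, so two projects' extracts cannot be joined on it."""
    return pseudonym(key, "locator:" + project_id, str(sahsu_id))

def build_exposure_request(key, project_id, health_rows, xy_by_pseudonym):
    """Database-team step 1: locator plus XY only, no health fields."""
    request = []
    for row in health_rows:
        x, y = xy_by_pseudonym[row["postcode_pseudonym"]]
        locator = project_locator(key, project_id, row["sahsu_id"])
        request.append({"locator": locator, "x": x, "y": y})
    return request

def attach_exposure(key, project_id, health_rows, exposure_rows):
    """Database-team step 2: join exposure back on the locator, then drop
    the locator, the record id and the co-ordinates from the extract."""
    exposure = {e["locator"]: e["exposure"] for e in exposure_rows}
    extract = []
    for row in health_rows:
        locator = project_locator(key, project_id, row["sahsu_id"])
        extract.append({"area": row["area"], "diagnosis": row["diagnosis"],
                        "exposure": exposure[locator]})
    return extract

def suppress_small_counts(table, threshold=5):
    """Replace counts below the threshold with None before release. The page
    states the rule as counts < 5, so a zero cell is suppressed here too."""
    return {cell: (n if n >= threshold else None) for cell, n in table.items()}

def run_demo():
    key = derive_key(PASSWORD, SALT)
    # Database-team lookup table: postcode pseudonym -> grid co-ordinates.
    xy_by_pseudonym = {
        pseudonym(key, "postcode", normalise_postcode("zz1 2ab")): (526500, 179500),
        pseudonym(key, "postcode", normalise_postcode("ZZ3 4CD")): (526900, 181300),
    }
    # Health table as researchers' extracts are built from it: no postcode.
    health_rows = [
        {"sahsu_id": 101, "area": "E00000001", "diagnosis": "C91",
         "postcode_pseudonym": pseudonym(key, "postcode", "ZZ12AB")},
        {"sahsu_id": 102, "area": "E00000002", "diagnosis": "J45",
         "postcode_pseudonym": pseudonym(key, "postcode", "ZZ34CD")},
    ]
    request = build_exposure_request(key, "P1", health_rows, xy_by_pseudonym)
    # Researcher step: exposure is modelled from XY alone (toy formula).
    exposure_rows = [{"locator": r["locator"], "exposure": r["y"] % 1000 / 10}
                     for r in request]
    extract = attach_exposure(key, "P1", health_rows, exposure_rows)
    released = suppress_small_counts({("E00000001", "C91"): 1,
                                      ("E00000002", "J45"): 12})
    return request, extract, released

if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

The researcher-facing objects never carry a postcode, NHS number or SAHSU_ID: the request holds only locator and co-ordinates, and the final extract holds only area, diagnosis and exposure.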

Figure 4: Private Network Security Topography

2.12 Auditing

Actions of the database team are audited. A paper process controls the transfer of health data on and off the private network. The following key database events are audited:

1. Access to all health tables, logon success or failure, privilege grant and privilege usage. Tables of sensitive data are additionally audited.
2. Start-up, shutdown and backup events; backups are additionally emailed to the database manager.
3. Operating system and web server (internal to the private network) events. Audit trails and Oracle trace files are emailed to the database administrator at intervals.
4. Audit trails are backed up and replicated onto the archive file server.
5. The file transfer system enforces the use of cardkeys to pre-registered encrypted USB keys. The keys are encrypted and all file transfers are audited. These are loaded into Oracle at intervals for further analysis.
6. Windows and Linux file access.

A monthly audit review will be co-ordinated by the Assistant Director and will be reviewed by an appropriate level individual not funded by SAHSU or working on a SAHSU project, e.g. the database manager for a large cohort study. The review will include a report on any security incidents reported in the last month, with proof of submittal to the Information Governance toolkit. The Assistant Director will oversee an annual review audit on the correct functioning of the SAHSU Information Governance policy. This should also include user Information Governance compliance spot checks; in particular compliance with the Confidentiality Agreement and the physical security of the Private Network.

Data quality

Data are received from data providers and have therefore usually undergone extensive cleaning prior to arrival at SAHSU. On receipt of data downloads, global checks of data are run to look at completeness of fields and consistency of coding. Counts by broad disease groups, geographical regions and age are undertaken and checked against data provider published totals, and reasons for discrepancies are identified in discussion with data providers. Further data checking is undertaken as part of specific projects and anomalous results are again discussed with data providers. This has been particularly useful in highlighting changes in how records are collected and coded as well as postcoding errors.

SAHSU maintains a high quality annual postcode dataset derived from the quarterly Post Office Address files and, before 2001, from the National Statistics Postcode Directory. For years prior to 2003, postcode co-ordinates are checked and corrected where necessary to use later co-ordinates. SAHSU checks all dates and re-computes all ages to remove Year 2000, age calculation and unusual date format (e.g. American) errors. Addresses are matched against the Ordnance Survey AddressPoint database using an in-house high-throughput program. The program achieves a better match rate with fewer mismatches than commercial alternatives.

As of September 2012, SAHSU is extending our holdings and research to:

1. Hold address level for all datasets we currently maintain
2. Perform data linkage for selected studies after a substantial amendment form has been approved by the ethics committee.

3. Types of Research

3.1 Observational data subject research

SAHSU conducts substantive national research studies on environmental factors that may affect health, ranging from exposures to electromagnetic fields (such as from electricity powerlines) to traffic-related air pollution and noise, using nationally collected patient data including mortality, hospital admissions, cancer registrations and births data. Additional small area analyses may also be conducted that help support the general remit of the unit, e.g. investigating differential hospital admission rates in ethnically diverse small areas. Additionally, SAHSU provides national expertise in cluster and small area statistical methods and has close links with Public Health England, including input into their environmental public health tracking programme.

SAHSU already holds HRA approval and National Research Ethics Committee (NREC) approval to conduct our current research using address level data (note: we do not hold names). Studies with additional requirements, chiefly data linkage and use of termination of pregnancy data, are subject to approval of a study-specific substantial amendment to SAHSU's main ethics and HRA approvals.

As stated above, we have NRES ethical permission to extend our holdings and research to:

(i) Hold address level for all datasets we currently maintain (listed below)
(ii) Perform linkage across datasets for specific studies provided a substantial amendment form has been submitted and approved by the ethics committee.

We have already applied to HRA for permission for both of these extensions to the core SAHSU functions and have received a favourable response.

In brief, address level data are required to accurately provide detailed environmental exposure assignment, since geographical locations of postcodes are too imprecise to provide accurate information for many exposures, especially where these decay rapidly with distance from source (e.g. noise, air pollution, electromagnetic fields). Permission to perform linkage across datasets is required to add additional information from one dataset to another, for example adding gestational age, ethnicity and birthweight (from HES) to births (the most complete record of all births from ONS) to be able to correctly interpret low birthweight data. It will allow us to identify all cases and provide better estimates of numbers affected, and to establish study-specific cohorts where we can link exposure earlier in life to later health outcomes taking account of migration.

We have performed cross-dataset linkage in the past with specific ethical permission for a number of reasons, and SAHSU staff have experience doing this in-house with cohort studies. SAHSU already holds a HES Deaths link field. SAHSU also already holds a HES Births link where gestational age, ethnicity and birth weight for births recorded in ONS births data

can be obtained via a link to HES data. However, we are unable to use these links for specific studies without ethical approval. Additional permissions regarding linkage and holding of address level data will be sought from data providers as well as HRA.

3.2 Collaborative research

SAHSU works with a multi-disciplinary team that collaborates extensively with other departments within Imperial College and with external institutions in the UK, Europe and the USA. In addition, SAHSU is developing links with the Regional Public Health Observatories in England, the Wales Centre for Health and parallel organisations in Scotland and Northern Ireland, and within that context, SAHSU will provide expert advice and assistance to help the new Observatories to develop expertise in small area health analysis.

SAHSU responds to additional enquiries on clusters and other potential local environmental health issues at the request of PHE as a tertiary level advisory centre. For example, we concluded in 2011 a small area Rapid Inquiry Facility (RIF) study into cancer rates in the years following a chemical fire in October 2000 at a site in Sandhurst at the request of Gloucestershire Primary Care Trust (PCT) and advised Kent PCT on investigation of a potential cluster of gastroschisis cases in We also participate in the Environmental Public Health Tracking initiative led by Public Health England, which in 2012/13 has included investigation of routine data recording of carbon monoxide poisoning.

Internationally, we have been working with the US Communicable Disease Centers for several years to develop tools to use routine data sources such as those we hold at SAHSU to facilitate public health tracking in relation to environmental hazards. SAHSU also has links with the World Health Organization; for example, we participated in a WHO workshop meeting in November 2011 on contaminated sites to advise on methods that can be used to help investigate potential health effects.

SAHSU does not share small area or individual level data with external collaborators: data are accessed by researchers with a current contract to Imperial College, a member of the SAHSU core staff must be included in the research team to ensure the proper use and reporting of data, and the project must have been adopted as a SAHSU project by the PHE Liaison Committee.

4. Policy on Publication of Research Findings

SAHSU has a long record of publishing its research in high quality peer-reviewed journals to inform policy and to empower public debate. The right to publish is enshrined in any contracts with research co-funders. SAHSU staff actively participate in national and international conferences and meetings to present and discuss its research, including the International Society for Environmental Epidemiology (the largest such society

internationally) and at UK Environment and Occupational Health meetings and the annual PHE conference.

SAHSU is part of the MRC PHE Centre for Environment & Health ( health.ac.uk), which has a communications strategy and contact with the public via the Community Advisory Board and event organisation. We also keep in touch with local interest groups and organisations for specific studies; for example, we have presented methodology and results of the Health effects of aircraft and road traffic noise and air pollution in the vicinity of London Heathrow airport to local public health and council staff by invitation. We are engaging with Sense About Science (an NGO with a remit to promote science to the public) to help develop an Environment and Health Atlas for England and Wales to provide small area maps of major public health conditions and environmental exposures that will be available online. Additionally, a number of SAHSU studies have advisory boards that include representatives of groups likely to make use of the results.

Our website ( has information about the unit, our major projects and publication details. We notify the PHE communications office of forthcoming SAHSU reports and publications to help manage media enquiries and communication with the public. We also have informal links with individual journalists.

5. Science

Regular meetings are held with the PHE (the SAHSU PHE Liaison Committee), chaired by the PHE Director of Research and Development or their representative (currently Dr Jill Meara, Deputy Director CRCE at PHE), where SAHSU and Public Health England jointly identify new work they wish to be undertaken and agree a forward work programme subject to funding (see figure 1, page 12). Most major ongoing SAHSU projects involve co-funding from the major UK research funders, which entails successful peer-reviewed proposals. Scientific advisory groups are also set up for certain studies, for example where there is particular policy relevance or extra input is needed with respect to environmental exposure estimation.

The work of the MRC PHE Centre for Environment and Health, of which SAHSU forms a substantial part, is overseen by monthly meetings of the Centre Executive Committee. The Executive Committee has the following members (as of July 2013):

- Prof Paul Elliott - Centre Director, Director of Small Area Health Statistics Unit (SAHSU), Lead: Small Area Studies And Environment And Health
- Prof Frank Kelly - Deputy Director, Theme Lead: Air Pollution, Noise and Health
- Prof Ross Anderson - St George's University of London Representative
- Prof Majid Ezzati - Lead: Risk Assessment and Policy Evaluation
- Dr Toby Athersuch - Training Programme Coordinator
- Prof Peter Burney - Lead: Cohort studies
- Drs Rachel Smith and Rebecca Ghosh - Researchers Society
- Prof Elaine Holmes - Investigators Committee Representative
- Prof Jeremy Nicholson - Lead: Systems Toxicology
- Prof Nicky Best - Lead: Biostatistics
- Dr David Stokes - Centre Science Manager
- Prof Paolo Vineis - Lead: Exposome and Health

The work of the MRC PHE Centre for Environment and Health (including SAHSU) is reviewed annually by an International Scientific Advisory Board (ISAB). This was established to provide independent advice to the Centre's Director about the strategic direction of the Centre, progress and outputs. Membership of the International Scientific Advisory Board was agreed and approved by the MRC and PHE. The Board is chaired by Dr Jonathan Samet (University of Southern California, Director of USC Institute for Global Health) and comprises five full members from both UK and overseas and four observers from the funding agencies as shown below:

ISAB Members:

- Prof Jon Ayres (Director, Institute of Occupational and Environmental Medicine, University of Birmingham)
- Prof Carol Dezateux (Director of MRC Centre of Epidemiology for Child Health)
- Prof Peter Diggle (Director of Centre for Health Information, Computation and Statistics, University of Lancaster)
- Prof Martyn Smith (School of Public Health, University of California)

ISAB Observers:

- Dr Paul Colville Nash - Programme Manager for Stem Cells, Developmental Biology, Regenerative Medicine and Haematology, Medical Research Council
- Dr John Harrison - Director of Centre for Radiation, Chemical And Environmental Hazards, Public Health England
- Dr Giovanni Leonardi - Epidemiologist, Centre for Radiation, Chemical and Environmental Hazards, Public Health England
- Dr Simon Bouffler - Head of Biological Effects Section, Public Health England

One key change resulting from an ISAB recommendation in 2010 was to increase the public involvement with the scientific research conducted, and a Community Advisory Board was set up. This provides a permanent consultation forum for the exchange of opinions and ideas on the scientific research conducted by the Centre. The CAB members meet quarterly, and provide a range of lay perspectives on the Centre's research strategy and programmes, input ideas, and provide opinion on ethical issues. SAHSU research projects have been presented at each meeting to date. Membership of the CAB includes representatives from various industries, the general public, local government, and patient groups. SAHSU work has been presented and discussed at several CAB meetings.

APPENDIX A: Blank SAHSU project form

SAHSU Working Title Full Title Co-funding Source/s Project Summary SAHSU's role Status Proposed Start Date End Date PI Researchers Technical Support Staff Data Users Data Requirements/ Ethics Approvals status Project Log Project Event Date Actions/Notes Publications/presentations Policy Influence and Stakeholder Engagement Updated:

APPENDIX B: Blank SAHSU data extract form


APPENDIX C: SAHSU Legislative Compliance

In the UK there are several Acts of Parliament that deal with issues of security, confidentiality and privacy of personal information. Under these Acts each employee is legally bound to comply with the requirements, and individuals can face action for breach of the requirements as there is personal liability specified within some of the legislation. These requirements, and penalties for breaches, are reinforced within your contract of employment and the SAHSU Confidentiality Agreement, and also summarised below. In addition, any breach of these requirements could be considered a disciplinary offence that could lead to dismissal/expulsion/withdrawal of collaboration.

C.1 Your responsibilities as an employee/student/external collaborator

During the time you are working within SAHSU, you may have access to confidential information that can identify an individual in a health record. This type of information should not be disclosed to any person outside of your normal working environment, particularly those not working on your Project. If you need to disclose/share this information in pursuit of your working duties you will have been granted permission to do this by the SAHSU database manager. If you receive a request for information that is not a normal request e.g. someone you work with on the same project, you must seek, prior to any release of information, specific permission on behalf of the SAHSU by the database manager or the Assistant Director.

Confidential information includes, but is not limited to, all information of a secret or confidential nature relating to the affairs of any person whose health information is held within the SAHSU private network. This will include: births, deaths, still births, hospital episodes, congenital anomaly and terminations data.

C.2 Relevant Acts of Parliament, NHS guidelines, reports and what they mean

Term | What it covers | Personal responsibilities | Penalties for breaches

Data Protection Act 1998
Human Rights Act
Person identifiable information about living individuals: manual and automated records (e.g. on computer, video tape, digital images)
An individual's right to privacy for
Keep all person identifiable information secure and confidential; see the SAHSU Overarching Protocol for the process of data for specific details. Further information is available from the Database Manager.
Unauthorised disclosure of personal identifiable information could lead to court action and a criminal conviction and/or the payment of compensation to a claimant.


More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

More information

Identity Cards Act 2006

Identity Cards Act 2006 Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration

More information

UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences

UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences NHS-HE Forum, 28 th November 2013 UCL IG Framework Where we ve got to The IG Framework Services to support the

More information

Health and Social Care Information Centre

Health and Social Care Information Centre Health and Social Care Information Centre Information Governance Assessment Customer: Clinical Audit Support Unit of the Health and Social Care Information Centre under contract to the Royal College of

More information

De-identification of Data using Pseudonyms (Pseudonymisation) Policy

De-identification of Data using Pseudonyms (Pseudonymisation) Policy De-identification of Data using Pseudonyms (Pseudonymisation) Policy Version: 2.0 Page 1 of 7 Partners in Care This is a controlled document. It should not be altered in any way without the express permission

More information

Site visit inspection report on compliance with HTA minimum standards. London School of Hygiene & Tropical Medicine. HTA licensing number 12066

Site visit inspection report on compliance with HTA minimum standards. London School of Hygiene & Tropical Medicine. HTA licensing number 12066 Site visit inspection report on compliance with HTA minimum standards London School of Hygiene & Tropical Medicine HTA licensing number 12066 Licensed under the Human Tissue Act 2004 for the storage of

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing

More information

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER SECTION 46 OF THE FREEDOM OF INFORMATION ACT 2000 NOVEMBER 2002 Presented to Parliament by the Lord Chancellor Pursuant to section

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

INFORMATION RISK MANAGEMENT POLICY

INFORMATION RISK MANAGEMENT POLICY INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS The Leeds Teaching Hospitals NHS Trust Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS 1. Introduction The Research Governance Framework for Health & Social

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

Information Governance and Risk Stratification: Advice and Options for CCGs and GPs

Information Governance and Risk Stratification: Advice and Options for CCGs and GPs Information Governance and Risk Stratification: Advice and Options for CCGs and GPs 1 NHS England INFORMATION READER BOX Directorate Medical Operations Patients and Information Nursing Policy Commissioning

More information

2009 No. 890 ENVIRONMENTAL PROTECTION. The Waste Batteries and Accumulators Regulations 2009

2009 No. 890 ENVIRONMENTAL PROTECTION. The Waste Batteries and Accumulators Regulations 2009 STATUTORY INSTRUMENTS 2009 No. 890 ENVIRONMENTAL PROTECTION The Waste Batteries and Accumulators Regulations 2009 Made - - - - *** 2009 Laid before Parliament *** 2009 Coming into force in accordance with

More information

Information Security Assurance Plan 2015/16

Information Security Assurance Plan 2015/16 Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due

More information

NHS SCOTLAND PERSONAL HEALTH RECORDS MANAGEMENT POLICY FOR NHS BOARDS

NHS SCOTLAND PERSONAL HEALTH RECORDS MANAGEMENT POLICY FOR NHS BOARDS INFORMATION GOVERNANCE RECORDS MANAGEMENT GUIDANCE NOTE NUMBER 002 NHS SCOTLAND PERSONAL HEALTH RECORDS MANAGEMENT POLICY FOR NHS BOARDS Guidance Note 002 1 1 HEALTH RECORDS MANAGEMENT POLICY 1.1 Introduction

More information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

Nursing Agencies. Minimum Standards

Nursing Agencies. Minimum Standards Nursing Agencies Minimum Standards 1 Contents Page Introduction 3 Values underpinning the standards 6 SECTION 1 - MINIMUM STANDARDS Management of the nursing agency 1. Management and control of operations

More information

STATUTORY INSTRUMENTS SUPPLEMENT No. 1 11th May, 2012.

STATUTORY INSTRUMENTS SUPPLEMENT No. 1 11th May, 2012. THE EAST AFRICAN COMMUNITY STATUTORY INSTRUMENTS SUPPLEMENT No. 1 11th May, 2012. to the East African Community Gazette No. 7 of 11th May, 2012. Printed by the Uganda Printing and Publishing Corporation,

More information

Research Governance Standard Operating Procedure

Research Governance Standard Operating Procedure Research Governance Standard Operating Procedure The Management and Use of Research Participant Data for Secondary Research Purposes SOP Reference: Version Number: 01 Date: 28/02/2014 Effective Date: Review

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

Data Quality Policy SH NCP 2. Version: 5. Summary:

Data Quality Policy SH NCP 2. Version: 5. Summary: SH NCP 2 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: The Trust provides a framework to ensure all data that is recorded by the Trust is accurate and complies to

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Complaint: NHS Data Storage in the Google Cloud

Complaint: NHS Data Storage in the Google Cloud 13 th March 2014 Christopher Graham, Information Commissioner, Wycliffe House, Water Lane, WILMSLOW, Cheshire SK9 5AF Dear Chris, Complaint: NHS Data Storage in the Google Cloud We are writing about recent

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY ENFIELD CLINICAL COMMISSIONING GROUP INFORMATION GOVERNANCE POLICY PLEASE DESTROY ALL PREVIOUS VERSIONS OF THIS DOCUMENT Enfield CCG Information Governance Policy Information Governance Policy (Policy

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Summary of the role and operation of NHS Research Management Offices in England

Summary of the role and operation of NHS Research Management Offices in England Summary of the role and operation of NHS Research Management Offices in England The purpose of this document is to clearly explain, at the operational level, the activities undertaken by NHS R&D Offices

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

DIRECTOR OF PUBLIC HEALTH ROLE PROFILE

DIRECTOR OF PUBLIC HEALTH ROLE PROFILE Appendix A DIRECTOR OF PUBLIC HEALTH ROLE PROFILE Title: Employing Organisation: Accountable to: Hours: Work base: Key Relationships Director of Public Health London Borough of Tower Hamlets Professionally

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

Education and Training Committee, 10 March 2011. Professional indemnity insurance. Executive summary and recommendations.

Education and Training Committee, 10 March 2011. Professional indemnity insurance. Executive summary and recommendations. Education and Training Committee, 10 March 2011 Professional indemnity insurance Executive summary and recommendations Introduction This paper appeared as a paper to note at the Council meeting on 10 February

More information

The EDGE 2014 User Conference Information Governance Workshop

The EDGE 2014 User Conference Information Governance Workshop The EDGE 2014 User Conference Information Governance Workshop Monday 17 th March 2014 Debbie Terry Agenda What is Information Governance? New developments in legislation Your questions answered Caldicott

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

North West Core Skills Programme. Information Governance Implications

North West Core Skills Programme. Information Governance Implications North West Core Skills Programme Information Governance Implications Version number: 0.3 Author: Mike Farrell, North West Core Skills Programme Effective from: October 2012 Due for review on: October 2013

More information

Public Records (Scotland) Act 2011. NHS Health Scotland Assessment Report. The Keeper of the Records of Scotland. 5 th August 2015

Public Records (Scotland) Act 2011. NHS Health Scotland Assessment Report. The Keeper of the Records of Scotland. 5 th August 2015 Public Records (Scotland) Act 2011 NHS Health Scotland Assessment Report The Keeper of the Records of Scotland 5 th August 2015 Contents 1. Public Records (Scotland) Act 2011... 3 2. Executive Summary...

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

Records Management Plan. April 2015

Records Management Plan. April 2015 Records Management Plan April 2015 Prepared in accordance with the Public Records (Scotland) Act 2011 and submitted to the Keeper of the Records of Scotland for their agreement on 28 April 2015 (Revised

More information