Call us on: 0161 785 1000
Data security, integrity and quality
As a specialist consultancy in this field, we have over 25 years’ experience in working with all aspects of data supply and analysis. Recently, the implementation of the General Data Protection Regulations (GDPR) have introduced a clearer distinction between the respective roles and responsibilities of Data Controllers, and Data Processors – and the need for formal signing of data processing agreements, and data privacy impact assessments, whenever personal data is to be transferred to a third-party organisation.
We are wholly familiar with these requirements. We are ISO 27001:2013 certified for our information governance systems. This is the relevant international standard for such matters, and provides assurance of our good governance of data handling. The ISO standard addresses all aspects of information governance, including policies, quality standards, handling non-conformances, and data security. We have detailed documentary procedures for all aspects of information governance and we develop data processing agreements as routine business with our clients. This is sometimes within the context of evaluation projects, but also necessitated by our simulation modelling work (which requires very large data transfers, typically of three years’ data at the individual pseudonymised episode level) and our serious incident investigations, which handle highly sensitive and identifiable patient data.
As regards the processes for data transfer and storage, we have an NHS.net account, which is a secure means of electronic data transfer. We would then upload to our own secure ‘cloud’ based document archive using the Huddle platform. No data is transferred out of the UK. If there are client requirements for this, we can set up shared access to a secure project-specific Huddle account, for upload of project documentation.
All of our electronic data devices (fixed or portable) are encrypted and access to both the device and to our server is double password protected. Our passwords are updated regularly and data is shared even within the Niche team on a need-to-know basis only.
If we are inadvertently sent patient-identifiable data by a client, our staff follow a clear protocol to:
On completion of the project, all client sites will be asked whether they wish us to delete their data, or to retain it in the event of follow-up enquiries. In the former event, we will confirm deletion to the client; in the latter, we will archive file copies of the data on our secure server for no longer than a 2-year period. For investigations, all information we control (interviews and transcripts) we are required to save for seven years from completion of the investigation. For all other data, where we are the data processors, we are required to either destroy the information or return to the organisation concerned (such as policies meeting minutes or clinical records).
For most projects, records of interviews with either staff or with service users will be made as contemporaneous paper notes, within a template devised for this project. These notes will include details of the site, date, and interviewee(s). Written notes will be reviewed by two members of our team, who will individually and then together propose and agree the themes arising. This thematic analysis will then be recorded and presented as part of our reports.
For investigations, they are most often recorded and transcribed, with a copy of the transcript sent to the interviewee for additional comment and their signature as a factual record of the interview. Where they are not recorded and transcribed, a summary of the questions and key points is drafted and sent to the interviewee for their additional comment and signature as a factual record.
Paper notes for all projects other than investigations will be stored securely in our offices (as also verified by ISO 27001) and retained for a period of two years after completion of the project, to permit checking of queries arising. They will then be securely destroyed by our confidential waste contractor.
We have worked with health and social care datasets for over 25 years, including very substantial national census work with many millions of data items. During that period we have never been the cause of any breach of data confidentiality. Our data analysts are employed directly by ourselves, and we do not outsource any aspect of data analysis, either within the UK or further afield.
Statements on Confidentiality
When we work with clients, we ensure that we are clear about the terms through which we are ‘engaging’ in conversations or interviews which are related to our work. On the whole, we will use four main types of conversation: