Data Security

Data security, integrity and quality

As a specialist consultancy in this field, we have over 25 years’ experience in working with all aspects of data supply and analysis. Recently, the implementation of the General Data Protection Regulations (GDPR) have introduced a clearer distinction between the respective roles and responsibilities of Data Controllers, and Data Processors – and the need for formal signing of data processing agreements, and data privacy impact assessments, whenever personal data is to be transferred to a third-party organisation.

We are wholly familiar with these requirements. We are ISO 27001:2013 certified for our information governance systems. This is the relevant international standard for such matters, and provides assurance of our good governance of data handling. The ISO standard addresses all aspects of information governance, including policies, quality standards, handling non-conformances, and data security. We have detailed documentary procedures for all aspects of information governance and we develop data processing agreements as routine business with our clients. This is sometimes within the context of evaluation projects, but also necessitated by our simulation modelling work (which requires very large data transfers, typically of three years’ data at the individual pseudonymised episode level) and our serious incident investigations, which handle highly sensitive and identifiable patient data.

As regards the processes for data transfer and storage, we have an NHS.net account, which is a secure means of electronic data transfer. We would then upload to our own secure ‘cloud’ based document archive using the Huddle platform. No data is transferred out of the UK. If there are client requirements for this, we can set up shared access to a secure project-specific Huddle account, for upload of project documentation.

All of our electronic data devices (fixed or portable) are encrypted and access to both the device and to our server is double password protected. Our passwords are updated regularly and data is shared even within the Niche team on a need-to-know basis only.

If we are inadvertently sent patient-identifiable data by a client, our staff follow a clear protocol to:

• delete permanently all the identifiable data from our servers;
• notify the client lead that there has been an information governance breach, with the details of that breach; and
• notify our own Director responsible for Information governance, and log this as a breach in our ISO 27001 and ISO 9001:2015 non-conformance registers.

On completion of the project, all client sites will be asked whether they wish us to delete their data, or to retain it in the event of follow-up enquiries. In the former event, we will confirm deletion to the client; in the latter, we will archive file copies of the data on our secure server for no longer than a 2-year period.  For investigations, all information we control (interviews and transcripts) we are required to save for seven years from completion of the investigation. For all other data, where we are the data processors, we are required to either destroy the information or return to the organisation concerned (such as policies meeting minutes or clinical records).

For most projects, records of interviews with either staff or with service users will be made as contemporaneous paper notes, within a template devised for this project. These notes will include details of the site, date, and interviewee(s). Written notes will be reviewed by two members of our team, who will individually and then together propose and agree the themes arising. This thematic analysis will then be recorded and presented as part of our reports.

For investigations, they are most often recorded and transcribed, with a copy of the transcript sent to the interviewee for additional comment and their signature as a factual record of the interview. Where they are not recorded and transcribed, a summary of the questions and key points is drafted and sent to the interviewee for their additional comment and signature as a factual record.

Paper notes for all projects other than investigations will be stored securely in our offices (as also verified by ISO 27001) and retained for a period of two years after completion of the project, to permit checking of queries arising. They will then be securely destroyed by our confidential waste contractor.

We have worked with health and social care datasets for over 25 years, including very substantial national census work with many millions of data items. During that period we have never been the cause of any breach of data confidentiality. Our data analysts are employed directly by ourselves, and we do not outsource any aspect of data analysis, either within the UK or further afield.

Statements on Confidentiality

When we work with clients, we ensure that we are clear about the terms through which we are ‘engaging’ in conversations or interviews which are related to our work. On the whole, we will use four main types of conversation:

• An investigation interview: It is important to note that no interview can ever be considered completely confidential in absolute terms. This is because we will need to use the information in some way to derive conclusions related to the job we are doing. Also, we may often transcribe interviews, and this is done by a specialist third party organisation. However, when we do use the words ‘confidential’ this means that we do not expect the detail of the information that you are providing to be shared with anyone (unless certain conditions of disclosure apply- see below). This means that we will not share interview transcripts with your organisation, and we will not tell your colleagues anything you have said. We will keep your information on our secure, encrypted files for two years, before it is confidentially destroyed.

• A non-investigation interview: We interview many hundreds of people each year as part of our strategic, evaluative and governance work and we understand the importance of ensuring that people feel that they are able to talk in a candid and non-prejudicial manner with us. At the start of each of our interview type conversations we are clear about whether we are having a confidential, non-attributable or open conversation with someone. We also describe what we will do with their information and how it will be kept. Generally, non-investigation conversations are not recorded and we simply take notes as an aid-memoire. These notes are kept on client files for up to two years and then confidentially destroyed.

• A ‘non-attributable’ interview – This again means, that we do not expect to share any of the detail of what you have said as if you have directly said it. However, we do need to place reliance upon interview matter and so we are clear that we will use your information, but we will use it very carefully. Where we feel that something would be useful for our work but in using the information it will make it attributable to you, we will ask your permission before we proceed, or, we will try to find other ways to anonymise the information.

• An ‘open interview’ – This is where we are very clear that your information is accessible and attributable (i.e. we do not have the sole discretion to protect information in that setting). This might occur when interviewed in an open forum such as a focus group or whether you are interviewed on camera for the express purpose of collating a visual document. We will still be clear with you in open interview or forum, how your information will be used and kept.