Part of A guide to confidentiality in health and social care: references
Section 13: Accredited Safe Havens
An Accredited Safe Haven (ASH) is an accredited organisation, or a designated part of an organisation, which is contractually and legally bound to process data in ways that prevent the individuals to whom the data relates from being identified. As part of new accountability arrangements across the new health and care system in England, a specific group has been established to consider information governance issues. One of the options that will be considered by this group (the Information Services Commissioning Group (ISCG) Information Governance Subgroup) is the establishment of accredited safe havens as suggested by the Information Governance Review.
Data stewardship requirements for accredited safe havens
Accredited Safe Havens should be required to meet the following requirements for data stewardship:
- attributing explicit responsibility for authorising and overseeing the anonymisation process, e.g. through a Senior Information Risk Officer
- appropriate techniques for de-identification of data, the use of ‘privacy enhancing technologies’ and re-identification risk management
- the use of ‘fair processing notices’
- a published register of data flowing into or out of the safe haven including a register of all data sets held
- robust governance arrangements that include, but are not limited to, policies on ethics, technical competence, publication, limited disclosure/access, regular review process and a business continuity plan including disaster recovery
- clear conditions for hosting researchers and other investigators who wish to use the safe haven
- clear operational control including human resources procedures for information governance, use of role-based access controls, confidentiality clauses in job descriptions, effective education and training and contracts
- achieving a standard for information security commensurate with ISO2700 and the Information Governance Toolkit
- clear policies for the proportionate use of data including competency at undertaking privacy impact assessments and risk and benefit analysis
- standards that are auditable
- a standard template for data sharing agreements and other contracts that conforms to legal and statutory processes
- appropriate knowledge management including awareness of any changes in the law and a joined-up approach with others working in the same domain
- explicit standard timescales for keeping data sets including those that have been linked, which should be able to support both cohort studies and simple ‘one-off’ requests for linkage
Last edited: 17 January 2022 1:37 pm