PLEASE NOTE:
We are currently in the process of updating this chapter and we appreciate your patience whilst this is being completed.
Information Governance
This section provides an introduction to Information Governance, the general principles for data protection, and some practical issues to consider when using data for public health purposes.
Information Governance - What is it?
Information governance (IG) is the way in which health and health care information, in particular the personal (particularly which allows identification) and sensitive information relating to people (such as patients and employees), is handled. It aims to balance facility of use with security of health information.
Why is it important?
Previous sections of health knowledge have highlighted the importance of information and intelligence, and how it can be used to improve health and healthcare services for the ultimate benefit of patients and the wider public.
Information systems that identify and track individuals (e.g. individual patients) are particularly useful for detailed analysis and research. However such systems can often directly or indirectly identify individuals and as such need to be handled with care. The public rightly expects any health data held on them to be handled properly and sensitively. As a result there is now a range of legal and other requirements around the use of health and other personal data which those who handle the data should be aware of.
The main legislation currently covering the UK is the EU General Data Protection Regulation (GDPR), which is Europe's new framework for data protection laws, and the UK Data Protection Act 2018 which is a United Kingdom Act of Parliament which updates data protection laws in the UK in the light of GDPR. Responsibility for implementing the law in the UK rests with the Information Commissioner’s Office (ICO).
https://eugdpr.org/ (last accessed 5th March 2019)
http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted (last accessed 5th March 2019)
Below is a summary of the general principles for data protection, followed by some practical issues to address and actions to take when handling health data. Further reading is available in the links provided.
General Principles for data protection
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ which are set out in the Data Protection Act.
http://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/2/enacted (last accessed 5th March 2019)
In summary they must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damag
There is stronger legal protection for more sensitive information, such as:
- race
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- genetics
- biometrics (where used for identification)
- health
- sex life or orientation
Within health there are areas deemed specially sensitive such as abortions, conceptions and HIV.
The next section sets out some practical issues to consider when dealing with health information.
Practical issues – general
If you are working in an organisation (e.g. academic, NHS) and are likely to be handling sensitive personal data, then as a first step it would be good to understand the policies in place to maintain data confidentiality and security and the proper use of information. Organisations should have a senior person (data controller/protection officer) who is responsible for this. In NHS organisations there will be a Caldicott Guardian (a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly).
https://www.gov.uk/government/groups/uk-caldicott-guardian-council (last accessed 5th March 2019)
Practical issues – specific
Considering the data protection principles from above:
Has the data you are using been collected lawfully, and is your proposed use consistent with the original collection arrangements? If you are using existing data then you should be able to test this with those responsible for the data set. If you are unsure, then, in the NHS, research ethics committee[1] approval may be necessary for the proposed work. Be clear on the ultimate purpose of your use of the data.
Is the data adequate and relevant for the purpose you have defined? Is it accurate enough for the purpose and does it cover the areas you require?
Is there any unnecessary identification of subjects or use of sensitive data in the data you are using? Bear in mind that people cannot just be identified through names and addresses, but also via, e.g. date of birth, postcode of address and combinations of different data items. Sometimes this detail is necessary for the purpose of analysis, but can you achieve your purpose(s) by (for example) using age groupings instead of date of birth or output areas in place of postcode?
If data extracts are used for specific purposes then they should contain the minimum sensitive information for the work and should not be retained any longer than necessary after the end of the study.
The data should be processed securely in a way that minimises the risk of unauthorised access or accidental release or loss. In particular:
- data should be held on a secure machine with strong password protection
- data access should be limited to identified named individuals who need access for achieving the work objectives. Those individuals should be trained in data protection principles
- the making of copies of the data should be kept to a minimum and documented. The holding of any copies should be subject to the same rules as for the original data. Any data held elsewhere should be strongly encrypted. Be aware that there are significant risks in, e.g. putting data on flash drives or other media that can easily get lost. Also breaches of security have occurred through misuse of email (sending to the wrong person or inappropriate use of ‘reply to all’) and through sending to the wrong or an unattended fax machine (the ICO has published a sobering list of reasons for data breaches that have resulted in fines https://ico.org.uk/media/action-weve-taken/csvs/2553988/civil-monetary-penalties.csv) (last accessed 5th March 2019)
Care needs to be taken when producing outputs. Small numbers (e.g. 1 or 2) can be potentially disclosive in connection with other data. As a result care is required in the release of aggregate data e.g. by combining data cells or several periods of time to make the figures larger. Possible options for tables include:
- Changing table design (e.g. group/aggregate figures, reduce the level of detail, exclude variables, ensure each table is internally consistent - row and column totals do not allow disclosure by differencing, totals are consistent across tables describing the same groups)
- Cell suppression – primary, secondary and marginal totals NB rows and columns dominated by 0s
- Rounding
- Data perturbation e.g. Barnardisation[2] or targeted record swapping.
Be aware that small numbers may be deduced by differencing (from totals) and that zeros are also potentially disclosive. Users of sensitive data should be aware that there are some outside observers who could be deliberately checking for weaknesses in the data and the possible disclosure of an individual’s identity.
Some outputs require a risk assessment for data that is for public release, and NHS Digital has published its own guidance in this area which is helpful
https://digital.nhs.uk/binaries/content/assets/website-assets/publications/publications-admin-pages/related-documents/disclosure-control-procedure.pdf (last accessed 5th March 2019)
In 2006 the office for National Statistics undertook a review of the dissemination of health statistics and its report discusses the issues in some detail
(last accessed 5th March 2019)
Also be wary of ‘intermediate outputs’, i.e. working tables, often produced for checking the validity of the analyses before final publication. If these contain small numbers then there is a small chance of disclosing sensitive information. Those handling the data need to be aware of their duty in handling such data.
Finally, when data are to be published it is often useful to have the outputs Quality Assured, both for their accuracy and for the potential disclosure of personal details.
Other Useful Links
- NHS England
https://www.england.nhs.uk/ig/ (last accessed 5th March 2019) - Wikipedia
https://en.wikipedia.org/wiki/Information_governance (last accessed 5th March 2019) - Information Commissioner’s Office
https://ico.org.uk/ (last accessed 5th March 2019)