It is essential that patient data is kept safe and secure, to protect their confidential information; how can you ensure this is implemented in your practice?
CREDIT: This is an edited version of an article that originally appeared on Understanding Patient Data
There are four ways that patient privacy is shielded:
- by removing identifying information;
- using an independent review process;
- ensuring strict legal contracts are in place before data is transferred;
- implementing robust data security standards.
Remove identifying information
The best way to protect someone’s information is to remove details that identify the person and take further steps to ‘anonymise’ it. Anyone wanting to use patient data will only be given the minimum amount necessary to answer a question.
However, what if it isn’t possible to anonymise the data? If this is not possible, there are strict controls on how personally identifiable data can be used and stored. It can only be used if the patient gives permission, or where required by law – and then only with robust safeguards in place.
An independent review process
Any request to use patient data should be assessed by an independent review committee, which will check that the reason for using the data is appropriate. Review committees check that organisations that look after patient data have a clear review process to ensure data is only used appropriately. There are three things that will be checked:
- WHY is the data needed.
- WHO is accessing the data.
- HOW the data will be protected.
What other checks are there?
- Research applications will usually be reviewed by an expert independent scientific committee.
- There are extra controls to access personally identifiable information where it is not possible to ask consent; these requests are reviewed by the Confidentiality Advisory Group.
Strict legal contracts
A legal contract must be signed before data can be transferred or accessed; this sets out strict rules about what an organisation can do with the data and has clear restrictions on what is not allowed.
What does a data sharing contract include?
- what data will be provided, and how;
- the purpose for which the data can be used;
- when and how data must be destroyed after use;
- the data security requirements that must be followed.
What an organisation must not do with the data:
- data cannot be used in any way to re-identify an individual;
- data cannot be linked with any other data, unless explicitly approved in the application;
- data cannot be passed to any third parties, unless explicitly approved in the application;
- the organisation can be audited to check data is being used appropriately.
Robust data security standards
Data must be stored securely, with controlled access and robust IT systems to keep data safe. How is data protected?
- Technology can be used to protect data – for example, by restricting access (using passwords or swipe cards to control access to data) or using encryption so the data can only be read with a code.
- IT systems must be kept up-to-date to protect against viruses and hacking.
- Anyone accessing data must have appropriate training and be approved by the organisation.
- There must be an audit trail that records every time that personally identifiable data is viewed or used.
- NHS Digital provides a toolkit to help organisations assess their performance against the National Data Guardian’s ten data security standards.
Be the first to comment