Data security and you
In order to comply with the consent that 100,000 Genomes Project participants have given, it is of paramount importance that you take the security of the platform and its data very seriously. Genomics England will not tolerate you abusing your access, breaching any safeguards put in place, or otherwise endangering the security of confidential participant data.
Genomics England can ban the institution and all their researchers from accessing the Research Environment if a user deliberately breaches the security of the system. Any deliberate attempt by a researcher to reveal the identity of a 100,000 Genomes Project participant is a breach of the Data Protection Act, and could result in a criminal charge or heavy fine.
Your Security Obligations
Having completed Information Governance training prior to getting access to the research dataset you should remember that:
- You must not share your login details with others;
- Only carry out research on the research dataset - clinicians with access to the identifiable clinical data should join the Research Network to carry out research;
- Do not 'screenshot' the Research Environment or otherwise shortcut the Airlock;
- Prepare any material for airlock import or export with consideration of its impact on data security (see the guidelines in the airlock section of this site);
- Do not carry out any activity on 100,000 Genomes Project research data that may reveal any participant's identity;
- Inform Genomics England Service Desk immediately if you:
  - observe other users endangering the security of the environment or dataset;
  - fear you have breached the security of the environment or dataset;
  - think your login details have been compromised.
The following is taken from the Genomics England IG Confidentiality and Data Protection Policy which can be found in the Library and Resources section of the website.
The Data Protection Act 2018 (The Act) and the General Data Protection Regulation (GDPR) came into force in May 2018. Together, this data protection legislation sets out standards which must be satisfied when processing data relating to living individuals. Processing includes collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data. The legislation covers information on any medium, whether stored on computers or held in manual records.
Under this legislation an individual has a right to see personal information held about them. This is normally referred to as a Subject Access Request (SAR).
The legislation regulates the use of two types of data, “personal data” and “special category personal data”. The definitions of these are as follows:
- Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special category personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Staff who process personal data, whether permanent, temporary or contractors, are responsible for ensuring that the data protection principles are adhered to. These are as follows:
- Personal data shall be processed in a lawful, fair and transparent manner in relation to the data subject (lawfulness, fairness and transparency).
- Personal data shall be obtained for one or more specified, explicit, legitimate and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes (purpose limitation).
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed (data minimisation).
- Personal data shall be accurate and, where necessary, kept up-to-date (accuracy).
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes (storage limitation).
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (integrity and confidentiality).
Appropriate care must be taken to protect personal data or special category personal data when it is transferred in whatever format.
The British Standard for Information Security (BS7799) and the International Organization for Standardization information security standard ISO 27001 also require that appropriate controls are in place to maintain the security of information exchanged with external organisations, and that procedures and standards are established to protect information in transit.
These procedures must be applied at all times whenever personal data or special category personal data is transferred, either within Genomics England or externally. Transfer means the movement of information in any form; examples include:
- Electronic file transfer
- CD or DVD
- USB Memory Sticks
- By Post / Fax
Duty of confidence
A duty of confidence arises when sensitive information is obtained and/or recorded in circumstances where it is reasonable for the subject of the information to expect that the information will be held in confidence. For information to have a quality of confidence it is generally accepted that:
- it is not “trivial” in its nature;
- it is not in the public domain or easily available from another source;
- it has a degree of sensitivity; and
- it has been communicated for a limited purpose and in circumstances where the individual or organisation is likely to assume an obligation of confidence. For example, information shared between a solicitor and client or health practitioner and patient.
This means, in practice, that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of a professional, must not normally be disclosed without the consent of the patient.
However, the right to confidentiality is a qualified right. This means that Genomics England is able to override a duty of confidence when it is required by law, or if it is in the public interest to do so.
The Caldicott Report
The original Caldicott Report on the Review of Patient Identifiable Information was published in 1997. It found that patient confidentiality and the security measures in place across the NHS lacked national consistency. As a result of the Caldicott Review, seven key principles were provided as a guide for the NHS.
Genomics England is a company wholly owned by the Department of Health and as such is bound by the Caldicott Principles.
The Caldicott Principles are:
- Justify the purpose(s) for using confidential information.
- Don't use personal confidential data unless it is absolutely necessary.
- Use the minimum necessary personal confidential data.
- Access to personal confidential data should be on a strict need-to-know basis.
- Everyone with access to personal confidential data should be aware of their responsibilities.
- Comply with the law.
- The duty to share information can be as important as the duty to protect patient confidentiality.
For further information and to review the Caldicott Report see: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf