Assess privacy risk of data request

This page provides specific guidance on:

Seeking advice from the national Privacy Advisory Committee

In addressing any of the decisions outlined below you may seek the advice of colleagues with responsibility for information governance and ethical oversight within your own organisation.  However, for data requests mediated by SHIP involving national datasets you will also be able to seek the advice of the national Privacy Advisory Committee (PAC) if you have questions or concerns about providing access to data for a particular project.

Consent conditions

When deciding whether to provide access to patient data for secondary use in research, it is essential that you take into account the consent conditions which attach to these data in determining whether you as a data controller may lawfully do so.  However, this does not mean that you can never lawfully provide access to data for research purposes without explicit consent.

  • Some research does not require person identifiable data and can proceed with anonymised data. Consent is not required for the use of anonymised data as such data is not, legally speaking, ‘personal data.’  Please see the next station of this route map which explains the conditions, including anonymisation, that you may set for research uses of data.
  • Sometimes research cannot rely on anonymised data, and it is impractical or otherwise undesirable for fresh consent to be sought for research.  Nevertheless, consent is only one of several possible justifications for the processing of personal data under the Data Protection Act and is not always legally required (please see the guidance page on conditions for processing personal data for more information).  Under the SHIP model - provided that researchers have (i) justified why they need to use the data and the public interest in this; (ii) demonstrated why it is not practicable or productive to use anonymised data or to seek consent; and (iii) satisfied the conditions for processing data under the Data Protection Act - then the Privacy Advisory Committee (the authorising body to whom the SHIP Research Coordinator may refer the access request) may authorise the use of data without consent.
  • In exceptional circumstances it may be possible for fresh consent to be sought for the specific research purpose, though this will itself raise confidentiality issues.  The SHIP Research Coordinator will be able to help advise researchers on the best way to obtain new consent should this be deemed necessary and appropriate.

For further detailed information, please see the guidance page on autonomy and consent and the route map designed to support researchers in navigating consent issues.


Safe people

You will only receive a data access request via SHIP if the research applicant has SHIP Approved Researcher Status.  This means they will:

  1. Be associated with a bona fide research organisation.  SHIP maintains a register of approved organisations on which to base decisions.  The list of approved organisations can be found here.
  2. Either be an experienced researcher or, if they are a junior researcher, be working under the supervision of an experienced researcher from their own institution, for example, a principal investigator, their line manager or supervisor.
  3. Have successfully completed the SHIP distance learning module within the last two years.

In addition, for any particular project approved researchers will also need:

Safe data and safe environments

  • It is the responsibility of the researcher to demonstrate in their data access request the measures that they will take to protect the confidentiality of any data they are seeking to use or to generate in their research.  These measures may include:
    • proposals to receive only anonymised or pseudonymised data;
    • requests to access data through a SHIP safe haven rather than have it transferred directly to them;
    • or, if researchers do request that the data be directly transferred to them without using a safe haven, a description of the kinds of security measures for transferring, storing, archiving and disposal of the data they wish to access and the data generated by the research.
  • It is your responsibility as a data controller under the terms of the Data Protection Act to ensure that these measures are adequate to meet the requirements of the Data Protection Principles, wider legal and ethical requirements for optimal information governance as set out in this toolkit, and the information governance policies of your own organisation.
  • You are not alone in conducting this assessment of privacy risks.  Whether the researcher’s proposals to manage risks to patient confidentiality are sufficient will (alongside any conditions you yourself set) also form part of SHIP's assignation of a privacy risk category to a researcher’s data access request.  This in turn will determine whether the request is subject to further review by PAC and whether any additional conditions on data use are set.

The next station on this route map explains the kinds of conditions you may set to ensure that data for which you are responsible is accessed in a secure way and in safe environments, including requiring the use of a SHIP safe haven.


Balancing confidentiality and public interest

Scientifically sound and ethically robust research is in the interest of protecting the health of the public.

The common law of confidentiality, the Data Protection Act and the Human Rights Act all permit the balancing of privacy concerns against considerations of public interest – so you should avoid being disproportionately restrictive in setting conditions for access to data where the proposed research uses are lawful and bring recognised public benefits.

In the absence of any of three possible conditions - that patient consent exists for the proposed research use of the data, or that the data has been anonymised, or that there exists a particular obligation under the law (for example for the purposes of a criminal investigation) - any decision as to whether patient identifiable information can be disclosed must be made on a case by case basis and must be justified by being in the public interest. 

  • It is the researcher’s responsibility to make a case for the public interest in their proposed research. 
  • It is your responsibility to take public interest in secondary uses of patient data into account and to weigh this against potential risks to confidentiality when making a decision about whether to provide access to data for which you are responsible. 

In order to determine whether identifiable information may be disclosed without the consent of an individual, we must determine whether it serves the interests of the public to disclose or not to disclose. This determination involves the balancing of two public interests: the public interest in maintaining confidentiality and the public interest in disclosing information to further medical research.

The decision as to what is in the public interest must be made on a case by case basis, by taking into consideration the specific qualities and risks of the proposed research project. As such, it is not possible to provide definitive guidance on which way the balance should be struck. However, generally you must consider:

  • The nature and sensitivity of the information to be disclosed;
  • The use to be made of the information;
  • The context in which the information was generated;
  • The reasonable expectations of the individual whose information it is;
  • Any harm which could be caused to the individual or others;
  • The purpose of the request for information;
  • The number of people to have access to the information;
  • The confidentiality and security arrangements in place to protect the information from further disclosure;
  • The advice of a Caldicott Guardian or similar expert advisor who is not directly connected with the use for which the disclosure is being considered;
  • The advice of a Research Ethics Committee;
  • The advice of the Privacy Advisory Committee;
  • The potential for harm or distress to patients;
  • The importance of the information to be obtained from the research output.

If, after considering these factors, it is decided that the information should be disclosed, you as data custodian must only agree to disclose the minimum of information necessary to achieve the objective of the research project.

You are not alone in conducting this balancing exercise.  Whether the appropriate balance has been struck will also form part of SHIP's assignation of a privacy risk category to a researcher’s data access request.  This in turn will determine whether the request is subject to further review by PAC and whether any additional conditions are set.

Please see the guidance page on public interest for further information.
