The legal basis: ethics, controls and building trust
- Posted:
- Written by:
- Categories:
This article is part of a series: The Past, Present and Future of OpenSAFELY
- The past, present and future of OpenSAFELY: Introduction
- How OpenSAFELY works
- Co-pilots give newcomers a helping hand
- Standard tools for data preparation, and federated analytics
- Output checking helps to keep private data safe
- The legal basis: ethics, controls and building trust
- Earning and maintaining trust: PPIE and more
Information governance (IG) is the term given to a set of rules about how researchers access patient data. They exist to help us maintain the highest standards of patient privacy, whilst still adhering to the necessary legal frameworks and best-practice ethical principles. IG is a vital component of OpenSAFELY – without those rules, and a system for maintaining and checking that they’re adhered to, OpenSAFELY simply couldn’t function. It would no longer be considered ‘safe.’
The governance of OpenSAFELY is a complex and, above all, collaborative process. NHS England is the Data Controller for the service as a whole. The GP practices themselves remain the Data Controller for the raw GP data that the OpenSAFELY tools operate on.
Day-to-day, our IG team supports researchers from one end of the process to the other – from applying to use OpenSAFELY, to publishing a paper. We help to make sure that researchers are properly trained; have the correct permissions to access data; and are given access to the relevant policies. We also check that every project using the rules for COVID-19 data access meets the relevant criteria.
We work across the whole platform to ensure that all relevant permissions are in place. This entails close work with NHS England and other external bodies such as the Health Research Authority (HRA), ONS and the Department of Health and Social Care (DHSC).
We help to identify the legal basis (under UK GDPR and Common Law) for processing patient data, supporting NHS England to complete all the necessary documentation, including the Data Protection Impact Assessment (DPIA); Data Processing Agreements (DPAs) with EMIS and TPP; Data Sharing Agreements (DSAs) with data providers; and the Data Provision Notice to GP practices explaining the legal obligation they are under to share patient data to OpenSAFELY. Yes, there are a lot of important forms.
We work with colleagues across the Bennett Institute – for example, with OpenSAFELY co-pilots – to explain the controls and checks applied to OpenSAFELY applications. And with developers, to check that everyone’s clear about agreements with external data providers regarding access to specific datasets, and help develop new OpenSAFELY features for auditing and monitoring data access and processing activities.
A lot of our time is spent talking to GPs, patients and the public, policymakers and other groups, to learn about their concerns, and to collaboratively develop solutions that will manage their concerns around data access and maintain support for OpenSAFELY across the wider community.
Lastly, we work closely with the BMA, the RCGP, NHS England and privacy campaigners (such as medConfidential) to provide OpenSAFELY with the legal basis and wider stakeholder support to expand analyses beyond COVID-19, that will bring benefits to patients, clinicians and the wider NHS across all of human health.
The clue is in the name when we’re talking about “information governance”. We’re here to help govern access to data, because the rules exist for good reasons. Someone has to check that the rules make sense, that they are workable, and that everyone’s sticking to them. That’s our job.