In order to comply with the consent that 100,000 Genomes Project participants have given, it is of paramount importance that users of the Research Environment take the security of the platform and its data very seriously. Genomics England will not tolerate users abusing their access, breaching any safeguards put in place, or otherwise endangering the security of confidential participant data.
Genomics England can ban the institution and all their researchers from accessing the Research Environment if a user deliberately breaches the security of the system. Any deliberate attempt by a researcher to reveal the identity of a 100,000 Genomes Project participant is a breach of the Data Protection Act, and could result in a criminal charge or heavy fine.
Having completed Information Governance training prior to getting access to the research dataset, you should remember that:
The following is taken from the Genomics England IG Confidentiality and Data Protection Policy, which can be found in the Library and Resources section of the website.
The Data Protection Act 1998 (The Act) came into force in March 2000. The Act sets out standards which must be satisfied when processing data relating to living individuals. Processing includes recording, obtaining, holding, using, generating derived data, analysing, disclosing and destroying personal data. The Act covers information on any media stored on computers and also within manual records.
Under the Act an individual has a right to see personal information held about them. This is normally referred to as a Subject Access Request (SAR).
The Act regulates the use of two types of data, “personal data” and “sensitive personal data”. The definitions of those under the Act are as follows:
Where staff, whether permanent, temporary or contractors, are processing personal data, they are responsible for ensuring that the 8 principles of this Act are adhered to. These are as follows:
Appropriate care must be taken to protect personal data or sensitive personal data when it is transferred in whatever format. The Data Protection Act 1998 (DPA) requires that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The British Standard for Information Security (BS7799) and the International Organization for Standardization Information Security standard ISO27001 also require that appropriate controls are in place to maintain the security of information exchanged with external organisations, requiring procedures and standards to be established to protect information in transit.
These procedures must be applied at all times whenever personal data or sensitive personal data is transferred, either within Genomics England or externally. Methods of transfer refer to the transfer of information via any form; examples include:
A duty of confidence arises when sensitive information is obtained and/or recorded in circumstances where it is reasonable for the subject of the information to expect that the information will be held in confidence. For information to have a quality of confidence it is generally accepted that:
However, the right to confidentiality is a qualified right. This means that Genomics England is able to override a duty of confidence when it is required by law, or if it is in the public interest to do so.
The original Caldicott Report on the Review of Patient Identifiable Information was published in 1997. It found that the issues of patient confidentiality and the security measures in place across the NHS lacked national consistency. As a result of the Caldicott Review, seven key principles have been provided as a guide for the NHS.
Genomics England is a company wholly owned by the Department of Health and as such is bound by the Caldicott Principles.
The Caldicott Principles are:
For further information and to review the Caldicott Report see: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf