Data standards & regulatory compliance
At NorthWest EHealth, data protection and privacy are critical to our business and a top priority for our organization.
We value the confidence of those who have entrusted us with their data and have robust procedures and practices to regularly review and monitor the use of personal information to ensure that our data processing practices comply with internationally recognized standards of personal data protection.
GDPR at NorthWest EHealth
As of May 25, 2018, new data protection rules in the European Union (EU) known as the General Data Protection Regulation (GDPR) are in effect. Focused on data privacy, GDPR is the new EU legal framework for the protection of personal data. It includes several key changes to existing EU data protection law, including data breach notification, accountability and enhanced individual rights.
NorthWest EHealth takes data protection very seriously and our quality management team are focused on ensuring that our systems, processes, and policies comply with GDPR’s requirements. We’ve undertaken extensive preparations for this, building on our existing practices and controls.
Data standards are the rules by which data are collected, described, categorised and presented in a common format.
Data is extracted into our Data Platform from multiple heterogeneous sources and must be transformed into standard formats for analysis, exchange and archiving.
Our standards include: CDISC (SDTM, ODM) and SNOMED CT.
How we protect data
In-built technical and operational safeguards:
- Stringent system level security policies
- Good clinical practice (GCP) standards
- Regulatory compliance
- Reviewed by the National Information Governance Board
- Certified against the ISO 9001 & 27001 Standards
- ISO 27001
- ISO 9001
- Quality and Information Security Management Policy
- QISMS Manual
How we collect, store and use healthcare data
Data is extracted into our ConneXon Data Platform from multiple varied sources and must be transformed into standard formats for analysis, exchange and archiving.
SNOMED CT (Systematised Nomenclature of Medicine Clinical Terms) is a standard vocabulary of clinical terminology used for electronic exchange of health data. NorthWest EHealth map all coded data to SNOMED CT codes for improved data analytics and exchange.
CDISC (Clinical Data Interchange Standards Consortium) Operational Data Model (ODM) is a vendor-neutral, platform-independent format for exchanging, auditing and archiving clinical study data.
Consented data collected by NorthWest EHealth during clinical trials using its configurable Electronic Case Report Form application conforms to the ODM standard (v1.3.2).
CDISC Study Data Tabulation Model (SDTM) is a standard for organising and formatting data for analysis and reporting. It is one of the required standards specified in the FDA’s Data Standards Catalogue (section II.C) for new drug applications (NDAs). We transform coded and collected data into SDTM standard domains for electronic regulatory submissions.
Depending on the nature of the study, consented patients' data may be extracted from GP practices by either: the local NHS data host; the GP System Supplier (e.g. EMIS); or Wellbeing Software (formerly Apollo Medical Systems Ltd). This data is transmitted over a secure network using high-grade encryption. The study may require this data to be linked, by NHS number, to national data sets provided by NHS Digital. All transmissions of identifiable data between NWEH and NHS Digital will be over a network that is compliant with NHS Digital's security policies.
Consented patient data is processed according to the relevant legal basis as defined in the General Data Protection Regulation (GDPR) and following the Health Research Authority (HRA) guidelines. The legal basis may vary depending on the nature of the study, but will typically be either:
- GDPR Article 6(1)(a) 'the data subject has given consent to the processing of his or her personal data for one or more specific purposes' or
- GDPR Article 6(1)(f) 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child'
FARSITE and the Data Protection Act (DPA) 2018
There are 6 principles of the DPA that we adhere to:
1. Data processing must be lawful and fair.
The processing of personal data in an anonymised format for research purposes is lawful under the Data Protection Act 2018, according to Schedule 11 and specific processing situations Part 2, Chapter 2, Section 19: “processing for archiving, research and statistical purposes: safeguards”.
2. Personal data must be processed in a manner which matches the reason for its collection.
FARSITE enables GPs to fulfil their responsibilities to offer patients an opportunity to engage in research, whilst preserving patient confidentiality. The GP responsibility is specified in Section 3a of the NHS Constitution and matches the criteria specified there. “The NHS commits to inform you of research studies in which you may be eligible to participate.” This pledge aims to give people better access to the potential benefits of participating in research studies including clinical trials. Information that identifies you will not be given to researchers unless you have given your consent or the research has been given approval under the Health Service (Control of Patient Information) Regulations 2002. FARSITE is used by researchers to locate potential research study cohorts on behalf of academic and commercial organisations. The processing of patient data in FARSITE is dependent on an explicit data sharing agreement between the Data Processors (NWEH, Salford Royal Foundation Trust) and the Data Controller for that patient data (the patient’s GP).
3. Personal data processed must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
FARSITE allows GPs to minimise the processing of Patient Identifiable Information (PII) by presenting patient information and population characteristics to researchers in an anonymised format, preserving patients' rights under the Data Protection Act 2018 to have their personal information safeguarded whilst being processed. Participating surgeries display fair processing notices to enable patients to opt out of their data being shared for processing in FARSITE.
4. Personal data processed must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
The data contained within FARSITE is refreshed regularly and extracted from the source data retained by the GP; the data is therefore accurate, and any changes or updates made to the data are reflected in the system.
5. Personal data processed must be kept for no longer than is necessary for the purpose for which it is processed. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data.
The data refresh allows the GPs to control whose data appears in the extract; if people wish to withdraw from research, their data will not be processed. GP surgeries can opt out of sharing their data with the FARSITE system at any point in time. Out-of-date information is removed from the system; it is not retained.
6. Personal data processed must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
NWEH operates within the strict IG controls of the NHS N3 network and ISO 27001 requirements. The system demonstrates a high level of Information Security compliance in line with NWEH’s ISO 27001 certification.
FARSITE has been designed to ensure minimal access to personal data; the architecture of the system ensures that only a handful of NWEH and SRFT technical staff have access to personal identifiable information (PII). This access is granted by exception only, and logged. Researchers never have visibility of PII; this remains in the control of the Data Controller (GP) at all times. NWEH, SRFT and the Data Suppliers (EMIS and Apollo) have in place Data Processing Contracts and Agreements which clearly detail responsibilities to maintain Information Security of the data processed within FARSITE.
Our Quality and Information Security Management System is certified against the ISO 9001 and 27001 standards. We are fully committed to ensuring data confidentiality, integrity and availability and our Master Data Management System incorporates the best of both national and international standards for data collection and presentation.
John McCrae - Chief Technology Officer - NorthWest EHealth