SAIL Databank does not receive or handle identifiable data. We make anonymised data available for genuine research purposes only where there is a potential for benefit.
Commonly recognised identifying details are removed before datasets come to SAIL Databank and once anonymised they cannot be reconstructed. Because SAIL holds only anonymised data, researchers carry out their work without knowing the identities of the individuals represented in the data.
Datasets are split into:
The demographic component is transported to our Trusted Third Party (TTP), NHS Wales Informatics Service (NWIS), whilst the clinical component goes to SAIL Databank using a web based secure file upload and switching service.
The TTP anonymise and encrypt the demographic data which is then subjected to quality assurance to ensure content anonymity. Each individual record is assigned an Anonymous Linking Field (ALF) or a Residential Anonymous Linking Field (RALF) for places of residence.
These anonymised demographic elements of the datasets are then sent to SAIL Databank ready to be loaded. They contain only the ALF, week of birth, gender code and area of residence (Lower Super Output Area of approximately 1500 head of population). They are then recombined with the clinical/event component of the dataset making them ready for linkage to other datasets for use.
As an added layer of security and in addition to the standard anonymization process, SAIL Databank carries out further encryption of the ALF to form an ALF-E before loading. Linkage across datasets is conducted using the ALF-E.
For instances where only a small number of individuals are being studied such as in the case of a rare disease, then the data is aggregated ready for statistical analysis to avoid any possibility of identification.
Once a project is completed all datasets are archived.
The Information Governance Review Panel (IGRP) provides independent guidance and advice on Information Governance policies, procedures and processes for SAIL Databank. The Panel reviews all proposals to use SAIL Databank to ensure that they are appropriate and in the public interest, and it comprises representatives from various organisations and sectors including:
All access to SAIL Databank is monitored closely and before any data can be accessed, approval must be given by the independent IGRP.
The IGRP gives careful consideration to each project to ensure the proper and appropriate use of SAIL Databank data. When access has been granted, the requested data can be viewed using the SAIL Gateway, a privacy-protecting safe haven and remote access system.
This means that research can be carried out in a secure and protected environment and it safeguards the data from external linkage (jigsaw) attacks that may risk individual privacy. SAIL’s unique remote access system provides time-limited access to the datasets and is subject to researcher verification, a data access agreement, and physical and procedural controls.
SAIL Gateway has a number of levels of security that ensure its safe and effective operation
When presenting the linked data views to researchers for analysis via the SAIL Gateway we employ a variety of measures that help maximise utility whilst minimising any risk of disclosure. These include:
Once a researcher has completed their analysis they are only able to remove their results from the SAIL Gateway following scrutiny by a SAIL Data Guardian. The SAIL Data Guardian assesses the proposed outputs to ensure that any risk of disclosure has been mitigated. Once scrutinised and satisfied, the results can then be released to the researcher.
SAIL Databank remains compliant with complex and evolving legislative and regulatory frameworks giving researchers complete confidence to focus purely on the research.
ISO 27001 is an internationally recognised best practice standard for an information Security Management System (ISMS). An ISMS is a framework of policies and procedures that include all legal, physical and technical controls that an organisation has in place to secure information / data throughout its lifetime.
The SAIL Programme has implemented an ISO 27001 Information Security Management System (ISMS), which was externally certified by independent industry assessors in December 2015.
An externally certified ISO 27001 ISMS demonstrates an organisations commitment to both securing data and the continuous improvement of its information security management system and associated controls. This commitment helps develop and maintain trust with our various data providers, and gives reassurance to researchers and the general public alike.