Protecting Individual’s Identities
SAIL Databank does not receive or handle identifiable data. We make anonymised data available for genuine research purposes only where there is a potential for benefit.
Commonly recognised identifying details are removed before datasets come to SAIL Databank and once anonymised they cannot be reconstructed. Because SAIL holds only anonymised data, researchers carry out their work without knowing the identities of the individuals represented in the data.
The Anonymisation Process
1
Stage 1
Splitting the Datasets
Datasets are split into:
- a demographic component (comprising commonly-recognised identifiers), and
- a clinical or event component (such as medication records and procedures).
The demographic component is transported to our Trusted Third Party (TTP), NHS Wales Informatics Service (NWIS), whilst the clinical component goes to SAIL Databank using a web based secure file upload and switching service.
2
Stage 2
Anonymisation and Encryption
The TTP anonymise and encrypt the demographic data which is then subjected to quality assurance to ensure content anonymity. Each individual record is assigned an Anonymous Linking Field (ALF) or a Residential Anonymous Linking Field (RALF) for places of residence.
3
Stage 3
Re-Combining the Datasets
These anonymised demographic elements of the datasets are then sent to SAIL Databank ready to be loaded. They contain only the ALF, week of birth, gender code and area of residence (Lower Super Output Area of approximately 1500 head of population). They are then recombined with the clinical/event component of the dataset making them ready for linkage to other datasets for use.
4
Stage 4
Additional Safeguards
As an added layer of security and in addition to the standard anonymization process, SAIL Databank carries out further encryption of the ALF to form an ALF-E before loading. Linkage across datasets is conducted using the ALF-E.
For instances where only a small number of individuals are being studied such as in the case of a rare disease, then the data is aggregated ready for statistical analysis to avoid any possibility of identification.
Once a project is completed all datasets are archived.
How We Secure Data Access
Information Governance Review Panel (IGRP)
The Information Governance Review Panel (IGRP) provides independent guidance and advice on Information Governance policies, procedures and processes for SAIL Databank. The Panel reviews all proposals to use SAIL Databank to ensure that they are appropriate and in the public interest, and it comprises representatives from various organisations and sectors including:
- British Medical Association (BMA) Cymru Wales
- The Welsh Government
- Public Health Wales
- National Research Ethics Service
- NHS Wales Information Service
- Abertawe Bro Morgannwg University Health Board
- The public
All access to SAIL Databank is monitored closely and before any data can be accessed, approval must be given by the independent IGRP.
The SAIL Gateway – Secure Remote Access
The IGRP gives careful consideration to each project to ensure the proper and appropriate use of SAIL Databank data. When access has been granted, the requested data can be viewed using the SAIL Gateway, a privacy-protecting safe haven and remote access system.
This means that research can be carried out in a secure and protected environment and it safeguards the data from external linkage (jigsaw) attacks that may risk individual privacy. SAIL’s unique remote access system provides time-limited access to the datasets and is subject to researcher verification, a data access agreement, and physical and procedural controls.
SAIL Gateway has a number of levels of security that ensure its safe and effective operation
- fire-walled Virtual Private Network (VPN)
- enhanced user authentication
- auditing of all SQL commands
- configuration controls to ensure that data cannot be removed or transferred unless authorised.
When presenting the linked data views to researchers for analysis via the SAIL Gateway we employ a variety of measures that help maximise utility whilst minimising any risk of disclosure. These include:
- masking of practitioner codes
- aggregation and suppression
- limiting the numbers of variables provided
- project-specific encryption of the ALF-E to prevent cross-linkage where data users are involved in multiple projects.
Using the Results Following Analysis
Once a researcher has completed their analysis they are only able to remove their results from the SAIL Gateway following scrutiny by a SAIL Data Guardian. The SAIL Data Guardian assesses the proposed outputs to ensure that any risk of disclosure has been mitigated. Once scrutinised and satisfied, the results can then be released to the researcher.
ISO27001 Certification
SAIL Databank remains compliant with complex and evolving legislative and regulatory frameworks giving researchers complete confidence to focus purely on the research.
ISO 27001 is an internationally recognised best practice standard for an information Security Management System (ISMS). An ISMS is a framework of policies and procedures that include all legal, physical and technical controls that an organisation has in place to secure information / data throughout its lifetime.
The SAIL Programme has implemented an ISO 27001 Information Security Management System (ISMS), which was externally certified by independent industry assessors in December 2015.
An externally certified ISO 27001 ISMS demonstrates an organisations commitment to both securing data and the continuous improvement of its information security management system and associated controls. This commitment helps develop and maintain trust with our various data providers, and gives reassurance to researchers and the general public alike.
