NHS Lothian Information Governance and IT Security
In accordance with the Data Protection Act and guidance from the Information Commissioner's Office (ICO), the Medicines and Healthcare products Regulatory Agency (MHRA) and the Health Research Authority (HRA), the Sponsor is the data controller for a research study (see the HRA GDPR guidance).
Where NHS Lothian is processing data for a research study, e.g. one that is locally sponsored or hosted, the organisation must be assured that processes are in place to ensure all aspects of the data protection legislation are complied with. These internal processes are documented in an NHS Lothian R&D generic Data Protection Impact Assessment (DPIA).
Additional information on data protection for research studies can be found here.
Data Protection Impact Assessment
A new DPIA is not mandatory for each individual research study.
ACCORD will determine whether the design of a study, and how personal identifiable data is processed, complies with the local policies and procedures detailed in the NHS Lothian R&D generic DPIA.
Where compliance in all these areas is confirmed, the generic DPIA will apply.
If ACCORD determines that the study doesn’t comply with the generic DPIA, the study team and/or Sponsor will be directed to NHS Lothian Information Governance to seek further advice.
Under these circumstances, NHS Lothian Information Governance will determine whether a study specific DPIA is required, e.g. where the processing of personal data is considered high risk in terms of the data being processed, where the data is being stored, who has access to it and for how long.
If a study specific DPIA is required, we will request, and can accept, an external Sponsor's DPIA. Alternatively, we can assist the local research team and/or external Sponsor to complete the NHS Lothian DPIA form.
IT Security Risk Assessment
In accordance with Scottish Government guidance and the NHS Lothian Digital and IT Security policy, NHS Lothian is responsible for ensuring that all IT assets and personal identifiable data under its control are managed with due care and diligence.
When reviewing a research study prior to issuing R&D permission, scrutiny of the IT systems/software or other methods used to process NHS Lothian personal data is required, e.g. where personal data is being transferred to a non-NHS organisation or a web-based system is being used to capture personal data.
This decision is made by ACCORD when reviewing study documents, and in consultation with NHS Lothian Information Governance & IT Security, where required (see ACCORD SOP GS008 Patient Identifiable Information: Caldicott Approval and Information Governance Review). How this decision is made is summarised in the flow diagram on page 2 of this document.
Where further scrutiny is required, the local research team or external organisation will be asked to complete an NHS Lothian IT Security checklist. This provides the NHS Lothian Information Governance/IT Security team with more detailed information on the system/software, i.e. information that is not already available in the study documents.
The checklist will be provided by the R&D Information Security Project Manager, who will also support completion of the checklist if required.
The completed checklist is then used to inform an IT Security risk assessment, identifying levels of risk associated with the system/software to be used.
Once the risk assessment is complete, NHS Lothian IT Security will approve the system/software for use and/or provide details of the requirements that must be met. The research team and/or Sponsor must provide assurance that these requirements will be met before NHS Lothian R&D Management Approval is issued for a study.
This process is detailed in the Information Governance Approval Process for Research & Development (link provided below), and in ACCORD SOP GS008.
Additional NHS Lothian Information Governance policies, procedures and guidance documents are provided below.