In August, the Nuffield Trust was awarded ISO/IEC 27001:2013 registration, recognising that our information systems reach an internationally recognised benchmark of data protection and security. This was the result of two years' work by a number of people in the organisation (not me I hasten to add), who rightly deserve to be congratulated for their hard work and achievement. But what do all those numbers and letters actually mean?
Part of our work at the Nuffield Trust involves exploring patterns of hospital use and outcomes for people in order to evaluate NHS care and understand differences between local areas and groups of patients. The data we use is pseudonymised (records include age rather than date of birth, for example). The nature of this type of data means there is very little chance of being able to identify specific individuals, but to minimise any risks involved we have to demonstrate we have appropriate security systems in place to use such data. This is where ISO registration comes in.
Here I will unpick what data security means for us as a research organisation, and what it might mean for people who may have concerns about how their personal data is used.
Why do people worry about data sharing?
Use of personal data is a highly contentious area. There are well-publicised concerns surrounding data sharing with private companies as part of the (now closed) care.data programme, and whether people who opt out of data sharing are having their requests followed through. This has led to increased scrutiny of how people give consent (or not) to their data being used, whether this is adhered to, and the ways in which personal data is used. For instance, while people may not object to their information being shared to facilitate joined-up care when receiving hospital treatment, they may not want the same data to be made available to private companies.
Burgeoning use of data sharing in the private sector – like the recent furore around WhatsApp sharing users’ personal data with Facebook for marketing purposes – has made people more conscious about their personal information and there is now a spotlight on practices in this area. As a research organisation we do not use individual data for marketing purposes, but instances like the WhatsApp case have had a clear impact on people’s awareness of what happens to their own data.
In response to the concerns regarding data sharing in the NHS, the Department of Health commissioned a review of data security and a review of data sharing and consent. These made a number of recommendations, such as how patients should be able to consent and opt out of data sharing. We are now at the stage of seeing how these recommendations will be taken forward.
What do tightening data security standards mean for researchers?
Researchers face stringent barriers to accessing data, and there is continued uncertainty as to how these requirements will change in the future. Despite this, researchers have a responsibility to use existing data wherever possible to answer research questions rather than duplicate work that already exists. This is particularly important if routinely collected data can be used, as it removes the burden on participants.
As a research organisation, we have to demonstrate we meet general security guidelines as part of the process of accessing data. Data security is an area of growing concern, as data breaches have affected a number of public and private organisations, caused by hackers as well as by poor internal security processes. Although there are common principles governing what security standards research organisations should be expected to demonstrate, there is as yet no universally accepted standard.
ISO/IEC 27001:2013 is comprehensive, covering all aspects of how an organisation manages information security. As for how meeting this standard affects our ability to access data, it provides external recognition of our commitment to good working practices in this area, which one would hope makes data access more straightforward.
Ultimately, in the current research climate it is vital that data security and data protection are a key part of research ethos so that research participants and the public feel able to trust researchers.
Our commitment to data security
Very few of the people who are the ‘subjects’ of research will know what ISO registration is, but increasing consciousness of how personal data is used means that people do care about data security.
In practice, obtaining ISO/IEC 27001 registration is beyond the scope of many research organisations and therefore we are fortunate to be able to reach this standard (the National Data Guardian for Health and Care review acknowledges the IT capabilities required and the time taken to receive accreditation as a limiting factor).
We therefore need to make it clear what we do to protect personal data, but also why.
Access to data has allowed us to understand the impact of volunteer services in hospitals on outcomes for older people, and to discover inequalities in the way people with mental ill health use hospital services, to name just two examples. Data sharing has untapped potential to benefit the common good through research, but this requires people to feel confident about participating.
It is therefore up to us to state the case for how our data security standards minimise risk to participants as part of the research process.