HICCPAC: Health Informatics Centre Confidentiality and Privacy Advisory Committee
Dr David Jolliffe
The remit for this committee is that it is advisory and independent of the
management structure of MEMO or the Health Informatics Centre. Accountability
for confidentiality and security rests with the Health Informatics Centre,
not with its Confidentiality and Security Advisory Committee.
- To advise HIC on issues of data protection, privacy and ethics relevant to the work of the Unit.
- To review current procedures for data collection, transmission and use to ensure
that the best possible standards of data protection, privacy and ethical practice
are being met. In particular, to examine the requirements for implementation of
the Data Protection Act in Scotland.
- To review Standard Operating Procedures for data processing and the results of
audits of compliance with SOPs.
- To provide advice on key external issues, for example a circumstance under which
explicit consent is not needed for the processing of personal data or the implications
of the Freedom of Information Act.
- To provide advice to the HIC Management Committee or the HIC Stakeholder Group, if
relevant to do so, on matters that may affect the work and development of HIC. This may
include proposed research projects being developed from within HIC or requests for
research from outside sources. Members of the Advisory Board should be free to initiate
any discussions with staff or the HIC Management Committee or the HIC NHS Stakeholder
Group if they consider it appropriate to do so.
HICCPAC meets as often as is necessary to carry out its remit but at least twice per year.
Meetings are open to HIC staff. NHS and University Caldicott Guardians and NHS Tayside's
Data Protection Officers are invited to attend each meeting and receive copies of the minutes.
HICCPAC was established in June 2003 to extend the role of an Advisory Board established by
MEMO in December 1999. Membership of the original Advisory Board was also extended to include
an advisor on consumer and patient issues (Wendy Nganasurian) in HICCPAC.
The MEMO Advisory Board was also chaired by Elizabeth Russell, who was then Chair of the Chief
Medical Officer's Privacy Advisory Committee. Professor Russell was a member of the
Confidentiality and Security Advisory Group in Scotland, chaired by Angela Macpherson
and established in September 2000.
The other members of the MEMO Advisory Board were David Gordon (Public Health, Forth Valley
Health Board), David Jolliffe (GP, Edinburgh) and Ian Willock (Legal Adviser, Dundee).
- A list of key questions on confidentiality and security was developed. This was applied first to
all sources of data in MEMO and was then extended to other groups joining the Health Informatics
Centre (e.g. the Dental Health Services Research Unit). In addition the key questions are reviewed
during the annual audit of compliance with SOPs.
- Development of data flow charts.
- Development of SOPs for data handling and research.
- Appointment of a University Caldicott Guardian (in 2002) with responsibility for ensuring that
University staff are compliant with the recommendations of the Caldicott Report and the Data
Protection Act. The current University Caldicott Guardian is Professor David Rowley.
- Establishment of annual external audits of compliance with SOPs and key questions.
Key Questions on Confidentiality and Privacy for the Health Informatics Centre
Responses to these questions are updated annually and reviewed as part of HIC's annual external audit.
- Initial consent to use of personal data for secondary purposes:
- What are the sources of personal data used by the organisation?
- Do you have a record of the consent given you to use the data?
- Do you have a record of the process and content of the primary consent obtained
for the holding and use of the data that are passed on to you (or any primary
personal data that you collect)?
- Do you satisfy yourself that this primary process is compliant with current standards?
- Can your data suppliers satisfy themselves that you are conforming to their
expectations and current standards? And that you are not using the data for new
purposes that require further consent? And that the consent still applies?
- If no consent was obtained, does the secondary use of the data comply with the
Data Protection Act, Caldicott guidance, and the CSAGS categories?
- Is the use of personally identifiable data kept to the minimum necessary to
yield the information that is sought?
- Is the record open to inspection?
- Do you have Standard Operating Procedures (SOPs) for the processing, storage and,
if relevant, anonymisation of the data that you hold? Do you know who is responsible for
each operating function and to whom they are accountable? Do you know who your Caldicott
Guardian is and does that person know your procedures and data? Do external
collaborators have to work to your procedures? Do you display the 'information padlock'?
- May we see your full list of commercial and non-commercial funding grants and the
outputs from these grants?
- Do you have contracts that ensure your freedom to publish the true findings of your
work without influence from the funding body?
- Are there clear lines of accountability within the organisation and with your employers or funders?
- Do you operate to a code for Good Research Practice that all employees have
access to and that is kept up to date?
- Is there an external process of auditing or reviewing your procedures?
- Is there a staff training programme in SOPs and Good Research Practice?