Home.. Legal.. Advisory Board


Advisory Board

HICCPAC: Health Informatics Centre Confidentiality and Privacy Advisory Committee
Members Location Role
Wendy Nganasurian Inverness Chair
Stuart Cross Dundee Legal
Dr David Jolliffe Edinburgh General Practice
Jennifer Waterton Edinburgh CSO
Cairns Smith Aberdeen Public Health
Diana Campbell Dundee Non-Executive Member


The remit for this committee is that it is advisory and independent of the management structure of MEMO or the Health Informatics Centre. Accountability for confidentiality and security rests with the Health Informatics Centre, not with its Confidentiality and Security Advisory Committee.

To advise HIC on issues of data protection, privacy and ethics relevant to the work of the Unit

To review current procedures for data collection, transmission and use to ensure that the best possible standards of data protection, privacy and ethical practice are being met. In particular, to examine the requirements for implementation of the Data Protection Act in Scotland.

To review Standard Operating Procedures for data processing and the results of audits of compliance with SOPs.

To provide advice on key external issues, for example a circumstance under which explicit consent is not needed for the processing of personal data or the implications of the Freedom of Information Act.

To provide advice to the HIC Management Committee or the HIC Stakeholder Group, if relevant to do so, on matters that may affect the work and development of HIC. This may include proposed research projects being developed from within HIC or requests for research from outside sources. Members of the Advisory Board should be free to initiate any discussions with staff or the HIC Management Committee or the HIC NHS Stakeholder Group if they consider it appropriate to do so.


HICCPAC meets as often as is necessary to carry out its remit but at least twice per year.

Meetings are open to HIC staff. NHS and University Caldicott Guardians and NHS Tayside's Data Protection Officers are invited to attend each meeting and receive copies of the minutes.


HICCPAC was established in June 2003 to extend the role of an Advisory Board established by MEMO in December 1999. Membership of the original Advisory Board was also extended to include an advisor on consumer and patient issues (Wendy Nganasurian) in HICCPAC.

The MEMO Advisory Board was also chaired by Elizabeth Russell, who was then Chair of the Chief Medical Officer's Privacy Advisory Committee. Professor Russell was a member of the Confidentiality and Security Advisory Group in Scotland, chaired by Angela Macpherson and established in September 2000.

The other members of the MEMO Advisory Board were David Gordon (Public Health, Forth Valley Health Board), David Jolliffe (GP, Edinburgh) and Ian Willock (Legal Adviser, Dundee).


  1. A list of key questions on confidentiality and security was developed. This was applied first to all sources of data in MEMO and was then extended to other groups joining the Health Informatics Centre (e.g. the Dental Health Services Research Unit). In addition the key questions are reviewed during the annual audit of compliance with SOPs.
  2. Development of data flow charts.
  3. Development of SOPs for data handling and research.
  4. Appointment of a University Caldicott Guardian (in 2002) with responsibility for ensuring that University staff are compliant with the recommendations of the Caldicott Report and the Data Protection Act. The current University Caldicott Guardian is Professor David Rowley.
  5. Establishment of annual external audits of compliance with SOPs and key questions.

Key Questions on Confidentiality and Privacy for the Health Informatics Centre

Responses to these questions are updated annually and reviewed as part of HIC's annual external audit.

  1. Initial consent to use of personal data for secondary purposes:
    1. What are the sources of personal data used by the organisation?
    2. Do you have a record of the consent given you to use the data?
    3. Do you have a record of the process and content of the primary consent obtained for the holding and use of the data that are passed on to you (or any primary personal data that you collect)?
    4. Do you satisfy yourself that this primary process is compliant with current standards?
    5. Can your data suppliers satisfy themselves that you are conforming to their expectations and current standards? And that you are not using the data for new purposes that require further consent? And that the consent still applies?
    6. If no consent was obtained, does the secondary use of the data comply with the Data Protection Act, Caldicott guidance, and the CSAGS categories?
    7. Is the use of personally identifiable data kept to the minimum necessary to yield the information that is sought?
    8. the record open to inspection?
  2. Do you have Standard Operating Procedures (SOPs) for the processing, storage and, if relevant, anonymisation of the data that you hold? Do you know who is responsible for each operating function and to whom they are accountable? Do you know who your Caldicott Guardian is and does that person know your procedures and data? Do external collaborators have to work to your procedures? Do you display the 'information padlock'?
  3. May we see your full list of commercial and non-commercial funding grants and the outputs from these grants?
  4. Do you have contracts that ensure your freedom to publish the true findings of your work without influence from the funding body?
  5. Are there clear lines of accountability within the organisation and with your employers or funders?
    1. Do you operate to a code for Good Research Practice that all employees have access to and is kept up to date?
    2. Is there an external process of auditing or reviewing your procedures?
    3. Is there a staff training programme in SOPs and Good Research Practice?