NHS staff collect information about patients in order to better understand the health of Scottish people so that the best quality health and care services can be provided. In Scotland, some of the information collected is brought together and managed for NHSScotland by ISD. ISD works to ensure this information is managed, stored and used securely.
Safe and secure use of personal health information
We have published a leaflet ‘Safe and secure use of personal health information’ (December 2012) which explains how ISD ensures information is managed, stored and used securely.
How ISD protects patient confidentiality
Data Protection Act 1998: We follow the principles of the Act, which governs how we use personal data. ISD's work is included within the entry for NHS National Services Scotland in the register of data controllers maintained by the Information Commissioner. The Information Commissioner's website is www.ico.gov.uk
Information Governance and ISD Staff: From 2013, all our staff will undertake Information Governance training. This training will complement the existing detailed rules that govern the care and release of confidential data. All new staff must read those rules and then sign to confirm that they understand and accept them, and all staff renew this declaration annually. Our staff contracts also have a clause relating to confidentiality.
Disclosure control: Disclosure is when confidential information is released either directly or indirectly in breach of laws or public trust. We take particular care when supplying tables with small numbers which could potentially lead to disclosure.
Statistical disclosure control is how we reduce the risk of disclosure by suppressing, aggregating or modifying data before release. Our Statistical Disclosure Control Protocol is based on the guidance released by the Office of National Statistics in 2006 and was introduced in March 2009.
Privacy Advisory Committee (PAC): PAC advises ISD and the General Register Office for Scotland (GROS) on the right balance between protecting personal data and making data available for research and audit. It makes sure that any information releases are carefully controlled.
Anonymised form of the national database: Most of our analysis can be carried out on an anonymised form of the national database. Only a limited number of trained staff can access patient identifiable information and only with special permission for a set time period. All access to this information is recorded and audited.
Audits: We regularly audit our confidentiality and security practice. In 2008 we completed a dataset review, which aimed to make sure all our datasets are of business value and contain no unnecessary identifiable data.
Research using personal data: The data that health organisations hold are potentially very useful for research. We are keen to support researchers who want to use our data. However, they must follow current legal and ethical guidelines before they can do this.
A leaflet specifically on cancer registration has also been produced for patient and public information, along with associated information for NHS staff.