Information security measures

Information security is a method that uses a set of different measures to protect computer systems, networks and their data from any accidental or deliberate disclosure, access or damage. A health data user must adopt recognised information security practices to protect the data in their possession and while being used by their research staff.

This includes:

• data access must be limited to staff actually conducting the data analysis activity, not to a wide set of personnel within the organisation

• staff must be trained in good security practices, so that they understand the obligations of good conduct and data protection. This is important because each person has some unique health characteristics. Even if their identifying details have been removed to anonymised or depersonalise the data, it is sometimes possible to have a clue about the identity of the person from their clinical information. For example, if somebody has a rare condition that perhaps only a few people have in their city or country, has an unusual combination of diseases, or has had a pioneering operation which was publicised, this means they could be identified.

• passwords and other login details must be safeguarded and not shared with others

• anonymising the data, if is not already anonymised, for staff to use who do not have any need to know the identity of the individuals within the data

• the data must be held on secure computers and networks

• the organisation must keep audit trails to prove who has accessed and use the data during the research study