Privacy and security
How will you protect my data?
The Network partners, and every researcher who used the Network, followed strict policies and procedures to make sure that the privacy of the people whose information was contained in the data collections was always respected and upheld. We based our security standards and best practices on five principles:
- secure environments
- safe research projects
- secure data
- safe outputs
- safe people
We continually assessed our security standards against current best practice. Before linking, data collections were encrypted and transferred in accordance with government standards for data handling and security. Once the data collections were de-identified, they were available only to researchers in secure settings recognised by the Network.
Data was only held in secure environments which passed a rigorous independent accreditation process. The physical and technical security measures required for accreditation meant that researchers using our secure environments were not able to:
- access anyone’s directly identifying details
- copy the data onto their computers
- remove the data from the secure room/environment
- publish raw data
What personal details will be removed?
All data accessed within the Network was de-identified. We had strict procedures to make sure data collections were linked and used securely and ethically.
All directly identifying information was removed. This includes information such as:
- date of birth
- National Insurance number
- passport number
- driving licence number
Once researchers finished their work, specially trained secure environment staff only released outputs that were ‘safe’ and did not identify individuals.
How do I know that the people using the data were responsible?
- Every research project was assessed by the Approvals Panel of independent experts
- The researcher had a proven track record of research
- Each researcher required an institutional guarantor
- Researchers had to take a compulsory training programme in administrative data management and security standards
- The researcher signed a declaration to confirm that they understood their personal responsibilities and obligations
What happens if someone breaks the rules?
The consequences and legal repercussions of breaking the laws governing data are serious. The Network takes a very hard line on any misuse of data: this is set out in our breaches policy and our security incidents policy.
If an individual does not follow the procedures they may face criminal penalties (such as fines or prison sentences) and/or sanctions from data custodians, Research Councils UK and funders. Research funding could be withdrawn from the individual or from their entire institution. A researcher who breaks the law or does not follow the proper procedures can significantly damage their own future career in research and the reputation of the research institute or university they work for. Any breach of policy and procedure will be taken very seriously and pursued in accordance with our policies and the law.
How do you protect the privacy of my data?
People’s privacy is not only important to the Network, but central to everything we do:
- projects are assessed for privacy implications at the approvals stage
- data collections are linked in such a way that identifying information is separate from the rest of the data
- researchers and our staff are assessed rigorously
- data are available in secure environments
The data owners/custodians who collect the data independently consider whether the proposed project has value and whether to provide data for a project or not.
Will my data be for sale?
No. The Network was set up for social benefit and is not a commercial enterprise. We do not own any of the data so cannot sell any of it. We only provide access to data for trained researchers who are carrying out research with a clear potential public benefit.
What is ‘data purchase’?
This is the process where researchers buy business data collected by commercial organisations that is already available for sale, such as supermarket spending patterns. The Administrative Data Research Network is not involved in data purchase. We are interested in administrative and social data, which comes from public bodies, is never for sale, and is subject to strong safeguards.
Will you allow commercial research?
No. The Network was set up for social benefit and not as a commercial enterprise. We expected researchers to be from academia, charities, community, voluntary and social enterprise sector, government or an independent research organisation recognised by our governing board.
We did not consider proposals from researchers from commercial organisations, but it may be possible, for example, for a PhD student sponsored by a business to use the Network if their work has clear public benefit and the findings are going to be published. Likewise projects undertaken by organisations commissioned by government bodies to carry out research on their behalf will be considered, but the research results must be publicly available and owned by the government body. If the research is funded by a business and is not for publication, it would not be eligible.
Who is regulating the safe use and linking of data?
The Network was overseen by a Directors Group consisting of the ADRN Director, directors of the four Administrative Data Research Centres in England, Northern Ireland, Scotland, Wales and the Administrative Data Service, and representatives from the ESRC and the ADRN Board.
This group reports to the Economic and Social Research Council, which itself is accountable to the Department of Business, Energy, Innovation and Skills.
It is managed day to day by its Operations Group, which consists of:
- the project managers of the four Administrative Data Research Centres in England, Northern Ireland, Scotland and Wales and the Administrative Data Service
- the leads of the standing subcommittees
Are you involved in the Scottish Government’s plan to use people’s unique health number to create a tax database?
No. The Scottish Government is consulting people about its plans on this issue at the moment, but it is not something we are involved in.
However, in the future this could become one of the many sources of administrative data that can be de-identified and analysed under secure conditions.
How do I know the data will be used for the public good?
All research projects must have the potential to benefit society and improve quality of life. The individual research projects will go through an approvals process, where each project must show that:
- it is for non-commercial research purposes
- it has a clear potential public benefit
- there is a demonstrable value in using administrative data to answer the research question
- the results of the project will be made public
- it needs to use the Network, and would not be more appropriately served by existing research council investments (for example Farr Institute, UK Data Service, or one of the longitudinal studies support services)
- the project would not usually be undertaken by a government department as part of its operational business
Does the Data Protection Act still apply to ‘de-identified’ data?
Yes. Our principles and ethical values are in line with the Data Protection Act, which is the main piece of legislation governing how we protect personal data in the UK.
If I have unusual characteristics could I be identified, even without directly identifying information?
We had strict statistical disclosure control policies and procedures in place to prevent disclosive outputs being released from our secure environments. The procedures included consideration of outliers (unusual characteristics) to make sure individuals are not identified, and that we met all our legal responsibilities, such as those detailed in the Data Protection Act.
Will linking identify clusters of minority groups?
Researchers may be able to identify clusters. Indeed, investigation into clustering of characteristics is crucial to some research (such as whether there may be local environmental factors at play in relation to health issues). However, our strict statistical disclosure control policies and procedures prevented disclosive outputs from being released from our secure environments.
The procedures included consideration of clustering to make sure unique individuals and/or individuals with specific characteristics (such as clusters of minority groups) were not identified in a way that may disclose their location. For example, a research output may show that there are clusters of a minority group across England, but these clusters would not be linked to precise geographical information that would allow identification.
We minimised the risk of cluster and individual identification by:
- considering this risk as part of the privacy risk assessment completed before approving a project
- checking the output of the research for statistical disclosure control
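As an added illustration of the output check described above (this is example code, not ADRN's own statistical disclosure control tooling): a frequency table of de-identified records is checked against a minimum cell count before release, and if any cell at the finest geography would be suppressed the table is re-cut at a coarser geography. The threshold of 10, the two geography levels, the secondary-suppression rule and the records themselves are all constructed assumptions for the example; the page does not state ADRN's actual rules.

```python
"""
Added example (not ADRN code): minimum-cell-count disclosure check with
secondary suppression and fallback to a coarser geography.

Assumptions not stated on the page: release threshold of 10, two geography
levels (region, local area), and the constructed records below.
"""
from collections import Counter

THRESHOLD = 10  # assumed minimum count for a cell to be publishable

# Constructed de-identified records: (region, local area, group, has_condition)
RECORDS = (
    [("North", "N-01", "A", True)] * 14 + [("North", "N-01", "A", False)] * 30 +
    [("North", "N-02", "B", True)] * 3  + [("North", "N-02", "B", False)] * 25 +
    [("North", "N-03", "B", True)] * 9  + [("North", "N-03", "B", False)] * 20 +
    [("South", "S-01", "A", True)] * 12 + [("South", "S-01", "A", False)] * 40 +
    [("South", "S-02", "B", True)] * 11 + [("South", "S-02", "B", False)] * 33
)

def tabulate(records, geo_level):
    """Count records by (geography, group, has_condition).
    geo_level 0 = region (coarse), 1 = local area (fine)."""
    return Counter((r[geo_level], r[2], r[3]) for r in records)

def suppress(table, threshold=THRESHOLD):
    """Primary suppression: hide any cell below the threshold.
    Secondary suppression: if exactly one cell in a (geography, group) row is
    hidden, also hide the smallest remaining cell so the row total cannot be
    used to recover the hidden count. Hidden cells are returned as None."""
    rows = {}
    for (geo, grp, cond), n in table.items():
        rows.setdefault((geo, grp), {})[cond] = n
    released = {}
    for (geo, grp), cells in rows.items():
        hidden = {c for c, n in cells.items() if n < threshold}
        visible = {c: n for c, n in cells.items() if c not in hidden}
        if len(hidden) == 1 and visible:
            hidden.add(min(visible, key=visible.get))
        for cond, n in cells.items():
            released[(geo, grp, cond)] = None if cond in hidden else n
    return released

def check_release(records):
    """Try the finest geography first; if anything had to be suppressed,
    re-cut the table at the coarser level. Returns (level, table) or (None, {})."""
    for level in (1, 0):
        out = suppress(tabulate(records, level))
        if None not in out.values():
            return level, out
    return None, {}

if __name__ == "__main__":
    level, table = check_release(RECORDS)
    print("released at geography level", level)
    for cell, n in sorted(table.items()):
        print(cell, n)
```

With the constructed data, the local-area table has two small cells for group B (N-02 and N-03), so the area-level table is not released; the region-level table passes because the North/B cells aggregate to counts above the threshold. This is the behaviour the paragraph above describes: clusters remain visible at a coarse geography, but not at a precision that would locate the individuals.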
Will my details be passed to other organisations like the police or security services?
No. The Network facilitated research with de-identified administrative data, so the data held in the Network contained no directly identifying details that could be passed on.
Do you ask for consent before you use the data?
No. We only processed data that we had a legal basis to access.
Can I opt out of having my data linked?
We had no way to remove a particular record from a data collection, because we only had access to data that has all directly identifying information removed.
What is the difference between ‘de-identified’ and ‘anonymous’ data?
Administrative data collections usually contain information that directly identifies individuals, such as names, addresses, exact dates of birth and National Insurance numbers. The trusted third party process used by the Network removes this directly identifying information and replaces it with a linkage key (a number which allows an individual’s attributes to be linked to other attributes for the same individual from a different data collection, without directly identifying them).
It is this link (which de-identified data provides) that allows research to benefit from the richness of the linked data collections, so that, for example, the relationship between birth weight (health data) and educational outcomes (educational data) can be explored and better understood.
Anonymised data collections are stripped of all identifiers, including any linkage key, so their records cannot be linked to other collections.
Will all the records be collected into one database?
No, this is about creating linked de-identified data collections for the duration of each research project. The linked, de-identified data collections will only contain the data required for the research, and will be securely destroyed in line with current best practice at the end of each project.
What will stop future governments changing the rules and using the data for their own purposes?
The Administrative Data Taskforce, set up by the ESRC, the Medical Research Council and Wellcome Trust, recommended primary legislation to make it possible to carry out research using administrative data.
If/when this primary legislation is introduced, it will control what can and can’t be done with the data. Organisations with an interest in the field would get the opportunity to shape the legislation. Universities and researchers, for example, will want to make sure that it is possible to use data for research. They, and everyone involved with the Network, want to make sure that access is secure and safe, and doesn’t compromise anyone’s privacy. Privacy groups will also let MPs and ministers know what they want the law to allow and disallow. Once a new law has been established, any future changes will be subject to the same public scrutiny.
What is a trusted third party?
A trusted third party is an organisation with secure facilities to match data, and will usually be independent of the organisations which hold data and of the Network.
If an organisation – such as the Office for National Statistics or Northern Ireland Statistics and Research Agency – holds data and also acts as a trusted third party, there are strict technical and operational controls in place to maintain the separation of roles and the confidentiality of data.
The trusted third party carries out the matching of direct identifiers from different data sources.
In our linking process, a trusted third party typically creates a set of matched reference numbers, or linkage key. The Administrative Data Research Centre uses this linkage key to produce the linked data collection of attributes for the researcher to use.
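As an added, simplified walk-through of the trusted-third-party process described in this answer and in the ‘de-identified’ versus ‘anonymous’ answer above (this is illustrative code, not the Network's or any trusted third party's actual system): each custodian splits its collection into direct identifiers and attributes; only the identifiers go to the trusted third party, which matches them and issues a random linkage key per person; the custodians then replace their local record ids with the linkage key and pass the attribute-only tables to the research centre, which joins on the key alone. The two collections, the identifier fields, the keyed-hash matching step and the random key format are all constructed assumptions for the example.

```python
"""
Added example (not ADRN code): trusted-third-party (TTP) linkage.

Assumptions not stated on the page: identifiers are matched on a normalised
(name, date of birth, NI number) triple via a keyed hash held by the TTP;
linkage keys are random values, not derived from identifiers; the sample
health and education collections below are constructed.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: a health collection and an education collection.
HEALTH = [
    {"hid": "h1", "name": "Ann Smith", "dob": "2001-03-04", "nino": "AB123456C", "birth_weight_g": 2900},
    {"hid": "h2", "name": "Bo Jones", "dob": "2002-11-20", "nino": "CD234567D", "birth_weight_g": 3500},
    {"hid": "h3", "name": "Cy Li", "dob": "2000-07-01", "nino": "EF345678E", "birth_weight_g": 3100},
]
EDUCATION = [
    {"eid": "e9", "name": "ANN SMITH", "dob": "2001-03-04", "nino": "ab123456c", "ks2_score": 105},
    {"eid": "e8", "name": "Cy Li", "dob": "2000-07-01", "nino": "EF345678E", "ks2_score": 98},
    {"eid": "e7", "name": "Di Brown", "dob": "1999-01-15", "nino": "GH456789F", "ks2_score": 110},
]

IDENTIFIER_FIELDS = ("name", "dob", "nino")  # assumed direct identifiers

def split_collection(rows, local_id):
    """Custodian step: separate direct identifiers from attributes.
    Identifiers (plus the local record id) go to the TTP; attributes stay put."""
    ids, attrs = [], []
    for row in rows:
        ids.append({local_id: row[local_id], **{f: row[f] for f in IDENTIFIER_FIELDS}})
        attrs.append({k: v for k, v in row.items() if k not in IDENTIFIER_FIELDS})
    return ids, attrs

def match_token(ident, secret):
    """TTP step: deterministic token from normalised identifiers, keyed with a
    TTP-held secret so nobody else can recompute tokens for matching."""
    norm = "|".join(str(ident[f]).strip().upper() for f in IDENTIFIER_FIELDS)
    return hmac.new(secret, norm.encode(), hashlib.sha256).hexdigest()

def ttp_link(*id_tables, secret=None):
    """TTP step: for each custodian build {local_id -> linkage_key}.
    Records that match on identifiers receive the same random linkage key."""
    secret = secret or secrets.token_bytes(32)
    key_for_token, maps = {}, []
    for local_id, table in id_tables:
        m = {}
        for ident in table:
            tok = match_token(ident, secret)
            if tok not in key_for_token:
                key_for_token[tok] = secrets.token_hex(8)  # random, unrelated to identifiers
            m[ident[local_id]] = key_for_token[tok]
        maps.append(m)
    return maps

def attach_keys(attrs, local_id, key_map):
    """Custodian step: swap the local record id for the linkage key.
    The resulting table carries attributes only."""
    out = []
    for a in attrs:
        a = dict(a)
        a["linkage_key"] = key_map[a.pop(local_id)]
        out.append(a)
    return out

def research_centre_join(*keyed_tables):
    """Research centre step: join attribute tables on the linkage key only,
    keeping people present in every table."""
    joined = defaultdict(dict)
    for t in keyed_tables:
        for row in t:
            joined[row["linkage_key"]].update(row)
    return [r for r in joined.values() if "birth_weight_g" in r and "ks2_score" in r]

def run_linkage():
    h_ids, h_attrs = split_collection(HEALTH, "hid")
    e_ids, e_attrs = split_collection(EDUCATION, "eid")
    h_map, e_map = ttp_link(("hid", h_ids), ("eid", e_ids))
    return research_centre_join(attach_keys(h_attrs, "hid", h_map),
                                attach_keys(e_attrs, "eid", e_map))

if __name__ == "__main__":
    for row in run_linkage():
        print(row)
```

The point to notice is the separation of roles: the TTP sees identifiers but no attributes, the research centre sees attributes and linkage keys but no identifiers, and the linkage key is random rather than derived from the identifiers, so holding it does not help anyone work back to a name or NI number.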