Legal framework and institutional responsibilities
The SAIL Databank does not receive or handle identifiable data. Commonly recognised identifying details are removed from data sources before they are acquired and linked into the SAIL Databank, and are encrypted and anonymised through a standard split file approach so they cannot be reconstructed.
https://saildatabank.com/saildata/bringing-new-data-into-sail/
Data within the SAIL TRE is legally anonymised and therefore it outside the remit of data protection law. SAIL follows the information Commissioners Code on Anonymisation. As data guardians, protecting the identity of each anonymised individual-level person’s data, as well as the overall security of the data stored within SAIL Databank is the number one priority. All proposals to use SAIL Databank data are subject to review by an independent Information Governance Review Panel (IGRP). SAIL’s processes and procedures ensure total anonymity at all times whilst allowing research to proceed for the benefit of society. The IGRP provides independent guidance and advice on Information Governance policies, procedures and processes for SAIL Databank. The Panel reviews all proposals to use SAIL Databank to ensure that they are appropriate and in the public interest, and it comprises representatives from various organisations and sectors including: British Medical Association (BMA) Cymru Wales, The Welsh Government, Public Health Wales, National Research Ethics Service, Digital Health and Care Wales, Swansea Bay University Health Board and The public. All access to SAIL Databank is monitored closely and before any data can be accessed, approval must be given by the independent IGRP. The SAIL Programme has implemented an ISO 27001 Information Security Management System (ISMS), which was externally certified by independent industry assessors in December 2015. ISO 27001 is an internationally recognised best practice standard for an information Security Management System (ISMS). An ISMS is a framework of policies and procedures that include all legal, physical and technical controls that an organisation has in place to secure information / data throughout its lifetime. SAIL and its infrastructure SeRP are also Cyber Essentials certified and are accredited under the Digital Economy Act 2017 and the NHS Data Security Toolkit.
Health information strategy
There is no single UK health information strategy in the UK. Each of the four nations: England, Scotland, Wales and Northern Ireland have devolved responsibility for health and health information. The strategies vary a little between jurisdictions but much is common.
In Wales, health information strategy is within the remit of the newly established Digital Health and Care Wales (DHCW) which is setting up a national data resource (NDR) to support acute care and health planning. See https://dhcw.nhs.wales/files/publications/an-introduction-to-digital-health-and-care-wales/
For research uses Health and Care Research Wales (Welsh Government) funds the Secure Anonymised Information Linkage (www.saildatabank.com) at Swansea University which provides globally accessible remote access to linked de-identified data on the Welsh population from many health and non-health sources. For a list of all approved projects, including users and projects across the UK and wider accessing and using the SAIL Databank for a variety of research studies and activities please see the following: https://saildatabank.com/saildata/projects-using-sail/
The Secure eResearch Platform (SeRP) which provides the technology and services underpinning SAIL is also used for many UK and international projects.
