Access to the data is controlled on a strict need-to-know basis. Only NHS staff and their approved partners can access the data, once they have been registered and validated on the system, and have a suitable project approved by the organisation’s oversight committee.
Security permissions within the platform are controlled using role-based settings. Users can only access the system via a Health Care Organisation’s networked terminal or Virtual Desktop Infrastructure, which uses two-factor authentication. All approved users will have their own unique username and password, and all activity is captured in a comprehensive audit log, which is reviewed by the organisation’s oversight group to ensure appropriate use.
Health Care Organisations retain complete control of their de-identified data via technical and procedural controls in place. These are managed by the Platform Administrator at each organisation. Technical controls are security mechanisms enforced by the computer system such as encryption and limiting what a user can access. Procedural controls include contractual controls (e.g. duty of confidentiality), training and oversight bodies that provide a further level of protection.
The system is set up so users can access information from within the secure datacentre via a virtual desktop. When accessing data via the Virtual Desktops, there are robust controls in place that protect the data and do not allow any user to take information out of (or put any into) the controlled environment without explicit permission from the Health Care Organisation.
Each user is vetted by the Health Care Organisation (HCO) before access approval is granted to the database. Part of that requires them to confirm that specific Information Governance and platform training has been completed and there is a suitable contract or agreement in place between the individual and the HCO. All network member organisations will also have strict policies around use of data and users agree to these each time they sign into the platform.
Organisations that deploy the system put in place a robust governance framework to control access to the de-identified data. This allows the Health Care Organisations to retain complete control of data via the technical and procedural controls in place, which are managed by the Platform Administrator. This framework was developed with input from the network Health Care Organisations and the Health Research Authority.
Security of data, and how it is stored, processed and accessed, is of paramount importance. The data centre has an established and implemented Information Security Management System (ISMS) based on, and certified to, ISO 27001 standards to manage risks relating to confidentiality, integrity, and availability of information. This is supported by a robust data Security Model and Information Governance framework.
The Health Care Organisation, as the data controller, will always be ultimately responsible for ensuring that controls are in place to protect the data within the platform. They have put in place robust information governance policies and procedures to support access to the platform and ensure that everyone with access to the data is aware of their responsibilities and obligations.
CRIS stands for the Clinical Record Interactive Search system. It is a software solution that removes information from an electronic medical record that might identify an individual. It then produces a de-identified database that an NHS organisation can use for research.
Anonymous or de-identified data from medical records can be very useful for research. Significant amounts of information are recorded in these records, particularly the free text notes, and can help organisations better understand how care is being delivered, the causes of disease and the effectiveness of interventions and medications. This de-identified data can help answer all these questions.
For some research, face-to-face meetings are required, and CRIS can help in this process too. If, for example, an NHS Trust wants to speak to patients with schizophrenia who are female and between the ages of 25-45, they can use CRIS to search the anonymous database and find out how many people they have who fit these criteria. If these people have given their consent to be contacted about relevant research projects, a special process can be carried out to allow the researchers to get in contact with these (and only these) individuals. To find out more about this process and/or about being contacted about relevant research work, get in touch with your local NHS Trust. The home page has a list of all the Trusts involved, with links to their websites, where you can find details of how to get in touch.
This is data which has had information removed, masked or modified to protect patient privacy. Items such as name, surname, telephone numbers, addresses and NHS numbers will all be removed or masked to minimise any chance a patient could be identified from the data.
Each NHS organisation running CRIS will have a strict process in place to control who can access the database. All end users will need to register to use CRIS, providing any appropriate evidence of contracts and training completed as defined by the host NHS organisation. They will also need to have a project application approved to gain access to any data.
A local CRIS administrator will oversee the day to day running of the system. The system captures all actions carried out on CRIS via an audit log. This enables the CRIS administrator and the organisation to know exactly how CRIS users are using the system. Additionally, a local oversight committee made up of patient and staff representatives will monitor the use of CRIS, review project applications (you cannot access any data without an approved project) and ensure policies and practices are up to date with the latest legislative and organisational security policies.
All the Trusts that are part of the CRIS network are also part of a national governance group. The group is in place to oversee the safe running of CRIS and determine the processes and procedures for how federated search works (find out more about federation below). These terms are captured in the UK-CRIS Data Sharing Agreement, and each member NHS Trust has signed a copy of the agreement. The group will provide ongoing review of the standard operating procedures for CRIS and the privacy impact assessment (a privacy risk assessment) of the platform to ensure it is kept up to date with developing information governance policies and security standards. You can find out more about this group and the documents mentioned through the contact page on this website.
Each Trust CRIS database is hosted in a state-of-the-art, high-security datacentre in the UK. You can find out more about the datacentre in this information leaflet. Each organisation connects to the datacentre via the N3/HSCN network, a private network for the NHS. The datacentre has firewalls configured to only accept connections from the member NHS Trusts, so each Trust can only access their instance of CRIS, and all data is encrypted in transit using the 256-bit Advanced Encryption Standard. Data is not pooled. Each Trust has their own CRIS database that they own and control. They also have a legal contract in place to manage and control the environment, CRIS and the data. This ensures all processing of data occurs lawfully and in compliance with UK data privacy law, including the Data Protection Act (2018), General Data Protection Regulation (2016) and the Human Rights Act (1998), and in line with NHS best practice. The systems are regularly audited and risk assessed, with suppliers required to evidence they can meet the necessary standards. All suppliers are registered with the Information Commissioner’s Office (ICO) and ISO 27001 certified.
No, data is never sold. It is also never used by any external companies.
Sometimes pharmaceutical companies conduct clinical trials in the NHS. These trials are very strictly regulated by the NHS. So that the pharmaceutical companies know which parts of the NHS are best to work with for a particular trial, they sometimes ask: “How many patients in your service have disease X?” CRIS may be used to help answer these types of questions. The companies never get to see or use CRIS, and any work carried out to find patients who might be suitable for research will be carried out by approved NHS Trust users only.
CRIS works on an opt-out model. Data is de-identified and is anonymous when made available for research. However, patients always have the option to opt their record out from being included in CRIS. Details of how this works can be found on your local Trust website.
Federation relates to how the CRIS databases are set up. Data is not pooled and each Trust has their own CRIS database. At times NHS Trusts and their associates may wish to work together on a project where having a larger amount of (de-identified) data can help provide a better understanding or comparison of, for example, how a treatment or intervention may be working. Following a review and approval process, the member Trusts wishing to work together can sanction a federated search project. This would allow an authorised researcher to run a query against their own instance of CRIS and the CRIS database(s) of the other Trust(s) that agreed to work together. This can help add numbers to research projects, which makes findings more reliable and more representative. The national governance group oversees the terms for using federated search, and these are captured in the UK-CRIS Data Sharing Agreement (DSA) for Federated Search.
The DSA has been drafted and ratified by all member Trusts; input from the national governance group was sought during the drafting stage. The DSA reflects and accounts for any new requirements set out by the General Data Protection Regulation and Data Protection Act 2018. It has also been drafted in accordance with the Information Commissioner’s Office’s ‘Data Sharing Code of Practice’. It clearly defines the scope and purpose of any proposed sharing of de-identified data between Trusts. It also sets out each Trust’s roles and responsibilities to each other when it comes to sharing de-identified data.
CRIS has been reviewed and approved internally by each member Trust and has also undergone an external review by the Health Research Authority, the Confidentiality Advisory Group and several ethics boards. A Data Protection Impact Assessment (DPIA) has been completed by the UK-CRIS team, in addition to each Trust completing one of their own. Externally, Kaleidoscope Consultants carried out a Privacy Impact Assessment.