Information Governance and Data Management Policy

1. Summary

The Centre carries out substantive research on environment and health, including studies of the relationship between socio-economic and environmental factors and health, in collaboration with other scientific groups as necessary. The Centre also develops statistical methodology for analysing and interpreting complex datasets, advances understanding of health risks and provides expert advice on policy. The types of study and data collected vary between the various programmes in the Centre, and therefore this Information Governance and Data Management Plan represents a common policy that is to be applied to a broad range of research studies and approaches.

Primarily, all data collected and held within the Centre will comply with the General Data Protection Regulation (GDPR) and all personal information will be processed in accordance with the following six Data Protection Principles.

When processing personal information, data must:

  1. be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
  2. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  3. be adequate, relevant and not excessive for those purposes
  4. be accurate and kept up to date
  5. not be kept in a form which permits identification of data subjects longer than is necessary for that purpose
  6. be kept safe from unauthorised access, accidental loss or destruction

The Centre is responsible for complying with these principles, and for having appropriate processes and records in place to demonstrate this compliance.

Across the Centre our researchers hold quantitative and qualitative data generated from surveys, clinical measurements, interviews, medical records, electronic health records, administrative records, genotypic data, tissue samples, address data, and environmental measurements. These data originate from data collection centres, cohort studies and direct scientific research, and include UK and international data.

We therefore recognise the importance of ensuring that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

2. Principles

The Centre recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. The Centre fully supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information. The Centre recognises the need to share patient and research information with other health organisations and other agencies in a controlled manner, and only consistent with the interests of the patient and, in some circumstances, the public interest.

The Centre believes that accurate, timely and relevant information is essential to deliver the highest quality research. As such, it is the responsibility of all researchers and managers to ensure and promote the quality of information and to actively use information in decision-making processes.

There are 4 key interlinked strands to the information governance policy:

  • Openness
  • Legal compliance
  • Information security
  • Quality assurance

2.1. Openness

  • Non-confidential information on the Centre and its services should be available to the public through a variety of media, in line with the Centre’s code of openness
  • The Centre will establish and maintain policies to ensure compliance with the Freedom of Information Act, acting through local hosting institutions as appropriate
  • The Centre will have clear procedures and arrangements for liaison with the press and broadcasting media
  • The Centre will have clear procedures and arrangements for handling queries from the public
  • The Centre’s researchers will ensure that they have received all necessary ethical approvals prior to commencing the use of existing data, or the collection of new data

2.2. Legal Compliance

  • The Centre regards all identifiable personal information relating to patients and research subjects as confidential
  • The Centre will undertake or commission regular assessments and audits of its compliance with legal requirements
  • The Centre regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise
  • The Centre will establish and maintain policies to ensure compliance with the GDPR, Human Rights Act and the common law confidentiality
  • The Centre will establish and maintain policies for the controlled and appropriate sharing of research information with other agencies, taking account of the specific ethical review and approval of a given dataset, according to the project type, funding source, and the local rules and regulations governing the specific project in the relevant Centre institution

2.3. Information Security

  • The Centre’s researchers will establish and maintain policies for the effective and secure management of project information assets and resources
  • The Centre will undertake or commission regular assessments and audits of its information and IT security arrangements
  • The Centre will promote effective confidentiality and security practice to its staff through policies, procedures and training
  • The Centre’s researchers will follow institutional incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security. Any breaches will also be reported to the Centre’s management for follow-up
  • The Centre will support researchers in developing security policies that are ISO/IEC 17799:2005 & ISO/IEC 27001:2005

2.4. Information Quality Assurance

  • The Centre’s researchers will follow and maintain the appropriate policies and procedures for information quality assurance and the effective management of records
  • The Centre’s researchers will undertake or commission regular assessments and audits of its information quality and records management arrangements
  • Research leaders and managers are expected to take ownership of, and seek to improve, the quality of information within their area of the Centre
  • Wherever possible, information quality should be assured at the point of collection/acquisition
  • Data standards will be set through clear and consistent definition of data items, in accordance with national standards
  • The Centre will promote information quality and effective records management through policies, procedures/user manuals and training

3. Responsibilities

It is the role of the Centre Executive Committee to define the Centre’s policy in respect of Information Governance, taking into account legal and individual institutional requirements. The Centre Executive is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

The local Information Governance managers are responsible for overseeing day-to-day Information Governance issues: developing and maintaining policies, standards, procedures and guidance, coordinating Information Governance in the Centre and raising awareness of Information Governance. Across the Centre’s institutions, these Information Governance managers will refer to the existing Information Governance policies established by the Information Governance committees of Imperial College and King’s College London.

Managers within the Centre are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance.

All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day-to-day basis.

4. Policy Approval

The MRC Centre for Environment and Health acknowledges that information is a valuable asset; it is therefore wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, protecting the interests of all of its stakeholders.

This policy, and its supporting standards and work instruction, are fully endorsed by the Centre’s Steering Committee through the production of these documents and their minuted approval.

We trust that all staff, contractors and other relevant parties will, therefore, ensure that these are observed in order that we may contribute to the achievement of the MRC Centre for Environment and Health objectives and the delivery of effective healthcare to the local population.