What is CRIS?
CRIS stands for the Clinical Record Interactive Search system. It is a software solution that removes information from an electronic medical record that might identify an individual. It then produces a de-identified database that an NHS organisation can use for research.
What use is the data for research?
Anonymous or de-identified data from medical records can be very useful for research. Significant amounts of information are recorded in these records, particularly the free text notes, and can help organisations better understand how care is being delivered, the causes of disease and the effectiveness of interventions and medications. This de-identified data can help answer all these questions.
For some research, face-to-face meetings are required, and CRIS can help in this process too. If, for example, an NHS Trust wants to speak to patients with schizophrenia who are female and between the ages of 25-45, they can use CRIS to search the anonymous database and find out how many people they have who fit these criteria. If these people have given their consent to be contacted about relevant research projects, a special process can be carried out to allow the researchers to get in contact with these (and only these) individuals. To find out more about this process and/or about being contacted about relevant research work, get in touch with your local NHS Trust. The home page has a list of all the Trusts involved, with links to their websites, where you can find details of how to get in touch.
What is de-identified data?
This is data which has had information removed, masked or modified to protect patient privacy. Items such as name, surname, telephone numbers, addresses and NHS numbers will all be removed or masked to minimise any chance a patient could be identified from the data.
Who will access this information?
Each NHS organisation running CRIS will have a strict process in place to control who can access the database. All end users will need to register to use CRIS, providing any appropriate evidence of contracts and training completed as defined by the host NHS organisation. They will also need to have a project application approved to gain access to any data.
Does anyone monitor/oversee CRIS?
A local CRIS administrator will oversee the day-to-day running of the system. The system captures all actions carried out on CRIS via an audit log. This enables the CRIS administrator and the organisation to know exactly how CRIS users are using the system. Additionally, a local oversight committee made up of patient and staff representatives will monitor the use of CRIS, review project applications (you cannot access any data without an approved project) and ensure policies and practices are up to date with the latest legislative and organisational security policies.
All the Trusts that are part of the CRIS network are also part of a national governance group. The group is in place to oversee the safe running of CRIS and determine the processes and procedures for how federated search works (find out more about federation below). These terms are captured in the UK-CRIS Data Sharing Agreement, and each member NHS Trust has signed a copy of the agreement. The group will provide ongoing review of the standard operating procedures for CRIS and the privacy impact assessment (a privacy risk assessment) of the platform to ensure it is kept up to date with developing information governance policies and security standards. You can find out more about this group and the documents mentioned through the contact page on this website.
How secure is the information?
Each Trust CRIS database is hosted in a state-of-the-art, high-security datacentre in the UK. You can find out more about the datacentre at the Equinix website. Each organisation connects to the datacentre via the N3 network, a private network for the NHS. The datacentre has firewalls configured to only accept connections from the member NHS Trusts, so each Trust can only access their instance of CRIS, and all data is encrypted in transfer using the 256-bit Advanced Encryption Standard. Data is not pooled. Each NHS organisation has its own CRIS database, which it owns and controls. They also have a legal contract in place to manage and control the environment, CRIS and the data. This ensures all processing of data occurs lawfully and in compliance with UK data privacy law, including the Data Protection Act (1998) and the Human Rights Act (1998), and in line with NHS terms and conditions. The systems are regularly audited and risk assessed, with suppliers required to evidence they can meet the necessary standards. All suppliers are registered with the Information Commissioner's Office (ICO), and detailed below are the suppliers and links to their accreditations:
Data Processor and (linked) Accreditations
Role in CRIS
NHS Information Governance Tool Kit Score 2015-16
ICO Registration Number
Managed Service Provider
Is data ever sold to insurance, pharmaceuticals or any other third party?
No, data is never sold. It is also never used by any external companies.
Sometimes pharmaceutical companies conduct clinical trials in the NHS. These trials are very strictly regulated by the NHS. So that the pharmaceutical companies know which parts of the NHS are best to work with for a particular trial, they sometimes ask: “How many patients in your service have disease X?” CRIS may be used to help answer these types of questions. The companies never get to see or use CRIS, and any work carried out to find patients who might be suitable for research will be carried out by approved NHS Trust users only.
Is CRIS an opt-in or an opt-out model?
CRIS works on an opt-out model. Data is de-identified and effectively anonymous. However, patients always have the option to opt their record out from being included in CRIS. Details of how this works can be found on your local Trust website.
What is federation and federated search?
Federation relates to how the CRIS databases are set up. Data is not pooled and each Trust has its own CRIS database. At times, NHS Trusts and their associates may wish to work together on a project where having a larger amount of (de-identified) data can help provide a better understanding or comparison of, for example, how a treatment or intervention may be working. Following a review and approval process, the member Trusts wishing to work together can sanction a federated search project. This would allow an authorised researcher to run a query against their own instance of CRIS and the CRIS database(s) of the Trust(s) that agreed to work together. This can help add numbers to research projects, which makes findings more reliable and more representative. The national governance group look after the terms for using federated search, and these are captured in the UK-CRIS Data Sharing Agreement for Federated Search.
Who has reviewed CRIS and its processes in respect to privacy?
CRIS has been reviewed and approved internally by each member Trust and has also undergone an external review by the Health Research Authority, the Confidentiality Advisory Group and several ethics boards. A privacy impact assessment has also been carried out by Kaleidoscope Consultants.
Data Security and Continued Improvement
To ensure the continued security and privacy of patient data processed in the UK-CRIS system, a risk assessment process (known as a Data Protection Impact Assessment) is carried out to review the technical and organisational controls in place. This included an independent assessment of the system and its controls before the system was launched, assessments by each individual NHS organisation using CRIS, and periodic assessments to update these, reflecting any changes in the legislation and advances in technology and cyber security. Each of these assessments has found UK-CRIS to have a robust data security and governance model in place that ensures data is secured throughout the lifecycle of processing, and that there are checks and balances in place to ensure the system is actively monitored (by each Trust and the overarching national governance group) and held accountable. It is evident patients and the public have been engaged in the implementation of the UK-CRIS system at each NHS site, and input has been given on the design and development of public-facing material to ensure the language is consistent and understandable, alongside active participation in the governance of each local system with patient and public representation on each Trust CRIS oversight committee.
In addition, the UK-CRIS system underwent a set of independent security tests (known as ‘penetration tests’) to test the system for any security vulnerabilities. This process found no high-level risks present in the system and recognised that the measures implemented to secure data were of industry standard and met national and international guidance in this space (e.g. ISO 27001 and the National Institute of Standards and Technology).
Further details on the Data Protection Impact Assessments and/or security tests can be requested from the UK-CRIS team or the NHS Trusts who are members of the CRIS Network. To find out more, please use the contact form on our contact page: https://crisnetwork.co/contact
Where can I find out more?
Get in touch using the form on the contact page or speak to your local CRIS Network Member NHS Trust. We always welcome feedback and input to continually improve the CRIS Network so please do let us know your thoughts.