Governance

What is CRIS?
CRIS stands for the Clinical Record Interactive Search system. It is a software solution that removes information from an electronic medical record that might identify an individual. It then produces a de-identified database that an NHS organisation can use for research.

What use is the data for research?
Anonymous or de-identified data from medical records can be very useful for research. Significant amounts of information are recorded in these records, particularly the free text notes, and can help organisations better understand how care is being delivered, the causes of disease and the effectiveness of interventions and medications. This de-identified data can help answer all these questions.

For some research face to face meetings are required and CRIS can help in this process too. If for example an NHS Trust wants to speak to patients with schizophrenia who are female and between the ages of 25-45 they can use CRIS to search the anonymous database and find out how many people they have who fit this criteria. If these people have given their consent to be contacted about relevant research projects, a special process can be carried out to allow the researchers to get in contact with these (and only these) individuals.  To find out more about this process and/or about being contacted about relevant research work, get in touch with your local NHS Trust. The home page has a list of all the Trusts involved with links to their websites and where you can find details of how to get in touch.

What is De-identified data?
This is data which has had information removed, masked or modified to protect patient privacy. Items such as name, surname, telephone numbers, addresses and NHS numbers will all be removed or masked to minimise any chance a patient could be identified from the data.  

 

Who will access this information?
Each NHS organisation running CRIS will have a strict process in place to control who can access the database. All end users will need to register to use CRIS, providing any appropriate evidence of contracts and training completed as defined by the host NHS organisation. They will also need to have a project application approved to gain access to any data. 

Does anyone monitor/oversee CRIS?
A local CRIS administrator will oversee the day to day running of the system. The system captures all actions carried out on CRIS via an audit log. This enables the CRIS administrator and the organisation to know exactly how CRIS users are using the system. Additionally, a local oversight committee made up of patient and staff representatives will monitor the use of CRIS, review project applications (you cannot access any data without an approved project) and ensure policies and practices are up to date with the latest legislative and organisational security policies.  

All the Trusts that are part of the CRIS network are also part of a national governance group. The group is in place to oversee the safe running of CRIS and determine the processes and procedures for how federated search works (find out more about federation below). These terms are captured in the UK-CRIS Data Sharing Agreement and each member NHS Trust have signed a copy of the agreement. The group will provide ongoing review of the standard operating procedures for CRIS and the privacy impact assessment (a privacy risk assessment) of the platform to ensure it is kept up to date with developing information governance policies and security standards. You can find out more about this group and the documents mentioned through the contact page on this website.

 

 

How secure is the information?

Each Trust CRIS database is hosted in a state of the art, high security datacentre in the UK. You can find out more about the datacentre on this information leaflet. Each organisation connects to the datacentre via the N3/HSCN network – a private network for the NHS. The datacentre has firewalls configured to only accept connections from the member NHS Trusts, so each Trust can only access their instance of CRIS, and all data is encrypted in transfer using 256bit Advanced Encryption Standards. Data is not pooled. Each Trust has their own CRIS database they own and control. They also have a legal contract in place to manage and control the environment, CRIS and the data. This ensures all processing of data occurs lawfully and in compliance with UK data privacy law including the Data Protection Act (2018), General Data Protection Regulation (2016), the Human Rights Act (1998) and in line with NHS best practice. The systems are regularly audited and risk assessed, with suppliers required to evidence they can meet the necessary standards.  All suppliers are registered with the Information Commissioners Office (ICO) and ISO27001 certified, details of their ICO registration can be found below:

 

Data Processor and (linked) Accreditations

Role in CRIS

ICO Registration Number

Swansea University (UK Secure eResearch Platform)

Data centre

Z6102454

Sirius Open Source

Managed Service Provider

Z9718022

 

Is data ever sold to insurance, pharmaceuticals or any other third party?
No, data is never sold. It is also never used by any external companies.

Sometimes pharmaceutical companies conduct clinical trials in the NHS. These trials are very strictly regulated by the NHS. So the pharmaceutical companies know which parts of the NHS are best to work with for a particular trial, they sometimes ask: “How many patients in your service have disease X?” CRIS may be used to help answer these types of questions. The companies never get to see or use CRIS, and any work carried out to find patients who might be suitable for research will be carried out by approved NHS Trust users only.

Is CRIS an Opt in or an Opt out model? CRIS works on an opt-out model. Data is de-identified and is anonymous when made available for research. However, patients always have the option to opt their record out from being included in CRIS. Details of how this works can be found on your local Trust website.

What is federation and federated search?

Federation relates to how the CRIS databases are set up. Data is not pooled and each Trust have their own CRIS database. At times NHS Trusts and their associates, may wish to work together on a project where having a larger amount of (de-identified) data can help provide a better understanding/comparison of how a treatment or intervention may be working for example. Following a review and approval process the member Trusts wishing to work together can sanction a federated search project. This would allow an authorised researcher to run a query against their own instance of CRIS and the other Trust(s) CRIS database who agreed to work together. This can help add numbers to research projects, which makes findings more reliable and more representative. The national governance group oversee and the terms for using federated search and these are captured in the UK-CRIS Data Sharing Agreement (DSA) for Federated Search.

The DSA has been drafted and ratified by all member Trusts, input from the national governance group was sought during the drafting stage.  The DSA reflects and accounts for any new requirements set out by the General Data Protection Regulation and Data Protection Act 2018, it has also been drafted in accordance with the Information Commissioner’s Office’s ‘Data Sharing Code of Practice’. It clearly defines the scope and propose of any proposed sharing, of de-identified data, between Trusts, it also sets out each Trust’s roles and responsibilities to each other when it comes to sharing de-identified data.   

 

Who has reviewed CRIS and its processes in respect to privacy?
CRIS has been reviewed and approved internally by each member Trust and has also undergone an external review by the Health Research Authority, the Confidentiality Advisory Group and several ethics boards. A Data Protection Impact Assessment (DPIA) has been completed by the UK-CRIS team in addition to each Trust completing one of their own, externally Kaleidoscope Consultants carried out a Privacy Impact Assessment.

Data Security and Continued Improvement 

To ensure the continued security and privacy of patient data being processed in the UK-CRIS system (CRIS), an assessment was carried out to review the technical and organisational controls in place. This included; an independent assessment of the system and its controls before the system was launched, assessments carried out by each individual NHS Trust using CRIS as well as periodic re-assessments to update and reflect any changes in the legislation and account for advances in technology or cyber security. Each assessment has found UK-CRIS to have a robust data security and governance model in place, that ensures data is secured throughout the lifecycle of processing and there are appropriate checks and balances in place to ensure the system is actively monitored (by each Trust and the overarching national governance group) to ensure accountability. Patients and members of the public have been engaged in the implementation of the UK-CRIS system at each NHS Trust and their input has been sought on the design and development of public facing material to ensure the language is consistent and understandable. Alongside this, we encourage active participation, in the governance of each local system, by patient and members of the public, as well as them having representation on each Trust’s CRIS oversight committee.  

In addition, the UK-CRIS system underwent a set of independent security tests (known as ‘penetration tests’) to test the system for any security vulnerabilities. This process found no high-level risks present in the system and recognised that the measures implemented to secure data were of industry standard and met national and international guidance in this space (e.g. ISO 27001 and National Institute for Standards and Technology).

Further details on the Data Protection Impact Assessments and/or security tests can be requested from the UK-CRIS team or the NHS Trusts who are members of the CRIS Network. To find out more, please use the contact form on our contact page: https://crisnetwork.co/contact

Where can I find out more?
Get in touch using the form on the contact page or speak to your local CRIS Network Member NHS Trust. We always welcome feedback and input to continually improve the CRIS Network so please do let us know your thoughts.