NICOR security only allows access to authorised users
NICOR data collection system
NICOR uses IBM Lotus Notes® and IBM Lotus Domino® in its software infrastructure. Users connect to the data collection system either over the N3 network (a private data network that provides the entire NHS with fast broadband networking services) or over the internet via an internet service provider, in both cases through TCP port 1352.
Each hospital user can access the NICOR data collection system and can create a locally encrypted replica of the database, so response times do not depend on local network performance. Replication with the central system occurs automatically every time the local replica is opened or closed.
Opening a database lets users see all the documents they are authorised to view, create new documents, or edit existing information. Once data has been entered it is synchronised with the central system, where it is analysed to provide feedback that is then reported back to the user.
NICOR has designed security mechanisms that allow only authorised users to access information on the NICOR data collection and reporting system. Users can only see records submitted by their own organisation, and published information contains only comparative analysis figures.
Several levels of security are built into the system:
- ID security: each audit database is accessed through an IBM Lotus Notes® ID. The ID can be set to expire or have its access terminated, preventing unauthorised users from accessing the system. A complex password is required to use the IBM Lotus Notes® ID, and the password can be set to expire after a given period, forcing the user to change it regularly.
- Server security: the central (server-based) audit application database replicas are protected by server security, preventing unauthorised access to the database or replication of data to it.
- Application security: access to the IBM Lotus Notes® database is controlled by a database Access Control List (ACL). This records when users have accessed data. Users and organisations only have access to their own records. Users may be given ‘read only’ or editing rights. Users can only delete records if they have the correct permissions.
- The application is encrypted: an authorised ID file (and knowledge of its password) must be present on the computer from which access to the application is requested.
- All system database accesses are recorded in a system log file that can be audited in the event of suspected security threats or data misuse.
The information recorded and managed by NICOR about patients and the clinical care they have received is confidential. Strict security measures are in place to safeguard patient information.
NICOR conforms to the Data Protection Act for the collection and use of patient identifiable data. We work with the Confidentiality Advisory Group (CAG) of the NHS Health Research Authority (HRA), the Care Quality Commission (CQC) and the Healthcare Quality Improvement Partnership (HQIP) to ensure support is provided under section 251 of the NHS Act 2006.
Section 251 of the NHS Act 2006 allows the common law duty of confidentiality to be set aside in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable. All current NICOR audits have section 251 approval.
NICOR does not publish information that can identify individual patients. We maintain the confidentiality and security of patient information in the following ways:
- Once captured, data is only accessible to the people who store it. Patients can choose to opt out of the audit, in which case their details will not be stored or used for any purpose by the audit.
- The patient forename and surname are not extracted from the database or used in any analysis.
- No NHS numbers, or other information that can be used to identify individuals (such as postcode, date of birth, hospital case record number) are included in analyses or reports, or released to third party research groups.
- To this end, a number of data transformations are in place to reduce the identifiability and sensitivity of data items. For example, postcode is converted to a deprivation index and date of birth is converted to age at admission.
- The NHS number is validated and retained as a unique identifier for conducting data linkage to other data sets (e.g. life status information from the Office for National Statistics).
- All reports are produced at an aggregate level (national, LAT, CCG, Trust, hospital), never at patient level.
- A statistical risk assessment is completed for each publication of data, and small number suppression techniques are used to ensure that analysis is not disclosive. This is in line with ONS guidelines: Review of the Dissemination of Health Statistics: Confidentiality Guidance (PDF).
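As an added illustration of the transformations and small number suppression described above (this is example code, not NICOR's own implementation), the block below drops direct identifiers, derives age at admission and a deprivation index from a constructed postcode lookup, and suppresses small cells in a per-hospital outcome table. The threshold of 5 and all sample values are assumptions for the example.

```python
from collections import Counter
from datetime import date
# Assumed for this example (the page does not state NICOR's own threshold):
# a cell counting 1 to THRESHOLD-1 patients is withheld.
SMALL_NUMBER_THRESHOLD = 5
SUPPRESSED = "*"

# Constructed patient-level record and postcode lookup; every value is made up.
SAMPLE_PATIENT = {
    "forename": "Ann", "surname": "Example", "nhs_number": "0000000000",
    "case_record_number": "X123", "postcode": "ZZ1 1ZZ", "dob": "1950-03-04",
    "admission": "2020-01-10", "hospital": "A", "outcome": "survived",
}
DEPRIVATION_LOOKUP = {"ZZ1 1ZZ": 3}
# Constructed analysis records, with Hospital B given one small cell.
SAMPLE_OUTCOMES = (
    [{"hospital": "A", "outcome": "survived"}] * 12 + [{"hospital": "A", "outcome": "died"}] * 6
    + [{"hospital": "B", "outcome": "survived"}] * 9 + [{"hospital": "B", "outcome": "died"}] * 2
)

def age_at_admission(dob_iso, admission_iso):
    """Whole years between date of birth and the admission date."""
    dob, adm = date.fromisoformat(dob_iso), date.fromisoformat(admission_iso)
    return adm.year - dob.year - ((adm.month, adm.day) < (dob.month, dob.day))

def deidentify(record, lookup=DEPRIVATION_LOOKUP):
    """Analysis view: names, NHS number, case number, postcode and date of birth
    are not carried through; derived values replace the last two."""
    return {
        "hospital": record["hospital"],
        "age_at_admission": age_at_admission(record["dob"], record["admission"]),
        "deprivation_index": lookup.get(record["postcode"]),
        "outcome": record["outcome"],
    }

def aggregate_with_suppression(records, threshold=SMALL_NUMBER_THRESHOLD):
    """Count outcomes per hospital, hide small cells (primary suppression), and
    hide the row total when exactly one cell was hidden so it cannot be
    recovered by subtraction (secondary suppression)."""
    counts = Counter((r["hospital"], r["outcome"]) for r in records)
    outcomes = sorted({o for _, o in counts})
    table = {}
    for hosp in sorted({h for h, _ in counts}):
        raw = {o: counts[(hosp, o)] for o in outcomes}
        row = {o: (SUPPRESSED if 0 < n < threshold else n) for o, n in raw.items()}
        hidden = sum(v == SUPPRESSED for v in row.values())
        total = sum(raw.values())
        row["total"] = SUPPRESSED if hidden == 1 or 0 < total < threshold else total
        table[hosp] = row
    return table
```

Secondary suppression here only protects a single table; totals published across several tables (e.g. hospital and Trust level) need the same check against each other.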