Data security practices are essential to meeting legal requirements and public expectations

Data security and management practices are key to meeting legal requirements and public expectations for the protection of their health information. They ensure that data held by national custodians is safe, that it is safe during any transfers and that it remains safe when it is shared with others. Countries provided excellent examples of how data are kept safe through strong internal policies and guidelines and practices and a set of data governance mechanisms that provide a strong protection against re-identification and breach risks. These include secure channels for data transfers; data sharing agreements and contracts binding data recipients to the rules they need to follow to protect data privacy and confidentiality; mechanisms to ensure compliance with data sharing agreements and contracts including follow-ups and audits; and penalties for non-compliance. Further, countries provided examples of how access to microdata for approved projects can be provided without transferring data to third parties. These mechanisms are secure supervised research data centres and secure remote data access facilities. These secure mechanisms for data access are particularly promising for the future of national and multi-country statistics and research projects.

The Advisory Panel of Experts on Health Information Infrastructure identified the following data security and management practices as key elements of privacy-protective data use:

7. Best practices in data security and management should are applied to reduce re-identification

and breach risks

Data security and management practices should provide for:

• a) Controlling and monitoring physical and IT data security within data custodians and processors.
• b) Controlling and monitoring to ensure that access to and use of personal health data within data custodians or processors is performed by staff subject to confidentiality rules/regulations.
• c) Limiting data transfers to and from data custodians or processors to secure channels.
• d) Requiring legally binding contracts with recipients of personal health data or de-identified person- level data from custodians or processors that specify the data confidentially and security requirements to be respected.
• e) Ensuring data custodian staff, data processor staff and third-party data recipients of personal health data or de-identified person-level data have mandatory and periodic training on data privacy and security protection through on-line training or other means.
• f) Before transferring data, reviewing the physical security and security policies and practices of data recipients and any parties mediating data transfers.
• g) Conducting independent and random data security audits of data recipients and any parties mediating data transfers.
• h) Following-up with data recipients to verify data destruction requirements and any other end of contract requirements have been met.
• i) Offering alternatives to transferring data, such as providing data access within a research data centre or through a secure data portal, or analysing the data within a certified/accredited organisation.
• j) Implementing penalties for data misuse by any party, such as contractual, financial or criminal penalties.