Strategic Research Agreements

"Anonymised Data" is defined in Recital 26 of the GDPR as anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Recital 26 goes on to provide that the GDPR and its principles of data protection does not therefore concern the processing of such anonymous information, including for statistical or research purposes. The ICO defines "anonymisation" as the process of stripping personal data of sufficient elements that mean the individual can no longer be identified.

For the data to be considered anonymous, it should not identify any individual and should be unlikely to allow any individual to be identified through its combination with other data.Sensyne Health manages risk in the processing of data using a certified Quality Management System (ISO13485 - Medical Devices Quality Management Systems and ISO27001- Information Security Management Systems) to ensure the safeguarding of data by implementing physical and digital controls and procedures from the data source through to transport, storage, analysis and disposal of anonymised data. Information Security compliance is ensured by means of external certification to ISO27001, which includes specific requirements dictated by GDPR and by internal procedures that address further defined requirements mandated by data protection legislation and security management system.

Sensyne Health is registered with the ICO (Information Commissioner’s Office) as required by GDPR and DPA 2018 (registration number ZA451278).

At the time that we make a request to an SRA partner health system for anonymised patient data, we submit a document to the health system containing specific key information concerning the request, in accordance with an agreed information governance framework and standard operating procedures. Our governance work with the health system is based upon and designed to satisfy the Caldicott Principles for data sharing and relevant data governance legislation such as GDPR. There are two distinct types of data requests that we can make:

A data processing request (“DPP”) outlines the data we are requesting, our intended purpose for analysing the anonymised patient data, the potential patient benefit we expect to arise from our analysis of the data and clear descriptions of the retention and deletion of the data. If the health systems’ Caldicott Guardian/DPO is satisfied with the information provided, he/she approves the request for transfer of the anonymised patient data. Every approved request is logged and filed within the Sensyne Health Quality Management System, for audit purposes and in the interests of transparency.

Authorised personnel at the health system will then extract the requested data from their systems and undertake an anonymisation process on the data, designed to create an anonymised dataset which contains no patient identifiable information. After the anonymisation is completed by the health system, the anonymised patient data is then transferred to Sensyne Health under encryption.
An Aggregate Information Request (“AIR”) is submitted when we require information about the dataset, such as queries concerning aggregate/summary/metadata information; for example, requests of the number of patient records that contain a measurement of a specific vital sign, or requests of number of patients with a specific condition. These requests do NOT require a signature from the health systems’ Caldicott Guardian/DPO, as the risk from a data protection perspective is minimal and is information that could otherwise be obtained with a simple FOI (Freedom of Information) request. We choose however, to formalise AIRs and log them as part of our own process.

All anonymous patient data transferred to Sensyne Health is stored and processed within ISO 27001 certified secure data center environments.

Network access to such networks is restricted via strict Firewall rules, NACLs (Network Access Control Lists), VPN connection and Bastion jump boxes. All Sensyne Health IT environments have multiple network access controls in place. Access to de-identified and anonymised patient data is managed centrally by our IT Team and governed by our ISO certified QMS (quality management system) and IG (information governance) process. All network activity and network traffic flow within secure environments is monitored and controlled. Specific workstations within Life Sciences have controlled access to such data.

Sensyne Health uses Microsoft Azure for its cloud storage and processing environment, which offers greater flexibility, ease of data sharing and transfers, greater resiliency, and a continued robust security infrastructure.

All data will be de-identified and anonymised and include only the minimum required amount of data necessary. Sensyne will be contractually required to access and use data within the highest standards of responsibility and obligation as per the contractual arrangements within the SRA and DPA.

The Azure environment offers improved speed-to-care, provision of cleansed and standardised datasets to improve clinical decision making for patient pathways. This model also offers:

End-to-end encryption providing a flexible and hyper-secure environment that can scale with Trust data and computation requirements to drive continuous innovation for Clinical Care
Creation of a JITD (Just in Time Data) Model that aligns with your clinical workflows to continuously drive efficient and improved standards of care
Ability to leverage a common data model aligned to OMOP and the common healthcare ontology
Enhance Trust R&D capabilities and catalyse Patient Care and Innovation
Automate and secure data sharing with Azure Data Share to control what you share, gain visibility into your data sharing agreements aligned to an agreed term of use
Common Data Model with improved standardisation promoting flexible analysis and intelligence delivery of own Trust data

In addition to the ISO, Data Protection and NHS Digital Data Protection and Security standards that Sensyne aligns to, Microsoft Azure is compliant with the following UK and global standards:

ISO: 20000-1:2011 | 22301 | 27001: 2013 | 27017 | 27018 | 27701 | 9001 | 13485
Cyber Essentials Plus
DPP
FACT (Federation Against Copyright Theft)
G-Cloud
CIS Benchmark
CSA-STAR Attestation / Certification / Self-Assessment
PCI DSS
SOC
WCAG
CDSA
PCI DSS
Shared Assessments
TruSight

Sensyne’s robust Cyber Security framework, MFA (Multi-factor authentication), conditional access controls and Data Loss Prevention methodologies ensure not only that only permitted employees have access to Healthcare organisation data within the Azure environment but also access is restricted to trusted devices and locations. Sensyne Health is able to ensure service provision continuity and complete end-to-end security and protection built on the robustness and security principles of Microsoft Azure. The advanced infrastructure and security capabilities of Microsoft Azure enable greater flexibility and scalability of services whilst providing cutting edge security capabilities.

Please upgrade your browser

We built this website using the latest browser technologies to deliver the very best experience.

Strategic Research
Agreements

Accelerating discovery through health system partnerships

Total Unique Patient Records 25,500,000

Our current SRA and data sharing partnerships include:

FAQs

Partner with us

Find out how we partner with the Life Sciences industry and understand how we could partner with you