Information security and data

Nuffield Trust is dedicated to protecting all data it holds using industry best standards. It is the policy of Nuffield Trust that information assets are protected from all threats, whether internal or external, deliberate or accidental.

We have achieved the ISO/IEC 27001:2013 Information Security standard. Appropriate and secure management of data is included within the scope of the ISMS. This certification validates that Nuffield Trust has implemented the internationally recognised information security controls defined in ISO/IEC 27001:2013. Specifically:

  • Risk assessment and risk treatment
  • Information will be protected against unauthorised access
  • Confidentiality of information will be assured
  • Integrity of information will be maintained
  • Regulatory and legislative requirements will be met
  • Business continuity plans will be produced, maintained and tested
  • Information security requirements will be communicated to all staff
  • IT systems will not be misused.

Data provided to the Nuffield Trust will be processed in accordance with all applicable privacy and data protection legislation. See our Terms and conditions and Privacy notice for more information. For details of our ISO/IEC 27001:2013 certification scope please request a copy of our Information Security Policy.

NHS Digital data access request service (DARS)

A core part of our work at the Nuffield Trust is providing evidence-based research to inform health care policy and generate debate. Analysis of health service data plays an essential part in our work, and we make extensive use of data from NHS Digital. These data are an essential source of information on patient activity and outcomes, which allows comparisons across different parts of the NHS and over time.

We place a very high priority on ensuring that we protect the patient and other information we use in our work and maintain compliance with the internationally recognised ISO 27001 information security standard. We have worked closely with NHS Digital during 2019 to develop a data sharing agreement which covers our research programmes and sets out the purposes and processes which the Trust follows in the use of data. This approach means that we can also respond effectively to new health policy issues and undertake rapid analysis.

For further information, please refer to the purpose statement.

Using patient data in research

Our work uses data provided by patients and collected by the NHS as part of their care and support. Using patient data is vital to improve health and care for everyone. There is huge potential to make better use of information from people’s patient records, to understand more about disease, develop new treatments, monitor safety, and plan NHS services. Patient data should be kept safe and secure, to protect everyone’s privacy, and it’s important that there are safeguards to make sure that it is stored and used responsibly. The Nuffield Trust takes this responsibility seriously and, as stated above, has achieved the ISO 27001 Information Security Standard. The Trust is also committed to ensuring that everyone is able to find out about how patient data is used, and publishes details of the Trust’s processing activities in our privacy statement.