The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS

Transcription

1 The Leeds Teaching Hospitals NHS Trust Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS 1. Introduction The Research Governance Framework for Health & Social Care incorporates the requirements of the Data Protection Act. The Framework requires that patient data used in research should be used fairly, appropriately and according to the law. This guidance summarises the main principles of data protection law (Caldicott Principles 1997 and the Data Protection Act 1998), defines key terms associated with data protection (see appendix 1), and gives practical advice to ensure that researchers are compliant with the law. 2. The Data Protection Act 1998 The Data Protection Act requires that a person should know what personal information about them is held and why. When people give information they should be told what it will be used for, and to whom it will be passed. The Act came into force in 2000 and applies to manual records as well as those held on computers. It states that when personal information is used the 8 principles set out below should be followed to ensure that the information is handled properly. The Trust and its employees are legally obliged to comply with these requirements. The data must be: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive for the purpose Accurate Not kept for longer than necessary Processed in line with a person s rights Secure Not transferred without adequate protection 3. Caldicott Principles The Caldicott Principles were produced by the Caldicott Committee following its review of patient identifiable information in These place requirements on the Trust and its employees to ensure that identifiable patient information is handled properly. The principles are as follows: Justify the purpose: every proposed use or transfer of personal information should be clearly defined.

2 Only use if necessary: patient identifiable information should not be used unless there is no alternative. Use the minimum necessary: if it is essential that patient identifiable information is used then the amount used should be kept to an absolute minimum. Access should be restricted to those who need to know: only those who need access to patient identifiable data should have access to it, and they should only have access to the items they need to see. Everyone involved should be aware of their responsibilities: all should be aware of their obligations and principles in relation to these principles. Understand and comply with the law: each time data is used or transferred it must be within the remit of the law. Each Trust must have a designated person, the Caldicott Guardian, who is responsible for ensuring compliance with these requirements. The Caldicott Guardian in this Trust is the Medical Director. 4. Data Protection and Research 4.1 Obtaining Data Fairly Consent Individual patient consent is not required for collecting personal data for healthcare and audit purposes. However, if the data is needed for research purposes the patient must be fully informed about the use of the data and their written consent obtained for its use, wherever practically possible. Research consent forms that participants sign when consenting to take part in a research project usually include a statement about the use of personal information and are available from research ethics committees. Please note that simply because obtaining consent has practical difficulties, it does not mean that it is not required. Every effort must be made to fully inform and secure the consent of patients involved in a study. In exceptional circumstances it may be possible to use data without individual patient consent. Applications for use of patient-identifiable data without consent must be made to the Secretary of State for Health via the Patient Information Advisory Group, PIAG. The Data Protection Officer can advise on this. If researchers need access to individual medical notes, someone with an existing duty of care to the patient must first contact the patient to obtain their consent. This will normally be done by a health professional who is currently treating, or has recently treated, the patient Anonymous Information All information should be coded or anonymised as far as possible and as early as possible after collection. Anonymous data, where the link between the data and the person to whom it refers has been irretrievably broken, can be used for research purposes without seeking individual patient consent. However, the researcher will not necessarily be able to obtain the initial identifiable data. The identifiable data should first be anonymised by the person with a duty of care (see above) to the patients whose data is to be used.

3 4.2 What Data Can Be Collected? Only personal data that is essential to the research project should be collected, although any personal data may be collected providing the individual has given their consent. Open ended consent is not acceptable, researchers should be able to explain precisely to research participants what data are needed, why they are needed and how they will be used. 4.3 Keeping Data Secure All data collected should be kept confidential and researchers should put in place and maintain good security measures bearing in mind any practical constraints. The principal investigator must take personal responsibility for ensuring that security arrangements are sufficient to prevent unauthorised breaches of confidentiality. The following tips may be helpful: Restrict access to the data to the small number of people who need to know. Personal information should be handled only by health professionals and staff with equivalent duty of confidentiality. Paper based records should be held in a locked filing cabinet and office. Computer files should be accessible via password only. Patient details should not be sent by except between addresses within the Trust. 4.4 Archiving Data Research data need to be retained for the longer term for a number of reasons: the records may be required for scientific validation of research, for future research or for audit purposes. The Data Protection Act allows for data to be held for as long as is necessary and good research practice (MRC Ethics Series: Good Research Practice) advises that: General research data is held for at least 10 years following completion of a research project. Commercially funded research data must be held for 15 years. Public health study data should be retained for 20 years to provide scope for longer follow up. Anonymised data may be held for as long as the researcher requires. Where the principal investigator leaves the Trust the responsibility for information from his/her research project passes to the Trust and arrangements should be made to hold or archive the records in a secure location. 5. Trust and Research Ethics Committee Approval Data protection is a key consideration for both the Trust and the Research Ethics Committee (REC) when reviewing a project. Neither the Trust nor the REC will give approval for a project to proceed until it is assured that the principal investigator is aware of and compliant with the law. The proper handling of data should be considered by the CMT research lead when reviewing a research proposal.* Researchers should ensure that they consider the requirements of the Data Protection Act and the Caldicott principles in the initial stages of formulating their research proposal. Advice should be sought as early in the research process as possible from the Trust Data Protection Officer (contact details below) to ensure that the research will be compliant with data protection law. *Please note the R&D approval form will shortly be updated to seek confirmation that the principal investigator has considered relevant guidance and is compliant with data protection law.

4 6. Further Information Further advice can be obtained from the Trust Data Protection Officer. The Data Protection Officer works closely with the Medical Director who is the Trust s Caldicott Guardian, and can also advise on Caldicott requirements. 7. Useful Reading MRC Ethics Series: Personal Information in Medical Research ( MRC Ethics Series: Good Research Practice ( Research Governance Framework for Health and Social Care (1 st Edition, March 2001) (

5 Appendix 1 Definitions The following definitions are taken from the MRC Ethics Series: Personal Information in Medical Research (October 2000). Personal Information refers to all information about individuals, living or dead. This includes written and electronic records, opinions, images, recordings, and information obtained from samples. Personal Data comprise information about living people who can be identified from the data, or from combinations of the data and other information which the person in control of the data has, or is likely to have in future. Anonymised Data are data prepared from personal information, but from which the person cannot be identified by the recipient of the information. Linked Anonymised Data is anonymous to the people who receive and hold it but contains information or codes that would allow others to identify people from it. Unlinked Anonymised Data contains no information that could reasonably be used by anyone to identify people. Coded Data is identifiable personal information in which the details that could identify people are concealed in a code, but which can be readily decoded by those using it. It is not anonymised data. Confidential Information is any information obtained by a person on the understanding that they will not disclose it to others, or obtained in circumstances where it is expected that they will not disclose it. The law assumes that whenever people give personal information to health professionals caring for them, it is confidential as long as it remains personally identifiable. Sensitive Information refers to information about mental health, sexuality and other areas where revealing confidential information is especially likely to cause embarrassment or discrimination. The Data Protection Act 1998 defines sensitive personal data as all information about physical or mental health or condition, or sexual life.