RD SOP17 Research data management and security

Transcription

1 RD SOP17 Research data management and security Version Number: V2 Name of originator/author: Dr Andy Mee, R&I Manager Name of responsible committee: R&I Committee Name of executive lead: Medical Director & Director of Quality Assurance Date V1 issued: July 2010 Last Reviewed: January 2015 Next Review date: January 2017 Scope: Trust wide MMHSCT Policy Code Page 1 of 12

2 Document Title / Ref: Lead Executive Director Author and Contact Number Type of Document Document Purpose Document Control Sheet RD SOP17 Research data management and security Medical Director R&I Manager Standard Operating Procedure Broad Category Research Scope Version number Consultation R&I Committee Approving Committee R&I Committee Approval Date July 2010 Ratification Trust Management Board /Operational Date of Ratification July 2010 and Date Management Team / Committee V1 Valid from Date July 2010 Current version is valid from approval date Date of Last Review January 2013 Date of Next Review January 2015 Procedural Documents to be read in None conjunction with this document: Training Needs Analysis Impact There are no Training requirements for this procedural document Click here to enter text. Financial Resource Impact There are no Financial resource impacts Click here to enter text. Document Change History Changes to this document in different versions must be detailed below. Rationale for the change should also be given Version Number / Name of procedural document this supersedes Type of Change i.e. Review / Legislation / Claim / Complaint Date 1.0 Review January 2013 Details of Change and approving group or Executive Lead (if done outside of the formal revision process) External references used in the creation of this document: If these include monitoring duties upon the Trust for this policy the specific details should be recorded on the Monitoring and Compliance Requirements sheet Privacy Impact N/a Any issues? Choose an item. Assessment submitted Fraud Proofing N/a Any issues? Choose an item. submitted If not relevant to this procedural document give rationale: Page 2 of 12

3 Policy authors are asked to consider each of the nine protected characteristics under the Equality Act We expect you to demonstrate that throughout the policy process you have had regard to the aims of the Equality Duty: 1. Eliminate unlawful discrimination, harassment and victimisation and any other conduct prohibited by the Act; 2. Advance equality of opportunity between people who share a protected characteristic and people who do not share it; and 3. Foster good relations between people who share a protected characteristic and people who do not share it. Please provide a brief account of how you have done this, further work to be completed and any support you have had in considering the aims and working in compliance with the Equality Duty. If you are unclear on how to do this or would like further advice and support then you may contact quality.admin@mhsc.nhs.uk. It is the responsibility of the approving group to ensure this statement reflects the Trusts objectives and position with compliance as set out within the NHS Equality Delivery System In line with the Trust values we may publish this document on our External Website. Is there any reason you would prefer this is not done? It is the Authors responsibility to ensure all procedural documents comply with the Trust values If you are unclear on any of the requirements in the document control sheet then please quality.admin@mhsc.nhs.uk before proceeding Page 3 of 12

4 Monitoring and Compliance Requirements Sheet For audit, Registration and NHSLA purposes all procedural documents must have monitoring requirements or key performance indicators set by the authors, Committees or Lead Directors. This allows the Trust to routinely monitor the effectiveness and impact of their procedural documents on a regular basis. Procedural Document Title: RD SOP17 Research data management and security Does this procedural document offer support or evidence for the Trusts registered activities and outcomes? No Primarily Additional Not Applicable Additional Is this an NHSLA Document? No Which Standard does this relate to? Governance Which Criterion Not Applicable Choose an item. Choose an item. If other Monitoring requirements are necessary i.e. Health & Safety Act and you should include them here and record them in the External References section Specify where the requirement originates Minimum Requirement / Standard / Indicator to be monitored & Section of document it appears Process for monitoring Audit Audit Audit Audit Responsible Individual / Group Additional Details i.e. Section number, Code of Practice Frequency of Monitoring Yearly Yearly Yearly Yearly Responsible Group for review of results / action plan approval / implementation Comments NB: If you have selected audit you should complete the required audit registration form and standards document and submit these with your expected timescales for completing the audit to quality.admin@mhsc.nhs.uk as soon as possible and no later than 4 weeks prior to the audit commencing. The Group / Committee should also ensure the monitoring work is added to their yearly schedule of monitoring and action logs as appropriate. Page 4 of 12

5 Contents Page Section Title Page Number 1 Introduction Purpose Roles and Responsibilities Duties within the Organisation Specific to this SOP Data Management and Security Procedure Basic Terms Personal data Anonymised data Pseudo-anonymised data Source documents Source data Data Management Data Security Data Transfer Equality Impact Assessment Consultation, Approval and Ratification Process Consultation and Communication with Stakeholders SOP Approval Process Dissemination and Implementation Dissemination Implementation of Procedural Documents Review, Monitoring Compliance With and the Effectiveness of Procedural Documents Process for Monitoring Compliance and Effectiveness Standards and Key Performance Indicators (KPIs) References and Bibliography Associated Trust Documents Page 5 of 12

6 1 Introduction All data collected for research purposes must comply with the Data Protection Act 199 (DPA). This includes data collected from patients, families and staff. The DPA outlines the conditions that must be met by organisations and individuals who hold or process personal identifiable information about living individuals: Personal data should be fairly and lawfully processed Data should be adequate for the purpose and not excessive Data should be obtained for specified purposes Data should be accurate and up to date Appropriate measures should be taken to ensure confidentiality and security of the data Data should be processed in accordance with the rights of the data subject Data should not be kept longer than is necessary Data should not be transferred outside of the European Economic Area without an adequate level of protection The Research Governance Framework for Health and Social Care (2005) incorporates the conditions laid down in the DPA. The Framework states that: The appropriate use and protection of patient data is also paramount. All those involved in research must be aware of their legal and ethical duties. Particular attention must be given to systems for ensuring confidentiality of personal information and to the security of those systems. Around the same time as the DPA was published, a review was commissioned by the Chief Medical Office of England "owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service, and its capacity to disseminate information about patients rapidly and extensively". A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December The 'Caldicott' principles and recommendations apply specifically to patient-identifiable information, and emphasise the need for controls over the availability of such information and access to it. In particular, a Caldicott Guardian, appointed in each NHS organisation, has specific responsibilities to oversee an ongoing process of audit, improvement and control. The six Caldicott principles, applying to the handling of patient-identifiable information, are: Page 6 of 12

7 Justify the purpose(s) of every proposed use or transfer Don't use it unless it is absolutely necessary, and Use the minimum necessary Access to it should be on a strict need-to-know basis Everyone with access to it should be aware of their responsibilities, and Understand and comply with the law. The 199 Data Protection Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation. 2 Purpose The purpose of this SOP is to describe the procedures for managing research data and ensuring that research data is stored in a safe and secure manner. 3 Roles and Responsibilities 3.1 Duties within the Organisation It is the responsibility of the Research Governance co-ordinator (or proxy) to make Trust R&I SOPs available to all research active staff working on Trustapproved research studies It is the responsibility of the study Chief Investigator (CI) or local Principal Investigator (PI) to ensure that up-to-date copies of Trust R&I SOPs are available to research staff It is the responsibility of the study Chief Investigator or local Principal Investigator to inform the Research Governance Co-ordinator of the names of all research staff involved on a study so that copies of SOPs can be distributed appropriately, and to ensure that up-to-date copies are filed in the Investigator Site file and are available to research staff It is the responsibility of the study Chief Investigator or Principal Investigator to designate if the SOPs of another organisation are to be followed for a study. For example those of a Clinical Research Network or commercial sponsor. If there is significant conflict between the external SOP and the Trust R&I SOP it is the responsibility of the CI or PI to resolve these with the Research Office prior to starting the study It is the personal responsibility of all staff to follow Trust (or the designated alternative organisations) procedural documents. 3.2 Specific to this SOP It is the responsibility of the study CI or local PI, to ensure that all data collected for the purposes of a research study complies with the conditions of the DPA (199), with oversight from the Research Office. Page 7 of 12

8 4 Data Management and Security Procedure 4.1 Basic terms Personal data. Personal data is any information that may lead to the identification of a living person that if released would put them at significant risk or harm or distress Anonymised data. Anonymised data is where all patient or participant identifiers (which can include name or initials, address, date of birth, hospital or NHS number) have been permanently removed. Anonymised data are not covered by the DPA Pseudo-anonymised data. Pseudo-anonymised data is where all personal identifiers (which can include name or initials, address, date of birth, hospital or NHS number) are replaced with a unique identifier (e.g. patient study number, patient initials, date of birth). A code should be held separately from patient identifiers, and allow for study un-blinding if required by the protocol Source documents. Source documents are original documents, data and records (e.g. hospital records, clinical and office charts, laboratory notes, diaries or evaluation checklists, laboratory results, x-ray or other scan results, pharmacy dispensing records). These are the essential documents as described by ICH GCP that allow the evaluation and verification of the research study and data collected Source data. Source data are all information in original records and certified copies of original records of clinical findings, observations, or other activities in a research study necessary for the reconstruction and evaluation of the study. Source data are contained in source documents. 4.2 Data Management All research data containing personal information about patients or participants should be anonymised. For certain studies, such as clinical trials of an investigational medicinal product, this may not be possible and the data should be pseudo-anonymised. In these instances, un-blinding procedures for safety reasons should be clearly defined in the protocol Clinical trial data should be collected onto a Case Report Form (CRF). This can be a printed, optical or electronic document and designed to record all the information detailed in the protocol. All staff completing CRFs should be trained to do so. Corrections to the printed CRF should be initialled and dated by the PI or persons delegated to do so. Correction fluid should never be used Clinical trial data from the CRF may be entered onto a database or other data management system. For clinical trials, data entry should be completed by the Data Manager, Data Custodian or other person designated to do so by the Principal Investigator. The data entry process (e.g. single data entry or double data entry methods) should be decided based on the size and complexity of the study. For small single site studies, single data entry (one person) with source verification is usually appropriate. This will involve a Page of 12

9 visual check between what is recorded on the paper CRF and what is entered onto the data management system Missing values, values outside of normal ranges or inconsistencies entered onto CRFs should be reported to the PI Source data verification can be conducted by members of the research team or independent monitors. This will involve cross-checking the data entered onto the CRF against source documents for accuracy All research staff using a data management system should be trained in its proper operation. A training record should be kept and updated following any software changes or upgrades The data management system should be appropriate for the analysis planned, ensure data integrity and be auditable. In the case of certain data management systems (e.g. Microsoft Excel), it may be necessary to save and date older versions of the database or print copies All computer systems used in the conduct of clinical trials of investigational medicinal products (databases, Electronic Data Capture etc), must have their current release number and date of release, last release number and date of release and validation status recorded For information on storage and archiving of files, please refer to RDSOP Data Security All non- electronic data such as paper CRFs and other documents, audio and video recordings, should be kept in locked filing cabinets in lockable rooms only accessible by authorised personnel Electronic data should only be stored on devices that are backed up regularly such as NHS Trust or other servers (e.g. University). This should be confirmed with IT support or by consulting Trust or local policy documents Backup electronic copies should be kept in a separate secure location to the master copy. These should be updated daily Data should be password protected and access limited to authorised personnel. Authorised users should login with their own account details and should never login to provide access to another user A record should be kept of authorised users and their level of access Laptops and memory sticks used to store data should be encrypted by Trust, local IT support or the study coordinating centre. 4.4 Data Transfer Research data transferred within the European Economic Area (EEA) must be fully or pseudo anonymised. Any codes held to unblind or unlock data identity should not be sent. Page 9 of 12

10 4.4.2 Research data transferred outside the EEA must be fully or pseudo anonymised. An agreement should be in place documenting that the data will be held or processed according to the principles outlined in the DPA (199). Any codes held to unblind or unlock data identity should not be sent Participants should be consented for their data to be transferred to a third party Approvals from the relevant ethics committee and/or Caldicott Guardian (the Trust Medical Director) should be obtained before data is transferred to a third party. 5 Equality Impact Assessment 5.1 This SOP has been equality impact assessed by the author using the Trust s Equality Impact Assessment (EqIA), which has been submitted to the Equality and Diversity Department for Service Equality Team Sign Off. 5.2 No significant issues in relation to equality, diversity, gender, colour, race or religion are identified as raising a concern. 6 Consultation, Approval and Ratification Process 6.1 Consultation and Communication with Stakeholders All Trust R&I SOPs are written by a member of the Research Office staff with relevant expertise and experience. Additional advice is sought from members of the research community within the Trust, including the Research Committee, or external advisors, as necessary. 6.2 SOP Approval Process All Trust R&I SOPs are subject to approval by the Research Governance Operational Group. The SOP will then be sent to the Trust Management Board for ratification. 7 Dissemination and Implementation 7.1 Dissemination When approved, this SOP will be posted on the Trust Research Office Intranet site; only the current version will be available. A list of current versions will also be posted on the public Trust website; researchers who do not have access to the intranet should refer to this list and request copies from the Research Office accordingly All researchers listed on the Research Office active researcher mailing list will be notified by when an updated version of an SOP is available. 7.2 Implementation of Procedural Documents Support and advice on the implementation of this SOP can be obtained via the Research Office or the R&I Manager. Page 10 of 12

11 Review, Monitoring Compliance With and the Effectiveness of Procedural Documents.1 Process for Monitoring Compliance and Effectiveness.1.1 Review will be undertaken by the Research Office Management. Compliance with the Trust R&I SOPs by researchers will be monitored via the Trust s Research Governance Monitoring Programme where appropriate..1.2 SOP contents will be reviewed against any changes to the applicable guidelines and regulations and taking into account any feedback received from researchers or via the Monitoring Programme..1.3 Review and monitoring will be conducted based on an initial risk assessment of the project. This process may change based on results on any monitoring visit..1.4 The outcome of the review and any resulting amendments - will be reported to the R&I Committee..2 Standards and Key Performance Indicators KPIs.2.1 This SOP will be available on the Trust intranet..2.2 This SOP must be reviewed at least every two years or when there are significant changes to the document. 9 References and Bibliography Data Protection Act (199) Caldicott Report (1997) ce/dh_ Research Governance Framework for Health and Social Care (2005) e/dh_ International Conference on Harmonisation Topic E 6 (R1) Guideline for Good Clinical Practice (2002) Associated Trust Documents Information Governance Policy, version 1 (approved March 2009) Page 11 of 12

12 Information Security Policy, version 2 (approved March 2010) RDSOP 1: Statistical Management RDSOP21: Retention of Data, Archiving and Destroying Documents Page 12 of 12