The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS




1. Introduction

The Research Governance Framework for Health & Social Care incorporates the requirements of the Data Protection Act. The Framework requires that patient data used in research should be used fairly, appropriately and according to the law. This guidance summarises the main principles of data protection law (Caldicott Principles 1997 and the Data Protection Act 1998), defines key terms associated with data protection (see appendix 1), and gives practical advice to ensure that researchers are compliant with the law.

2. The Data Protection Act 1998

The Data Protection Act requires that a person should know what personal information about them is held and why. When people give information they should be told what it will be used for, and to whom it will be passed. The Act came into force in 2000 and applies to manual records as well as those held on computers. It states that when personal information is used the 8 principles set out below should be followed to ensure that the information is handled properly. The Trust and its employees are legally obliged to comply with these requirements.

The data must be:

- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive for the purpose
- Accurate
- Not kept for longer than necessary
- Processed in line with a person's rights
- Secure
- Not transferred without adequate protection

3. Caldicott Principles

The Caldicott Principles were produced by the Caldicott Committee following its review of patient identifiable information in 1997. These place requirements on the Trust and its employees to ensure that identifiable patient information is handled properly. The principles are as follows:

- Justify the purpose: every proposed use or transfer of personal information should be clearly defined.
- Only use if necessary: patient identifiable information should not be used unless there is no alternative.
- Use the minimum necessary: if it is essential that patient identifiable information is used then the amount used should be kept to an absolute minimum.
- Access should be restricted to those who need to know: only those who need access to patient identifiable data should have access to it, and they should only have access to the items they need to see.
- Everyone involved should be aware of their responsibilities: all should be aware of their obligations and principles in relation to these principles.
- Understand and comply with the law: each time data is used or transferred it must be within the remit of the law.

Each Trust must have a designated person, the Caldicott Guardian, who is responsible for ensuring compliance with these requirements. The Caldicott Guardian in this Trust is the Medical Director.

4. Data Protection and Research

4.1 Obtaining Data Fairly

4.1.2 Consent

Individual patient consent is not required for collecting personal data for healthcare and audit purposes. However, if the data is needed for research purposes the patient must be fully informed about the use of the data and their written consent obtained for its use, wherever practically possible. Research consent forms that participants sign when consenting to take part in a research project usually include a statement about the use of personal information and are available from research ethics committees.

Please note that simply because obtaining consent has practical difficulties, it does not mean that it is not required. Every effort must be made to fully inform and secure the consent of patients involved in a study.

In exceptional circumstances it may be possible to use data without individual patient consent. Applications for use of patient-identifiable data without consent must be made to the Secretary of State for Health via the Patient Information Advisory Group, PIAG. The Data Protection Officer can advise on this.

If researchers need access to individual medical notes, someone with an existing duty of care to the patient must first contact the patient to obtain their consent. This will normally be done by a health professional who is currently treating, or has recently treated, the patient.

4.1.3 Anonymous Information

All information should be coded or anonymised as far as possible and as early as possible after collection. Anonymous data, where the link between the data and the person to whom it refers has been irretrievably broken, can be used for research purposes without seeking individual patient consent. However, the researcher will not necessarily be able to obtain the initial identifiable data. The identifiable data should first be anonymised by the person with a duty of care (see above) to the patients whose data is to be used.

4.2 What Data Can Be Collected?

Only personal data that is essential to the research project should be collected, although any personal data may be collected providing the individual has given their consent. Open-ended consent is not acceptable; researchers should be able to explain precisely to research participants what data are needed, why they are needed and how they will be used.

4.3 Keeping Data Secure

All data collected should be kept confidential and researchers should put in place and maintain good security measures, bearing in mind any practical constraints. The principal investigator must take personal responsibility for ensuring that security arrangements are sufficient to prevent unauthorised breaches of confidentiality. The following tips may be helpful:

- Restrict access to the data to the small number of people who need to know.
- Personal information should be handled only by health professionals and staff with equivalent duty of confidentiality.
- Paper based records should be held in a locked filing cabinet and office.
- Computer files should be accessible via password only.
- Patient details should not be sent by email except between addresses within the Trust.

4.4 Archiving Data

Research data need to be retained for the longer term for a number of reasons: the records may be required for scientific validation of research, for future research or for audit purposes. The Data Protection Act allows for data to be held for as long as is necessary and good research practice (MRC Ethics Series: Good Research Practice) advises that:

- General research data is held for at least 10 years following completion of a research project.
- Commercially funded research data must be held for 15 years.
- Public health study data should be retained for 20 years to provide scope for longer follow up.
- Anonymised data may be held for as long as the researcher requires.

Where the principal investigator leaves the Trust the responsibility for information from his/her research project passes to the Trust and arrangements should be made to hold or archive the records in a secure location.

5. Trust and Research Ethics Committee Approval

Data protection is a key consideration for both the Trust and the Research Ethics Committee (REC) when reviewing a project. Neither the Trust nor the REC will give approval for a project to proceed until it is assured that the principal investigator is aware of and compliant with the law. The proper handling of data should be considered by the CMT research lead when reviewing a research proposal.*

Researchers should ensure that they consider the requirements of the Data Protection Act and the Caldicott principles in the initial stages of formulating their research proposal. Advice should be sought as early in the research process as possible from the Trust Data Protection Officer (contact details below) to ensure that the research will be compliant with data protection law.

*Please note the R&D approval form will shortly be updated to seek confirmation that the principal investigator has considered relevant guidance and is compliant with data protection law.

6. Further Information

Further advice can be obtained from the Trust Data Protection Officer. The Data Protection Officer works closely with the Medical Director who is the Trust's Caldicott Guardian, and can also advise on Caldicott requirements.

7. Useful Reading

- MRC Ethics Series: Personal Information in Medical Research (www.mrc.ac.uk)
- MRC Ethics Series: Good Research Practice (www.mrc.ac.uk)
- Research Governance Framework for Health and Social Care (1st Edition, March 2001) (www.dh.gov.uk)

Appendix 1 Definitions

The following definitions are taken from the MRC Ethics Series: Personal Information in Medical Research (October 2000).

- Personal Information refers to all information about individuals, living or dead. This includes written and electronic records, opinions, images, recordings, and information obtained from samples.
- Personal Data comprise information about living people who can be identified from the data, or from combinations of the data and other information which the person in control of the data has, or is likely to have in future.
- Anonymised Data are data prepared from personal information, but from which the person cannot be identified by the recipient of the information.
- Linked Anonymised Data is anonymous to the people who receive and hold it but contains information or codes that would allow others to identify people from it.
- Unlinked Anonymised Data contains no information that could reasonably be used by anyone to identify people.
- Coded Data is identifiable personal information in which the details that could identify people are concealed in a code, but which can be readily decoded by those using it. It is not anonymised data.
- Confidential Information is any information obtained by a person on the understanding that they will not disclose it to others, or obtained in circumstances where it is expected that they will not disclose it. The law assumes that whenever people give personal information to health professionals caring for them, it is confidential as long as it remains personally identifiable.
- Sensitive Information refers to information about mental health, sexuality and other areas where revealing confidential information is especially likely to cause embarrassment or discrimination. The Data Protection Act 1998 defines sensitive personal data as all information about physical or mental health or condition, or sexual life.