
Background

The Data Protection Act 1998 [i] came into force in March 2000 and is followed by all NHS employed staff via their policies and procedures. The act applies to all personal, identifiable information about living individuals and applies to patients in relation to research when collecting this type of data. As all NHS staff comply with the Data Protection Act this SOP will not go into detail of the principles, but will cover aspects particularly important to research.

The Freedom of Information Act 2000 [ii] gives a general right of access to all types of recorded information held by a public authority and is also followed by the NHS and its employees, and as such will not be covered in detail in this SOP.

This SOP is an abridged version of CTRU SOP DM001 Data Protection, written specifically for NHS staff as they already comply with data protection principles. Access to DM001 can be provided on request to the CTRU.

Purpose

The purpose of this SOP is to ensure that NHS employees and associated trial staff are both aware of and comply with the requirements of the Data Protection Act and the Freedom of Information Act when working with research data.

Scope

This SOP addresses the requirements of the Data Protection Act for NHS staff in relation to research, specifically research that involves Sheffield CTRU. The informed consent process does not fall within the scope of this SOP; please refer to SSU001 Informed Consent Procedures. CTRU has various SOPs covering data management which address the responsibility for keeping electronic data secure on CTRU's servers.

Definitions

Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.

Sensitive personal data - information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or offences or alleged criminal offences.

Anonymised data - information which does not identify an individual. Anonymisation requires the removal of personal data and any other combination of details that might support identification.

Pseudonymised data - data that have been given a unique identifier, removing the need to refer to personal data. Unlike anonymised data, pseudonymisation is a reversible process; there will be a process to allow the unique identifier to be linked to the personal data.

Unique identifier - A unique identifier is a code used to uniquely identify each participant in a study.

Procedure

Who?

Every individual with responsibility for collecting, processing, storing and transferring participant data must follow the guidelines contained in this standard operating procedure. This applies to both paper and electronic data.

When?

This SOP covers every stage of a study where collection, processing, access and transfer of data are involved.

How?

Study design and data collection (Principles 2 & 3 of The Data Protection Act)

Personal data should only be collected where the study specifically requires it (for instance names and addresses may need to be collected where there is a need to post follow-up questionnaires to a study participant). It is recommended that unique identifiers be used to identify study participants instead of using names or other personal information. The investigator should keep a subject identification code list containing the names of all participants linked to unique identifiers, as stipulated in ICH GCP [iii].

Data processing (Principles 1, 4 & 6 of The Data Protection Act)

In order to process personal data fairly and lawfully, it is usually necessary for studies to obtain informed consent before an individual participates in a study. As part of the informed consent process, study participants should be made aware, usually via the participant information sheet, of their rights and of which data are being collected about them and how the data will be used.

Where possible, study teams should take measures to ensure that participants' contact details are kept up-to-date to ensure that (1) follow-up information can be collected and (2) the possibility of sending the follow-up to the wrong address (which would risk revealing a participant's sensitive personal information to someone else) is minimised. Equally, to avoid causing any distress, it may be appropriate to check on participants' mortality status before contacting them.

Data storage and access (Principle 7 of The Data Protection Act)

All data should be held securely in rooms which will be locked when not occupied, and paper data (e.g. CRFs) should be stored in locked cupboards or cabinets where possible. Where collected, personal and sensitive data should be accessible only to study personnel with appropriate authorisation and should not be left unattended at any time.

Electronic data should be held in a password-protected, access-controlled environment, such as a networked server. Any study data stored outside this environment (e.g. on a portable device or a computer's local hard drive) should be encrypted to prevent access in the event of loss or theft.

All individuals accessing study databases should be aware of their responsibilities to safeguard the data. They should not write down or share their login credentials with anyone else.

Data and document transfer (Principles 7 & 8 of The Data Protection Act)

Study staff should consider the nature and sensitivity of data or documents to be sent elsewhere, and should ensure that appropriate security measures are taken. Depending on the method of transfer, these may include:

- couriered delivery with sender/recipient signatures
- tamper-proof or tamper-evident envelopes
- use of a secure fax machine
- encrypting and/or password-protecting electronic files

Individuals should retain copies of Air Waybills (AWBs) or other transfer documentation to aid tracking where applicable. Where original material is being transferred, individuals should consider retaining a back-up. To close the transfer process, the recipient should be asked to acknowledge safe arrival of what has been sent.

Where data are to be transferred to a recipient outside the European Economic Area, Principle 8 of the Data Protection Act requires that a standard of security that would apply in the EEA will be maintained outside the EEA. Study participants should be aware of and provide consent to their data being transferred out of the EEA.

Disposal of data

The Data Protection Act requires that data be retained only for as long as necessary. This requirement should be considered in conjunction with the study-specific retention requirements, whereby the study data and documentation will be archived for an agreed number of years after which the study sponsor will give authorisation for the study material to be disposed of. Please follow your trust's policies for disposing of confidential waste; both paper and electronic formats need to be considered.

Freedom of Information

NHS trusts will have nominated individuals responsible for dealing with Freedom of Information requests. Please refer any requests for information specific to the research to the study manager.

Document history

Version: 1
Date approved: As per signature
Reason for change: An abridged version of DM001 written specifically for NHS staff working on CTRU-managed studies.

[i] Data Protection Act (http://www.ico.gov.uk/for_organisations/data_protection.aspx), last accessed 30/10/2012
[ii] Freedom of Information Act (http://www.ico.gov.uk/for_organisations/freedom_of_information.aspx), last accessed 30/10/2012
[iii] ICH GCP (E6) (http://ichgcp.net), last accessed 30/10/2012