RD SOP17 Research data management and security



Similar documents
Electrical Safety Policy

Ligature Risk Assessment Policy

DATA MANAGEMENT IN CLINICAL TRIALS: GUIDELINES FOR RESEARCHERS

SOP Number: SOP-QA-20 Version No: 1. Author: Date: (Patricia Burns, Research Governance Manager, University of Aberdeen)

Managing & Validating Research Data

Document Number: SOP/RAD/SEHSCT/007 Page 1 of 17 Version 2.0

Information Governance Policy

R&D Administration Manager. Research and Development. Research and Development

CCG: IG06: Records Management Policy and Strategy

Information Sharing Policy

Control of Asbestos Policy

Document Title: Project Management of Papworth Sponsored Studies

Record Management Policy

ROLES, RESPONSIBILITIES AND DELEGATION OF DUTIES IN CLINICAL TRIALS OF MEDICINAL PRODUCTS

Research Governance Standard Operating Procedure

Data Management and Good Clinical Practice Patrick Murphy, Research Informatics, Family Health International

Document Title: Trust Approval and Research Governance

Safe Bathing, Hot Water and Surface Temperature Policy

Archiving of Research Documentation

1.0 Scope. 2.0 Abbreviations. 3.0 Responsibilities

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September Information Governance Manager

RECORDS MANAGEMENT POLICY

Introduction The Role of Pharmacy Within a NHS Trust Pharmacy Staff Pharmacy Facilities Pharmacy and Resources 6

Standard Operating Procedure on Training Requirements for staff participating in CTIMPs Sponsored by UCL

MANAGEMENT OF POLICIES, PROCEDURES AND OTHER WRITTEN CONTROL DOCUMENTS

What is necessary to provide good clinical data for a clinical trial?

Data Protection Policy

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

CONTROLLED DOCUMENT. Uncontrolled Copy. RDS014 Research Related Archiving. University Hospitals Birmingham NHS Foundation Trust

UNIVERSITY OF LEICESTER, UNIVERSITY OF LOUGHBOROUGH & UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST JOINT RESEARCH & DEVELOPMENT SUPPORT OFFICE

This is a controlled document. The master document is posted on the JRCO website and any print-off of this document will be classed as uncontrolled.

Data Protection Policy

This SOP may also be used by staff from other NHS areas, or organisations, with prior agreement.

Information Governance Strategy. Version No 2.1

GCP INSPECTORS WORKING GROUP <DRAFT> REFLECTION PAPER ON EXPECTATIONS FOR ELECTRONIC SOURCE DOCUMENTS USED IN CLINICAL TRIALS

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

Records Management Policy

Concerns and Complaints Policy and Procedure

INFORMATION GOVERNANCE POLICY

Standard Operating Procedures

Information Governance Management Framework

CONTROLLED DOCUMENT- DO NOT COPY STANDARD OPERATING PROCEDURE. STH Investigator

Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.

DATA PROTECTION POLICY

Information Governance Strategy

INFORMATION GOVERNANCE POLICY

SUBJECT ACCESS REQUEST PROCEDURE

Shropshire Community Health Service NHS Trust Policies, Procedures, Guidelines and Protocols

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

TRIAL MASTER FILE- SPONSORED

RECORDS MANAGEMENT POLICY

Policy: D9 Data Quality Policy

Essential Documentation and the Creation and Maintenance of Trial Master Files

The Study Site Master File and Essential Documents

Information Governance Policy

Data Protection Policy

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

STANDARD OPERATING PROCEDURE FOR DATA RETENTION

Data Protection Policy

Version Number Date Issued Review Date V1 25/01/ /01/ /01/2014. NHS North of Tyne Information Governance Manager Consultation

RECOMMENDATION ON THE CONTENT OF THE TRIAL MASTER FILE AND ARCHIVING

Document Title: Research Database Application (ReDA)

Information Governance Policy

MANAGEMENT OF PERSONAL FILES POLICY

INFORMATION GOVERNANCE POLICY

USE OF PERSONAL MOBILE DEVICES POLICY

Guidance for Industry Computerized Systems Used in Clinical Investigations

INTERIM SITE MONITORING PROCEDURE

Site visit inspection report on compliance with HTA minimum standards. London School of Hygiene & Tropical Medicine. HTA licensing number 12066

INFORMATION GOVERNANCE POLICY

INFORMATION LIFECYCLE & RECORDS MANAGEMENT POLICY

JRO RMG RSS SOP 12. Standard Operating Procedure (SOP) for Study Closedown and Archiving Royal Free site specific SOP

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

The Leeds Teaching Hospitals NHS Trust. Research & Development Department DATA PROTECTION IN RESEARCH GUIDANCE NOTES FOR RESEARCHERS

Essentials of RESEARCH GOVERNANCE

The Newcastle upon Tyne Hospitals NHS Foundation Trust. Occupational Health Records Management and Retention Operational Policy

Data Protection Policy

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

STANDARD OPERATING PROCEDURE FOR RESEARCH. Management of Essential Documents and Trial Folders

DATA PROTECTION AND DATA STORAGE POLICY

Hertsmere Borough Council. Data Quality Strategy. December

NHS Business Services Authority Records Management Audit Framework

Title. Learning from Incidents, Complaints and Claims. Description of Document

Archiving of Clinical Trial Data and Essential Documentation JCTO/CT/SOP 4.0. Joint Clinical Trials Office. Stuart Hatcher, JCTO Archivist

How To Protect Your Personal Information At A College

Informatics Policy. Information Governance. Network Account and Password Management Policy

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

Data Quality Policy SH NCP 2. Version: 5. Summary:

NEWCASTLE CLINICAL TRIALS UNIT STANDARD OPERATING PROCEDURES

gsop Vendor Assessment SOP page 1 of 10

Information Governance Policy

NHS Commissioning Board: Information governance policy

Transcription:

RD SOP17 Research data management and security Version Number: V2 Name of originator/author: Dr Andy Mee, R&I Manager Name of responsible committee: R&I Committee Name of executive lead: Medical Director & Director of Quality Assurance Date V1 issued: July 2010 Last Reviewed: January 2015 Next Review date: January 2017 Scope: Trust wide MMHSCT Policy Code Page 1 of 12

Document Title / Ref: Lead Executive Director Author and Contact Number Type of Document Document Purpose Document Control Sheet RD SOP17 Research data management and security Medical Director R&I Manager 0161 901 1976 Standard Operating Procedure Broad Category Research Scope Version number Consultation R&I Committee Approving Committee R&I Committee Approval Date July 2010 Ratification Trust Management Board /Operational Date of Ratification July 2010 and Date Management Team / Committee V1 Valid from Date July 2010 Current version is valid from approval date Date of Last Review January 2013 Date of Next Review January 2015 Procedural Documents to be read in None conjunction with this document: Training Needs Analysis Impact There are no Training requirements for this procedural document Click here to enter text. Financial Resource Impact There are no Financial resource impacts Click here to enter text. Document Change History Changes to this document in different versions must be detailed below. Rationale for the change should also be given Version Number / Name of procedural document this supersedes Type of Change i.e. Review / Legislation / Claim / Complaint Date 1.0 Review January 2013 Details of Change and approving group or Executive Lead (if done outside of the formal revision process) External references used in the creation of this document: If these include monitoring duties upon the Trust for this policy the specific details should be recorded on the Monitoring and Compliance Requirements sheet Privacy Impact N/a Any issues? Choose an item. Assessment submitted Fraud Proofing N/a Any issues? Choose an item. submitted If not relevant to this procedural document give rationale: Page 2 of 12

Policy authors are asked to consider each of the nine protected characteristics under the Equality Act 2010. We expect you to demonstrate that throughout the policy process you have had regard to the aims of the Equality Duty: 1. Eliminate unlawful discrimination, harassment and victimisation and any other conduct prohibited by the Act; 2. Advance equality of opportunity between people who share a protected characteristic and people who do not share it; and 3. Foster good relations between people who share a protected characteristic and people who do not share it. Please provide a brief account of how you have done this, further work to be completed and any support you have had in considering the aims and working in compliance with the Equality Duty. If you are unclear on how to do this or would like further advice and support then you may contact quality.admin@mhsc.nhs.uk. It is the responsibility of the approving group to ensure this statement reflects the Trusts objectives and position with compliance as set out within the NHS Equality Delivery System In line with the Trust values we may publish this document on our External Website. Is there any reason you would prefer this is not done? It is the Authors responsibility to ensure all procedural documents comply with the Trust values If you are unclear on any of the requirements in the document control sheet then please email quality.admin@mhsc.nhs.uk before proceeding Page 3 of 12

Monitoring and Compliance Requirements Sheet For audit, Registration and NHSLA purposes all procedural documents must have monitoring requirements or key performance indicators set by the authors, Committees or Lead Directors. This allows the Trust to routinely monitor the effectiveness and impact of their procedural documents on a regular basis. Procedural Document Title: RD SOP17 Research data management and security Does this procedural document offer support or evidence for the Trusts registered activities and outcomes? No Primarily Additional Not Applicable Additional Is this an NHSLA Document? No Which Standard does this relate to? Governance Which Criterion Not Applicable Choose an item. Choose an item. If other Monitoring requirements are necessary i.e. Health & Safety Act and you should include them here and record them in the External References section Specify where the requirement originates Minimum Requirement / Standard / Indicator to be monitored & Section of document it appears Process for monitoring Audit Audit Audit Audit Responsible Individual / Group Additional Details i.e. Section number, Code of Practice Frequency of Monitoring Yearly Yearly Yearly Yearly Responsible Group for review of results / action plan approval / implementation Comments NB: If you have selected audit you should complete the required audit registration form and standards document and submit these with your expected timescales for completing the audit to quality.admin@mhsc.nhs.uk as soon as possible and no later than 4 weeks prior to the audit commencing. The Group / Committee should also ensure the monitoring work is added to their yearly schedule of monitoring and action logs as appropriate. Page 4 of 12

Contents Page Section Title Page Number 1 Introduction 6-7 2 Purpose 7 3 3.1 3.2 4 4.1 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.2 4.3 4.4 Roles and Responsibilities Duties within the Organisation Specific to this SOP Data Management and Security Procedure Basic Terms Personal data Anonymised data Pseudo-anonymised data Source documents Source data Data Management Data Security Data Transfer 7 7 7 9 9-10 5 Equality Impact Assessment 10 6 6.1 6.2 7 7.1 7.2.1.2 Consultation, Approval and Ratification Process Consultation and Communication with Stakeholders SOP Approval Process Dissemination and Implementation Dissemination Implementation of Procedural Documents Review, Monitoring Compliance With and the Effectiveness of Procedural Documents Process for Monitoring Compliance and Effectiveness Standards and Key Performance Indicators (KPIs) 10 10 10 10 10 10 11 11 11 11 9 References and Bibliography 11 10 Associated Trust Documents 11-12 Page 5 of 12

1 Introduction All data collected for research purposes must comply with the Data Protection Act 199 (DPA). This includes data collected from patients, families and staff. The DPA outlines the conditions that must be met by organisations and individuals who hold or process personal identifiable information about living individuals: Personal data should be fairly and lawfully processed Data should be adequate for the purpose and not excessive Data should be obtained for specified purposes Data should be accurate and up to date Appropriate measures should be taken to ensure confidentiality and security of the data Data should be processed in accordance with the rights of the data subject Data should not be kept longer than is necessary Data should not be transferred outside of the European Economic Area without an adequate level of protection The Research Governance Framework for Health and Social Care (2005) incorporates the conditions laid down in the DPA. The Framework states that: The appropriate use and protection of patient data is also paramount. All those involved in research must be aware of their legal and ethical duties. Particular attention must be given to systems for ensuring confidentiality of personal information and to the security of those systems. Around the same time as the DPA was published, a review was commissioned by the Chief Medical Office of England "owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service, and its capacity to disseminate information about patients rapidly and extensively". A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December 1997. The 'Caldicott' principles and recommendations apply specifically to patient-identifiable information, and emphasise the need for controls over the availability of such information and access to it. In particular, a Caldicott Guardian, appointed in each NHS organisation, has specific responsibilities to oversee an ongoing process of audit, improvement and control. The six Caldicott principles, applying to the handling of patient-identifiable information, are: Page 6 of 12

Justify the purpose(s) of every proposed use or transfer Don't use it unless it is absolutely necessary, and Use the minimum necessary Access to it should be on a strict need-to-know basis Everyone with access to it should be aware of their responsibilities, and Understand and comply with the law. The 199 Data Protection Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation. 2 Purpose The purpose of this SOP is to describe the procedures for managing research data and ensuring that research data is stored in a safe and secure manner. 3 Roles and Responsibilities 3.1 Duties within the Organisation 3.1.1 It is the responsibility of the Research Governance co-ordinator (or proxy) to make Trust R&I SOPs available to all research active staff working on Trustapproved research studies. 3.1.2 It is the responsibility of the study Chief Investigator (CI) or local Principal Investigator (PI) to ensure that up-to-date copies of Trust R&I SOPs are available to research staff. 3.1.3 It is the responsibility of the study Chief Investigator or local Principal Investigator to inform the Research Governance Co-ordinator of the names of all research staff involved on a study so that copies of SOPs can be distributed appropriately, and to ensure that up-to-date copies are filed in the Investigator Site file and are available to research staff. 3.1.4 It is the responsibility of the study Chief Investigator or Principal Investigator to designate if the SOPs of another organisation are to be followed for a study. For example those of a Clinical Research Network or commercial sponsor. If there is significant conflict between the external SOP and the Trust R&I SOP it is the responsibility of the CI or PI to resolve these with the Research Office prior to starting the study. 3.1.5 It is the personal responsibility of all staff to follow Trust (or the designated alternative organisations) procedural documents. 3.2 Specific to this SOP 3.2.1 It is the responsibility of the study CI or local PI, to ensure that all data collected for the purposes of a research study complies with the conditions of the DPA (199), with oversight from the Research Office. Page 7 of 12

4 Data Management and Security Procedure 4.1 Basic terms 4.1.1 Personal data. Personal data is any information that may lead to the identification of a living person that if released would put them at significant risk or harm or distress. 4.1.2 Anonymised data. Anonymised data is where all patient or participant identifiers (which can include name or initials, address, date of birth, hospital or NHS number) have been permanently removed. Anonymised data are not covered by the DPA. 4.1.3 Pseudo-anonymised data. Pseudo-anonymised data is where all personal identifiers (which can include name or initials, address, date of birth, hospital or NHS number) are replaced with a unique identifier (e.g. patient study number, patient initials, date of birth). A code should be held separately from patient identifiers, and allow for study un-blinding if required by the protocol. 4.1.4 Source documents. Source documents are original documents, data and records (e.g. hospital records, clinical and office charts, laboratory notes, diaries or evaluation checklists, laboratory results, x-ray or other scan results, pharmacy dispensing records). These are the essential documents as described by ICH GCP that allow the evaluation and verification of the research study and data collected. 4.1.5 Source data. Source data are all information in original records and certified copies of original records of clinical findings, observations, or other activities in a research study necessary for the reconstruction and evaluation of the study. Source data are contained in source documents. 4.2 Data Management 4.2.1 All research data containing personal information about patients or participants should be anonymised. For certain studies, such as clinical trials of an investigational medicinal product, this may not be possible and the data should be pseudo-anonymised. In these instances, un-blinding procedures for safety reasons should be clearly defined in the protocol. 4.2.2 Clinical trial data should be collected onto a Case Report Form (CRF). This can be a printed, optical or electronic document and designed to record all the information detailed in the protocol. All staff completing CRFs should be trained to do so. Corrections to the printed CRF should be initialled and dated by the PI or persons delegated to do so. Correction fluid should never be used. 4.2.3 Clinical trial data from the CRF may be entered onto a database or other data management system. For clinical trials, data entry should be completed by the Data Manager, Data Custodian or other person designated to do so by the Principal Investigator. The data entry process (e.g. single data entry or double data entry methods) should be decided based on the size and complexity of the study. For small single site studies, single data entry (one person) with source verification is usually appropriate. This will involve a Page of 12

visual check between what is recorded on the paper CRF and what is entered onto the data management system. 4.2.4 Missing values, values outside of normal ranges or inconsistencies entered onto CRFs should be reported to the PI. 4.2.5 Source data verification can be conducted by members of the research team or independent monitors. This will involve cross-checking the data entered onto the CRF against source documents for accuracy. 4.2.6 All research staff using a data management system should be trained in its proper operation. A training record should be kept and updated following any software changes or upgrades. 4.2.7 The data management system should be appropriate for the analysis planned, ensure data integrity and be auditable. In the case of certain data management systems (e.g. Microsoft Excel), it may be necessary to save and date older versions of the database or print copies. 4.2. All computer systems used in the conduct of clinical trials of investigational medicinal products (databases, Electronic Data Capture etc), must have their current release number and date of release, last release number and date of release and validation status recorded. 4.2.9 For information on storage and archiving of files, please refer to RDSOP21. 4.3 Data Security 4.3.1 All non- electronic data such as paper CRFs and other documents, audio and video recordings, should be kept in locked filing cabinets in lockable rooms only accessible by authorised personnel. 4.3.2 Electronic data should only be stored on devices that are backed up regularly such as NHS Trust or other servers (e.g. University). This should be confirmed with IT support or by consulting Trust or local policy documents. 4.3.3 Backup electronic copies should be kept in a separate secure location to the master copy. These should be updated daily. 4.3.4 Data should be password protected and access limited to authorised personnel. Authorised users should login with their own account details and should never login to provide access to another user. 4.3.5 A record should be kept of authorised users and their level of access. 4.3.6 Laptops and memory sticks used to store data should be encrypted by Trust, local IT support or the study coordinating centre. 4.4 Data Transfer 4.4.1 Research data transferred within the European Economic Area (EEA) must be fully or pseudo anonymised. Any codes held to unblind or unlock data identity should not be sent. Page 9 of 12

4.4.2 Research data transferred outside the EEA must be fully or pseudo anonymised. An agreement should be in place documenting that the data will be held or processed according to the principles outlined in the DPA (199). Any codes held to unblind or unlock data identity should not be sent. 4.4.3 Participants should be consented for their data to be transferred to a third party. 4.4.4 Approvals from the relevant ethics committee and/or Caldicott Guardian (the Trust Medical Director) should be obtained before data is transferred to a third party. 5 Equality Impact Assessment 5.1 This SOP has been equality impact assessed by the author using the Trust s Equality Impact Assessment (EqIA), which has been submitted to the Equality and Diversity Department for Service Equality Team Sign Off. 5.2 No significant issues in relation to equality, diversity, gender, colour, race or religion are identified as raising a concern. 6 Consultation, Approval and Ratification Process 6.1 Consultation and Communication with Stakeholders All Trust R&I SOPs are written by a member of the Research Office staff with relevant expertise and experience. Additional advice is sought from members of the research community within the Trust, including the Research Committee, or external advisors, as necessary. 6.2 SOP Approval Process All Trust R&I SOPs are subject to approval by the Research Governance Operational Group. The SOP will then be sent to the Trust Management Board for ratification. 7 Dissemination and Implementation 7.1 Dissemination 7.1.1 When approved, this SOP will be posted on the Trust Research Office Intranet site; only the current version will be available. A list of current versions will also be posted on the public Trust website; researchers who do not have access to the intranet should refer to this list and request copies from the Research Office accordingly. 7.1.2 All researchers listed on the Research Office active researcher mailing list will be notified by email when an updated version of an SOP is available. 7.2 Implementation of Procedural Documents 7.2.1 Support and advice on the implementation of this SOP can be obtained via the Research Office or the R&I Manager. Page 10 of 12

Review, Monitoring Compliance With and the Effectiveness of Procedural Documents.1 Process for Monitoring Compliance and Effectiveness.1.1 Review will be undertaken by the Research Office Management. Compliance with the Trust R&I SOPs by researchers will be monitored via the Trust s Research Governance Monitoring Programme where appropriate..1.2 SOP contents will be reviewed against any changes to the applicable guidelines and regulations and taking into account any feedback received from researchers or via the Monitoring Programme..1.3 Review and monitoring will be conducted based on an initial risk assessment of the project. This process may change based on results on any monitoring visit..1.4 The outcome of the review and any resulting amendments - will be reported to the R&I Committee..2 Standards and Key Performance Indicators KPIs.2.1 This SOP will be available on the Trust intranet..2.2 This SOP must be reviewed at least every two years or when there are significant changes to the document. 9 References and Bibliography Data Protection Act (199) http://www.ico.gov.uk/what_we_cover/data_protection.aspx Caldicott Report (1997) http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidan ce/dh_406403 Research Governance Framework for Health and Social Care (2005) http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidanc e/dh_410962 International Conference on Harmonisation Topic E 6 (R1) Guideline for Good Clinical Practice (2002). http://www.emea.europa.eu/pdfs/human/ich/013595en.pdf 10 Associated Trust Documents Information Governance Policy, version 1 (approved March 2009) Page 11 of 12

Information Security Policy, version 2 (approved March 2010) RDSOP 1: Statistical Management RDSOP21: Retention of Data, Archiving and Destroying Documents Page 12 of 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information