DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH

Nic DrewData Protection ManagerUniversity Hospital of Wales 2074 6677 2074 5626 nic.drew@wales.nhs.uk

OVERVIEW

What is the Data Protection Act 1998? The 8 Principles The Principles in practice Obtaining a R&D reference number Research not involving patient contact UHB information resources

WHAT IS THE DATA PROTECTION ACT?WHAT IS THE DATA PROTECTION ACT?

LAW ON THE USE OF PERSONAL INFORMATION

PROVIDES RIGHTS OF PRIVACY

PROVIDES RIGHTS OF ACCESS

COMPLY WITH THE HUMAN RIGHTS ACT

THERE ARE 8 DATA PROTECTION PRINCIPLES

THE EIGHT PRINCIPLESTHE EIGHT PRINCIPLES

PERSONAL DATA MUST BE:-

1. PROCESSED FAIRLY AND LAWFULLY + SCHEDULES 2&3

2 PROCESSED FOR SPECIFIED PURPOSES

3 ADEQUATE, RELEVANT AND NOT EXCESSIVE

4 ACCURATE AND KEPT UP TO DATE

5. KEPT FOR AS LONG AS IS NECESSARY AND NO LONGER

6 PROCESSED IN LINE WITH DATA SUBJECTS RIGHTS

7 SECURE

8 ONLY TRANSFERRED TO OTHER COUNTRIES THAT HAVE SUITABLE DATA PROTECTION CONTROLS

PRINCIPLES IN PRACTICE PRINCIPLE 1

Fair processing – Provide all relevant information in the Patient Information Sheet, ‘Confidentiality Statement’; who disclosed to, what disclosed, who will access, how long kept for, what security employed. Remember, consent is not valid unless informed consent.

Identifying patients – If you are using initials and DOB as well as a study number, you must tell patients.

PRINCIPLES IN PRACTICE PRINCIPLE 1

Lawful processing – specifically the Human Rights Act, Article 8 and the Common Law Duty of Confidentiality; NOTE, if you don’t comply with other related legislation (e.g. Human Tissue Act) you do not satisfy this Principle!

Schedule 3 – Explicit Consent is required where there is patient communication or contact, unless you have an exemption under section 251 of the NHS Act 2006

PRINCIPLES IN PRACTICE PRINCIPLES 2 - 3 - 5

2, Specified purpose – if you wish to contact patients for subsequent studies you need to tell them and gain consent.

3, Not excessive – only collect personal data that is necessary e.g. if you only need age, don’t ask for date of birth.

5, Retention – tell patients how long you will keep their personal data; usually 5 years or 15 for clinical trials

PRINCIPLES IN PRACTICE PRINCIPLES 7 - 8

7, Security – Information Commissioner has made it clear that all patient identifiable data on laptops or portable media must be encrypted. C&V UHB only permits emails with patient identifiable data to be sent between email addresses ending in wales.nhs.uk

8, Outside EEA – specific informed consent required; this must be endorsed on the Consent Form.

R&D REFERENCE NUMBER

Who recruits the patient? – Legitimate relationship

Disclosure of identifiable data – Initials+DOB+gender

Identifiable data on a computer – Who’s computer? - Encryption!

Disclosures outside the EEA? – Specific consent

GP’s informed? – Medical records accessed?

RESEARCH NOT INVOLVING PATIENT CONTACT, i.e. NO CONSENT

Permitted, but with strict controls to maintain patient confidentiality

Access may be granted to patient medical records if you are a healthcare professional or hold an honorary contract with the UHB – this will not give direct access to electronic records

No data capable of identifying a patient can be recorded Only specimens from UHB patients can be anonymised

by the Labs and made available for research; Principle 7

INFORMATION SOURCE

The UHB’s Intranet site has Data Protection information and guidance available (unfortunately not on the Internet-yet)

‘Data Protection Guidance For Researchers’ available on the Intranet; Data Protection > Guidance > Research, or from the R&D Department

National Research Ethics Service guide also available from above link