
Secure Data Usage Guidelines for Research Projects

Learn about responsible data management in research projects, including privacy considerations, legal frameworks, and ethical practices. Understand the importance of IT security, confidentiality, and compliance with regulations.


Presentation Transcript


  1. Safe Data Usage Carol Mackenzie eHealth R&D Project Manager Pamela Linksted eResearch Lead ACCORD

  2. Patient Data
     NHS Lothian responsibilities:
     • To patients and staff
     • To support research

  3. Privacy Impact Assessment
     • IT Security
     • Information Asset Registration
     • Caldicott Approval
     • Data Sharing/Processing Agreement

  4. IT Security
     • How is the data captured and held?
     • Is any new kit/software involved?

  5. Secure eMail?

  6. Privacy by Design
     • Privacy Notices (NHSL, ACCORD)
     • Data Sharing and/or Processing Agreements
     • Research Governance, R&D and Ethics
     • Information Asset Register
     • Caldicott Approval
     • IT Security Check
     ...required for:
     • Storage on portable devices
     • Sending data outwith NHSL computers
     • Use of patient data without consent
     • Email to patients in exceptional circumstances

  7. Safe Data Usage Research context

  8. Research Governance Review
     Clinical research is conducted in compliance with the principles of GCP, regulatory requirements and the UK Policy Framework for Health and Social Care Research. Nationally agreed processes are built into the design:
     • Guidance on study design and conduct
     • Standard templates for documentation and transparency
     • Standard review/approval/monitoring of processes
     • Data Processing Agreements (model agreements)
     • Defined responsibilities, e.g. Sponsors, CI, PI
     Protection of data: collection, storage and/or transfer of identifiable or potentially identifiable data is checked to ensure adherence to:
     • Common Law Duty
     • Data Protection Act
     • ICH-GCP confidentiality requirements
     • Local IG/IT policies

  9. Legal Framework
     Data Protection Act
     • Processing needs to be lawful, fair and transparent.
     • The new legislation requires research organisations to be specific about which legal basis they are using to process and use personal data:
       • task carried out in the public interest
       • legitimate interests
     • Additional conditions apply for special categories of data (e.g. health):
       • research purposes in accordance with safeguards
     Common Law of Confidentiality
     • Disclosure outside of the duty of confidence requires:
       • explicit consent, or
       • another legal basis: public interest test (PBPP/Caldicott (CAG))
     Consent
     • Cornerstone of ethical research and a requirement of clinical trials, but generally not the legal basis!

  11. What is looked at
     As part of the Research Governance review:
     • Is patient identifiable information being collected, and is it justified?
     • Is explicit consent in place?
     • Where and how is the data processed/transferred/stored?
     • What measures are in place to protect confidentiality and security?
     • Who will access this data?
     • Is data (incl. CHI) being transferred out of NHSL or the NHS, or out of the UK?
     Is data processing compliant with the DPA, Caldicott principles and NHSL eHealth security policies?
     Is additional scrutiny required?
     • Is Caldicott or PBPP approval required?
     • Is additional IG/IT Security review required?

  12. When is Caldicott review/approval required?
     If identifiable information (living or deceased) is involved:
     • Access for research purposes other than by the direct care team
     • Transfer outwith the NHS without patient knowledge or consent
     Without the patient's knowledge or consent:
     • Caldicott or PBPP approval must be sought.
     With the patient's knowledge or consent, where the details are explicit in the PIS and the ICF (including explicit consent for CHI, if required) and detailed in the study protocol and IRAS forms:
     • Caldicott or PBPP approval is generally not required.
     In both cases, security arrangements for the transfer and storage of data must still be considered and documented.

  13. Caldicott & Information Governance: Delegated review by ACCORD
     • Application form
       • Section A: General Information
       • Section B: Caldicott Principles
       • Section C: Data Security
     • Review
       • Ascertain compliance with Caldicott principles, NHSL eHealth Security Policy and the DPA
       • May also require an additional NHSL IG/IS risk assessment (requiring completion of the IT security checklist)
     • Approval
       • Approval on behalf of the NHSL Caldicott Guardian
       • (Or may require escalation to the NHSL CG)

  14. When is additional scrutiny/approval required?
     Examples include:
     Caldicott approval:
     • Removable or portable media
     • Disclosure of identifiable data outside of the care team without consent
     • Identifiable data (including CHI) leaving NHS Lothian without explicit consent
     IG/IT Security:
     • Web applications/portals
     • Apps on mobile phones, particularly on patients' own devices
     • Portable media
     • Wearable tech
     • Transfer mechanisms (non-NHS email, SFTP)
     • Cloud services
     • Data outside the EEA

  15. Key Message
     Engage with the Research Governance team and NHSL IG/IT Security as early as possible!
     ACCORD@nhslothian.scot.nhs.uk
     Security: log via e85050 or call 85050

  16. Thank you Any Questions?

  17. Requirement for Caldicott Approval and Information Security Review (consent for use of patients' identifiable information for research)
     Researcher to seek advice from R&D as soon as possible when developing the project.
     Is identifiable data being used?
     • No: Caldicott review is not required. Review of information security arrangements is not required. R&D log for audit.
     • Yes: Is identifiable data leaving the NHS?
       • Yes: Is there consent for identifiable data to leave the NHS, and is that consent explicit* and within reasonable expectation?
         • Yes: Caldicott review is not required***. Information security arrangements for transfer and storage of data must still be agreed. Demonstrate compliance with safe people, safe places, safe data.
         • No**: Caldicott review is required. Information security arrangements for transfer and storage of data must still be agreed. Demonstrate compliance with safe people, safe places, safe data.
       • No: Is there consent for identifiable data to be used within the NHS?
         • Yes: Caldicott review is not required***. Information security arrangements for transfer and storage of data within the NHS must still be considered. Demonstrate compliance with safe people, safe places, safe data.
         • No**: Caldicott review is required. Information security arrangements for transfer and storage of data within the NHS must be agreed. Demonstrate compliance with safe people, safe places, safe data.
     R&D log of projects with:
     • Delegated Caldicott review undertaken and outcome of IG/IS review
     • Escalated to NHSL Caldicott Guardian
     • Report annually to NHS Lothian Caldicott Guardian and IG lead
     * Explicit consent, e.g. the PIS/consent form mentions:
     • CHI
     • 'personal identifiable information' or 'NHS number' when the CHI is required and there is reasonable expectation that the person knows what this means
     • Use of identifiable information is for the specified purpose only
     ** Options open to researchers/trialists in addressing the requirement for explicit consent for confidential data leaving the NHS (see below)
     *** Caldicott review not required unless required for other reasons

  18. If you have created an information asset (for example a series of spreadsheets regarding a research study) and you manage it, then you will have to register it. http://intranet.lothian.scot.nhs.uk/Directory/eHealth/operationsandinfrastructure/InformationGovernance/Pages/InformationAssetRegister.aspx
