DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH
Nic Drew, Data Protection Manager, University Hospital of Wales
Tel: 2074 6677 / 2074 5626
Email: nic.drew@wales.nhs.uk
OVERVIEW
• What is the Data Protection Act 1998?
• The 8 Principles
• The Principles in practice
• Obtaining a R&D reference number
• Research not involving patient contact
• UHB information resources
WHAT IS THE DATA PROTECTION ACT?
• LAW ON THE USE OF PERSONAL INFORMATION
• PROVIDES RIGHTS OF PRIVACY
• PROVIDES RIGHTS OF ACCESS
• COMPLY WITH THE HUMAN RIGHTS ACT
• THERE ARE 8 DATA PROTECTION PRINCIPLES
THE EIGHT PRINCIPLES
PERSONAL DATA MUST BE:
1. PROCESSED FAIRLY AND LAWFULLY + SCHEDULES 2 & 3
2. PROCESSED FOR SPECIFIED PURPOSES
3. ADEQUATE, RELEVANT AND NOT EXCESSIVE
4. ACCURATE AND KEPT UP TO DATE
5. KEPT FOR AS LONG AS IS NECESSARY AND NO LONGER
6. PROCESSED IN LINE WITH DATA SUBJECTS' RIGHTS
7. SECURE
8. ONLY TRANSFERRED TO OTHER COUNTRIES THAT HAVE SUITABLE DATA PROTECTION CONTROLS
PRINCIPLES IN PRACTICE: PRINCIPLE 1
• Fair processing – Provide all relevant information in the Patient Information Sheet 'Confidentiality Statement': who the data is disclosed to, what is disclosed, who will access it, how long it is kept for, and what security is employed. Remember, consent is not valid unless it is informed consent.
• Identifying patients – If you are using initials and DOB as well as a study number, you must tell patients.
PRINCIPLES IN PRACTICE: PRINCIPLE 1
• Lawful processing – specifically the Human Rights Act, Article 8 and the Common Law Duty of Confidentiality. NOTE: if you don't comply with other related legislation (e.g. Human Tissue Act) you do not satisfy this Principle!
• Schedule 3 – Explicit consent is required where there is patient communication or contact, unless you have an exemption under section 251 of the NHS Act 2006.
PRINCIPLES IN PRACTICE: PRINCIPLES 2 - 3 - 5
• 2, Specified purpose – if you wish to contact patients for subsequent studies you need to tell them and gain consent.
• 3, Not excessive – only collect personal data that is necessary, e.g. if you only need age, don't ask for date of birth.
• 5, Retention – tell patients how long you will keep their personal data; usually 5 years, or 15 for clinical trials.
PRINCIPLES IN PRACTICE: PRINCIPLES 7 - 8
• 7, Security – Information Commissioner has made it clear that all patient identifiable data on laptops or portable media must be encrypted. C&V UHB only permits emails with patient identifiable data to be sent between email addresses ending in wales.nhs.uk.
• 8, Outside EEA – specific informed consent required; this must be endorsed on the Consent Form.
R&D REFERENCE NUMBER
• Who recruits the patient? – Legitimate relationship
• Disclosure of identifiable data – Initials + DOB + gender
• Identifiable data on a computer – Whose computer? Encryption!
• Disclosures outside the EEA? – Specific consent
• GPs informed? – Medical records accessed?
RESEARCH NOT INVOLVING PATIENT CONTACT, i.e. NO CONSENT
• Permitted, but with strict controls to maintain patient confidentiality
• Access may be granted to patient medical records if you are a healthcare professional or hold an honorary contract with the UHB – this will not give direct access to electronic records
• No data capable of identifying a patient can be recorded
• Only specimens from UHB patients can be anonymised by the Labs and made available for research; Principle 7
INFORMATION SOURCE
• The UHB's Intranet site has Data Protection information and guidance available (unfortunately not on the Internet yet)
• 'Data Protection Guidance For Researchers' available on the Intranet: Data Protection > Guidance > Research, or from the R&D Department
• National Research Ethics Service guide also available from above link
ANY QUESTIONS?