Data Protection and Confidentiality
DATA PROTECTION AND PATIENT
CONFIDENTIALITY IN RESEARCH
Nic Drew
Data Protection Manager
University Hospital of Wales
Tel: 2074 6677
Fax: 2074 5626
Email: [email protected]
OVERVIEW
What is the Data Protection Act 1998?
The 8 Principles
The Principles in practice
Obtaining a R&D reference number
Research not involving patient contact
UHB information resources
WHAT IS THE DATA PROTECTION ACT?
LAW ON THE USE OF PERSONAL INFORMATION
PROVIDES RIGHTS OF PRIVACY
PROVIDES RIGHTS OF ACCESS
COMPLY WITH THE HUMAN RIGHTS ACT
THERE ARE 8 DATA PROTECTION PRINCIPLES
THE EIGHT PRINCIPLES
PERSONAL DATA MUST BE:
1. PROCESSED FAIRLY AND LAWFULLY + SCHEDULES 2&3
2. PROCESSED FOR SPECIFIED PURPOSES
3. ADEQUATE, RELEVANT AND NOT EXCESSIVE
4. ACCURATE AND KEPT UP TO DATE
5. KEPT FOR AS LONG AS IS NECESSARY AND NO LONGER
6. PROCESSED IN LINE WITH DATA SUBJECTS' RIGHTS
7. SECURE
8. ONLY TRANSFERRED TO OTHER COUNTRIES THAT HAVE SUITABLE DATA PROTECTION CONTROLS
PRINCIPLES IN PRACTICE
PRINCIPLE 1
Fair processing – Provide all relevant information in the
Patient Information Sheet (‘Confidentiality Statement’):
who the data is disclosed to, what is disclosed, who will access it,
how long it is kept for, and what security is employed. Remember,
consent is not valid unless it is informed consent.
Identifying patients – If you are using initials and DOB as
well as a study number, you must tell patients.
PRINCIPLES IN PRACTICE
PRINCIPLE 1
Lawful processing – specifically the Human Rights Act,
Article 8, and the Common Law Duty of Confidentiality.
NOTE: if you don’t comply with other related legislation
(e.g. the Human Tissue Act) you do not satisfy this Principle!
Schedule 3 – Explicit consent is required where there is
patient communication or contact, unless you have an
exemption under section 251 of the NHS Act 2006.
PRINCIPLES IN PRACTICE
PRINCIPLES 2 - 3 - 5
2. Specified purpose – if you wish to contact patients for
subsequent studies you need to tell them and gain
consent.
3. Not excessive – only collect personal data that is
necessary, e.g. if you only need age, don’t ask for date of
birth.
5. Retention – tell patients how long you will keep their
personal data; usually 5 years, or 15 for clinical trials.
PRINCIPLES IN PRACTICE
PRINCIPLES 7 - 8
7. Security – the Information Commissioner has made it clear
that all patient identifiable data on laptops or portable
media must be encrypted. C&V UHB only permits emails
containing patient identifiable data to be sent between email
addresses ending in wales.nhs.uk.
8. Outside EEA – specific informed consent is required; this
must be endorsed on the Consent Form.
R&D REFERENCE NUMBER
Who recruits the patient? – Legitimate relationship
Disclosure of identifiable data – Initials + DOB + gender
Identifiable data on a computer – Whose computer? Encryption!
Disclosures outside the EEA? – Specific consent
GPs informed? – Medical records accessed?
RESEARCH NOT INVOLVING PATIENT
CONTACT, i.e. NO CONSENT
Permitted, but with strict controls to maintain patient
confidentiality
Access may be granted to patient medical records if you
are a healthcare professional or hold an honorary contract
with the UHB – this will not give direct access to
electronic records
No data capable of identifying a patient can be recorded
Only specimens from UHB patients can be anonymised
by the Labs and made available for research; Principle 7
INFORMATION SOURCE
The UHB’s Intranet site has Data Protection information
and guidance available (unfortunately not on the Internet yet).
‘Data Protection Guidance For Researchers’ is available on
the Intranet (Data Protection > Guidance > Research) or
from the R&D Department.
The National Research Ethics Service guide is also available
from the above link.