Page 2 of 5
Background
The Data Protection Act 1998i came into force in March 2000 and is followed by all NHS
employed staff via their policies and procedures. The act applies to all personal, identifiable information about living individuals and applies to patients in relation to research when collecting this type of data. As all NHS staff comply with the Data Protection Act this SOP will not go into detail of the principles, but will cover aspects particularly important to research. The Freedom of Information Act 2000ii gives a general right of access to all types of recorded
information held by a public authority and is also followed by the NHS and it’s employees, and as such will not be covered in detail in this SOP.
This SOP is an abridged version of CTRU SOP DM001 Data Protection, written specifically for NHS staff as they already comply with data protection principles. Access to DM001 can be provided on request to the CTRU.
Purpose
The purpose of this SOP is to ensure that NHS employees and associated trial staff are both aware of and comply with the requirements of the Data Protection Act and the Freedom of Information Act when working with research data.
Scope
This SOP addresses the requirements of the Data Protection Act for NHS staff in relation to research, specifically research that involves Sheffield CTRU.
The informed consent process does not fall within the scope of this SOP; please refer to SSU001 Informed Consent Procedures. CTRU has various SOPs covering data management which address the responsibility for keeping electronic data secure on CTRU’s servers.
Definitions
Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.
Sensitive personal data - information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or offences or alleged criminal offences.
Anonymised data - information which does not identify an individual. Anonymisation requires the removal of personal data and any other combination of details that might support identification.
Pseudonymised data - data that have been given a unique identifier, removing the need to refer to personal data. Unlike anonymised data, pseudonymisation is a reversible process; there will be a process to allow the unique identifier to be linked to the personal data.
Unique identifier - A unique identifier is a code used to uniquely identify each participant in a study.
Page 3 of 5
Procedure
Who?
Every individual with responsibility for collecting, processing, storing and transferring participant data must follow the guidelines contained in this standard operating procedure. This applies to both paper and electronic data.
When?
This SOP covers every stage of a study where collection, processing, access and transfer of data are involved.
How?
Study design and data collection (Principles 2 & 3 of The Data Protection Act)
Personal data should only be collected where the study specifically requires it (for instance names and addresses may need to be collected where there is a need to post follow-up questionnaires to a study participant).
It is recommended that unique identifiers be used to identify study participants instead of using names or other personal information. The investigator should keep a “subject identification code list” containing the names of all participants linked to unique identifiers, as stipulated in ICH GCPiii.
Data processing (Principles 1, 4 & 6 of The Data Protection Act)
In order to process personal data fairly and lawfully, it is usually necessary for studies to obtain informed consent before an individual participates in a study. As part of the informed consent process, study participants should be made aware, usually via the participant information sheet, of their rights and of which data are being collected about them and how the data will be used.
Where possible, study teams should take measures to ensure that participants’ contact details are kept up-to-date to ensure that (1) follow-up information can be collected and (2) the possibility of sending the follow-up to the wrong address (which would risk revealing a participant’s sensitive personal information to someone else) is minimised. Equally, to avoid causing any distress, it may be appropriate to check on participants’ mortality status before contacting them.
Data storage and access (Principle 7 of The Data Protection Act)
All data should be held securely in rooms which will be locked when not occupied, and paper data (e.g. CRFs) should be stored in locked cupboards or cabinets where possible. Where collected, personal and sensitive data should be accessible only to study personnel with appropriate authorisation and should not be left unattended at any time.
Electronic data should be held in a password-protected, access-controlled environment, such as a networked server. Any study data stored outside this environment (e.g. on a portable device or a computer’s local hard drive) should be encrypted to prevent access in the event of loss or theft.
Page 4 of 5
All individuals accessing study databases should be aware of their responsibilities to safeguard the data. They should not write down nor share their login credentials with anyone else.
Data and document transfer (Principles 7 & 8 of The Data Protection Act)
Study staff should consider the nature and sensitivity of data or documents to be sent elsewhere, and should ensure that appropriate security measures are taken. Depending on the method of transfer, these may include:
- couriered delivery with sender/recipient signatures - tamper-proof or tamper-evident envelopes
- use of a secure fax machine
-
encrypting and/or password-protecting electronic files
Individuals should retain copies of Air Waybills (AWBs) or other transfer documentation to aid tracking where applicable. Where original material is being transferred, individuals should consider retaining a back-up. To close the transfer process, the recipient should be asked to acknowledge safe arrival of what has been sent.
Where data are to be transferred to a recipient outside the European Economic Area, Principle 8 of the Data Protection Act requires that a standard of security that would apply in the EEA will be maintained outside the EEA. Study participants should be aware of and provide consent to their data being transferred out of the EEA.
Disposal of data
The Data Protection Act requires that data be retained only for as long as necessary. This requirement should be considered in conjunction with the study-specific retention requirements, whereby the study data and documentation will be archived for an agreed number of years after which the study sponsor will give authorisation for the study material to be disposed of.
Please follow your trust’s policies for disposing of confidential waste, both paper and electronic formats need to be considered.
Freedom of Information
NHS trusts will have nominated individuals responsible for dealing with Freedom of Information requests. Please refer any requests for information specific to the research to study manager.
Document history
Version Date approved Reason for change
1 As per signature An abridged version of DM001 written specifically for NHS staff working on CTRU-managed studies.
Page 5 of 5
i Data Protection Act (http://www.ico.gov.uk/for_organisations/data_protection.aspx), last accessed 30/10/2012 ii Freedom of Information Act (http://www.ico.gov.uk/for_organisations/freedom_of_information.aspx), last
accessed 30/10/2012