DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales   

OVERVIEW  What is the Data Protection Act 1998?  The 8 Principles  The Principles in practice  Obtaining a R&D reference number  Research not involving patient contact  UHB information resources

WHAT IS THE DATA PROTECTION ACT?  LAW ON THE USE OF PERSONAL INFORMATION  PROVIDES RIGHTS OF PRIVACY  PROVIDES RIGHTS OF ACCESS  COMPLY WITH THE HUMAN RIGHTS ACT  THERE ARE 8 DATA PROTECTION PRINCIPLES

THE EIGHT PRINCIPLES PERSONAL DATA MUST BE:- 1. PROCESSED FAIRLY AND LAWFULLY + SCHEDULES 2&3 2 PROCESSED FOR SPECIFIED PURPOSES 3 ADEQUATE, RELEVANT AND NOT EXCESSIVE 4 ACCURATE AND KEPT UP TO DATE 5. KEPT FOR AS LONG AS IS NECESSARY AND NO LONGER 6 PROCESSED IN LINE WITH DATA SUBJECTS RIGHTS 7 SECURE 8 ONLY TRANSFERRED TO OTHER COUNTRIES THAT HAVE SUITABLE DATA PROTECTION CONTROLS

PRINCIPLES IN PRACTICE PRINCIPLE 1  Fair processing – Provide all relevant information in the Patient Information Sheet, ‘Confidentiality Statement’; who disclosed to, what disclosed, who will access, how long kept for, what security employed. Remember, consent is not valid unless informed consent.  Identifying patients – If you are using initials and DOB as well as a study number, you must tell patients.

PRINCIPLES IN PRACTICE PRINCIPLE 1  Lawful processing – specifically the Human Rights Act, Article 8 and the Common Law Duty of Confidentiality; NOTE, if you don’t comply with other related legislation (e.g. Human Tissue Act) you do not satisfy this Principle!  Schedule 3 – Explicit Consent is required where there is patient communication or contact, unless you have an exemption under section 251 of the NHS Act 2006

PRINCIPLES IN PRACTICE PRINCIPLES  2, Specified purpose – if you wish to contact patients for subsequent studies you need to tell them and gain consent.  3, Not excessive – only collect personal data that is necessary e.g. if you only need age, don’t ask for date of birth.  5, Retention – tell patients how long you will keep their personal data; usually 5 years or 15 for clinical trials

PRINCIPLES IN PRACTICE PRINCIPLES  7, Security – Information Commissioner has made it clear that all patient identifiable data on laptops or portable media must be encrypted. C&V UHB only permits s with patient identifiable data to be sent between addresses ending in wales.nhs.uk  8, Outside EEA – specific informed consent required; this must be endorsed on the Consent Form.

R&D REFERENCE NUMBER  Who recruits the patient? – Legitimate relationship  Disclosure of identifiable data – Initials+DOB+gender  Identifiable data on a computer – Who’s computer? - Encryption!  Disclosures outside the EEA? – Specific consent  GP’s informed? – Medical records accessed?

RESEARCH NOT INVOLVING PATIENT CONTACT, i.e. NO CONSENT  Permitted, but with strict controls to maintain patient confidentiality  Access may be granted to patient medical records if you are a healthcare professional or hold an honorary contract with the UHB – this will not give direct access to electronic records  No data capable of identifying a patient can be recorded  Only specimens from UHB patients can be anonymised by the Labs and made available for research; Principle 7

INFORMATION SOURCE  The UHB’s Intranet site has Data Protection information and guidance available (unfortunately not on the Internet- yet)  ‘Data Protection Guidance For Researchers’ available on the Intranet; Data Protection > Guidance > Research, or from the R&D Department  National Research Ethics Service guide also available from above link