Data Protection Act and research SOP

Contents

1 Aim

To ensure all research projects within the trust are conducted in accordance with the Data Protection Act (DPA) 2018 and the General Data Protection Regulations (GDPR).

This SOP should be read in conjunction with the guidelines on the trust website.

Where advice is required the data protection officer (DPO) should be contacted via:

• Telephone: 03000211189
• Email: rdash.dpo@nhs.net

2 Scope

All staff internal or external to the trust who are involved in research

This SOP is always applicable when dealing with patient or participant data of any kind, for example:

• electronic records
• paper notes

3 Link to overarching policy

• Research governance policy

4 Procedure

4.1 Data Protection Act 2018

RDaSH NHS FT holds and processes information in relation to research. To comply with the Data Protection Act 2018 information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. This applies to both manual and electronically held data.

The Data Protection Act 2018 has seven principles:

1. lawful, fair and transparent processing, when the data is collected, it must be clear as to why that data is being collected and how the data will be used
2. purpose limitation, this principle means that organisations need to have a lawful and legitimate purpose for processing the information in the first place
3. data minimisation, this principle instructs organisations to ensure the data they capture is adequate, relevant and limited
4. accurate and up-to-date processing, this principle requires data controllers to make sure information remains accurate, valid and fit for purpose
5. limitation of storage in the form that permits identification, this principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached.
6. integrity, confidential and secure, this principle protects the integrity and privacy of data by making sure it is secure (which extends to IT systems, paper records and physical security)
7. accountability and liability, this principle ensures that organisations can demonstrate compliance

4.2 UK GDPR

The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.

It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context,

The spirit of GDPR is to ensure organisations are lawful, fair and transparent when holding and using personal data. Scientific research has a natural route through the law which depends on specific safeguards being in place.

In research most of these safeguards in place already in the processes and procedures that form accepted good practice for scientific research using personal data. For example:

• research ethics committee approval
• governance checks, including health research authority (HRA) assessment
• peer review from public funders
• data minimisation and minimisation of recruitment numbers
• pseudonymisation and other technical safeguards against accidental disclosure and loss or corruption of research data, and so on.

Such safeguards are necessary to assure data subjects (research participants) that your organisation takes its legal and ethical responsibilities towards them, and their data, seriously.

4.3 Lawful basis in research

Data protection law allows organisations to hold and use (process) personal data if they have a legal reason to do so (for example, if they have a lawful basis). The law demands that organisations specify the lawful basis they are using to process personal data and are explicit about this. In other words, DPOs need to identify the acceptable reasons (defined in law) to process personal data and make research participants aware of this. These legally acceptable reasons are defined in GDPR and listed in appendix A. Organisations must specify one of the reasons given in article 6 to process personal data and an additional reason provided in article 9 to process special category personal data. The intention of the law is to allow organisations that need personal data to support their legitimate activities, to do so.

Public authorities (for example, universities, NHS, research council institutes) are funded by the public purse to conduct tasks that are in the public interest. Therefore, the legal reason public authorities will have to process personal data is most likely to be:

Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested the controller.

Research participants are normally given the option to consent to participate in the project, therefore the legal reason for these studies would be Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

By using either ‘public task’ or ‘legitimate interests’ you assure research participants that your organisation has a genuine reason to process personal data.

Most health research uses special category personal data, this covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation.

Research organisations that hold and use (process) special category personal data must ensure that they have a lawful basis to process personal data (GDPR article 6), and an additional condition to process special category personal data (GDPR article 9).

The legal reason that public authorities will have to process special category personal data is most likely to be article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of union or member state law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

Research participants are normally given the option to consent to participate in the project, therefore the legal reason for these studies would be article 9(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where union or member state law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.

For further information see:

• GDPR key facts for research, accord (opens in new window)

4.4. Implementation for research staff

• All study patient data should be stored in a secure room.
• All study patient data must be locked away if unattended.
• No one should access study patient data unless authorised via study delegation logs or by formal association with the sponsor (for example, a sponsor’s representative).
• Patient confidentiality should be maintained by use of initials and, or study specific ID numbers only on research material.
• Best practice is to password protect databases or software containing patient identifiable information. Spreadsheets or word documents do not require this protection providing they are held securely.
• Personal data that has the potential to identify research subjects should be kept in a secure place, separate from the study files and case report forms (CRFs), except for essential study documents required to be kept as part of the study file for example, signed consent forms.
• Some documents are retained in the case report forms to facilitate trial management. It is agreed that this will be kept to a minimum, and that all such documents will be removed prior to archiving unless specifically directed by the study office.
• All staff should be familiar with the trust data protection policies and have completed mandatory training in information governance.
• Medical notes should be stored in accordance with trust policy.
• Any data that is required to be shared should be done via secure means; either encrypted or password protected.

Sponsor responsibility the research sponsor is the organisation that takes on overall responsibility for proportionate, effective arrangements being in place to set up, run and report a research project. All health and social care research should have a sponsor.

As a sponsor RDaSH have a responsibility to ensure transparency in use of data for research. The health research authority provide guidance on what information must be made available publicly and what must be included in information provided to research participants. Grounded research comply with this requirement on our public website here: GDPR and research RDaSH NHS Foundation Trust.

Further guidance from the HRA, and wording for participant information can accessed at the HRA website transparency wording for all sponsors (opens in new window).

4.5 Procedure for RDaSH led research

The chief investigator (CI) and Research team ensures that identifiable data is to be collected (prospectively or retrospectively) with consent given by the data subject, except for research conducted with Section 251 approval.

The CI or Research team documents in the protocol what data is to be collected and how it will be analysed.

The CI or Research team ensures that data will not be used for anything additional to what is specified at the time of consent.

The CI or Research team ensures appropriate security arrangements for both electronic (back up or password protection) and paper (locked cupboard) files.

The CI or Research team assesses if any data will be sent externally by post or electronically.

The CI or Research team assess the safety of the data transfer (ensures adequate data protection regulations).

The CI or Research team assesses if the data is anonymised, if the data is not anonymised:

• the CI or Research team obtains explicit consent from the data subject using a HRA approved Informed Consent Form. Further guidance guidance and a template consent form can be accessed at the HRA website HLP templates (opens in new window)
• the CI or Research team contacts the Information Governance (IG) team (email: rdash.dpo@nhs.net) if explicit consent is not possible, to discuss the next step
• the CI or Research team determines the method of data storage and takes appropriate action
• the CI or Research team ensures compliance with DPA is documented in the clinical trial agreement (Contract) by using the national model contracts

In the event that a request is received for release of data under the Freedom of Information Act 2000, or a subject access request under the Data Protection Act 2018 the CI must contact the IG team and Caldicott guardian as quickly as possible, and always within three working days to agree appropriate arrangements for possible data release.

The CI or Research team determines whether a data protection impact assessment (DPIA) is required. Where the study deviates from the established processes (for example, where it is intended that a project uses a new technology for the processing of personal data or requires that safeguards set out in standing policies cannot be applied), the sponsor should consider whether a study specific DPIA is appropriate to address the level of risk, or whether updating existing DPIA(s) will be sufficient.

Participating NHS organisations are not responsible for the DPIA of the processing activities that they will undertake on behalf of research sponsors. They are responsible for ensuring that they process data only in accordance with appropriate technical and organisational measures.

Further guidance guidance is provided by the health research authority here, data protection impact assessments, Health research authority (opens in new window).

The trust’s DPIA process has now been digitalised and is available,

5 Appendices

5.1 Appendix A GDPR article 6 lawfulness of processing, (lawful bases)

Processing shall be lawful only if and to the extent that at least one of the following applies:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes
• processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
• processing is necessary for compliance with a legal obligation to which the controller is subject
• processing is necessary to protect the vital interests of the data subject or of another natural person
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested the controller
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation.

5.2 Route to work experience

5.2.1 Useful links for further information

• UK policy framework for health and social care research (opens in new window)
• Using data in the NHS: the implications of the opt-out and GDPR, The King’s fund (opens in new window)
• GDPR key facts for research, Accord (opens in new window)
• ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018 | ICO (opens in new window)

5.2.2 Health research authority guidance

• HRA guidance on the general data protection regulation, Health research authority (opens in new window)
• Patient data and research leaflet, Health research authority (opens in new window)
• Transparency wording for all sponsors, Health research authority (hra.nhs.uk) (opens in new window)
• GDPR: technical guidance, Health research authority (opens in new window)
• Data subject rights and research exemptions, Health research authority (opens in new window)

---

Document control

• Version: 2.1.
• Unique reference number: 429.
• Date ratified: 29 January 2024.
• Ratified by: Clinical policy approvals group.
• Name of originator: Research governance manager.
• Name of responsible individual: Executive medical director.
• Date issued: 9 February 2024.
• Review date: June 2025.
• Target audience: All staff involved in research.

Page last reviewed: April 15, 2024
Next review due: April 15, 2025

Feedback

Report a problem