Recording Clinical Data Richard Oliver Head of Information Governance Newcastle upon Tyne Hospitals NHS Trust Additional slides: Professor Rob Pickard Introduce myself

Plan General points to consider Documentation Storage Sharing What I will be talking about

General points to consider Compliance with Data Protection Act General Data Protection Regulations (May 2018) Necessary approvals (REC, NHS Trusts) Where NHS patients, data or facilities are involved: Compliance with policies and standards of NHS organisation (inc. Caldicott) Status of data collector with NHS organisation . Will need R&D approval plus Caldicott guardian.

Points to consider: study specific REC submission and study protocol Patient information sheets and consent forms REC asks to set out: what data will be collected, how it will be stored, who can access, how long it will be stored for (need to justify if longer than 12 months)

Consent Forms

GDPR & Research A data controller must have a legal basis for collection and use of data. Research is not in itself a legal basis. Consent is key. Consent must be explicit and affirmative.

Caldicott Principles 1) Justify the purpose for which the information is needed. 2) Only use personally identifiable information when absolutely necessary. 3) Use the minimum personal identifiable information possible – if possible use an identifier number rather than a name. 4) Access to the information should be on a strict need to know basis. 5) Everyone should be aware of his/her responsibilities to respect clients confidentiality. 6) Understand and comply with the law. The most relevant legislation is the GDPR 2018, the Police & Criminal Evidence Act 1984 and the Human Rights Act 1998.

Documentation – What data to record? Collect enough but no more From NHS records (can include name, address to contact patient) Data collected during study From NHS records – remains their property, cannot share with 3rd party

Documentation Legible Accurate and complete Date, time, signature, name and designation Corrections made with single line strike-through, initialled and dated

Storage Medium Identifiers Paper, electronic, audio, samples – BACK-UP Anonymous (no audit trail) Pseudoanonymous (audit trial) – most usual Patient-identifiable data (to be avoided if possible) PID = names, numbers or other details sufficient enough to identify them. Keep in separate location

Storage: University Policy Adequate, relevant and not excessive Accurate Not kept for longer than is necessary Kept safe from unauthorised access, accidental loss or destruction Secure rooms/lockable cabinets Password protected Lockable filing cabinet/drawer; secure room; password protected; if on disk then disk must be kept securely

Sharing – You need permission! The patient (consent) Research Ethics Committee Caldicott Guardian HTA: anything that contains cells Caldicott – protection of PID in health service. May allow us to access data but agreement generally not to share with any third party!

Key Point Know what you are allowed to do REC application / protocol Patient information sheets / consent forms Agreements with NHS bodies University Policy and legislation: http://www.ncl.ac.uk/res/research/ethics_governance/ethics/toolkit/data/

Questions?