Personal data: electronic capture, storage and security Dr David W. Evans Centre of Precision Rehabilitation for Spinal Pain School of Sport, Exercise and Rehabilitation Sciences

Researchers are professional data generators! In the eyes of the ICO, we are also: Data controllers Data processors In the health, life and social sciences, most data is: From / about living people Potentially identifiable

Is the data ‘personal’? Question 1 Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession? No - The data is not ‘personal data’ for the purposes of the DPA  Yes - Go to question 2 Information Commissioner’s Office

Is the data ‘personal’? Question 2 Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?  No - The data is not ‘personal data’ for the purposes of the DPA Yes - The data is ‘personal data’ for the purposes of the DPA Information Commissioner’s Office

Personal data Most data in the health, life and social sciences is ‘personal’

Personal data Data Protection Act (1998) currently applies From May 2018, the GDPR will add (amongst others): Bigger £££ fines for non-compliance The subject’s ‘right to be forgotten’ Legal obligation to maintain records of both personal data and processing activities Appropriate ‘safeguards’ must be in place

Appropriate safeguards Only necessary personal data may be processed Principle of ‘data minimisation’ Data protection / privacy ‘by design and default’ Data Protection Impact Assessments (DPIAs) Data Management Plans (DMPs) ‘Pseudonymisation’ Data should not be attributable to a specific subject without the use of ‘additional information’ This additional information must be kept separately and subject to technical and organisational measures to ensure non-attribution to an individual

Electronic data storage Electronic data storage is now commonplace Local or remote Can be very secure

Electronic data storage Birmingham Environment for Academic Research (BEAR) Research Data Store (RDS) Research Data Archive (RDA)

Electronic data capture Electronic data capture is becoming more attractive:

Electronic data capture Electronic data capture is becoming more attractive: Saves trees More secure than paper? Data ultimately ends up in electronic format For analysis, reporting and archiving More time efficient 1-step vs 2-step process Can be ‘smarter’ than paper questionnaires Branching logic Can utilise sensors onboard / linked to the device ‘Active task’ data

Electronic data capture REDCapTM data collection and storage software www.project-redcap.org

REDCap Developed at Vanderbilt University, Tennessee Locally hosted Server hosted Free license, not open-source Currently used at 2752 institutions in 119 countries Active user forum / community Locally hosted Requires local server installation and IT support Phil Dimmock, IT Services Fully compliant with DPA & GDPR User privileges and rights can be controlled Can keep identifiable data separate from research data Exports anonymised research data in analysable format All interactions are logged and auditable

REDCap Encrypted data transit Uploaded to local secure database HTTPS transfer to server via ‘private’ browser ‘REDCap app’ transfers encrypted datafile to server Uploaded to local secure database Hosted on UoB servers Appropriate security measures Participant-hosted app under development MyCap Utilises ‘ResearchKit’ and ‘ResearchStack’ open-source frameworks

MyCap: participant-hosted app

MyCap: participant-hosted app

Thank you for listening!