GDPR Update 1 May 2018
Transparency - HRA Guidance
The Health Research Authority has now issued new guidance on its requirements in relation to transparency - one of the key principles of the GDPR. The guidance has changed in that the HRA now advises that the transparency arrangements will apply to all data processing after 25 May 2018. This includes data which is simply stored.
The guidance can be found on the NHS HRA website, but here are the key points:
· The guidance applies to all data after 25 May 2018, including that which is simply held or stored. Note that if the data is pseudonymised and the key is held by a different organisation, e.g. the site, then it is unlikely that you will be required to issue transparency notices to participants. Studies recruiting patients or collecting new data after 25 May 2018 should be given priority.
· The Study sponsor will usually be the Data Controller. So, the guidance applies to UCL and UCLH sponsored studies.
· If the recommended text is used verbatim, no formal amendment or ethics approval is required.
· There are a variety of ways that investigators can make the required information available to research subjects - leaflets in clinics, website, mailouts etc.
· The flow diagram below provides an outline of different requirements for subject information depending on:
o whether the data is collected directly from research subjects or the study involves secondary data analysis.
o whether the data will be pseudonymised and UCL does not possess the key.
o whether the data will be used for future research.
· In one of the scenarios, where information is collected indirectly from patient records or a database and the source, e.g. a Trust or GP practice, has a means of contacting the data subject, information should be provided to participants by the source.
· Unfortunately, the guidance does not cover all complex scenarios. Discussions are currently underway in UCL about how to deal with these.
· The JRO is discussing ways of facilitating individual investigators to implement the guidance.
Other GDPR matters
Secondary data analysis or "processing"
· You may not have to tell patients about further processing of data within UCL if, in doing so, the data subject receives the same information as they received when the data was first collected. For example, the broad uses of the data remain unchanged and so on. The HRA has guidance about the wording for any future PIS.
· When UCL or UCLH receives data from a different Data Controller, a Data Transfer Agreement will be required (presuming that UCL or UCLH are the new Data Controllers and not just processing the information for the original Data Controller). As the new Data Controller, UCL or UCLH, depending on who sponsors the study, should inform data subjects of what data they have and how their data will be used - but there are get out clauses. If it is impossible to inform the data subject or it requires disproportionate effort, then the Data Controller is exempt from the requirements. If data is transferred in a pseudonymised form where the original Data Controller holds the key rather than transferring the key to UCL, then it is not possible for UCL to contact the data subjects.
· Where the data is transferred from a UCL or UCLH sponsored study to another Data Controller, the obligations in 2 rest with the new Data Controller.
· Very few data subject rights apply to research provided:
o "appropriate safeguards" are in place and
o the research findings are not published in a way where any individual can be identified.
Safeguards refer to ethics approval, processing in the public interest, data minimisation and data security.
· If a data subject withdraws from a research study, then data need not be erased if it would seriously impair the achievement of the research object.
GDPR Update 26 March 2018
GDPR Issues which have been clarified
Data Controller and Sponsorship alignment. The Health Research Authority has indicated that it would be best to align Data Controller and Sponsorship. This means that if UCL sponsors a study then in the vast majority of cases it will also be the Data Controller. Similarly, where UCLH is the sponsor, it will also be the Data Controller. Clearly, where the study is a joint collaboration with another University or Commercial company, there is room for the parties to be Data Controllers in common. That is, they will be using the same dataset for different purposes. However, where a hospital Trust just collects data for a study, i.e. it is a site in that study, it will be a Data Processor for that study, NOT a Data Controller.
Legal basis for processing. Consent should not be used as the legal basis for processing under the GDPR. For public authorities undertaking research, like Universities, the legal basis for processing should be stated as "public task". The EU has stated that it is inappropriate for public bodies like Universities to use consent as the legal basis for processing. However, there are other legal and ethical considerations when undertaking clinical research which mean that consent will still be required. As well as the GDPR, investigators and sponsors also need to comply with the common law duty of confidence and ethical requirements. To comply with these, consent will still be required for clinical research. The MRC has produced some extremely clear guidance which explains the consent issue - see http://www.mrc.ac.uk/documents/pdf/gdpr-prep-gn3-gdpr-consent-in-research-and-confidentiality-v010318-pdf/.
NHS Digital has written to all investigators who have obtained data from them to request that they declare the legal basis for processing. As noted above, this should be declared as public task.
Transparency, privacy notices and participant information sheets
One of the key principles of the GDPR is transparency - this means that data subjects must be fully aware of what data about them will be collected, what it will be used for and who it will be shared with. The consent process and the traditional participant information sheet will remain important for providing such information to potential participants. In GDPR terms, they are one way of providing transparency and can fulfil the requirements of a "privacy notice". However, good practice for GDPR also means that studies will need to communicate with participants using other modalities like websites, notices in clinics and leaflets. Information can be layered, so there are opportunities for participants to find out more. Currently, this information does not need to be approved by an ethics committee. Transparency is particularly important if you intend to share the data with third parties after consent has been obtained. Broad statements in participant information sheets will no longer suffice. Where the data collected present a high risk to the rights and freedoms of data subjects, there is also an expectation that researchers will obtain the views of the participant group before the data is collected. This will form part of the "risk" assessment for the study or, in GDPR terms, the "Data Privacy Impact Assessment (DPIA)".
Useful Websites. The best source of guidance about the GDPR is the Health Research Authority: https://www.hra.nhs.uk/about-us/news-updates/gdpr-guidance-researchers/. See also http://www.ucl.ac.uk/jro. For those who require a more in-depth look at the general requirements or topics not yet covered by the HRA, we suggest the ICO website. This will lead you to EU Working Party 29, which is fleshing out the requirements in a series of recommendations.
GDPR Update 14 March 2018
As you may know, the General Data Protection Regulation comes into force in late May this year. The Regulation places many more responsibilities on organisations like UCL and UCLH as Data Controllers. Both institutions have projects planned or in progress to comply with the requirements; in particular, both are working on compiling a Data Inventory. At the same time, the Health Research Authority is requesting that sponsors decide the legal basis of processing the data collected for the studies they are conducting and document this in a non-substantial amendment - the Joint Research Office is handling this. So, in the next few weeks investigators may be subject to slightly differing requests for information from these different sources. We are currently working to ensure that in future requests from the three organisations are co-ordinated, but in the meantime here are the current requests.
UCLH Data Inventory. Information about this has appeared on Insight. The form to be completed by Divisions is also on Insight. Investigators should only include the study in the inventory if it is sponsored by UCLH. If your Division is completing the inventory then you should advise the Division to include your study. However, you should ensure that the legal basis for processing is "public task" (previously referred to as "public interest").
UCL Data Inventory. This is still being planned, but in the next month you may be asked to provide information about all studies sponsored by UCL. The Joint Research Office does not necessarily hold all the information that UCL requires - therefore your department or JRO may need to request this from investigators.
Health Research Authority. The HRA requires that all studies recruiting subjects after 25 May 2018 complete a non-substantial amendment to declare the legal basis for processing the information collected in studies sponsored by UCL and UCLH. The JRO will be writing to you shortly to request information about whether you will be recruiting after this date. As above, the legal basis will need to be "public task".
The best source of guidance about the GDPR is the Health Research Authority: https://www.hra.nhs.uk/about-us/news-updates/gdpr-guidance-researchers/