In a nutshell
The British Institute of Health Research (HRA) has released new guidance outlining three essential steps for accessing health and care data for research purposes. The guidance covers areas that researchers often overlook. Common-law confidentiality obligations run parallel to data privacy laws, and each regime must be considered separately to ensure that data access requests stand up to regulatory scrutiny.
Step 1: Scoping – What are the project data requirements?
The GDPR principle of “data minimization” is important when examining data requirements. In other words, a project should process only the minimum amount of data necessary to achieve its purpose. Whenever possible, only anonymous or synthetic data should be accessed. If identifiable data must be used, it should be pseudonymized (direct identifiers have been removed, but linking that dataset with other available datasets may allow individuals to be re-identified).
The guidance distinguishes the legal basis for disclosure under each of the following: (a) the common-law obligation of confidentiality; and (b) UK GDPR.
- Common-law obligations of confidentiality apply to the sharing of identifiable patient or service user information. The legal basis for justifying disclosure for research is usually consent, but certain other legal bases are available, such as section 251 of the NHS Act 2006.
- In addition to the requirements under common-law confidentiality obligations, the UK GDPR also requires a legal basis for processing personal data under Article 6 of the UK GDPR and a basis for health data under Article 9. Consent under the UK GDPR is a legal basis described in Articles 6 and 9, but other provisions are available (and often more appropriate).
Step 2: Clearly document how data is managed
This step maps out the documents that need to be in place, such as:
- A data management plan that should be incorporated into the study protocol. This should account for data processing and management activities throughout the research study lifecycle.
- A data protection impact assessment may be required to help systematically analyze, identify, and minimize the data protection risks of a project or plan.
- Data flow diagrams that can support research applications (especially for Section 251 support).
- Data sharing agreements/data processing agreements, which address the rights and obligations between two or more parties that process personal data (controller to controller or controller to processor, as applicable).
Step 3: Contact your data provider
It’s important to interact with the data provider whenever possible. This helps you manage timelines and assess missing variables in your dataset that might (for example) cause problems for your project.
A new streamlined process for accessing health data?
In parallel, the HRA is piloting a streamlined process for accessing health data for research.
All research studies requiring advice from the Confidentiality Advisory Group (CAG) also require a research ethics committee (REC) opinion. Traditionally, these applications have always been two separate processes. However, the HRA is trialing a new approach that coordinates both CAG and REC reviews in a single electronic submission, saving researchers time and making communication easier to manage (great news for everyone!).