Data Protection and Confidentiality

DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH
Nic Drew
Data Protection Manager
University Hospital of Wales
2074 6677
2074 5626
nic.drew@wales.nhs.uk
OVERVIEW
What is the Data Protection Act 1998?
The 8 Principles
The Principles in practice
Obtaining a R&D reference number
Research not involving patient contact
UHB information resources

WHAT IS THE DATA PROTECTION ACT?

LAW ON THE USE OF PERSONAL INFORMATION

PROVIDES RIGHTS OF PRIVACY

PROVIDES RIGHTS OF ACCESS

COMPLY WITH THE HUMAN RIGHTS ACT

THERE ARE 8 DATA PROTECTION PRINCIPLES
THE EIGHT PRINCIPLES
PERSONAL DATA MUST BE:
1. PROCESSED FAIRLY AND LAWFULLY + SCHEDULES 2&3
2. PROCESSED FOR SPECIFIED PURPOSES
3. ADEQUATE, RELEVANT AND NOT EXCESSIVE
4. ACCURATE AND KEPT UP TO DATE
5. KEPT FOR AS LONG AS IS NECESSARY AND NO LONGER
6. PROCESSED IN LINE WITH DATA SUBJECTS RIGHTS
7. SECURE
8. ONLY TRANSFERRED TO OTHER COUNTRIES THAT HAVE SUITABLE DATA PROTECTION CONTROLS
PRINCIPLES IN PRACTICE
PRINCIPLE 1

Fair processing – Provide all relevant information in the
Patient Information Sheet, ‘Confidentiality Statement’;
who disclosed to, what disclosed, who will access, how
long kept for, what security employed. Remember,
consent is not valid unless it is informed consent.

Identifying patients – If you are using initials and DOB as
well as a study number, you must tell patients.

Lawful processing – specifically the Human Rights Act,
Article 8 and the Common Law Duty of Confidentiality;
NOTE, if you don’t comply with other related legislation
(e.g. Human Tissue Act) you do not satisfy this Principle!

Schedule 3 – Explicit Consent is required where there is
patient communication or contact, unless you have an
exemption under section 251 of the NHS Act 2006
PRINCIPLES IN PRACTICE
PRINCIPLES 2 - 3 - 5

2, Specified purpose – if you wish to contact patients for
subsequent studies you need to tell them and gain
consent.

3, Not excessive – only collect personal data that is
necessary e.g. if you only need age, don’t ask for date of
birth.

5, Retention – tell patients how long you will keep their
personal data; usually 5 years or 15 for clinical trials

PRINCIPLES IN PRACTICE
PRINCIPLES 7 - 8

7, Security – Information Commissioner has made it clear
that all patient identifiable data on laptops or portable
media must be encrypted. C&V UHB only permits emails
with patient identifiable data to be sent between email
addresses ending in wales.nhs.uk

8, Outside EEA – specific informed consent required; this
must be endorsed on the Consent Form.
R&D REFERENCE NUMBER

Who recruits the patient? – Legitimate relationship

Disclosure of identifiable data – Initials+DOB+gender

Identifiable data on a computer – Whose computer? Encryption!

Disclosures outside the EEA? – Specific consent

GP’s informed? – Medical records accessed?
RESEARCH NOT INVOLVING PATIENT CONTACT, i.e. NO CONSENT

Permitted, but with strict controls to maintain patient
confidentiality

Access may be granted to patient medical records if you
are a healthcare professional or hold an honorary contract
with the UHB – this will not give direct access to
electronic records

No data capable of identifying a patient can be recorded

Only specimens from UHB patients can be anonymised
by the Labs and made available for research; Principle 7

INFORMATION SOURCE

The UHB’s Intranet site has Data Protection information
and guidance available (unfortunately not on the Internet yet)

‘Data Protection Guidance For Researchers’ available on
the Intranet; Data Protection > Guidance > Research, or
from the R&D Department

National Research Ethics Service guide also available
from above link