Staff undertaking
advertisement
DATA CONFIDENTIALITY IN THE NATIONAL CANCER REGISTRY General policy, procedures for release of data and staff guidelines. Version Revision date Revised by 2.2 29 November 2011 Harry Comber Date approved by Board National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 CONTENTS 1 Introduction ............................................................................................................................................................... 3 2 Summary .................................................................................................................................................................... 4 3 4 5 2.1 Confidential data ............................................................................................................................................... 4 2.2 Restricted data .................................................................................................................................................. 4 2.3 Unrestricted data .............................................................................................................................................. 4 General Principles of Confidentiality in the National Cancer Registry ....................................................................... 6 3.1 Definitions ......................................................................................................................................................... 7 3.2 Operation of the Registry ................................................................................................................................ 10 Procedures for release of National Cancer Registry data ........................................................................................ 13 4.1 General guidelines on information release ..................................................................................................... 13 4.2 Types of information which might be requested ............................................................................................ 14 4.3 Requesting data .............................................................................................................................................. 16 Staff policies on data security and confidentiality ................................................................................................... 21 5.1 Introduction. ................................................................................................................................................... 21 5.2 Data security ................................................................................................................................................... 21 5.3 Laptop Security Policy ..................................................................................................................................... 26 5.4 Breaches of data security or confidentiality ................................................................................................... 28 5.5 Internet, Network and Email Policy................................................................................................................. 29 5.6 Violations and Reporting ................................................................................................................................. 32 National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 1 INTRODUCTION This document sets out the broad principles and practice relating to data confidentiality and security within the Irish National Cancer Registry. It describes • the principles underlying these policies • procedures for the release of data • methods of achieving data security and confidentiality of data • guidelines for staff. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 2 SUMMARY The Registry will supply data in response to any reasonable or bona fide request, provided that complying with the request does not conflict with our obligations of confidentiality or with those under the Data Protection Act, 1988 (amended 2003). The use of the data by the applicant must be also consistent with the Data Protection Acts. Data will be anonymised where feasible, and, if not, consent must be obtained. The Registry classifies the data held into three categories: confidential, restricted and unrestricted. 2.1 CONFIDENTIAL DATA Confidential data is any sensitive personal1 information (see section 3.1.2 for definitions) relating to an identified or identifiable2 person, whether alive or dead. This definition extends to deceased persons many of the protections available under the Data Protection Acts. Data, by which the persons concerned can no longer be reasonably identified, are not considered as personal data. Confidential data held by the Registry on living persons will be released only with the written explicit consent of the data subject. The only exception to this is where the data is requested by a treating physician of the data subject. A treating physician is any doctor who is in a direct relationship of medical confidentiality with respect to the patient. This does not, in general, apply to doctors such as pathologists and radiologists whose relationship is less direct. Requests for confidential data must be made using a standard application form, and a declaration on use must be signed. All requests for confidential information must be approved by the Director. Processing and release of confidential data relating to living persons is subject to the Data Protection Acts. 2.2 RESTRICTED DATA Restricted data is any data, which is not confidential, but the use and dissemination of which is subject to certain restrictions by the Registry. Processing and release of restricted data is not subject to the Data Protection Acts but is governed by the policies of the National Cancer Registry. Any person requesting restricted information must do so in writing, either by post, fax or email3. 2.3 UNRESTRICTED DATA All information not classified as confidential or restricted is freely available to any member of the public on request. However, the Registry reserves the right to refuse requests for information, or to charge for the service, if, in the Registry’s view, requests involve disproportionate effort, are not made in good faith, have a malicious intent or are excessive in number. Vague requests, such as “information on breast cancer” cannot be dealt with and will be returned to the requester. If the amount of data analysis involved is extensive and/or the data is requested for commercial purposes, a fee may be payable to cover our costs. We attempt to respond to all requests within two working weeks of receipt and should be able to reply to most within a week. 1 Although the definition of “confidential” information used here is similar to that given for “sensitive personal” data in the Data Protection Acts, the Registry definition is extended to cover deceased persons, who are not covered by the Acts. 2 An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity 3 Simple requests, such as the total number of cases of a particular cancer registered in a specified year, may be dealt with over the telephone. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 This document does not apply to requests for information under the Freedom of Information Acts, which should be made to our Freedom of Information Officer, Ms Geraldine Finn, at 021-4318014 or to g.finn@ncri.ie.4 4 The Registry’s policies on Freedom of Information are available at http://www.ncri.ie/ncri/foifiles/Manual.pdf National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 3 GENERAL PRINCIPLES OF CONFIDENTIALITY IN THE NATIONAL CANCER REGISTRY Confidentiality in the use of personal data in medical research is governed both by the ethical guidelines of the medical profession5 and by the provisions of the Data Protection Acts, 1988 and 2003. Preservation of patient confidentiality has always been one of the highest priorities of the Registry. Patients, and their doctors, should be assured that their privacy, dignity and autonomy are central to the operations of the Registry. At the same time, the statutory duty of the Registry to “identify, collect, classify, record, store and analyse information relating to each newly diagnosed individual cancer patient and…each tumour which occurs” places an obligation on us to use the information gathered in a way which maximises its benefit for the public good. For the Registry to withhold information which could be used to reduce the burden of cancer would be, at best, a waste of public funds and, at worst, unethical. The principles of confidentiality must apply, not only within the Registry, but also to any data released by it, whether for public information, or to individual researchers. In particular, the Registry must take care not to publish data, or to provide it for publication by others, in a way that would allow any individual to be identified, even indirectly. The obligations of the Registry to deceased persons and their families are given as much consideration as those of the living. Against this need to protect the rights of the individual must be balanced the value of accurate cancer registration data in assessing the causes, treatment and outcome of cancer. 6 7 8 The Board of the Registry, in carrying out its functions, has adhered to the following principles: a. Permission for access to confidential information on living persons, which is held by the National Cancer Registry, must be sought from the patient, except where this information is to be used in the course of his/her clinical care. b. No disadvantage, harm or distress may be caused to the patient by this access; c. Appropriate safeguards must be in place to preserve the confidentiality of the information in our custody; d. Reports of our work must not contain information which would remove, without consent, the anonymity of a patient or doctor; e. The Registry has a duty to maximise the use of information in its possession to the benefit of all patients. The National Cancer Registry holds data under two broad headings: registration data, collected as part of the Registry’s routine data collection; and research data collected in defined research studies. Collection of registration data is covered by the Health (Provision of Information) Act and does not require consent. Information collected in research studies is collected and used with consent, and its uses are governed by that consent. The Registry procedures described here with regard to data release pertain only to the registration data, unless specifically noted. Data given with consent will be released only as allowed by the consent. Procedures with regard to data security apply to all data. Successful cancer registration requires that the Registry uses identifiable information, for a number of reasons: a. Information on a single cancer often comes from a variety of sources. This duplication of information would inevitably lead to multiple registrations of the tumour, and a gross over-estimation of the rate of incidence of cancer, unless some method were available for linking all information on the same individual. 5 Guide to professional conduct and ethics for registered medical practitioners. Medical Council, 2009. 6 Coleman M, Muir CS Menegoz F. Confidentiality in the Cancer Registry. Br J Cancer 1992; 66: 1138-1149. 7 Responsibility in the use of personal medical information for research: Principles and Guide to Practice. Statement by the Medical Research Council. B.M.J. 1985; 290:1120-1124. 8 Gordis L., Gold E. Privacy, Confidentiality and the use of medical records in research. Science 1980; 207:153-156. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 b. Information on outcome, and particularly on survival, is essential to the operation of the Registry, and links between registrations and death certificates can only be achieved by the use of some type of personal identification. c. The Registry can carry out assessment of the success and coverage rate of screening programmes only if individuals screened can later be identified if they develop cancer. d. Cancer registries may also contribute to medical research by allowing researchers to identify (with consent from the patient and appropriate ethical safeguards) individuals with cancer for the purposes of case-control studies of cancer aetiology, and by helping with the recruitment of individuals to properly conducted clinical trials of cancer treatment. Because these individuals may have been treated by a number of physicians in different institutions, the Registry may offer the only method of allowing their identification and follow up. e In Ireland, as there is no national identity number or other means of identifying an individual other than through a combination of name, address and date of birth, the Registry must hold these items of personal information on each person registered. The principles of confidentiality can be reconciled with the functions of the Registry by the adoption of a comprehensive code of practice governing the acquisition, processing, storage and release of identifiable patient data. Where doubt exists as to the appropriateness of a particular line of action, this code of practice must have as its highest priority the protection of the rights of the individual patient. As well as guidelines for the use of data within the Registry, this code of practice must also include guidelines on the use of Registry data by individuals outside the Registry, and should also protect the rights of the dead as well as living persons. All Registry staff have responsibility for preserving confidentiality but responsibility for ensuring adherence to the code of practice will rest ultimately with the Director9, who may ask the Board for guidance on cases which do not conform to the agreed guidelines. 3.1 DEFINITIONS 3.1.1 REGISTRATION Registration is the process of acquiring information on an individual considered to have cancer, extracting demographic and medical information on that individual from medical records (and, when necessary death certificates), and adding this information to the Registry database. Additional data, if required by the Registry’s statutory functions, may be added by linkage to other databases (e.g. the Hospital Inpatient Enquiry). 3.1.2 CONFIDENTIAL DATA Confidential data is any sensitive personal information relating to an identified or identifiable person, whether alive or dead. Personal data is data relating to a living individual who is or can be identified either from the data, or in conjunction with other information that is in, or is likely to come into, the possession of the data controller (Data Protection (Amendment) Act 2003). Sensitive personal data includes data that identifies (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,(b) whether the data subject is a member of a trade union (c) the physical or mental health or condition or sexual life of the data subject,(d) the commission or alleged commission of any offence by the data subject, or(e) any proceedings for an offence committed or 9 Or one or more other individuals to whom this responsibility has been assigned by the Board National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. (Data Protection (Amendment) Act 2003). In the case of cancer patients this information will usually have been given in the context of a confidential medical relationship and in the expectation of confidentiality. For data collected as part of research, informed consent will be sought from the participant at the outset of the research, for the uses envisaged. Further consent will be obtained if other uses are made of the data. Although the definition of “confidential” information used here is similar to that given for “sensitive personal” data in the Data Protection Acts, the Registry definition is extended to cover deceased persons, who are not covered by the Acts. This definition extends to deceased persons many of the protections available under the Data Protection Acts. However, for obvious reasons, the requirement for consent cannot be extended to deceased persons and so alternative safeguards are needed. An identifiable person is one who can be identified, either: a. directly or b. indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. 10 Data of such a type by which the person concerned can no longer be reasonably identified are not considered as personal data. The Registry may also hold business data (employment records, contracts etc.) which may be subject to confidentiality provisions for legal or contractual reasons (see section 3.2.5). 3.1.3 RESTRICTED DATA Restricted data is any data, which is not personal data, but is 1. Anonymised or aggregate data which applies to a small and/or potentially identifiable group of individuals (for instance a small geographical area, where other information such as age or occupation are also given). 2. Anonymised or aggregate data with a level of detail (e.g. electoral division of residence) which might, under certain circumstances, allow an individual to be identified. 3. Data, the publication or dissemination of which could cause distress, loss or embarrassment to any individual or institution. A very large number of possible combinations of data fields is available from the Registry, and these may be requested for many different subsets of the population. It is therefore impossible to set out definitive rules to cover all of these eventualities; each request will need to be dealt with on its merits. In cases of uncertainty, the opinion of the Data Protection Commissioner will be sought. 3.1.4 UNRESTRICTED DATA Data which, in the opinion of the Registry, has no potential to identify an individual, is freely available (subject to certain conditions) from the Registry, as either anonymised records or aggregate data. 3.1.5 TREATING PHYSICIAN A treating physician is any doctor who is in a relationship of medical confidentiality with respect to the patient. For the Registry, this could be 10 EU Directive 95/46/EC. As implemented by the Data Protection (Amendment) Act 2003. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 1. A doctor, either consultant or general practitioner, who was involved with the diagnosis and/or treatment of the patient at the time of cancer diagnosis, 2. The physician now responsible for the patient if the above has retired from practice, 3. A doctor to whom the patient has been referred for further diagnosis or treatment of the cancer, 4. The patient's current general practitioner, if different from the GP described in (1) above. In general, confidential information may be shared with the treating physician on the basis that this is information 1. to which the treating physician already has access within her or his institution, in connection with the process of patient care and 2. in respect of which there is already a relationship of confidentiality between treating physician and patient, with implicit consent for the Registry to share the data. It is not essential that the information be used in connection with the clinical care of any, or all, of the patients involved. However, where information is being released to a treating physician, the Data Protection Commissioner has advised that: 1. Data should only be released to, and on the request of, the data controller in the institution. This would normally be the CEO (or his/her representative) of the hospital or of the Health Service Executive in public hospitals or the responsible consultant in other cases. 2. Secondary consultants such as pathologists may be involved in the treatment of the patient but the patient will not be aware of their identity. In the absence of a robust research information policy by that hospital, the release of data to others not part of the direct treatment team would be a surprise to that patient. Consequently, consent should be sought for such a release National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 3.2 OPERATION OF THE REGISTRY 3.2.1 DATA COLLECTION. The Registry obtains data on patients with cancer from a variety of sources: 3.2.1.1 P ATHOLOGY L ABORATORIES . The majority of notifications come initially from pathology reports. Similar notifications may be received from haematology, cytology and, on rare cases, radiology departments. These notifications rarely contain sufficient information for a full registration, and the registration is completed by reference to the patient's medical records. 3.2.1.2 M EDICAL R ECORDS . A systematic search of medical records from appropriate departments, such as radiotherapy and oncology, yields the names of patients who had not been notified through pathology reports. The medical records contain all the information necessary for registration. Other sources based on the medical records (e.g. Hospital Inpatient Enquiry (HIPE), radiotherapy, pharmacy, oncology and multi-disciplinary team meeting records) may also be used as sources of data. 3.2.1.3 D EATH C ERTIFICATES . The diagnosis of cancer may be initially notified to the Registry from death certificates, which are supplied by the Central Statistics Office. The physician certifying the death is then contacted and can either give the information necessary for a full registration or can allow the patient to be identified and the medical records retrieved. 3.2.1.4 O THER R EGISTRIES . Notifications, updates or treatment of patients normally resident within the Registry area are sometimes received from registries outside of the Republic of Ireland, mainly from the Northern Ireland Cancer Registry and from registries in England, Scotland and Wales. 3.2.2 PROCESSING OF INFORMATION. Each notification is checked against the existing Registry database, to see if the cancer has already been registered. Records can usually be matched on the basis of full name, address and date of birth. If no previous entry exists for the cancer, it is registered, and the record added to the database. Registrations are made by qualified Tumour Registration Officers, who are permanent employees of the Registry, and who have signed an undertaking to safeguard the confidentiality and security of all the information to which they have access. All phases of data collection, storage and transmission are protected by computer passwords and encoding of the data. Regular external and internal security reviews are carried out. On arrival at the Registry central database, these registrations are again checked against the database for duplication. Patient name, date of birth and address are removed from the database before it is used for analysis, and access to identifiable information is limited to a small number of named persons within the Registry. For data processing purposes, identifiable information is essential for elimination of duplicate registrations, for follow-up of patients through death certificates and linkage to hospital and HIPE databases. Patient addresses are used to allocate cases to an electoral division of residence. 3.2.3 DATA REPORTING AND ANALYSIS. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 The procedures for data release are set out in more detail in section 4. The section below describes, in outline, the ways in which data is used by the Registry, including provision of data to third parties. 3.2.3.1 S TATISTICAL REPORTS The main use of the data is to produce regular statistical reports on cancer incidence, treatment and survival overall and for particular sub-groups of the population, broken down by cancer type. None of the data is presented in a way which could allow the identification of individuals. 3.2.3.2 D ETAILED REPORTS The Registry also produces, on request, specific analyses of the data for researchers and others. These analyses do not identify individuals, and are governed by safeguards with regard to the use of the data. 3.2.3.3 R ELEASE OF NON - IDENTIFIABLE DATA The Registry provides aggregate or anonymised individual data for bona fide research purposes, provided this does not carry any risk of identification of any individual. 3.2.3.4 R ELEASE OF CONFIDENTIAL DATA 3.2.3.5 T O PATIENTS Under the Data Protection Acts, individuals have a right to see, and to ask to have altered or deleted, any information held by the Registry in relation to themselves. This right does not extend to family members or others, and does not apply to applications by third parties on behalf of the deceased, with the exception of applications for information by recognised clinical genetics services. Release of information on deceased persons, who have not consented to this prior to death, is covered in section 4.2.5. 3.2.3.6 T O DOCTORS WITH CLINICAL RESPONSIBILITY FOR THE PATIENT Confidential data may be released, under certain conditions, to the treating physician of the patient (see section 3.1.5) unless a patient has explicitly prohibited this. The Registry may also provide personally identifiable data for research purposes, if explicit consent is given to this by the patient. Treating physicians may not give consent, on behalf of their patients, to the release of their confidential data to a third party. 3.2.3.7 T O OTHER THIRD PARTIES Apart from the exceptions described in 3.2.3.5 and 3.2.3.6 above, confidential data is released only with the explicit written consent of the patient. All releases of confidential information must be approved, before release, by the Director or a member of staff designated by him in his absence. Requests for confidential data on a named patient are responded to, initially, in a way which does not indicate whether a particular individual is registered or not. The Director is responsible for assessing if proposed research meets the Registry's criteria for the release of data. The guidance of the Board, and in some circumstances the Data Protection Commissioner, will be sought for cases which fall outside these guidelines. The precise procedures to be followed are set out in section 4 "Procedures for release of National Cancer Registry data". 3.2.4 RESEARCH. The Registry has an active research programme, some of which entails the collection and storage of confidential data. Ethical approval is normally sought for research projects. Consent is sought from participants for all data uses, and data is shared only as permitted by the consent given by participants. Registry staff who are not working on the specific research project have no access to the data. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 3.2.5 CONFIDENTIALITY RELATING TO EMPLOYEE RECORDS 3.2.5.1 C OLLECTION OF PERSONAL AND SENSITIVE INFORMATION Personal and sensitive information is collected by human resources (HR) only where it is necessary for the HR function or any related activity. This information will normally be gathered directly from the individual concerned. At the time the information is collected the staff member will be advised whether or not the provision of the information is compulsory. One example of this is the information collected through the disability census each year. HR staff try to ensure that personal and sensitive information collected is accurate, relevant, up-to-date, complete and not misleading and will take all reasonable steps to protect these records from misuse, loss, unauthorised access, modification or disclosure. 3.2.5.2 S TORAGE OF PERSONAL EMPLOYEE INFORMATION Only staff members who require such information in order to carry out their duties and responsibilities will have permission to access personnel files. Electronic access to the Human Resource Information System is restricted to staff who have direct responsibility in that area and the system is password protected. Hard copies of employee personnel files are stored in locked cabinets and access to this area is restricted to HR staff. 3.2.5.3 U SE AND DISCLOSURE OF PERSONAL EMPLOYEE INFORMATION HR staff must not disclose personal information unnecessarily. Sensitive information can be disclosed only with consent. Protection of confidentiality includes ensuring files and work areas are organised so that information is not inadvertently disclosed. Staff must only access information that they require for legitimate work purposes. 3.2.5.4 H UMAN RESOURCES STAFF – GUIDELINES FOR GOOD PRACTICE IN PROTECTING THE PRIVACY OF EMPLOYEES The following are practical, everyday work practices that HR staff should apply in ensuring confidentiality in the workplace. When temporarily away from workstations during working hours HR staff must electronically lock their computer or use an automatic screensaver lock. Filing cabinets or drawers containing confidential information located at individual work stations are to be locked when not in use and when the staff member is away from their workstation HR staff members should maintain awareness when having confidential telephone conversations, or impromptu meetings at their desks There should be no discussion of any matter relating to sensitive staff information in social environments Printed information should be collected promptly from shared printers and photocopiers Confidential information that must be retained should be archived. If the information is no longer required it should be shredded. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 4 PROCEDURES FOR RELEASE OF NATIONAL CANCER REGISTRY DATA The National Cancer Registry contains information on registrations of patients with cancer in Cork and Kerry from 1980 onwards and for the whole of Ireland from 1994. It is a valuable resource, available for use in epidemiological and clinical research, as well as the planning and evaluation of services. We welcome requests for information for research, planning and statistical purposes. The Registry also holds information collected as part of research projects but this, in general, is not available outside the specific project. However, because of the sensitivity of much of the information we keep on file, we observe certain procedures with regard to the release of information. These procedures apply both to the supply of data by the Registry and to its subsequent analysis and publication. The following section sets out the current guidelines for the release of registration data. If you would like more information on our procedures, or if you have some special data needs, the Director would be quite happy to amplify or clarify any of the information below. 4.1 GENERAL GUIDELINES ON INFORMATION RELEASE The Registry will supply registration data in response to any reasonable or bona fide request, provided that complying with the request does not conflict with our obligations of confidentiality or with those under the Data Protection Act, 1988 (amended 2003).The use of the data by the applicant must be also consistent with the Data Protection Acts. Data will be anonymised where feasible, and, if not, consent must be obtained. In the great majority of cases, only anonymised data will be provided. Sensitive or confidential data can only be supplied under strict restrictions as set out below. The Registry classifies the data held into three categories: confidential, restricted and unrestricted. This classification is based on the potential of the data to identify an individual, and not on the format (aggregate, individual) in which the data is provided. Requesters will be asked to complete a basic request form, the purpose of which is to ensure that all requests are responded to in a timely and accurate way. All data requests will be reviewed on receipt and classified as either restricted (and potentially confidential) or unrestricted. Vague requests, such as “information on breast cancer” cannot be dealt with and will be returned to the requester. Requests for restricted information will be followed up with the requester. Any person requesting restricted information must do so in writing, either by post, fax or email 11. Requests for restricted data (see section 4.3.2) must be made using the standard application form which is on the Registry website, and the attached declaration at the end of this form must be signed. Following receipt of this form, the Registry will decide whether the data requested is confidential; if this is the case the requester will be asked to modify the request or to obtain consent for data release. If the amount of data analysis involved is extensive and/or the data is requested for commercial purposes, a fee may be payable to cover our costs. We attempt to respond to all requests within two working weeks of receipt and should be able to reply to most within a week. The Registry reserves the right to refuse requests for information, or to charge for the service, if requests are considered to involve disproportionate effort, are not made in good faith, have a malicious intent or are excessive in number. The information available can be broadly classified as: • • general aggregate 11 Simple requests for aggregate data, such as the total number of cases of a particular cancer registered in a specified year, may be dealt with over the telephone. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 • individual 4.2 TYPES OF INFORMATION WHICH MIGHT BE REQUESTED 4.2.1 GENERAL INFORMATION This describes the total number of cases broken down into broad categories, such as age band, sex, site or county. This information is of the same general level of detail as that published in the annual reports of the Registry and is also available on the Registry website at www.ncri.ie. However, the Registry must be identified as the source in any publication of the data. Requesters are encouraged to check if this information has already been made available electronically by the Registry before making a request. 4.2.2 AGGREGATE INFORMATION Aggregate information is that which is analysed in greater detail than described above, at a level which is not routinely produced and published by the Registry, but which does not allow the direct identification of individuals. In some cases—for instance, analysis of small geographical areas for uncommon cancers—individuals may be potentially identifiable. Information of this type is considered “restricted” and is subject to the principles and procedures as set out below under “Restricted data” (section 4.3.2). Aggregate information will be made available on tumours by site, by histological type, by age band, and for district electoral division or city ward. Cross-tabulations of this data will also be made available, subject to the principles and procedures in “Restricted data” (section 4.3.2). All requests for aggregate data must be made on the detailed application form, which is available on request or can be downloaded from our website www.ncri.ie. 4.2.3 INDIVIDUAL-LEVEL DATA Individual-level data may be either identifiable or non-identifiable. Identifiable data is always considered confidential, as the fact of registration implies a diagnosis of cancer and is considered to be “sensitive personal” data under the Data Protection Acts if the individual is alive. Anonymised individual data carries no risk of identification of the individual and its use is not, in general, restricted. However, there is no clear division between identifiable and non-identifiable data. Some data items considered to carry a high risk of identification (e.g. name, address, identification number) are always considered confidential (see below). Others, such as date of birth, do not identify an individual if taken on their own, but have a high probability of doing so if combined with other data. Other information (e.g. occupation, electoral division of residence) has a very low potential for identification but this may occur through rare combinations of variables, or by linkage with other databases. Although this is unlikely in practice, the release of items with any potential for identification is routinely restricted by the Registry. Release of this data, while not requiring patient consent, is subject to the principles and procedures as set out below under “Restricted data” (section 4.3.2). If the Registry considers that there is a real risk of identification from the data requested, then the request must be modified or patient consent sought. 4.2.3.1 P ERSONAL ( IDENTIFIABLE ) DATA . Data is considered by the Registry to be identifiable if it contains any of the following: a. Patient’s name and/or full address b. Date of birth c. Hospital or other registration number d. GMS, PPS or other identifying numbers National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 e. If the unit of analysis is sufficiently small to allow the identification of individual patients, using other data available to the requester. Identifiable information held by the Registry is always confidential, as it carries the implication of a cancer diagnosis. 4.2.3.2 I DENTIFIABLE INFORMATION ON DECEASED PATIENTS Information from death certificates is obtained by the Registry from the Central Statistics Office and the General Register Office. If an individual is deceased, permission to access information on cause of death must be obtained, under the Vital Statistics Acts, from the Registrar General at the Department of Health and Children. The date of death is not considered to be confidential information and is available on request. Other identifiable information held by the Registry on deceased persons will be released (unless the individual has previously indicated that they wish to withhold consent) only if approval has been obtained by the applicant from an appropriate Ethics Committee. 12 4.2.3.3 I DENTIFIABLE DATA FOR GENETIC COUNSELLING . The National Cancer Registry, while wishing to facilitate people having genetic counselling, takes as its primary principle the confidentiality of cancer patients, whether living or deceased. Information concerning living cancer patients will not be released without written consent. Requests for Registry information from recognised13 genetic counselling clinics regarding suspected cancer diagnoses in living family members, related to a proband undergoing counselling, should be accompanied by a dated signed consent form obtained from each family member (or a legal guardian) about whom information is sought. The consent form should permit the release, to the genetic counselling clinic, of information relating to their cancer diagnoses from medical records. Information on deceased cancer patients can be provided to recognised genetic counselling services working within a clear and published set of ethical rules. Information cannot be released to any genetic counselling services in Ireland which do not conform to the provisions of the Disability Act. 12 Appropriate Ethics Committees are those (1) which are recognised by the Department of Health and Children under Regulation 7 of the European Communities (Clinical Trials on Medicinal Products for Human Use) Regulations 2004 or (2) which have been established by an academic, professional or healthcare body and operate in accordance with the procedures set out in “Operational procedures for research ethics committees: guidance 2004” (Irish Council for Bioethics, 2004). 13 That is, which form part of a full clinical genetics service provided by a healthcare institution. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 4.3 REQUESTING DATA The Registry classifies the data held into three categories: confidential, restricted and unrestricted. This classification is based on the potential of the data to identify an individual, and not on the format (aggregate, individual) in which the data is provided. Requesters will be asked to complete a basic request form, the purpose of which is to ensure that all requests are responded to in a timely and accurate way. All data requests will be reviewed on receipt and classified as either unrestricted or restricted. 4.3.1 PROCEDURES FOR REQUESTING UNRESTRICTED DATA The majority of requests will be for unrestricted data, which is considered by the Registry to have no potential to identify an individual. This is the type of data routinely published by the Registry or available on our website. This data can be obtained from the Registry by an email or telephone request. Requesters will be asked to complete a basic request form, the purpose of which is to ensure that all requests are responded to in a timely and accurate way. If, in the opinion of the Registry, any of the data requested has the potential to identify an individual, it will be dealt with as restricted data. 4.3.2 PROCEDURES FOR REQUESTING RESTRICTED DATA If the data requested appears to be potentially identifiable, requesters will be asked to return a detailed request form (which is on our website). One copy of this form will be kept by the Registry and the other returned to the requester. All requests should specify: 1. The scope of the dataset (e.g. years covered, sites, geographical area, cases, deaths or treatments). 2. The variables required. 3. The level of specificity for each variable (e.g. year of birth or five-year groups). 4. The purpose of the study/audit/report. 5. In general terms, the level of analysis proposed. 6. The title and job description of the requester, and the names of all other persons who will have access to the data. 7. Where hospitals and/or consultants are being identified, the status of the person giving permission for the data to be released. 8. A record of the request (the request form), and a copy of the data sent out, should be kept (and should be relatively easy to retrieve) for Freedom of Information purposes. 9. For confidential data, the information to be given to the patient and a copy of the consent form. If the patients are deceased, evidence of ethical approval will also be required. Following receipt of the request, a member of Registry staff may contact the requester, to discuss the exact data requirements. In many cases, this will allow us to release data which meets the requirements of the requester but is not potentially identifiable. The general principles which will apply, with regard to safeguarding confidentiality are: 1. Aggregated or cross-tabulated data will be offered in preference to individual-level data. In instances where either patient case numbers or denominator data is small, with a resultant potential for individuals to be identified, data may be aggregated over a number of years – e.g. data provided in 5 year period blocks (year of diagnosis 1994-1998, 1999-2003 etc) National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 2. If the risk of identifying an individual patient is high, either directly or by linkage to other data in the possession of the requester, the data will be treated as confidential and the request denied unless patient consent is given or the requester has clinical responsibility for the patient. 3. If data is being given out as individual records (microdata) or where the denominator population is small, variables will be re-coded to the lowest level of specificity which will serve the purpose of the study. Information with the potential to identify individuals will be grouped to prevent identification, as follows: . a. Precise dates (birth, death, diagnosis). It is rarely necessary for researchers to have exact dates. In general, age will be provided aggregated into five-year age groups, but year of birth may provided if there is a specific need. Year of incidence (diagnosis) will be sufficient for most purposes, but if survival is being calculated, month of diagnosis (and of death) may be provided. If this is not sufficient, derived data (e.g. survival in days, rather than precise dates of incidence and death) will be offered, but care is needed to ensure that this is done appropriately and correctly. In some circumstances, with agreement of the Director, precise dates of diagnosis and of death may be provided. b. Full morphology codes. These are not usually provided; three character (e.g. 804) codes will be given. Where full codes are essential for the work proposed, less common codes will be grouped to avoid potential identification. c. Full treatment codes. Unless specifically requested, only codes of “surgery”, “radiotherapy” etc. will be given. d. Occupation will always be aggregated to the second digit (of the 3 digit UK SOC90 standard occupational classification code) if age is also given. e. Local area of residence (Electoral Division, ED). A single case occurring in an ED is not in itself a reason to refuse the data, as long as the other information given (e.g. age, occupation) is not sufficient to identify someone. It is the size of the denominator population, not the number of cases, which carries the risk of identification. However, care must be taken, as some EDs have very small numbers of residents in particular age groups and the identification of individuals in these may be possible. Individual level data will never be released for the EDs described by the Central Statistics Office as “confidential”. These change with each census, and are always combined with a neighbouring ED. f. Data identifying a hospital. It is not difficult, using other published data, to identify hospitals by workload, so all such data is treated as restricted. Data on hospital activity, or which could be used to infer hospital activity, will be given out only if: g. 1. Permission is given by, or on behalf of, the chief executive of the hospital; or 2. The request is made by, or on behalf of, the HSE, the Department of Health and Children or the Health Information and Quality Authority for a publicly funded hospital; or 3. The request is made by a body or individual with a legal right to the data; or 4. Permission is given by a hospital medical consultant acting on behalf of a specific group of consultants or specialties within the hospital. Data identifying an individual health care worker. In general, data which could identify the workload or patterns of care provided by an individual health care worker should not be released without the written consent of that individual; consent should always be sought. If consent is refused, information may be released (following consultation with the Data Protection Commissioner) to 1. Any body or individual with legal right to the data; or National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 2. The HSE, the Department of Health and Children or the Health Information and Quality Authority in respect of activity in a publicly funded hospital. Some restrictions on data use will apply (see section 4.3.3). If the data request cannot be modified to remove the potential for patient identification, procedures with regard to release of confidential data (section 4.3.4) will apply. Certain combinations of specific information (street address, date of birth, occupation to the third digit) when combined with less specific data, may be enough to identify an individual, and each request will be considered individually. If the risk of identifying an individual patient is high, either directly or by linkage to other data in the possession of the requester, the data will be treated as confidential. In cases of doubt, the Director, as responsible person under the Data Protection Act, will be consulted. 4.3.3 GENERAL CONDITIONS OF USE OF RESTRICTED DATA Unlike confidential data, there is no absolute prohibition on the release of restricted data, but its release is subject to some conditions. The Registry is subject to Freedom of Information provisions, so any “document” produced by us could potentially be demanded by any member of the public. The following conditions apply to the release of restricted data: 1. The probable benefits of releasing the data must outweigh any potential for damage. 2. Requesters must undertake: a. to use the data only for the purposes specified. b. not to pass it to anyone else. c. not to link it to other data unless this was specified in the original request, or is specifically agreed by the Registry at a later time. The National Cancer Registry will have to give consent for the data to be linked with any other databases. d. not to attempt to identify, any individual, family or dwelling, or to publish the data in a way which would allow any individual, family or dwelling to be identified, either directly or by linkage with other data. e. to take every precaution to avoid the identification of individuals or institutions in any publication. f. to delete or destroy the data (all paper and electronic copies) at an agreed date and to inform the Registry that this has been done (a note should be kept of this data at the time of request and a reminder automatically set up). g. users of the data must ensure that, in complying with the above conditions, they also observe the relevant provisions of the Data Protection Acts and the Freedom of Information Act. h. Data should not be released to users outside the State without the permission of the Director (or other authorised person). The permission of the Data Protection Commissioner may be required for some transfers, especially outside the EU. 4.3.4 PROCEDURES FOR RELEASE OF CONFIDENTIAL DATA Confidential information is not released without patient consent, except to the treating physician (section 3.1.5) of the patient. For informed patient consent the patient must have been given, at a minimum, a. a brief description of the uses to which the information will be put, b. the names and affiliations of the researchers involved, National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 c. the interventions planned by the researchers (if any), d. a clear statement that the patient is completely free not to participate without consequences e. a clear statement that the patients may withdraw this consent at any stage, without consequences. Consent should always be given in writing, but patients are given a contact address and telephone number if they wish to discuss any aspect of the research or consent further. The general practitioner should be contacted prior to attempting to contact the patient, to check that the patient is alive, fit to give consent and aware of the diagnosis. Information released to the treating physician should be limited to that which is strictly relevant to the research or audit project. Confidential data should be accessible only to those with an existing relationship of confidentiality to the patient, as defined in section 3.1.5, and does not extend to others, even if working within the hospital in which the patient was treated. Enquiries for the purposes of genetic counselling must also adhere to this principle. Patient name or house/street address and identification numbers of any sort (including National Cancer Registry registration number, medical record number, pathology reference number) are always treated as confidential. If an identification number is needed for each case, for quality assurance or other purposes, a substitute number will be supplied and a lookup table kept at the Registry. In general, all requests for confidential data must be approved by the Director or a designated person in his absence; the request must meet the following minimum criteria: 1. the project will be of some clear benefit. 2. the data are essential for the purposes described. 4.3.5 GENERAL CONDITIONS OF USE OF CONFIDENTIAL DATA 1. Individual-level data (other than non-identifiable individual-level data as already downloadable from the Registry website) will be provided only when no alternative method of investigation is available, and if, in the view of the Director, the benefits to accrue from the data use outweigh any potential risks. Aggregated or cross-tabulated data will always be offered in preference to individual-level data. 2. The data user must work within a recognised institution of some standing (e.g. third level institution, health service organisation). All individuals who will have access to the data must be named. 3. The data must be requested by, and released only to, the data controller in the relevant organisation (see section 3.1.5). 4. The purposes for which the data are to be used must be clearly set out and the data are not to be used for any other purpose. 5. Information which could identify a hospital or health care professional will normally require consent from the hospital or individual. 6. Requesters must undertake: a. to use the data only for the purposes specified. b. not to pass it to anyone else. c. not to link it to other data unless this was specified in the original request, or is specifically agreed by the Registry at a later time. The National Cancer Registry will have to give consent for the data to be linked with any other databases. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 d. not to use the data to contact the patient. The data must not be used to identify, or attempt to identify, any individual, family or dwelling, or to contact any patient or their family, and may not be published in a way which would allow any individual, family or dwelling to be identified, either directly or by linkage with other data. e. to take every precaution to avoid the identification of individuals or institutions in any publication. f. to share any documents based on the data with the Registry prior to publication 13. The National Cancer Registry will be sent a final draft of any publication or report based on the data, and will have the right to have any analysis breaching the above conditions removed or modified. g. to delete or destroy the data (all paper and electronic copies) at an agreed date and to inform the Registry that this has been done (a note should be kept of this data at the time of request and a reminder automatically set up). h. users of the data must ensure that, in complying with the above conditions, they also observe the relevant provisions of the Data Protection Acts and the Freedom of Information Act. i. Data should not be released to users outside the State without the permission of the Director (or other authorised person). The permission of the Data Protection Commissioner may be required for some transfers, especially outside the EU. One corollary of the above conditions is that requests which come from outside recognised medical, research or academic institutions, where the above conditions may be difficult to observe, will be treated with particular care. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 5 STAFF POLICIES ON DATA SECURITY AND CONFIDENTIALITY 5.1 INTRODUCTION. This document sets out the procedures for observing confidentiality and security of data within the Registry. It is meant to offer a series of principles, and cannot cover every possible eventuality. When in doubt in a situation which may involve confidential information, please contact the Director, or in his absence a nominated responsible person. All staff are expected to make themselves familiar with the rules contained in this document, and to re-read them annually. A confidentiality statement is attached, and must be signed by each staff member on taking up his or her post and annually thereafter. Any breach of these guidelines will be considered a serious disciplinary matter and may lead to dismissal. The Registry is in a position of trust. We are trusted by society at large and by doctors and other hospital workers in particular, to observe the highest standards of security and confidentiality with regard to the very sensitive information which we have in our possession. Those of us handling this information every day may sometimes forget the potential consequences its disclosure might have for individuals or their families. We must also be aware of the disastrous consequences for the Registry, should our sources of information lose their trust in us. The basic principle of operation of the Registry must be, above all, to protect the rights of the individual. The rules set out here govern the handling of confidential or otherwise sensitive personal information. This is described as any information which could identify an individual (patient, family or health care worker) either directly or indirectly. The fact that an individual is registered is in itself an item of confidential personal information. Individuals may be directly identified by name, address, date of birth or personal identification number (GMS number, PPS number, hospital medical record number), or indirectly through a unique combination of personal characteristics. Apart from confidential personal information, the Registry also produces statistical information on cancer. Many different individuals and groups may request this information. Because cancer incidence information is not always easily interpretable, the Registry needs to be able to control the uses made of information supplied by us, at least to the extent of having the users take responsibility for any interpretations. The Director must first clear all requests for restricted or confidential information, no matter how apparently innocuous. Registry staff may, in the course of their work, come across information not pertaining to cancer registration, or may have access to confidential information on others which might be of interest to them. The same rules of confidentiality apply to personal information, whether gathered for registration purposes, or come across accidentally. Staff must not abuse their privileges of access to medical records by seeking information not relevant to their work. 5.2 DATA SECURITY 5.2.1 BASIC PRINCIPLES All staff concerned with the collection, processing and output of personal data are employees of the National Cancer Registry. On taking up duty, and annually thereafter, they are required to read, agree to and observe the rules set out in "Guidelines for staff on confidentiality within the National Cancer Registry". National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 sign an undertaking of confidentiality, which will remain binding even following their departure from Registry work. This undertaking prohibits staff from disclosing, either directly or indirectly, to any individual outside the Registry or to other staff within the Registry who do not have access to confidential information, the identity of any person registered, or any data concerning such an individual, or any other confidential material they may come across in the course of their work. To observe the security precautions currently operating within the Registry. 5.2.2 Physical security The operation of the Registry is largely electronic, and few written documents containing individual identification are created. Any such written documents are to be shredded immediately after use. Documents which need to be kept for archival purposes are to be stored securely in areas specifically designated for this purpose and in locked storage cabinets. Access to these cabinets is limited to authorised Registry personnel. The Registry door is to be kept locked at all times. Visitors to the Registry must be admitted to the Registry premises by a staff member. Once admitted they should remain in the outer lobby area until the person they are meeting arrives. It is the responsibility of the person first admitting them to the premises to ascertain who the visitor is, whom they are visiting and to ask them to remain in the lobby area. The person they are visiting must ensure they sign in to the visitors’ book and sign out on departure, are given a visitor’s badge, are accompanied at all times and have no access to areas where sensitive information could be visible. Unless there is a specific reason for doing otherwise, visitors should be confined to the non-secure areas of the Registry (meeting rooms, lobby, Director’s office). The Registry premises are protected by high-security locks and by electronic alarms. Non-Registry staff must never be given alarm codes. It is the responsibility of every staff member to ensure that these are activated when the offices are unattended at any time. The last person leaving the premises every day should go through the standard “last person out” process and sign to indicate that the checklist has been followed. Confidential documents should be on the desktop only when being used. At all other times they should be stored in a designated locked cabinet or drawer. Staff should observe a “clean desk” policy when working with confidential documents; all non-essential documents, whether confidential or otherwise, should be cleared away whenever the desk is unoccupied, even for brief periods (e.g. coffee breaks) to reduce the risk of inadvertent exposure of a confidential document. 5.2.3 ELECTRONIC SECURITY Data collected by Registry staff on laptop computers is password protected and encoded, and must also be encoded during any transmission to the Registry. Data is stored on laptop computers in a form that would be quite difficult for the average person to break into. However, it is not impossible, with enough time, determination and technical skill. The loss or theft of a laptop computer with confidential data is one of the most serious potential threats to the Registry and all staff are required to comply with the laptop security policy. Details of the Registry’s security policy specific to laptops are outlined in section 5.3 page 23). Staff should adhere strictly to the laptop security policy (Section 5.3) If any breach of security is suspected, the Director should be informed immediately. Password policies with regard to laptop password format and frequency of change must be complied with. Data within the Registry is protected by passwords and encoding. Each individual within the Registry has a personal password, which defines their level of access to the computer system. Password policies with regard to password format and frequency of change must be complied with. Passwords must never be written down anywhere and must be encrypted if stored in electronic format. A second password is needed for access to the patient database. Access to all computers is automatically logged by the network system, which records the identity of the person using the computer, and the times at which they log on and log off. Staff must log off when leaving the Registry, and not to allow any identifiable data to appear on the screen while leaving their desk. Registry computers which contain personally identifiable data are not be connected to any outside computer system. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 While regular backups of network data are made, each staff member has a responsibility to ensure that all valuable data is backed up regularly. Data held locally should be backed up to the network at least weekly. 5.2.3.1 P ASSWORDS Passwords are an important part of computer security. They are front line protection for user accounts. A poorly chosen password may result in a hacker breaking into the system. Appropriate steps must be taken to select and secure passwords. It is the responsibility of the IT department to assign unique passwords to all staff – the users will be given their passwords in a sealed envelope – the passwords will include: o Power on passwords (Safend password or TrueCrypt password) o Log on to Windows password (on laptops with a Windows 2000/XP/2007 Operating System) o National Cancer Registry System password o Once you have memorised your password the contents of the sealed envelope must be destroyed in a shredder Do not reveal your passwords to anyone Do not write down your passwords If you suspect your password has been compromised please notify the IT department immediately If the password is lost the IT department will set a new one 5.2.3.2 S AFEND E NCRYPTOR /T RUE C RYPT S OFTWARE Safend Encryptor/TrueCrypt software provides a solution for protecting confidential data; it encrypts the data stored on laptops and the result is that confidential data cannot be read by any unauthorised user in the case of loss or theft. This software is installed on all Registry laptops. 5.2.3.3 E NCRYPTED M EMORY K EYS - K INGSTON D ATA T RAVELLER The Registry uses conveniently small, portable, and easy to use encrypted memory keys. These include advanced security, and high performance without sacrificing ease of use. Without a valid password, unauthorized access to memory key is blocked, and the data remains encrypted and protected. (National Cancer Registry are using the “Privacy Edition” keys) \\gauguin\research\DTVault_Privacy_Users_Manual.PDF \\gauguin\research\DTVault_VaultPrivacy_WP.PDF 5.2.3.4 PGP S OFTWARE Each member of the Research Team in the Registry has PGP installed. By default, as a minimum, they will always encrypt to their own key and this “master” key so that in case of emergency (something happening to them so we can’t use their private key and pass-phrase) the Director will be able to decrypt the files. The copy of the private and public keys for this PGP “master” key (you need the private key, along with the passphrase that only the Director knows, to decrypt files) are in the folder \\Gauguin\IT\Infrastructure\Security. 5.2.3.5 V IRUS P ROTECTION T HINGS TO DO TO PROTECT YOURSELF : National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 Ensure that you have activated anti-virus software on your PC/laptop and that it is configured for automatic update. Always scan software disks and files with approved anti-virus software. W HAT TO DO IF YOU SUSPECT A VIRUS : Immediately stop using your laptop/PC. Notify your IT department. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 5.2.4 SECURITY DURING DATA COLLECTION AND PROCESSING a. The arrangements for security and confidentiality within each hospital must be strictly observed. Medical records should not be taken from areas assigned to them without the specific permission of a responsible hospital authority. b. All confidential material must be stored out of sight when not personally attended. c. Details of cases should be discussed only with the doctors responsible for the case; staff should not assume that others within the hospital are in possession of the same amount of information as they are. d. Material that is not pertinent to Registry work should never be examined. e. Data received from other sources in physical format—memory key, CD, tape, printed reports etc. must be logged in on receipt, labelled, and kept in secure storage until used and then destroyed. f. All printed reports, records, questionnaires and interview records which contain identifiable data, should be treated with the same procedures as patient registrations and should never be left unattended in an open area. All printed material should be immediately retrieved from the printer area. g. All printed records, questionnaires and interviews records with personal data should be shredded as soon as they are no longer needed. h. When printing reports for internal use, avoid the use of identifiers, unless this is essential for the purpose of the report. 5.2.5 COMMUNICATION 5.2.5.1 E MAIL a. The email system is intended for the business purposes of the Registry. The email account is not intended for personal use (see Internet and email policy) but limited personal use is acceptable. However, the Registry reserves the right to curtail or prohibit all, or specific, personal usage. b. When forwarding emails it is important to check for sensitive, inappropriate or confidential information in the message being forwarded. c. Standard unencrypted email should never be used to transmit confidential data. 5.2.5.2 T ELEPHONE a. Information concerning identifiable patients or research subjects should never be given over the telephone to non-Registry staff. b. Calls to medical or para-medical staff concerning registered patients or research subjects should use the minimum of detail essential for the person being called to identify the patient (e.g. medical record number, date of birth rather than name and address). c. If there is any possibility that confidential information might be overheard in the general office, use the designated soundproof rooms. d. Staff using offices hared with non-Registry staff should not discuss confidential information if the office is occupied. e. Calls from persons identifying themselves as cancer patients and asking for information should be dealt with in a way which does not disclose if the individual is registered or not. Once the person has identified themselves, the enquiry may be dealt with by National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 a. Asking that the person write in for information which can be sent directly, or to a named medical practitioner b. Asking permission to telephone the person’s GP with the information. On occasion, family members of patients may contact the Registry, usually after receipt of a letter asking the patient to take part in a research study. It should not be assumed that the person calling has any knowledge of the patient’s condition, or that they are acting with the patient’s express consent. The response to the call must not reveal if the patient has cancer. 5.2.5.3 L ETTERS a. All letters to consultants, general practitioners, patients or research subjects which contain confidential information on living individuals should be addressed to them personally and marked "Confidential" and mailed by registered post. If you are unsure of the person to whom you should address the letter, please confirm their name and address by telephone before writing. If confidential information is sent out, and you cannot be certain that this will reach the recipient, check its arrival with the recipient by telephone. b. Any communication between Registry staff with regard to patients should use patients' registration numbers, not names and/or addresses. Material should be sent electronically and encrypted, rather than by post, if possible. 5.2.5.4 F AX M ACHINES The use of fax machines to transmit identifiable data should be avoided. However, it may sometimes be necessary to fax material, for instance TROs may need to forward a list of cases to a hospital medical records department; research questionnaires may need to be faxed. In this case, the following procedure must be observed: a. Send only the information required. b. The list should be faxed to a designated person who is aware that it is coming and of its content. c. This person should be available to receive the fax and should have adequate security measures in place e.g. the fax should not be left unattended in an open plan office. d. Double check the fax number before dialling. e. Ring or email the designated person and confirm that they have received the fax. f. Use a cover sheet with recipient’s name clearly entered, this will let anyone know who the information is for and whether it is confidential or sensitive without having to look at the contents. g. The document faxed, and that received, must be shredded after use. 5.3 LAPTOP SECURITY POLICY The same general provisions apply to laptop use as to computer use at the main Registry offices (see sections 5.2.3 to 5.2.7). The principles below are more specific to off-site use . 5.3.1 PURPOSE This policy addresses the actions that must be taken by all Registry staff who have a Registry laptop, or who are temporarily using a “shared” Registry laptop, or the laptop of another employee. 5.3.2 REQUIREMENTS National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 All laptops acquired for, or on behalf of, the Registry shall be deemed to be the property of that organisation. Each employee issued with a laptop is responsible for the security of that laptop, regardless of whether the laptop is used in the office, at the employee’s place of residence, or in any location such as a hotel, conference room, car, train or airport. (Note: This list of potential places is not exhaustive.) If, for any reason, you find that you cannot comply with the Registry policy on storage and transport of your laptop, your line manager and the IT department must be informed and alternative arrangements approved. 5.3.3 STORAGE AND TRANSPORT OUTSIDE THE MAIN REGISTRY OFFICES At the end of the working day the laptop should be placed in a locked cabinet or room. Kensington locks must be used by tumour registration officers when storing the laptop outside their base office. The laptop should always be stored and transported in its carrying case. While travelling by car the laptop must be stored in the boot and secured against movement. The laptop must never be left unattended in a parked car. While travelling, keep the laptop and laptop peripheral equipment with you. When taking annual leave make sure the laptop is securely locked away in a locked cabinet either in the Registry offices or (for tumour registration officers) in the base office. If you are unable to do this the IT Administrator must be notified. Unaccompanied shipment of laptops to and from the Registry must be arranged by, or with the approval of, the IT department, using an approved courier. 5.3.4 LAPTOP USAGE OUTSIDE REGISTRY OFFICES Confidential data should never be held on a laptop without the use of Registry installed encryption software. Laptops should be used only for Registry work. Software should be installed only by Registry IT staff. If you encounter problems with the laptop, do NOT attempt to repair it yourself. When away from the laptop temporarily during working hours the laptop must be electronically locked by using the Ctrl+Alt+Delete command followed by left click on lock computer as well as attaching the Kensington lock supplied by the Registry. If you are unable to use the Kensington lock the IT Administrator must be notified of this and a log of risk hospitals will be maintained by the IT Administrator. The laptop display should be positioned to preclude casual viewing by others (as far as is reasonably practicable), especially when confidential data is shown on the display. When tumour registration officers use a laptop to connect to the Registry server in Cork, they should connect only to systems they are authorised to use. Tumour registration officers should always log off the Registry server during periods of inactivity. 5.3.5 VIOLATION AND PENALTIES Employees should comply with this policy as far as reasonably possible. Violation of this policy may be grounds for disciplinary action. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 5.4 BREACHES OF DATA SECURITY OR CONFIDENTIALITY 5.4.1 LOSS OR DISCLOSURE OF CONFIDENTIAL DATA 5.4.1.1 P ROCEDURES BY THE PERSON HOLDING THE DATA OR BECOMING AWARE OF THE BREACH 1. All breaches of confidentiality, or suspected breaches, must be reported verbally to the responsible person immediately. The responsible person for each staff member is, in the first instance, their line manager. If they have no line manager, or the line manager is not available, the Director should be contacted. The Director will nominate someone to be responsible for data security in his absence 2. This report should include a clear description of the data lost or revealed, the date, time and the circumstances under which this occurred and measures taken, if any, to retrieve the data. It should be followed by a written report with the same information in more detail and giving details of the procedures which should have applied and why these were either not followed or proved inadequate. 3. The report should note if any other persons have been informed, or need to be informed (e.g. hospital management, Garda, Data Protection Commissioner). If any of these need to be informed this should be done by the responsible person. 4. If data has been lost or mislaid and it can possibly be retrieved before it is read by anyone outside the Registry then every possible step should be taken to retrieve it; however, successful retrieval of the information does not remove the obligation to inform the responsible person. 5. If data has been misdirected (e.g. through post or email) the person to whom it was mistakenly sent should be contacted immediately, informed of the confidential nature of the data and asked to destroy it unread. 5.4.1.2 P ROCEDURES FOR THE RESPONSIBLE PERSON 1. If confidential data has been disclosed to unauthorized persons the Data Protection Commissioner must be informed. 2. All breaches of confidentiality, or suspected breaches, must be reported to the Director, or in his absence a nominated responsible person, as soon as possible. 3. Risk assessment should be carried out—what type of data is involved, has it been lost or disclosed, to whom, is this Registry or third party (e.g. pathology report) information? 4. Has there been a breach of procedure? If so, is there a possibility of disciplinary action? 5.4.2 BREACHES OF SECURITY PROCEDURES 1. Breaches of data security should be reported by anyone becoming aware of these. 2. A log of all breaches will be maintained. 3. The Director, or in his absence a nominated responsible person, should be informed of any breach as soon as is reasonably possible. 4. Breaches of security may be followed by disciplinary procedures including verbal and written warnings, entries in the individual’s personnel file, suspension or dismissal. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 5.5 INTERNET, NETWORK AND EMAIL POLICY 5.5.1 INTRODUCTION The National Cancer Registry aims to provide you with accessible, up-to-date and reliable information to support you in your work. This goal requires the Registry to provide access to the information resources of the Internet to help you do your job and be well-informed. The Internet is a business and research tool for Registry. Users must understand that any connection to the Internet offers an opportunity for non-authorised users to view or access corporate information. Therefore, it is important that all connections be secure, controlled, and monitored to provide you with accessible, up-to-date and reliable information and learning technology to support Registry activities. The Registry reserves the right to block unacceptable content that may be dangerous to the network 5.5.2 GENERAL INTERNET USE 5.5.2.1 U SER ACCOUNTABILITY Users are responsible for their network use (including Internet use) and are accountable for their own work. 5.5.2.2 V IRUS D ETECTION All files obtained from sources outside the organisation, or downloaded over the Internet should not be opened without first scanning the material with Registry approved virus checking software which is presently McAfee. If you suspect that a virus has been introduced into the Registry network, notify the IT group immediately. 5.5.2.3 U NACCEPTABLE C ONTENT The following content has been deemed to be unacceptable: Words, images or references that could be viewed as libellous, offensive, harassing, illegal, discriminatory, or otherwise offensive. Words, images or references that might be considered inappropriate in the workplace, including, but not limited to, messages or images that are lewd, obscene, sexually explicit, or pornographic. Words, images or references that might be considered inappropriate, harassing or offensive due to their reference to race, sex, age, sexual orientation, marital preference, religion, national origin, physical or mental disability, or other protected status. 5.5.2.4 P ROHIBITED A CTIVITY Intentionally downloading, copying or transmitting documents or software protected by third party copyrights in violation of those copyrights. Any individual with a question concerning a copyright issue should contact HR. Viewing content that is illegal or unacceptable over the Internet or any other network. Creating or transmitting works containing illegal or unacceptable content over the Internet or any other network. Using encryption devices that have not been expressly approved by the Registry. Using software that transmits and receives content over a network which has not been expressly approved by the Registry. A list of acceptable software is available from the IT Administrator. Storing works containing unacceptable or illegal content either locally or on any other machine on a network administered by the Registry. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 5.5.2.5 A CCIDENTAL /U NINTENDED V IOLATIONS If you find yourself accidentally viewing illegal or unacceptable content over a network as outlined above you must cease viewing the content immediately, regardless of whether that content provided had been previously deemed acceptable by any screening or rating program. A user who accidentally views unacceptable content over a network is encouraged to report the incident to the organisation's IT department without the threat of incurring a violation penalty. 5.5.3 EMAIL This sets forth the policy of Registry with respect to email & internet usage. All individuals (including but not limited to staff, outside consultants and visitors) who use the Registry email system are required to comply with this policy statement. As email is transmitted over a network all conditions described in the previous sections apply. 5.5.3.1 G ENERAL P RINCIPLES 5.5.3.1.1 A CCEPTABLE USE The email system is meant to be used for the business purposes of the Registry. Limited personal use is acceptable provided it complies with Registry policy on content. However, the Registry reserves the right to curtail or prohibit all, or specific, personal usage. The Registry disclaimer should not be included in personal emails. Standard unencrypted email should never be used to transmit any confidential data (i.e. personal or sensitive data). When sending emails concerning registered or potential patients or research subjects, the following precautions must be observed: o If un-encrypted, all identifiable details (including hospital name) must be removed before sending the email. The email should contain the registration number only, if an identifier is needed. o Ensure that the email is only sent to the intended recipient. Double-check before sending. o Check that the recipient has received the email; if they have not, inform the IT department and your line manager immediately o If you are unsure if the email should be encrypted or password protected, contact your line manager or the IT department for clarification. 5.5.3.1.2 O WNERSHIP All email accounts and all information and messages that are created, sent, received or stored on the Registry email system are the sole property of the Registry and are not the property of the employee or other individuals. 5.5.3.2 E MAIL R EVIEW All email is subject to the right of the Registry to monitor, access, read, delete, copy, and use such email without prior notice to the originators and recipients of such email. Email may be monitored and read by authorised individuals on behalf of the Registry for any violations of law, breaches of Registry policies, communications harmful to the Registry, or for any other reason. Registry also reserves the right to disclose emails to authorised persons. 5.5.3.3 E MAIL C ONTENT Emails should be professional, courteous and in compliance with all applicable laws and Registry policies. Emails should not contain unacceptable content. Users should employ spell check on all emails sent. 5.5.3.4 S ECURITY National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 The email system is only to be used by authorised individuals who have been issued an email password in order to use the system. Individuals shall not disclose their username or passwords to others and may not use someone else's username or password without express written authorization from an authorised IT staff member. 5.5.4 IMPLICATIONS OF THE FREEDOM OF INFORMATION (FOI AND DATA PROTECTION (DP) ACTS It is reasonable to assume that some of the information that may be requested under the FOI or DP Acts will only be available in email format and more than likely be stored in an individual's personal email account. It is essential that emails are appropriately filed and easily retrievable. Where information is stored only in email format, it is important that individuals are aware, so that emails are not deleted inappropriately. The Freedom of Information and Data Protection Acts cover all information, not just formal documents. Therefore any individual's work-related emails can effectively become public property under the Act. It is essential that Individuals know exactly what emails they have sent or received and when to delete them (i.e. when they are no longer needed). The following should help users make this decision themselves. 5.5.4.1 W HAT IS A RECORD ? A record is ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business activity’. This definition was taken from – International Standards Organisation ISO 15489 Information and documentation: Records management, Part 1 2001. 5.5.4.2 I DENTIFYING EMAIL RECORDS Email messages that might constitute a record are likely to contain information relating to business transactions that have or are going to take place, decisions taken in relation to the business transaction or any discussion that took place in relation to the transaction. For example, during the decision to put out a tender document for a particular service, background discussion about what this should and should not include might take place via email and should be captured as a record. 5.5.4.3 E MAIL R ETENTION P OLICIES Users must retain copies of email records for inspection under the Freedom of Information Act. At present there is no maximum limit on a time for which an email record must be retained. 5.5.4.4 W HO IS RESPONSIBLE FOR ELECTRONIC RECORDS ? As email messages can be sent to multiple recipients there are specific guidelines to indicate who is responsible for capturing an email as a record: For internal email messages, the sender of an email message, or initiator of an email dialogue that forms a string of email messages For messages sent externally, the sender of the email message For external messages received by one person, the recipient For external messages received by more than one person, the person responsible for the area of work relating to the message. If this is not clear it may be necessary to clarify who this is with the other people who have received the message. 5.5.4.5 W HEN TO CAPTURE EMAIL AS RECORDS National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 Many email messages will form part of an email conversation string. When this happens it is not necessary to capture each new part of the conversation, i.e. every reply separately. There is no need to wait until the end of the conversation before capturing the email string as several discussions may have been covered. Email strings should be captured at significant points during the conversation rather than waiting until the end of the conversation. 5.5.4.6 W HERE TO KEEP EMAIL RECORDS Email messages are automatically stored on the Microsoft Exchange email server, and are regularly backed up. So long as you use email in the standard way, all your messages will be stored. Messages you delete will be stored for 30 days after deletion 5.5.4.7 M ANAGING EMAIL RECORDS WITH ATTACHMENTS The decision on whether an email and/or its attachment constitute a record depends on the context within which they were received. There are circumstances where the attachment would require further work in which case it would be acceptable to capture the email and the attachment together as a record and keep a copy of the attachment in another location to be worked on. In these circumstances the copy that was worked on will become a completely separate record. 5.5.5 DISCLAIMERS The following disclaimer should be attached to every work-related email message sent from a Registry account. This needs to be setup by the user. The contents of this email are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorised designee, you may not copy or use it, or disclose it to anyone else. If you have received it in error please notify us immediately and then destroy it. The Registry does not guarantee the security of any information electronically transmitted and is not liable if the information contained in this communication is not a proper and complete record of the message as transmitted by the sender or for any delay in its receipt. This disclaimer should not be appended to personal email messages. When sending out a message in response to a request for data or general information, the user must append the following disclaimer themselves. Cancer registration is a dynamic process and information is continually updated on our database. As a result, the figures given here may not correspond exactly to those in previous reports, or to those on our website. In Outlook Mail and Outlook web-interface you can save this as a signature which you can choose to append to your messages. This saves you the effort of typing it in every time. A representative of the IT Group will configure this for you if you wish. 5.6 VIOLATIONS AND REPORTING Violations will be reviewed on a case-by-case basis. If it is determined that a user has violated one or more use regulations, standard disciplinary procedures will apply. The Registry intends to enforce this policy, but reserves the right to change it at any time as circumstances may require. National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011 Data confidentiality in the National Cancer Registry. General policy, procedures for release of data and staff guidelines. STAFF UNDERTAKING All staff are to sign this undertaking annually. I have read, and will abide by, this policy. I understand that any breach of this policy is a serious disciplinary matter. Signed: Date: Name in block capitals: National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011
