DATA CONFIDENTIALITY IN THE NATIONAL CANCER REGISTRY
General policy, procedures for release of data and staff guidelines.
Version: 2.2
Revision date: 29 November 2011
Revised by: Harry Comber
Date approved by Board:
National Cancer Registry confidentiality and data security policy v 2.2; 29 November 2011
CONTENTS
1 Introduction 3
2 Summary 4
2.1 Confidential data 4
2.2 Restricted data 4
2.3 Unrestricted data 4
3 General Principles of Confidentiality in the National Cancer Registry 6
3.1 Definitions 7
3.2 Operation of the Registry 10
4 Procedures for release of National Cancer Registry data 13
4.1 General guidelines on information release 13
4.2 Types of information which might be requested 14
4.3 Requesting data 16
5 Staff policies on data security and confidentiality 21
5.1 Introduction 21
5.2 Data security 21
5.3 Laptop Security Policy 26
5.4 Breaches of data security or confidentiality 28
5.5 Internet, Network and Email Policy 29
5.6 Violations and Reporting 32
1 INTRODUCTION
This document sets out the broad principles and practice relating to data confidentiality and security within the Irish National Cancer Registry. It describes
• the principles underlying these policies
• procedures for the release of data
• methods of achieving data security and confidentiality of data
• guidelines for staff.
2 SUMMARY
The Registry will supply data in response to any reasonable or bona fide request, provided that complying with the request does not conflict with our obligations of confidentiality or with those under the Data Protection Act, 1988 (amended 2003). The use of the data by the applicant must also be consistent with the Data Protection Acts. Data will be anonymised where feasible, and, if not, consent must be obtained.
The Registry classifies the data held into three categories: confidential, restricted and unrestricted.
2.1 CONFIDENTIAL DATA
Confidential data is any sensitive personal[1] information (see section 3.1.2 for definitions) relating to an identified or identifiable[2] person, whether alive or dead. This definition extends to deceased persons many of the protections available under the Data Protection Acts. Data by which the persons concerned can no longer reasonably be identified are not considered personal data.
Confidential data held by the Registry on living persons will be released only with the written explicit consent of the
data subject. The only exception to this is where the data is requested by a treating physician of the data subject. A
treating physician is any doctor who is in a direct relationship of medical confidentiality with respect to the patient.
This does not, in general, apply to doctors such as pathologists and radiologists whose relationship is less direct.
Requests for confidential data must be made using a standard application form, and a declaration on use must be
signed. All requests for confidential information must be approved by the Director. Processing and release of
confidential data relating to living persons is subject to the Data Protection Acts.
2.2 RESTRICTED DATA
Restricted data is any data which is not confidential but whose use and dissemination is subject to certain restrictions by the Registry. Processing and release of restricted data is not subject to the Data Protection Acts but is governed by the policies of the National Cancer Registry. Any person requesting restricted information must do so in writing, either by post, fax or email.[3]
2.3 UNRESTRICTED DATA
All information not classified as confidential or restricted is freely available to any member of the public on request.
However, the Registry reserves the right to refuse requests for information, or to charge for the service, if, in the
Registry’s view, requests involve disproportionate effort, are not made in good faith, have a malicious intent or are
excessive in number. Vague requests, such as “information on breast cancer” cannot be dealt with and will be
returned to the requester. If the amount of data analysis involved is extensive and/or the data is requested for
commercial purposes, a fee may be payable to cover our costs. We attempt to respond to all requests within two
working weeks of receipt and should be able to reply to most within a week.
[1] Although the definition of “confidential” information used here is similar to that given for “sensitive personal” data in the Data Protection Acts, the Registry definition is extended to cover deceased persons, who are not covered by the Acts.
[2] An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
[3] Simple requests, such as the total number of cases of a particular cancer registered in a specified year, may be dealt with over the telephone.
This document does not apply to requests for information under the Freedom of Information Acts, which should be made to our Freedom of Information Officer, Ms Geraldine Finn, at 021-4318014 or to g.finn@ncri.ie.[4]
[4] The Registry’s policies on Freedom of Information are available at http://www.ncri.ie/ncri/foifiles/Manual.pdf
3 GENERAL PRINCIPLES OF CONFIDENTIALITY IN THE NATIONAL CANCER REGISTRY
Confidentiality in the use of personal data in medical research is governed both by the ethical guidelines of the
medical profession[5] and by the provisions of the Data Protection Acts, 1988 and 2003. Preservation of patient
confidentiality has always been one of the highest priorities of the Registry. Patients, and their doctors, should be
assured that their privacy, dignity and autonomy are central to the operations of the Registry. At the same time, the
statutory duty of the Registry to “identify, collect, classify, record, store and analyse information relating to each
newly diagnosed individual cancer patient and…each tumour which occurs” places an obligation on us to use the
information gathered in a way which maximises its benefit for the public good. For the Registry to withhold
information which could be used to reduce the burden of cancer would be, at best, a waste of public funds and, at
worst, unethical.
The principles of confidentiality must apply, not only within the Registry, but also to any data released by it, whether
for public information, or to individual researchers. In particular, the Registry must take care not to publish data, or to
provide it for publication by others, in a way that would allow any individual to be identified, even indirectly. The
obligations of the Registry to deceased persons and their families are given as much consideration as those of the
living. Against this need to protect the rights of the individual must be balanced the value of accurate cancer
registration data in assessing the causes, treatment and outcome of cancer.[6][7][8]
The Board of the Registry, in carrying out its functions, has adhered to the following principles:
a. Permission for access to confidential information on living persons, which is held by the National Cancer Registry, must be sought from the patient, except where this information is to be used in the course of his/her clinical care.
b. No disadvantage, harm or distress may be caused to the patient by this access;
c. Appropriate safeguards must be in place to preserve the confidentiality of the information in our custody;
d. Reports of our work must not contain information which would remove, without consent, the anonymity of a patient or doctor;
e. The Registry has a duty to maximise the use of information in its possession to the benefit of all patients.
The National Cancer Registry holds data under two broad headings: registration data, collected as part of the
Registry’s routine data collection; and research data collected in defined research studies. Collection of registration
data is covered by the Health (Provision of Information) Act and does not require consent. Information collected in
research studies is collected and used with consent, and its uses are governed by that consent. The Registry
procedures described here with regard to data release pertain only to the registration data, unless specifically noted.
Data given with consent will be released only as allowed by the consent. Procedures with regard to data security apply
to all data.
Successful cancer registration requires that the Registry uses identifiable information, for a number of reasons:
a. Information on a single cancer often comes from a variety of sources. This duplication of information would inevitably lead to multiple registrations of the tumour, and a gross over-estimation of the rate of incidence of cancer, unless some method were available for linking all information on the same individual.
b. Information on outcome, and particularly on survival, is essential to the operation of the Registry, and links between registrations and death certificates can only be achieved by the use of some type of personal identification.
c. The Registry can carry out assessment of the success and coverage rate of screening programmes only if individuals screened can later be identified if they develop cancer.
d. Cancer registries may also contribute to medical research by allowing researchers to identify (with consent from the patient and appropriate ethical safeguards) individuals with cancer for the purposes of case-control studies of cancer aetiology, and by helping with the recruitment of individuals to properly conducted clinical trials of cancer treatment. Because these individuals may have been treated by a number of physicians in different institutions, the Registry may offer the only method of allowing their identification and follow up.
e. In Ireland, as there is no national identity number or other means of identifying an individual other than through a combination of name, address and date of birth, the Registry must hold these items of personal information on each person registered.
[5] Guide to professional conduct and ethics for registered medical practitioners. Medical Council, 2009.
[6] Coleman M, Muir CS, Menegoz F. Confidentiality in the Cancer Registry. Br J Cancer 1992; 66: 1138-1149.
[7] Responsibility in the use of personal medical information for research: Principles and Guide to Practice. Statement by the Medical Research Council. BMJ 1985; 290: 1120-1124.
[8] Gordis L, Gold E. Privacy, Confidentiality and the use of medical records in research. Science 1980; 207: 153-156.
The principles of confidentiality can be reconciled with the functions of the Registry by the adoption of a
comprehensive code of practice governing the acquisition, processing, storage and release of identifiable patient data.
Where doubt exists as to the appropriateness of a particular line of action, this code of practice must have as its
highest priority the protection of the rights of the individual patient. As well as guidelines for the use of data within
the Registry, this code of practice must also include guidelines on the use of Registry data by individuals outside the
Registry, and should also protect the rights of the dead as well as living persons.
All Registry staff have responsibility for preserving confidentiality but responsibility for ensuring adherence to the code of practice will rest ultimately with the Director[9], who may ask the Board for guidance on cases which do not conform to the agreed guidelines.
3.1 DEFINITIONS
3.1.1 REGISTRATION
Registration is the process of acquiring information on an individual considered to have cancer, extracting
demographic and medical information on that individual from medical records (and, when necessary death
certificates), and adding this information to the Registry database. Additional data, if required by the Registry’s
statutory functions, may be added by linkage to other databases (e.g. the Hospital Inpatient Enquiry).
3.1.2 CONFIDENTIAL DATA
Confidential data is any sensitive personal information relating to an identified or identifiable person, whether alive or
dead.
Personal data is data relating to a living individual who is or can be identified either from the data, or in
conjunction with other information that is in, or is likely to come into, the possession of the data controller
(Data Protection (Amendment) Act 2003).
Sensitive personal data includes data that identifies (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. (Data Protection (Amendment) Act 2003).
[9] Or one or more other individuals to whom this responsibility has been assigned by the Board.
In the case of cancer patients this information will usually have been given in the context of a confidential medical
relationship and in the expectation of confidentiality. For data collected as part of research, informed consent will be
sought from the participant at the outset of the research, for the uses envisaged. Further consent will be obtained if
other uses are made of the data.
Although the definition of “confidential” information used here is similar to that given for “sensitive personal” data in
the Data Protection Acts, the Registry definition is extended to cover deceased persons, who are not covered by the
Acts. This definition extends to deceased persons many of the protections available under the Data Protection Acts.
However, for obvious reasons, the requirement for consent cannot be extended to deceased persons and so
alternative safeguards are needed.
An identifiable person is one who can be identified, either:
a. directly, or
b. indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.[10]
Data of such a type by which the person concerned can no longer be reasonably identified are not considered as
personal data.
The Registry may also hold business data (employment records, contracts etc.) which may be subject to confidentiality
provisions for legal or contractual reasons (see section 3.2.5).
3.1.3 RESTRICTED DATA
Restricted data is any data which is not personal data but is
1. Anonymised or aggregate data which applies to a small and/or potentially identifiable group of individuals (for instance a small geographical area, where other information such as age or occupation is also given).
2. Anonymised or aggregate data with a level of detail (e.g. electoral division of residence) which might, under certain circumstances, allow an individual to be identified.
3. Data, the publication or dissemination of which could cause distress, loss or embarrassment to any individual or institution.
A very large number of possible combinations of data fields is available from the Registry, and these may be requested
for many different subsets of the population. It is therefore impossible to set out definitive rules to cover all of these
eventualities; each request will need to be dealt with on its merits. In cases of uncertainty, the opinion of the Data
Protection Commissioner will be sought.
3.1.4 UNRESTRICTED DATA
Data which, in the opinion of the Registry, has no potential to identify an individual, is freely available (subject to
certain conditions) from the Registry, as either anonymised records or aggregate data.
[10] EU Directive 95/46/EC, as implemented by the Data Protection (Amendment) Act 2003.
3.1.5 TREATING PHYSICIAN
A treating physician is any doctor who is in a relationship of medical confidentiality with respect to the patient. For the Registry, this could be
1. A doctor, either consultant or general practitioner, who was involved with the diagnosis and/or treatment of the patient at the time of cancer diagnosis,
2. The physician now responsible for the patient if the above has retired from practice,
3. A doctor to whom the patient has been referred for further diagnosis or treatment of the cancer,
4. The patient's current general practitioner, if different from the GP described in (1) above.
In general, confidential information may be shared with the treating physician on the basis that this is information
1. to which the treating physician already has access within her or his institution, in connection with the process of patient care, and
2. in respect of which there is already a relationship of confidentiality between treating physician and patient, with implicit consent for the Registry to share the data.
It is not essential that the information be used in connection with the clinical care of any, or all, of the patients involved. However, where information is being released to a treating physician, the Data Protection Commissioner has advised that:
1. Data should only be released to, and on the request of, the data controller in the institution. This would normally be the CEO (or his/her representative) of the hospital or of the Health Service Executive in public hospitals or the responsible consultant in other cases.
2. Secondary consultants such as pathologists may be involved in the treatment of the patient but the patient will not be aware of their identity. In the absence of a robust research information policy by that hospital, the release of data to others not part of the direct treatment team would be a surprise to that patient. Consequently, consent should be sought for such a release.
3.2 OPERATION OF THE REGISTRY
3.2.1 DATA COLLECTION.
The Registry obtains data on patients with cancer from a variety of sources:
3.2.1.1 PATHOLOGY LABORATORIES.
The majority of notifications come initially from pathology reports. Similar notifications may be received from haematology, cytology and, in rare cases, radiology departments. These notifications rarely contain sufficient information for a full registration, and the registration is completed by reference to the patient's medical records.
3.2.1.2 MEDICAL RECORDS.
A systematic search of medical records from appropriate departments, such as radiotherapy and oncology, yields the
names of patients who had not been notified through pathology reports. The medical records contain all the
information necessary for registration. Other sources based on the medical records (e.g. Hospital Inpatient Enquiry
(HIPE), radiotherapy, pharmacy, oncology and multi-disciplinary team meeting records) may also be used as sources of
data.
3.2.1.3 DEATH CERTIFICATES.
The diagnosis of cancer may be initially notified to the Registry from death certificates, which are supplied by the
Central Statistics Office. The physician certifying the death is then contacted and can either give the information
necessary for a full registration or can allow the patient to be identified and the medical records retrieved.
3.2.1.4 OTHER REGISTRIES.
Notifications, updates or treatment of patients normally resident within the Registry area are sometimes received
from registries outside of the Republic of Ireland, mainly from the Northern Ireland Cancer Registry and from
registries in England, Scotland and Wales.
3.2.2 PROCESSING OF INFORMATION.
Each notification is checked against the existing Registry database, to see if the cancer has already been registered.
Records can usually be matched on the basis of full name, address and date of birth. If no previous entry exists for the
cancer, it is registered, and the record added to the database. Registrations are made by qualified Tumour
Registration Officers, who are permanent employees of the Registry, and who have signed an undertaking to
safeguard the confidentiality and security of all the information to which they have access. All phases of data
collection, storage and transmission are protected by computer passwords and encoding of the data. Regular external
and internal security reviews are carried out.
On arrival at the Registry central database, these registrations are again checked against the database for duplication.
Patient name, date of birth and address are removed from the database before it is used for analysis, and access to
identifiable information is limited to a small number of named persons within the Registry. For data processing
purposes, identifiable information is essential for elimination of duplicate registrations, for follow-up of patients
through death certificates and linkage to hospital and HIPE databases. Patient addresses are used to allocate cases to
an electoral division of residence.
3.2.3 DATA REPORTING AND ANALYSIS.
The procedures for data release are set out in more detail in section 4. The section below describes, in outline, the
ways in which data is used by the Registry, including provision of data to third parties.
3.2.3.1 STATISTICAL REPORTS
The main use of the data is to produce regular statistical reports on cancer incidence, treatment and survival overall
and for particular sub-groups of the population, broken down by cancer type. None of the data is presented in a way
which could allow the identification of individuals.
3.2.3.2 DETAILED REPORTS
The Registry also produces, on request, specific analyses of the data for researchers and others. These analyses do not
identify individuals, and are governed by safeguards with regard to the use of the data.
3.2.3.3 RELEASE OF NON-IDENTIFIABLE DATA
The Registry provides aggregate or anonymised individual data for bona fide research purposes, provided this does
not carry any risk of identification of any individual.
3.2.3.4 RELEASE OF CONFIDENTIAL DATA
3.2.3.5 TO PATIENTS
Under the Data Protection Acts, individuals have a right to see, and to ask to have altered or deleted, any information
held by the Registry in relation to themselves. This right does not extend to family members or others, and does not
apply to applications by third parties on behalf of the deceased, with the exception of applications for information by
recognised clinical genetics services. Release of information on deceased persons, who have not consented to this
prior to death, is covered in section 4.2.5.
3.2.3.6 TO DOCTORS WITH CLINICAL RESPONSIBILITY FOR THE PATIENT
Confidential data may be released, under certain conditions, to the treating physician of the patient (see section 3.1.5)
unless a patient has explicitly prohibited this. The Registry may also provide personally identifiable data for research
purposes, if explicit consent is given to this by the patient. Treating physicians may not give consent, on behalf of their
patients, to the release of their confidential data to a third party.
3.2.3.7 TO OTHER THIRD PARTIES
Apart from the exceptions described in 3.2.3.5 and 3.2.3.6 above, confidential data is released only with the explicit
written consent of the patient. All releases of confidential information must be approved, before release, by the
Director or a member of staff designated by him in his absence. Requests for confidential data on a named patient are
responded to, initially, in a way which does not indicate whether a particular individual is registered or not. The
Director is responsible for assessing if proposed research meets the Registry's criteria for the release of data. The
guidance of the Board, and in some circumstances the Data Protection Commissioner, will be sought for cases which
fall outside these guidelines. The precise procedures to be followed are set out in section 4 "Procedures for release of
National Cancer Registry data".
3.2.4 RESEARCH.
The Registry has an active research programme, some of which entails the collection and storage of confidential data.
Ethical approval is normally sought for research projects. Consent is sought from participants for all data uses, and
data is shared only as permitted by the consent given by participants. Registry staff who are not working on the
specific research project have no access to the data.
3.2.5 CONFIDENTIALITY RELATING TO EMPLOYEE RECORDS
3.2.5.1 COLLECTION OF PERSONAL AND SENSITIVE INFORMATION
Personal and sensitive information is collected by human resources (HR) only where it is necessary for the HR function
or any related activity. This information will normally be gathered directly from the individual concerned. At the time
the information is collected the staff member will be advised whether or not the provision of the information is
compulsory. One example of this is the information collected through the disability census each year.
HR staff try to ensure that personal and sensitive information collected is accurate, relevant, up-to-date, complete and
not misleading and will take all reasonable steps to protect these records from misuse, loss, unauthorised access,
modification or disclosure.
3.2.5.2 STORAGE OF PERSONAL EMPLOYEE INFORMATION
Only staff members who require such information in order to carry out their duties and responsibilities will have
permission to access personnel files. Electronic access to the Human Resource Information System is restricted to staff
who have direct responsibility in that area and the system is password protected. Hard copies of employee personnel
files are stored in locked cabinets and access to this area is restricted to HR staff.
3.2.5.3 USE AND DISCLOSURE OF PERSONAL EMPLOYEE INFORMATION
HR staff must not disclose personal information unnecessarily. Sensitive information can be disclosed only with
consent. Protection of confidentiality includes ensuring files and work areas are organised so that information is not
inadvertently disclosed. Staff must only access information that they require for legitimate work purposes.
3.2.5.4 HUMAN RESOURCES STAFF – GUIDELINES FOR GOOD PRACTICE IN PROTECTING THE PRIVACY OF EMPLOYEES
The following are practical, everyday work practices that HR staff should apply in ensuring confidentiality in the workplace.
• When temporarily away from workstations during working hours HR staff must electronically lock their computer or use an automatic screensaver lock.
• Filing cabinets or drawers containing confidential information located at individual work stations are to be locked when not in use and when the staff member is away from their workstation.
• HR staff members should maintain awareness when having confidential telephone conversations, or impromptu meetings at their desks.
• There should be no discussion of any matter relating to sensitive staff information in social environments.
• Printed information should be collected promptly from shared printers and photocopiers.
• Confidential information that must be retained should be archived. If the information is no longer required it should be shredded.
4 PROCEDURES FOR RELEASE OF NATIONAL CANCER REGISTRY DATA
The National Cancer Registry contains information on registrations of patients with cancer in Cork and Kerry from
1980 onwards and for the whole of Ireland from 1994. It is a valuable resource, available for use in epidemiological
and clinical research, as well as the planning and evaluation of services. We welcome requests for information for
research, planning and statistical purposes. The Registry also holds information collected as part of research projects
but this, in general, is not available outside the specific project.
However, because of the sensitivity of much of the information we keep on file, we observe certain procedures with
regard to the release of information. These procedures apply both to the supply of data by the Registry and to its
subsequent analysis and publication.
The following section sets out the current guidelines for the release of registration data. If you would like more
information on our procedures, or if you have some special data needs, the Director would be quite happy to amplify
or clarify any of the information below.
4.1 GENERAL GUIDELINES ON INFORMATION RELEASE
The Registry will supply registration data in response to any reasonable or bona fide request, provided that complying with the request does not conflict with our obligations of confidentiality or with those under the Data Protection Act, 1988 (amended 2003). The use of the data by the applicant must also be consistent with the Data Protection Acts. Data will be anonymised where feasible, and, if not, consent must be obtained. In the great majority of cases, only anonymised data will be provided. Sensitive or confidential data can only be supplied under strict restrictions as set out below.
The Registry classifies the data held into three categories: confidential, restricted and unrestricted. This classification
is based on the potential of the data to identify an individual, and not on the format (aggregate, individual) in which
the data is provided. Requesters will be asked to complete a basic request form, the purpose of which is to ensure
that all requests are responded to in a timely and accurate way. All data requests will be reviewed on receipt and
classified as either restricted (and potentially confidential) or unrestricted. Vague requests, such as “information on
breast cancer” cannot be dealt with and will be returned to the requester. Requests for restricted information will be
followed up with the requester.
Any person requesting restricted information must do so in writing, either by post, fax or email.¹¹ Requests for
restricted data (see section 4.3.2) must be made using the standard application form which is on the Registry website,
and the attached declaration at the end of this form must be signed. Following receipt of this form, the Registry will
decide whether the data requested is confidential; if this is the case the requester will be asked to modify the request
or to obtain consent for data release.
If the amount of data analysis involved is extensive and/or the data is requested for commercial purposes, a fee may
be payable to cover our costs. We attempt to respond to all requests within two working weeks of receipt and should
be able to reply to most within a week. The Registry reserves the right to refuse requests for information, or to charge
for the service, if requests are considered to involve disproportionate effort, are not made in good faith, have a
malicious intent or are excessive in number.
The information available can be broadly classified as:
• general
• aggregate
• individual

¹¹ Simple requests for aggregate data, such as the total number of cases of a particular cancer registered in a specified year, may be dealt with over the
telephone.
4.2 TYPES OF INFORMATION WHICH MIGHT BE REQUESTED
4.2.1 GENERAL INFORMATION
This describes the total number of cases broken down into broad categories, such as age band, sex, site or county. This
information is of the same general level of detail as that published in the annual reports of the Registry and is also
available on the Registry website at www.ncri.ie. However, the Registry must be identified as the source in any
publication of the data. Requesters are encouraged to check if this information has already been made available
electronically by the Registry before making a request.
4.2.2 AGGREGATE INFORMATION
Aggregate information is that which is analysed in greater detail than described above, at a level which is not routinely
produced and published by the Registry, but which does not allow the direct identification of individuals.
In some cases—for instance, analysis of small geographical areas for uncommon cancers—individuals may be
potentially identifiable. Information of this type is considered “restricted” and is subject to the principles and
procedures as set out below under “Restricted data” (section 4.3.2). Aggregate information will be made available on
tumours by site, by histological type, by age band, and for district electoral division or city ward. Cross-tabulations of
this data will also be made available, subject to the principles and procedures in “Restricted data” (section 4.3.2).
All requests for aggregate data must be made on the detailed application form, which is available on request or can be
downloaded from our website www.ncri.ie.
4.2.3 INDIVIDUAL-LEVEL DATA
Individual-level data may be either identifiable or non-identifiable. Identifiable data is always considered confidential,
as the fact of registration implies a diagnosis of cancer and is considered to be “sensitive personal” data under the
Data Protection Acts if the individual is alive.
Anonymised individual data carries no risk of identification of the individual and its use is not, in general, restricted.
However, there is no clear division between identifiable and non-identifiable data. Some data items considered to
carry a high risk of identification (e.g. name, address, identification number) are always considered confidential (see
below). Others, such as date of birth, do not identify an individual if taken on their own, but have a high probability of
doing so if combined with other data. Other information (e.g. occupation, electoral division of residence) has a very
low potential for identification but this may occur through rare combinations of variables, or by linkage with other
databases. Although this is unlikely in practice, the release of items with any potential for identification is routinely
restricted by the Registry. Release of this data, while not requiring patient consent, is subject to the principles and
procedures as set out below under “Restricted data” (section 4.3.2). If the Registry considers that there is a real risk of
identification from the data requested, then the request must be modified or patient consent sought.
4.2.3.1 PERSONAL (IDENTIFIABLE) DATA
Data is considered by the Registry to be identifiable if it contains any of the following:
a. Patient’s name and/or full address
b. Date of birth
c. Hospital or other registration number
d. GMS, PPS or other identifying numbers
e. If the unit of analysis is sufficiently small to allow the identification of individual patients, using other data
available to the requester.
Identifiable information held by the Registry is always confidential, as it carries the implication of a cancer
diagnosis.
4.2.3.2 IDENTIFIABLE INFORMATION ON DECEASED PATIENTS
Information from death certificates is obtained by the Registry from the Central Statistics Office and the General
Register Office. If an individual is deceased, permission to access information on cause of death must be obtained,
under the Vital Statistics Acts, from the Registrar General at the Department of Health and Children. The date of death
is not considered to be confidential information and is available on request.
Other identifiable information held by the Registry on deceased persons will be released (unless the individual has
previously indicated that they wish to withhold consent) only if approval has been obtained by the applicant from an
appropriate Ethics Committee.¹²
4.2.3.3 IDENTIFIABLE DATA FOR GENETIC COUNSELLING
The National Cancer Registry, while wishing to facilitate people having genetic counselling, takes as its primary
principle the confidentiality of cancer patients, whether living or deceased. Information concerning living cancer
patients will not be released without written consent.
Requests for Registry information from recognised¹³ genetic counselling clinics regarding suspected cancer diagnoses
in living family members, related to a proband undergoing counselling, should be accompanied by a dated signed
consent form obtained from each family member (or a legal guardian) about whom information is sought. The consent
form should permit the release, to the genetic counselling clinic, of information relating to their cancer diagnoses from
medical records. Information on deceased cancer patients can be provided to recognised genetic counselling services
working within a clear and published set of ethical rules.
Information cannot be released to any genetic counselling services in Ireland which do not conform to the provisions
of the Disability Act.
¹² Appropriate Ethics Committees are those (1) which are recognised by the Department of Health and Children under Regulation 7 of the European
Communities (Clinical Trials on Medicinal Products for Human Use) Regulations 2004 or (2) which have been established by an academic, professional or
healthcare body and operate in accordance with the procedures set out in “Operational procedures for research ethics committees: guidance 2004” (Irish
Council for Bioethics, 2004).
¹³ That is, which form part of a full clinical genetics service provided by a healthcare institution.
4.3 REQUESTING DATA
The Registry classifies the data held into three categories: confidential, restricted and unrestricted. This classification
is based on the potential of the data to identify an individual, and not on the format (aggregate, individual) in which
the data is provided.
Requesters will be asked to complete a basic request form, the purpose of which is to ensure that all requests are
responded to in a timely and accurate way. All data requests will be reviewed on receipt and classified as either
unrestricted or restricted.
4.3.1 PROCEDURES FOR REQUESTING UNRESTRICTED DATA
The majority of requests will be for unrestricted data, which is considered by the Registry to have no potential to
identify an individual. This is the type of data routinely published by the Registry or available on our website. This data
can be obtained from the Registry by an email or telephone request. Requesters will be asked to complete a basic
request form, the purpose of which is to ensure that all requests are responded to in a timely and accurate way.
If, in the opinion of the Registry, any of the data requested has the potential to identify an individual, it will be dealt
with as restricted data.
4.3.2 PROCEDURES FOR REQUESTING RESTRICTED DATA
If the data requested appears to be potentially identifiable, requesters will be asked to return a detailed request form
(which is on our website). One copy of this form will be kept by the Registry and the other returned to the requester.
All requests should specify:
1. The scope of the dataset (e.g. years covered, sites, geographical area, cases, deaths or treatments).
2. The variables required.
3. The level of specificity for each variable (e.g. year of birth or five-year groups).
4. The purpose of the study/audit/report.
5. In general terms, the level of analysis proposed.
6. The title and job description of the requester, and the names of all other persons who will have access to the
data.
7. Where hospitals and/or consultants are being identified, the status of the person giving permission for the
data to be released.
8. A record of the request (the request form), and a copy of the data sent out, should be kept (and should be
relatively easy to retrieve) for Freedom of Information purposes.
9. For confidential data, the information to be given to the patient and a copy of the consent form. If the patients
are deceased, evidence of ethical approval will also be required.
Following receipt of the request, a member of Registry staff may contact the requester to discuss the exact data
requirements. In many cases, this will allow us to release data which meets the requirements of the requester but is
not potentially identifiable. The general principles which will apply with regard to safeguarding confidentiality are:
1. Aggregated or cross-tabulated data will be offered in preference to individual-level data. In instances where
either patient case numbers or denominator data is small, with a resultant potential for individuals to be
identified, data may be aggregated over a number of years – e.g. data provided in 5 year period blocks (year
of diagnosis 1994-1998, 1999-2003 etc.).
2. If the risk of identifying an individual patient is high, either directly or by linkage to other data in the
possession of the requester, the data will be treated as confidential and the request denied unless patient
consent is given or the requester has clinical responsibility for the patient.
3. If data is being given out as individual records (microdata) or where the denominator population is small,
variables will be re-coded to the lowest level of specificity which will serve the purpose of the study.
Information with the potential to identify individuals will be grouped to prevent identification, as follows:
   a. Precise dates (birth, death, diagnosis). It is rarely necessary for researchers to have exact dates. In
   general, age will be provided aggregated into five-year age groups, but year of birth may be provided if
   there is a specific need. Year of incidence (diagnosis) will be sufficient for most purposes, but if survival is
   being calculated, month of diagnosis (and of death) may be provided. If this is not sufficient, derived data
   (e.g. survival in days, rather than precise dates of incidence and death) will be offered, but care is needed
   to ensure that this is done appropriately and correctly. In some circumstances, with agreement of the
   Director, precise dates of diagnosis and of death may be provided.
   b. Full morphology codes. These are not usually provided; three character (e.g. 804) codes will be given.
   Where full codes are essential for the work proposed, less common codes will be grouped to avoid
   potential identification.
   c. Full treatment codes. Unless specifically requested, only codes of “surgery”, “radiotherapy” etc. will be
   given.
   d. Occupation will always be aggregated to the second digit (of the 3 digit UK SOC90 standard occupational
   classification code) if age is also given.
   e. Local area of residence (Electoral Division, ED). A single case occurring in an ED is not in itself a reason
   to refuse the data, as long as the other information given (e.g. age, occupation) is not sufficient to
   identify someone. It is the size of the denominator population, not the number of cases, which carries
   the risk of identification. However, care must be taken, as some EDs have very small numbers of
   residents in particular age groups and the identification of individuals in these may be possible. Individual
   level data will never be released for the EDs described by the Central Statistics Office as “confidential”.
   These change with each census, and are always combined with a neighbouring ED.
   f. Data identifying a hospital. It is not difficult, using other published data, to identify hospitals by
   workload, so all such data is treated as restricted.
   Data on hospital activity, or which could be used to infer hospital activity, will be given out only if:
      1. Permission is given by, or on behalf of, the chief executive of the hospital; or
      2. The request is made by, or on behalf of, the HSE, the Department of Health and Children or the
      Health Information and Quality Authority for a publicly funded hospital; or
      3. The request is made by a body or individual with a legal right to the data; or
      4. Permission is given by a hospital medical consultant acting on behalf of a specific group of
      consultants or specialties within the hospital.
   g. Data identifying an individual health care worker. In general, data which could identify the workload or
   patterns of care provided by an individual health care worker should not be released without the written
   consent of that individual; consent should always be sought. If consent is refused, information may be
   released (following consultation with the Data Protection Commissioner) to
      1. Any body or individual with legal right to the data; or
      2. The HSE, the Department of Health and Children or the Health Information and Quality Authority in
      respect of activity in a publicly funded hospital.
Some restrictions on data use will apply (see section 4.3.3).
If the data request cannot be modified to remove the potential for patient identification, procedures with regard to
release of confidential data (section 4.3.4) will apply. Certain combinations of specific information (street address,
date of birth, occupation to the third digit) when combined with less specific data, may be enough to identify an
individual, and each request will be considered individually. If the risk of identifying an individual patient is high, either
directly or by linkage to other data in the possession of the requester, the data will be treated as confidential. In cases
of doubt, the Director, as responsible person under the Data Protection Act, will be consulted.
4.3.3 GENERAL CONDITIONS OF USE OF RESTRICTED DATA
Unlike confidential data, there is no absolute prohibition on the release of restricted data, but its release is subject to
some conditions. The Registry is subject to Freedom of Information provisions, so any “document” produced by us
could potentially be demanded by any member of the public. The following conditions apply to the release of
restricted data:
1. The probable benefits of releasing the data must outweigh any potential for damage.
2. Requesters must undertake:
   a. to use the data only for the purposes specified.
   b. not to pass it to anyone else.
   c. not to link it to other data unless this was specified in the original request, or is specifically agreed by
   the Registry at a later time. The National Cancer Registry will have to give consent for the data to be
   linked with any other databases.
   d. not to attempt to identify any individual, family or dwelling, or to publish the data in a way which
   would allow any individual, family or dwelling to be identified, either directly or by linkage with
   other data.
   e. to take every precaution to avoid the identification of individuals or institutions in any publication.
   f. to delete or destroy the data (all paper and electronic copies) at an agreed date and to inform the
   Registry that this has been done (a note should be kept of this date at the time of request and a
   reminder automatically set up).
   g. users of the data must ensure that, in complying with the above conditions, they also observe the
   relevant provisions of the Data Protection Acts and the Freedom of Information Act.
   h. Data should not be released to users outside the State without the permission of the Director (or
   other authorised person). The permission of the Data Protection Commissioner may be required for
   some transfers, especially outside the EU.
4.3.4 PROCEDURES FOR RELEASE OF CONFIDENTIAL DATA
Confidential information is not released without patient consent, except to the treating physician (section 3.1.5) of the
patient.
For informed patient consent the patient must have been given, at a minimum,
   a. a brief description of the uses to which the information will be put,
   b. the names and affiliations of the researchers involved,
   c. the interventions planned by the researchers (if any),
   d. a clear statement that the patient is completely free not to participate, without consequences,
   e. a clear statement that the patient may withdraw this consent at any stage, without consequences.
Consent should always be given in writing, and patients are given a contact address and telephone number if they wish
to discuss any aspect of the research or consent further.
The general practitioner should be contacted prior to attempting to contact the patient, to check that the patient is
alive, fit to give consent and aware of the diagnosis.
Information released to the treating physician should be limited to that which is strictly relevant to the research or
audit project. Confidential data should be accessible only to those with an existing relationship of confidentiality to
the patient, as defined in section 3.1.5, and does not extend to others, even if working within the hospital in which the
patient was treated. Enquiries for the purposes of genetic counselling must also adhere to this principle.
Patient name or house/street address and identification numbers of any sort (including National Cancer Registry
registration number, medical record number, pathology reference number) are always treated as confidential.
If an identification number is needed for each case, for quality assurance or other purposes, a substitute number will
be supplied and a lookup table kept at the Registry.
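The variable re-coding rules of section 4.3.2 (point 3) and the substitute-number lookup table just described, applied to one microdata record, as an added example that is not the Registry's own code. The ED merge table, the treatment categories and the sample record are constructed for the illustration; the lookup table from registration number to substitute number is held only on the Registry side.

```python
"""De-identification of a Registry microdata extract (added example, not Registry code).
Implements the re-coding rules of section 4.3.2, point 3, and the substitute-number
rule of section 4.3.4. Lookup tables and the sample record are constructed."""
from datetime import date
from typing import Optional

# Items that are always confidential (section 4.2.3.1); none may survive re-coding.
DIRECT_IDENTIFIERS = {"name", "address", "date_of_birth", "date_of_diagnosis",
                      "date_of_death", "registration_no", "medical_record_no",
                      "pps_no", "gms_no"}

# Constructed: EDs the CSO treats as "confidential" -> the neighbouring ED they are
# combined with (the real list changes with every census).
CONFIDENTIAL_ED_MERGE = {"ED-0421": "ED-0420/0421"}

# Constructed: detailed treatment codes -> coarse category released by default (rule c).
TREATMENT_CATEGORY = {"S1": "surgery", "S2": "surgery",
                      "R1": "radiotherapy", "C1": "chemotherapy"}

SAMPLE_CASE = {  # constructed record, not real data
    "registration_no": "NCR-000123",
    "name": "J. Example",
    "sex": "F",
    "date_of_birth": date(1942, 3, 15),
    "date_of_diagnosis": date(2001, 7, 9),
    "date_of_death": date(2004, 2, 1),
    "morphology": "8140/3",
    "treatment_codes": ["S1", "R1"],
    "occupation": "312",  # 3-digit SOC90 code
    "ed": "ED-0421",
}


def age_band(dob: date, ref: date, width: int = 5) -> str:
    """Age at `ref` aggregated into five-year bands, e.g. '55-59' (rule a)."""
    age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def year_block(year: int, start: int = 1994, width: int = 5) -> str:
    """Year of diagnosis in five-year blocks: 1994-1998, 1999-2003, ... (principle 1)."""
    lo = start + ((year - start) // width) * width
    return f"{lo}-{lo + width - 1}"


class SubstituteNumbers:
    """Issues substitute case numbers; the lookup table stays at the Registry (4.3.4)."""

    def __init__(self) -> None:
        self._table: dict = {}  # registration number -> substitute number

    def substitute(self, registration_no: str) -> int:
        if registration_no not in self._table:
            self._table[registration_no] = len(self._table) + 1
        return self._table[registration_no]

    def resolve(self, substitute_no: int) -> Optional[str]:
        """Registry-side reverse lookup; never part of the released extract."""
        return next((r for r, s in self._table.items() if s == substitute_no), None)


def recode_case(case: dict, subs: SubstituteNumbers,
                survival: bool = False, block_years: bool = False) -> dict:
    """Release version of one case at the lowest specificity that serves the study."""
    dx: date = case["date_of_diagnosis"]
    dod: Optional[date] = case.get("date_of_death")
    out = {
        "case_no": subs.substitute(case["registration_no"]),
        "sex": case["sex"],
        "age_band": age_band(case["date_of_birth"], dx),
        "year_of_diagnosis": year_block(dx.year) if block_years else dx.year,
        "morphology": case["morphology"][:3],  # rule b: three-character code
        "treatment": sorted({TREATMENT_CATEGORY.get(c, "other")
                             for c in case["treatment_codes"]}),
        "ed": CONFIDENTIAL_ED_MERGE.get(case["ed"], case["ed"]),  # rule e
    }
    if survival:
        # Rule a: derived survival in days instead of precise dates of diagnosis and death.
        end = dod if dod else case["follow_up_date"]
        out["survival_days"] = (end - dx).days
        out["vital_status"] = "dead" if dod else "alive"
    if case.get("occupation"):
        # Rule d: age is released, so SOC90 is cut to its first two digits.
        out["occupation"] = case["occupation"][:2]
    return out


def safe_to_release(record: dict) -> bool:
    """Guard before release: no always-confidential item is present."""
    return not (DIRECT_IDENTIFIERS & set(record))


def recode_sample() -> dict:
    subs = SubstituteNumbers()
    rec = recode_case(SAMPLE_CASE, subs, survival=True, block_years=True)
    assert safe_to_release(rec)
    return rec
```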
In general, all requests for confidential data must be approved by the Director or a designated person in his absence;
the request must meet the following minimum criteria:
1. the project will be of some clear benefit.
2. the data are essential for the purposes described.
4.3.5 GENERAL CONDITIONS OF USE OF CONFIDENTIAL DATA
1. Individual-level data (other than non-identifiable individual-level data as already downloadable from the
Registry website) will be provided only when no alternative method of investigation is available, and if, in the
view of the Director, the benefits to accrue from the data use outweigh any potential risks. Aggregated or
cross-tabulated data will always be offered in preference to individual-level data.
2. The data user must work within a recognised institution of some standing (e.g. third level institution, health
service organisation). All individuals who will have access to the data must be named.
3. The data must be requested by, and released only to, the data controller in the relevant organisation (see
section 3.1.5).
4. The purposes for which the data are to be used must be clearly set out and the data are not to be used for any
other purpose.
5. Information which could identify a hospital or health care professional will normally require consent from the
hospital or individual.
6. Requesters must undertake:
   a. to use the data only for the purposes specified.
   b. not to pass it to anyone else.
   c. not to link it to other data unless this was specified in the original request, or is specifically agreed by
   the Registry at a later time. The National Cancer Registry will have to give consent for the data to be
   linked with any other databases.
   d. not to use the data to contact the patient. The data must not be used to identify, or attempt to
   identify, any individual, family or dwelling, or to contact any patient or their family, and may not be
   published in a way which would allow any individual, family or dwelling to be identified, either
   directly or by linkage with other data.
   e. to take every precaution to avoid the identification of individuals or institutions in any publication.
   f. to share any documents based on the data with the Registry prior to publication.¹³ The National
   Cancer Registry will be sent a final draft of any publication or report based on the data, and will have
   the right to have any analysis breaching the above conditions removed or modified.
   g. to delete or destroy the data (all paper and electronic copies) at an agreed date and to inform the
   Registry that this has been done (a note should be kept of this date at the time of request and a
   reminder automatically set up).
   h. users of the data must ensure that, in complying with the above conditions, they also observe the
   relevant provisions of the Data Protection Acts and the Freedom of Information Act.
   i. Data should not be released to users outside the State without the permission of the Director (or
   other authorised person). The permission of the Data Protection Commissioner may be required for
   some transfers, especially outside the EU.
One corollary of the above conditions is that requests which come from outside recognised medical, research
or academic institutions, where the above conditions may be difficult to observe, will be treated with
particular care.
5 STAFF POLICIES ON DATA SECURITY AND CONFIDENTIALITY
5.1 INTRODUCTION
This document sets out the procedures for observing confidentiality and security of data within the Registry.
It is meant to offer a series of principles, and cannot cover every possible eventuality. When in doubt in a
situation which may involve confidential information, please contact the Director, or in his absence a
nominated responsible person. All staff are expected to make themselves familiar with the rules contained in
this document, and to re-read them annually. A confidentiality statement is attached, and must be signed by
each staff member on taking up his or her post and annually thereafter. Any breach of these guidelines will
be considered a serious disciplinary matter and may lead to dismissal.
The Registry is in a position of trust. We are trusted by society at large and by doctors and other hospital
workers in particular, to observe the highest standards of security and confidentiality with regard to the very
sensitive information which we have in our possession. Those of us handling this information every day may
sometimes forget the potential consequences its disclosure might have for individuals or their families. We
must also be aware of the disastrous consequences for the Registry, should our sources of information lose
their trust in us. The basic principle of operation of the Registry must be, above all, to protect the rights of
the individual.
The rules set out here govern the handling of confidential or otherwise sensitive personal information. This is
described as any information which could identify an individual (patient, family or health care worker) either
directly or indirectly. The fact that an individual is registered is in itself an item of confidential personal
information. Individuals may be directly identified by name, address, date of birth or personal identification
number (GMS number, PPS number, hospital medical record number), or indirectly through a unique
combination of personal characteristics.
Apart from confidential personal information, the Registry also produces statistical information on cancer.
Many different individuals and groups may request this information. Because cancer incidence information is
not always easily interpretable, the Registry needs to be able to control the uses made of information
supplied by us, at least to the extent of having the users take responsibility for any interpretations. The
Director must first clear all requests for restricted or confidential information, no matter how apparently
innocuous.
Registry staff may, in the course of their work, come across information not pertaining to cancer registration,
or may have access to confidential information on others which might be of interest to them. The same rules
of confidentiality apply to personal information, whether gathered for registration purposes, or come across
accidentally. Staff must not abuse their privileges of access to medical records by seeking information not
relevant to their work.
5.2 DATA SECURITY
5.2.1 BASIC PRINCIPLES
All staff concerned with the collection, processing and output of personal data are employees of the National
Cancer Registry. On taking up duty, and annually thereafter, they are required to
• read, agree to and observe the rules set out in "Guidelines for staff on confidentiality within the National
Cancer Registry".
• sign an undertaking of confidentiality, which will remain binding even following their departure from Registry
work. This undertaking prohibits staff from disclosing, either directly or indirectly, to any individual outside
the Registry or to other staff within the Registry who do not have access to confidential information, the
identity of any person registered, or any data concerning such an individual, or any other confidential
material they may come across in the course of their work.
• observe the security precautions currently operating within the Registry.
5.2.2 PHYSICAL SECURITY
The operation of the Registry is largely electronic, and few written documents containing individual identification are
created. Any such written documents are to be shredded immediately after use. Documents which need to be kept for
archival purposes are to be stored securely in areas specifically designated for this purpose and in locked storage
cabinets. Access to these cabinets is limited to authorised Registry personnel.
The Registry door is to be kept locked at all times. Visitors to the Registry must be admitted to the Registry premises
by a staff member. Once admitted they should remain in the outer lobby area until the person they are meeting
arrives. It is the responsibility of the person first admitting them to the premises to ascertain who the visitor is, whom
they are visiting and to ask them to remain in the lobby area. The person they are visiting must ensure they sign in to
the visitors’ book and sign out on departure, are given a visitor’s badge, are accompanied at all times and have no
access to areas where sensitive information could be visible. Unless there is a specific reason for doing otherwise,
visitors should be confined to the non-secure areas of the Registry (meeting rooms, lobby, Director’s office).
The Registry premises are protected by high-security locks and by electronic alarms. Non-Registry staff must never be
given alarm codes. It is the responsibility of every staff member to ensure that these are activated when the offices
are unattended at any time. The last person leaving the premises every day should go through the standard “last
person out” process and sign to indicate that the checklist has been followed.
Confidential documents should be on the desktop only when being used. At all other times they should be stored in a
designated locked cabinet or drawer. Staff should observe a “clean desk” policy when working with confidential
documents; all non-essential documents, whether confidential or otherwise, should be cleared away whenever the
desk is unoccupied, even for brief periods (e.g. coffee breaks) to reduce the risk of inadvertent exposure of a
confidential document.
5.2.3 ELECTRONIC SECURITY
Data collected by Registry staff on laptop computers is password protected and encoded, and must also be encoded
during any transmission to the Registry. Data is stored on laptop computers in a form that would be quite difficult for
the average person to break into. However, it is not impossible, with enough time, determination and technical skill.
The loss or theft of a laptop computer with confidential data is one of the most serious potential threats to the
Registry and all staff are required to comply with the laptop security policy. Details of the Registry’s security policy
specific to laptops are outlined in section 5.3 (page 23). Staff should adhere strictly to the laptop security policy
(section 5.3). If any breach of security is suspected, the Director should be informed immediately. Password policies
with regard to laptop password format and frequency of change must be complied with.
Data within the Registry is protected by passwords and encoding. Each individual within the Registry has a personal
password, which defines their level of access to the computer system. Password policies with regard to password
format and frequency of change must be complied with. Passwords must never be written down anywhere and must
be encrypted if stored in electronic format. A second password is needed for access to the patient database. Access to
all computers is automatically logged by the network system, which records the identity of the person using the
computer, and the times at which they log on and log off. Staff must log off when leaving the Registry, and must not
allow any identifiable data to remain on the screen while away from their desk. Registry computers which contain
personally identifiable data are not to be connected to any outside computer system.
While regular backups of network data are made, each staff member has a responsibility to ensure that all valuable
data is backed up regularly. Data held locally should be backed up to the network at least weekly.
5.2.3.1 PASSWORDS
Passwords are an important part of computer security: they are the front line of protection for user accounts, and a
poorly chosen password may allow an attacker into the system. Appropriate steps must be taken to select and secure
passwords.
• It is the responsibility of the IT department to assign unique passwords to all staff. Users will be given their
  passwords in a sealed envelope. The passwords include:
  ◦ power-on passwords (Safend password or TrueCrypt password);
  ◦ the Windows logon password (on laptops with a Windows 2000/XP/2007 operating system);
  ◦ the National Cancer Registry System password.
• Once you have memorised your passwords, the contents of the sealed envelope must be destroyed in a shredder.
• Do not reveal your passwords to anyone.
• Do not write down your passwords.
• If you suspect your password has been compromised, notify the IT department immediately.
• If a password is lost, the IT department will set a new one.
5.2.3.2 SAFEND ENCRYPTOR/TRUECRYPT SOFTWARE
Safend Encryptor/TrueCrypt software protects confidential data by encrypting the data stored on laptops, so that in the
case of loss or theft the data cannot be read by an unauthorised user. This protection applies to data at rest: it depends
on the laptop being powered off or locked when it leaves your control, and on the password not being kept with the
machine. This software is installed on all Registry laptops.
5.2.3.3 ENCRYPTED MEMORY KEYS (KINGSTON DATATRAVELER)
The Registry uses small, portable encrypted USB memory keys (Kingston DataTraveler "Privacy Edition"). Without a valid
password, access to the key is blocked and the data on it remains encrypted. The manuals are on the network share:
\\gauguin\research\DTVault_Privacy_Users_Manual.PDF
\\gauguin\research\DTVault_VaultPrivacy_WP.PDF
5.2.3.4 PGP SOFTWARE
Each member of the Research Team in the Registry has PGP installed. As a minimum, and by default, they always encrypt
to two keys: their own key and the Registry "master" key. If something happens to a staff member so that their private
key and pass-phrase cannot be used, the Director is still able to decrypt the files with the master key.
A copy of the private and public keys for this PGP master key is kept in the folder \\Gauguin\IT\Infrastructure\Security.
Decrypting with it requires both the private key and its pass-phrase, which only the Director knows; the protection of
every file encrypted to the master key therefore rests on that pass-phrase and on the access controls of that folder. A
file encrypted only to a personal key cannot be recovered in an emergency.
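As an added example (not code from the Registry policy or its PGP installation), the following script reproduces the rule above with GnuPG: a staff member encrypts a file to their own key and to the master key, a packet listing confirms that two recipients are present, and the file is then recovered using only the Director's keyring, which holds the master private key and has never seen the staff member's key. The user IDs, file names and the two throwaway keyrings are assumptions, and the script assumes gpg 2.1 or later is on PATH; the keys are generated with empty pass-phrases only to keep the demonstration non-interactive.

```shell
#!/bin/sh
# Added example, not the Registry's own PGP deployment or key material: the
# "encrypt to my own key AND the master key" rule reproduced with GnuPG in two
# throwaway keyrings (a staff member's and the Director's), followed by the
# emergency case where only the Director's keyring is available.
# Assumptions: gpg 2.1 or later on PATH; the user IDs and paths are hypothetical.
set -eu

STAFF_UID="research.staff@registry.invalid"   # hypothetical staff key
MASTER_UID="pgp.master@registry.invalid"      # hypothetical master key

# Two isolated keyrings, so nothing touches the real ~/.gnupg.
STAFF_HOME=$(mktemp -d)
MASTER_HOME=$(mktemp -d)

# Non-interactive key generation. The empty passphrase is only for the demo;
# the real master key is protected by a passphrase known only to the Director.
gen_key() {  # $1 = homedir, $2 = user id
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never 2>/dev/null
}

setup_keyrings() {
  gen_key "$MASTER_HOME" "$MASTER_UID"
  gen_key "$STAFF_HOME" "$STAFF_UID"
  # The staff member only needs the master PUBLIC key in order to encrypt to it.
  gpg --homedir "$MASTER_HOME" --batch --quiet --export "$MASTER_UID" \
    | gpg --homedir "$STAFF_HOME" --batch --quiet --import 2>/dev/null
}

# Encrypt $1 to BOTH recipients and write $2. Either private key can decrypt.
encrypt_for_staff_and_master() {
  gpg --homedir "$STAFF_HOME" --batch --quiet --yes --trust-model always \
      --recipient "$STAFF_UID" --recipient "$MASTER_UID" \
      --output "$2" --encrypt "$1" 2>/dev/null
}

# Count the public-key-encrypted session key packets in $1: one per recipient.
# A value of 1 means the file was encrypted to a single key, i.e. the rule was
# not followed and the file could not be recovered in an emergency.
count_recipients() {
  gpg --homedir "$STAFF_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --list-packets "$1" 2>/dev/null \
    | grep -c '^:pubkey enc packet:'
}

# Emergency recovery: decrypt in the Director's keyring, which holds only the
# master private key. gpg skips the session key it cannot open and uses the
# one wrapped for the master key.
decrypt_as_director() {
  gpg --homedir "$MASTER_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --decrypt "$1" 2>/dev/null
}

cleanup() {
  for h in "$STAFF_HOME" "$MASTER_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
}

# Walk through the procedure on a constructed sample file (no real data).
setup_keyrings
SAMPLE="$STAFF_HOME/extract.txt"
printf 'Registration 00012345: constructed sample extract\n' > "$SAMPLE"
encrypt_for_staff_and_master "$SAMPLE" "$SAMPLE.gpg"
RECIPIENT_COUNT=$(count_recipients "$SAMPLE.gpg")
RECOVERED=$(decrypt_as_director "$SAMPLE.gpg")
echo "recipients in $SAMPLE.gpg: $RECIPIENT_COUNT"
echo "recovered by Director:     $RECOVERED"
cleanup
```

The recipient count is the check worth automating: a file encrypted to one key decrypts perfectly well for its owner today and is unrecoverable the day that key or pass-phrase is lost, so a pre-transfer check that rejects anything with fewer than two `:pubkey enc packet:` entries enforces the policy mechanically rather than relying on each user remembering the second recipient.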
5.2.3.5 VIRUS PROTECTION
Things to do to protect yourself:
• Ensure that you have activated anti-virus software on your PC/laptop and that it is configured for automatic update.
• Always scan software disks and files with approved anti-virus software.
What to do if you suspect a virus:
• Immediately stop using your laptop/PC.
• Notify the IT department.
5.2.4 SECURITY DURING DATA COLLECTION AND PROCESSING
a. The arrangements for security and confidentiality within each hospital must be strictly observed. Medical records
should not be taken from the areas assigned to them without the specific permission of a responsible hospital authority.
b. All confidential material must be stored out of sight when not personally attended.
c. Details of cases should be discussed only with the doctors responsible for the case; staff should not assume that
others within the hospital have the same amount of information as they do.
d. Material that is not pertinent to Registry work should never be examined.
e. Data received from other sources in physical format (memory key, CD, tape, printed reports etc.) must be logged on
receipt, labelled, and kept in secure storage until used and then destroyed.
f. All printed reports, records, questionnaires and interview records which contain identifiable data should be treated
with the same procedures as patient registrations and should never be left unattended in an open area. All printed
material should be retrieved immediately from the printer area.
g. All printed records, questionnaires and interview records containing personal data should be shredded as soon as
they are no longer needed.
h. When printing reports for internal use, avoid the use of identifiers unless this is essential for the purpose of the
report.
5.2.5 COMMUNICATION
5.2.5.1 EMAIL
a. The email system is intended for the business purposes of the Registry. The email account is not intended for
personal use (see the Internet and email policy), but limited personal use is acceptable. The Registry reserves the right
to curtail or prohibit all, or specific, personal usage.
b. When forwarding emails, check the message being forwarded for sensitive, inappropriate or confidential information.
c. Standard unencrypted email must never be used to transmit confidential data.
5.2.5.2 TELEPHONE
a. Information concerning identifiable patients or research subjects must never be given over the telephone to
non-Registry staff.
b. Calls to medical or paramedical staff concerning registered patients or research subjects should use the minimum of
detail needed for the person being called to identify the patient (e.g. medical record number and date of birth rather
than name and address).
c. If there is any possibility that confidential information might be overheard in the general office, use the designated
soundproof rooms.
d. Staff using offices shared with non-Registry staff should not discuss confidential information while the office is
occupied.
e. Calls from persons identifying themselves as cancer patients and asking for information must be dealt with in a way
which does not disclose whether the individual is registered or not. Once the person has identified themselves, the
enquiry may be dealt with by
   i. asking that the person write in for the information, which can then be sent directly or to a named medical
      practitioner; or
   ii. asking permission to telephone the person's GP with the information.
On occasion, family members of patients may contact the Registry, usually after receipt of a letter asking the patient to
take part in a research study. It must not be assumed that the caller has any knowledge of the patient's condition or is
acting with the patient's express consent. The response to the call must not reveal whether the patient has cancer.
5.2.5.3 LETTERS
a. All letters to consultants, general practitioners, patients or research subjects which contain confidential
information on living individuals must be addressed to them personally, marked "Confidential" and sent by registered
post. If you are unsure of the person to whom the letter should be addressed, confirm their name and address by
telephone before writing. If confidential information is sent out and you cannot be certain that it will reach the
recipient, check its arrival with the recipient by telephone.
b. Any communication between Registry staff with regard to patients should use patients' registration numbers, not
names and/or addresses. Where possible, material should be sent encrypted electronically rather than by post.
5.2.5.4 FAX MACHINES
The use of fax machines to transmit identifiable data should be avoided. It may sometimes be necessary to fax material;
for instance, tumour registration officers (TROs) may need to forward a list of cases to a hospital medical records
department, or research questionnaires may need to be faxed. In these cases the following procedure must be observed:
a. Send only the information required.
b. Fax the material to a designated person who knows that it is coming and what it contains.
c. This person should be available to receive the fax and should have adequate security measures in place; for example,
the fax must not be left unattended in an open-plan office.
d. Double-check the fax number before dialling.
e. Ring or email the designated person to confirm that they have received the fax.
f. Use a cover sheet with the recipient's name clearly entered, so that anyone handling the fax knows who it is for and
whether it is confidential or sensitive without looking at the contents.
g. Both the document faxed and the copy received must be shredded after use.
5.3 LAPTOP SECURITY POLICY
The same general provisions apply to laptop use as to computer use at the main Registry offices (see sections 5.2.3
to 5.2.7). The principles below are specific to off-site use.
5.3.1 PURPOSE
This policy addresses the actions that must be taken by all Registry staff who have a Registry laptop, or who are
temporarily using a “shared” Registry laptop, or the laptop of another employee.
5.3.2 REQUIREMENTS
All laptops acquired for, or on behalf of, the Registry are the property of the Registry. Each employee issued with a
laptop is responsible for the security of that laptop, regardless of whether it is used in the office, at the employee's
place of residence, or in any other location such as a hotel, conference room, car, train or airport. (This list of
potential places is not exhaustive.)
If, for any reason, you find that you cannot comply with the Registry policy on storage and transport of your laptop,
your line manager and the IT department must be informed and alternative arrangements approved.
5.3.3 STORAGE AND TRANSPORT OUTSIDE THE MAIN REGISTRY OFFICES
• At the end of the working day the laptop should be placed in a locked cabinet or room.
• Kensington locks must be used by tumour registration officers when storing the laptop outside their base office.
• The laptop should always be stored and transported in its carrying case.
• While travelling by car the laptop must be stored in the boot and secured against movement.
• The laptop must never be left unattended in a parked car.
• While travelling, keep the laptop and laptop peripheral equipment with you.
• When taking annual leave, make sure the laptop is securely locked away in a locked cabinet, either in the Registry
  offices or (for tumour registration officers) in the base office. If you are unable to do this the IT Administrator
  must be notified.
• Unaccompanied shipment of laptops to and from the Registry must be arranged by, or with the approval of, the IT
  department, using an approved courier.
5.3.4 LAPTOP USAGE OUTSIDE REGISTRY OFFICES
• Confidential data must never be held on a laptop without the Registry-installed encryption software.
• Laptops should be used only for Registry work.
• Software should be installed only by Registry IT staff.
• If you encounter problems with the laptop, do NOT attempt to repair it yourself.
• When away from the laptop temporarily during working hours, the laptop must be locked electronically (press
  Ctrl+Alt+Delete and click "Lock Computer") and secured with the Kensington lock supplied by the Registry. If you are
  unable to use the Kensington lock, the IT Administrator must be notified and will maintain a log of at-risk hospitals.
• The laptop display should be positioned to preclude casual viewing by others (as far as is reasonably practicable),
  especially when confidential data is shown.
• When tumour registration officers use a laptop to connect to the Registry server in Cork, they should connect only to
  systems they are authorised to use, and should always log off the Registry server during periods of inactivity.
5.3.5 VIOLATION AND PENALTIES
• Employees should comply with this policy as far as reasonably possible.
• Violation of this policy may be grounds for disciplinary action.
5.4 BREACHES OF DATA SECURITY OR CONFIDENTIALITY
5.4.1 LOSS OR DISCLOSURE OF CONFIDENTIAL DATA
5.4.1.1 PROCEDURES BY THE PERSON HOLDING THE DATA OR BECOMING AWARE OF THE BREACH
1. All breaches of confidentiality, or suspected breaches, must be reported verbally to the responsible person
immediately. The responsible person for each staff member is, in the first instance, their line manager. If they have no
line manager, or the line manager is not available, the Director should be contacted. The Director will nominate
someone to be responsible for data security in his absence.
2. This report should include a clear description of the data lost or revealed, the date, time and circumstances under
which this occurred, and any measures taken to retrieve the data. It should be followed by a written report giving the
same information in more detail, together with the procedures which should have applied and why these were either not
followed or proved inadequate.
3. The report should note whether any other persons have been informed, or need to be informed (e.g. hospital
management, Garda, Data Protection Commissioner). If any of these need to be informed, this should be done by the
responsible person.
4. If data has been lost or mislaid and can possibly be retrieved before it is read by anyone outside the Registry, every
possible step should be taken to retrieve it; successful retrieval does not, however, remove the obligation to inform the
responsible person.
5. If data has been misdirected (e.g. by post or email), the person to whom it was mistakenly sent should be contacted
immediately, informed of the confidential nature of the data and asked to destroy it unread.
5.4.1.2 PROCEDURES FOR THE RESPONSIBLE PERSON
1. If confidential data has been disclosed to unauthorised persons, the Data Protection Commissioner must be informed.
2. All breaches of confidentiality, or suspected breaches, must be reported to the Director, or in his absence a
nominated responsible person, as soon as possible.
3. A risk assessment should be carried out: what type of data is involved, has it been lost or disclosed, to whom, and is
it Registry or third-party (e.g. pathology report) information?
4. Has there been a breach of procedure? If so, is there a possibility of disciplinary action?
5.4.2 BREACHES OF SECURITY PROCEDURES
1. Breaches of data security should be reported by anyone becoming aware of them.
2. A log of all breaches will be maintained.
3. The Director, or in his absence a nominated responsible person, should be informed of any breach as soon as is
reasonably possible.
4. Breaches of security may be followed by disciplinary procedures including verbal and written warnings, entries in the
individual's personnel file, suspension or dismissal.
5.5 INTERNET, NETWORK AND EMAIL POLICY
5.5.1 INTRODUCTION
The National Cancer Registry aims to provide you with accessible, up-to-date and reliable information to support you in
your work, and this requires giving you access to the information resources of the Internet. The Internet is a business
and research tool for the Registry. Users must understand that any connection to the Internet also gives non-authorised
users an opportunity to view or access Registry information. All connections must therefore be secure, controlled and
monitored. The Registry reserves the right to block unacceptable content and content that may be dangerous to the
network.
5.5.2 GENERAL INTERNET USE
5.5.2.1 USER ACCOUNTABILITY
Users are responsible for their network use (including Internet use) and are accountable for their own work.
5.5.2.2 VIRUS DETECTION
Files obtained from sources outside the organisation, or downloaded over the Internet, must not be opened until they
have been scanned with the Registry-approved virus checking software (currently McAfee). If you suspect that a virus has
been introduced into the Registry network, notify the IT group immediately.
5.5.2.3 UNACCEPTABLE CONTENT
The following content has been deemed unacceptable:
• Words, images or references that could be viewed as libellous, harassing, illegal, discriminatory or otherwise
  offensive.
• Words, images or references that might be considered inappropriate in the workplace, including, but not limited to,
  messages or images that are lewd, obscene, sexually explicit or pornographic.
• Words, images or references that might be considered inappropriate, harassing or offensive because of their reference
  to race, sex, age, sexual orientation, marital status, religion, national origin, physical or mental disability, or
  other protected status.
5.5.2.4 PROHIBITED ACTIVITY
• Intentionally downloading, copying or transmitting documents or software protected by third-party copyright in
  violation of that copyright. Any individual with a question concerning a copyright issue should contact HR.
• Viewing content that is illegal or unacceptable over the Internet or any other network.
• Creating or transmitting works containing illegal or unacceptable content over the Internet or any other network.
• Using encryption devices that have not been expressly approved by the Registry.
• Using software that transmits and receives content over a network and has not been expressly approved by the
  Registry. A list of acceptable software is available from the IT Administrator.
• Storing works containing unacceptable or illegal content, either locally or on any other machine on a network
  administered by the Registry.
5.5.2.5 ACCIDENTAL/UNINTENDED VIOLATIONS
If you find yourself accidentally viewing illegal or unacceptable content over a network as outlined above you must
cease viewing the content immediately, regardless of whether that content provided had been previously deemed
acceptable by any screening or rating program. A user who accidentally views unacceptable content over a network is
encouraged to report the incident to the organisation's IT department without the threat of incurring a violation
penalty.
5.5.3 EMAIL
This section sets forth the policy of the Registry with respect to email and Internet usage. All individuals (including
but not limited to staff, outside consultants and visitors) who use the Registry email system are required to comply with
it. As email is transmitted over a network, all conditions described in the previous sections apply.
5.5.3.1 GENERAL PRINCIPLES
5.5.3.1.1 ACCEPTABLE USE
• The email system is meant to be used for the business purposes of the Registry. Limited personal use is acceptable
  provided it complies with Registry policy on content; however, the Registry reserves the right to curtail or prohibit
  all, or specific, personal usage. The Registry disclaimer should not be included in personal emails.
• Standard unencrypted email must never be used to transmit any confidential data (i.e. personal or sensitive data).
• When sending emails concerning registered or potential patients or research subjects, the following precautions must
  be observed:
  ◦ If the email is unencrypted, all identifiable details (including hospital name) must be removed before sending. If
    an identifier is needed, the email should contain the registration number only.
  ◦ Ensure that the email is sent only to the intended recipient. Double-check before sending.
  ◦ Check that the recipient has received the email; if they have not, inform the IT department and your line manager
    immediately.
  ◦ If you are unsure whether the email should be encrypted or password protected, contact your line manager or the IT
    department for clarification.
5.5.3.1.2 OWNERSHIP
All email accounts and all information and messages that are created, sent, received or stored on the Registry email
system are the sole property of the Registry and are not the property of the employee or other individuals.
5.5.3.2 EMAIL REVIEW
All email is subject to the right of the Registry to monitor, access, read, delete, copy and use such email without prior
notice to its originators and recipients. Email may be monitored and read by authorised individuals on behalf of the
Registry to check for violations of law, breaches of Registry policies or communications harmful to the Registry, or for
any other reason. The Registry also reserves the right to disclose emails to authorised persons.
5.5.3.3 EMAIL CONTENT
Emails should be professional, courteous and in compliance with all applicable laws and Registry policies. Emails
should not contain unacceptable content. Users should employ spell check on all emails sent.
5.5.3.4 SECURITY
The email system is only to be used by authorised individuals who have been issued an email password in order to use
the system. Individuals shall not disclose their username or passwords to others and may not use someone else's
username or password without express written authorization from an authorised IT staff member.
5.5.4 IMPLICATIONS OF THE FREEDOM OF INFORMATION (FOI) AND DATA PROTECTION (DP) ACTS
It is reasonable to assume that some of the information that may be requested under the FOI or DP Acts will be available
only in email format, most likely stored in an individual's personal email account. It is essential that emails are
appropriately filed and easily retrievable. Where information is stored only in email format, individuals must be aware
of this so that emails are not deleted inappropriately.
The Freedom of Information and Data Protection Acts cover all information, not just formal documents, so any
individual's work-related emails can effectively become public property under the Acts. It is essential that individuals
know exactly what emails they have sent or received and when to delete them (i.e. when they are no longer needed). The
following should help users make this decision themselves.
5.5.4.1 WHAT IS A RECORD?
A record is 'information created, received, and maintained as evidence and information by an organisation or person, in
pursuance of legal obligations or in the transaction of business activity'.
This definition is taken from ISO 15489-1:2001, Information and documentation: Records management, Part 1: General.
5.5.4.2 IDENTIFYING EMAIL RECORDS
Email messages that might constitute a record are likely to contain information relating to business transactions that
have or are going to take place, decisions taken in relation to the business transaction or any discussion that took
place in relation to the transaction. For example, during the decision to put out a tender document for a particular
service, background discussion about what this should and should not include might take place via email and should
be captured as a record.
5.5.4.3 EMAIL RETENTION POLICIES
Users must retain copies of email records for inspection under the Freedom of Information Act. At present no maximum
retention period has been set for email records, so there is no point at which a record may be deleted simply because of
its age.
5.5.4.4 WHO IS RESPONSIBLE FOR ELECTRONIC RECORDS?
As email messages can be sent to multiple recipients, the following guidelines indicate who is responsible for capturing
an email as a record:
• For internal email messages: the sender of the message, or the initiator of an email dialogue that forms a string of
  messages.
• For messages sent externally: the sender of the message.
• For external messages received by one person: the recipient.
• For external messages received by more than one person: the person responsible for the area of work relating to the
  message. If this is not clear, it may be necessary to clarify who this is with the other people who have received the
  message.
5.5.4.5 WHEN TO CAPTURE EMAIL AS RECORDS
Many email messages will form part of an email conversation string. When this happens it is not necessary to capture
each new part of the conversation, i.e. every reply separately. There is no need to wait until the end of the
conversation before capturing the email string as several discussions may have been covered. Email strings should be
captured at significant points during the conversation rather than waiting until the end of the conversation.
5.5.4.6 WHERE TO KEEP EMAIL RECORDS
Email messages are automatically stored on the Microsoft Exchange email server and are regularly backed up. So long as
you use email in the standard way, all your messages will be stored. Messages you delete are retained for 30 days after
deletion.
5.5.4.7 MANAGING EMAIL RECORDS WITH ATTACHMENTS
The decision on whether an email and/or its attachment constitute a record depends on the context within which they
were received. There are circumstances where the attachment would require further work in which case it would be
acceptable to capture the email and the attachment together as a record and keep a copy of the attachment in
another location to be worked on. In these circumstances the copy that was worked on will become a completely
separate record.
5.5.5 DISCLAIMERS
The following disclaimer should be attached to every work-related email message sent from a Registry account. This
needs to be set up by the user.
The contents of this email are intended for the named addressee only. It contains information that may be
confidential. Unless you are the named addressee or an authorised designee, you may not copy or use it, or
disclose it to anyone else. If you have received it in error please notify us immediately and then destroy it. The
Registry does not guarantee the security of any information electronically transmitted and is not liable if the
information contained in this communication is not a proper and complete record of the message as
transmitted by the sender or for any delay in its receipt.
This disclaimer should not be appended to personal email messages.
When sending out a message in response to a request for data or general information, the user must append the
following disclaimer themselves.
Cancer registration is a dynamic process and information is continually updated on our database. As a result,
the figures given here may not correspond exactly to those in previous reports, or to those on our website.
In Outlook Mail and Outlook web-interface you can save this as a signature which you can choose to append to your
messages. This saves you the effort of typing it in every time. A representative of the IT Group will configure this for
you if you wish.
5.6 VIOLATIONS AND REPORTING
Violations will be reviewed on a case-by-case basis. If it is determined that a user has violated one or more use
regulations, standard disciplinary procedures will apply.
The Registry intends to enforce this policy, but reserves the right to change it at any time as circumstances may
require.
Data confidentiality in the National Cancer Registry.
General policy, procedures for release of data and staff guidelines.
STAFF UNDERTAKING
All staff are to sign this undertaking annually.
I have read, and will abide by, this policy. I understand that any breach of this policy is a serious
disciplinary matter.
Signed:
Date:
Name in block capitals: