Confidentiality and Protection of Personal Data

STANDARD OPERATING PROCEDURE
Confidentiality and Protection of Personal Data
SOP Number: Insert SOP Reference Number
Version Number: 1.0
NAME | TITLE | SIGNATURE | DATE
Author
Reviewer
Authoriser
Issue Date:
Effective Date:
Review Due:
VERSION HISTORY
Previous version | Significant changes from previous version | Author | Date
UKCRC CTU SOP Template V1.0
THIS IS A CONTROLLED DOCUMENT. DO NOT COPY
Page 1 of 13
SOP Title:
Confidentiality and protection of personal data
SOP No:
SOP Version: 1.0
Effective:
1. PURPOSE
The purpose of this SOP is to describe the systems and processes for managing personal data in
the course of clinical research activities. Compliance with this SOP will ensure that all information
collected during the research process is recorded, handled and stored in such a way that
maintains appropriate confidentiality but allows access and use as applicable, whilst satisfying the
requirements of the Data Protection Act (1998)(1).
2. SCOPE
This SOP applies to CTU staff and other researchers who deal with personal identifiable data of
any kind (i.e. paper notes, electronic records etc.) at any time during the process of collection,
handling, storing and analysis of research data.
3. INTRODUCTION
The Research Governance Framework(2), which incorporates the requirements of the Data
Protection Act 1998, stipulates the appropriate use and protection of participants’ data in research
settings by establishing secure systems to ensure the confidentiality of personal information.
The Data Protection Act (1998) legislates for the control and protection of personal data by
the implementation of administrative, technical, or physical measures to guard against
unauthorised access to data. The Act protects personal privacy, requires fair and lawful
processing of personal information and restricts what can be done with it, and to whom it may be
disclosed. The Act lists eight principles of data protection which state that:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purpose(s) and shall
   not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for
   which they are processed.
4. Personal data shall be accurate and where necessary kept up to date.
5. Personal data processed for any purpose shall not be kept for longer than is necessary for
   that purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or
   unlawful processing of personal data and against accidental loss or destruction.
8. Personal data shall not be transferred to a country or territory outside the European Economic
   Area (EEA) unless that country or territory ensures an adequate level of protection for the
   rights and freedoms of data subjects in relation to the processing of personal data.
• Data must not be transferred to any country that lies outside the European Economic Area
  (EEA) without the express consent of the participant. (For information on countries which are
  within the EEA consult the Home Office UK Border Agency(3).)
The use of patient data for research in England is also governed by the Human Rights Act
(1998)(4), the Common Law Duty of Confidentiality(5), Section 60 of the Health and Social Care Act
(2001)(6) and Section 251 of the NHS Act (2006)(7). Section 251 of the NHS Act (2006) permits the
common law duty of confidentiality “to be set aside in specific circumstances for medical
purposes”, where it is not possible to use anonymised information and where seeking individual
consent is not practicable. The Ethics and Confidentiality Committee, part of the National
Information Governance Board (NIGB) for Health and Social Care(8), is responsible for assessing
applications for the sharing of identifiable patient information in such circumstances.
For legislation in Scotland refer to the NHS Scotland Information Governance(9) website.
For Northern Ireland refer to the Northern Ireland Department of Health, Social Services and
Public Safety website(10), and the Code of Practice on Protecting the Confidentiality of Service
User Information(11).
Under the Data Protection Act, an individual is entitled to be informed by any data
controller whether his personal data are being processed by or on behalf of that data controller,
and if so, the source and nature of the personal data and the purposes for which they are being
used or processed, and to whom they will be disclosed(12). Furthermore, an individual has a right
to require an organisation to stop (or not to begin) processing of his personal data only if he has
(a) not consented to the processing, and (b) processing is likely to cause unwarranted and
substantial damage or distress.
Under the right of subject access, an individual has a right to see the information contained
in their own personal data, rather than a right to see the documents that include that information.
4. ABBREVIATIONS
4.1 Acronyms and abbreviations
CD: Compact disk
CRF: Case report form
CTIMP: Clinical trial of an investigational medicinal product
EEA: European Economic Area
GP: General Practitioner
ICF: Informed consent form
NIGB: National Information Governance Board
PIS: Participant information sheet
4.2 Definitions
Anonymous: Data for which it is impossible to identify the participant from the information or any
other information held.
Caldicott Guardian: A senior person responsible for protecting the confidentiality of patient and
service user information and enabling appropriate information sharing. General practices are
required by regulations to have a confidentiality lead.
Coded data: Identifiable personal data in which the details that could identify someone are
concealed in a code, but which can readily be decoded by those using the personal data. Such
coded data are not anonymised data.
Confidential information: Information obtained by a person on the understanding that they will not
disclose it to others, or obtained in circumstances where it is expected that they will not disclose
it. The law assumes that whenever people give personal information to health professionals or
members of a clinical research team caring for them, it is confidential as long as it remains
personally identifiable.
Data: Information as numerical or text values found within paper and electronic records (including
images and sound), e.g. trial reports, case report forms, faxed documents, emails and
attachments, trial databases, photographs and x-rays.
Data controller: A person who (either alone or jointly or in common with other persons)
determines the purposes for which and the manner in which any personal data are, or are to be,
processed.
Data custodian: The person responsible for the safekeeping of data and control of their use, and
eventual disposal (if required), all in accordance with legislation and the terms of
the consent given by the donor.
Data processor: In relation to personal data, means any person (other than an employee of the
data controller) who processes the data on behalf of the data controller.
Data subject: An individual who is the subject of personal data.
Patient identifiable data: Any information that may be used to identify a patient directly or
indirectly. Key identifiable information includes patient name, address, date of birth, full post
code, images, tapes, NHS number and local identifiable codes.
Personal data: Data which relate to a living individual who can be identified from those data, or
from those data in combination with other accessible information. This includes names,
addresses, NHS numbers, dates of birth, as well as combinations of data which together might
identify an individual (e.g. a dataset containing hospital, gender, age, dates).
Processing data: Processing data includes any procedure from obtaining, recording or holding the
data to carrying out any operation on the data, such as altering, using, disclosing or deleting it.
Pseudoanonymised data: Study participants are given an identifier by which they are known in a
system (e.g. Case Record Form, computer database), which is typically a number but may also be
another form of identifier. One master list with the identifier and patients’ details must be kept
separately in order to link the patient to their data.
Sensitive data: A category of personal information that is usually held in confidence and the loss,
misdirection or loss of integrity of which could impact adversely on individuals, the organisation,
or on the wider community, e.g. racial or ethnic origin, religious or political beliefs, trade union
membership, physical or mental health or condition, sexual life, offences (alleged or committed).
Transfer of data: In this SOP, transfer of data means the transmission of data from a sender to a
recipient or the removal of data from one location to another.
5. RESPONSIBILITIES
The protection of research participants’ data is the responsibility of the Sponsor, Chief Investigator
(CI), Principal Investigator (PI) and all members of the research team.
As part of the research approval process the CI will be responsible for providing the
Sponsor’s Information Governance team with details of the collection, processing and storage of
personal information, and ensuring that they comply with the Data Protection Act.
Specific data protection responsibilities may be delegated to the research team.
All staff:
• must be aware of their legal and ethical duties in protecting personal data, and ensuring its
  confidentiality
• are responsible for working within the Data Protection Act and relevant codes of practice
• are responsible for ensuring that they are appropriately trained
• are responsible for notifying their line manager of any changes to the way personal research
  data are processed or stored
In NHS based research, additional responsibility for data protection issues will lie with the NHS
Trust’s Information Governance Officer and the Caldicott Guardian(13).
6. PROCEDURE
6.1 Data Custodian
When personal data are being processed a “data owner” or data custodian should be identified
(this would usually be the CI, but the role may be delegated to the CTU or its host organisation).
The data custodian is responsible for ensuring that the security and access arrangements for the
database comply with the Data Protection Act (1998), and that all data processing and locally held
personal data are registered with the host institution according to the employer’s processes.
Every organisation that processes personal information must notify the Information
Commissioner’s Office(12) (ICO), unless it is exempt. Notification is a statutory requirement and
failure to notify is a criminal offence. The ICO publishes certain details in the Register of Data
Controllers, which should be checked to ensure the relevant organisation is registered (this will
usually be the CTU’s host institution rather than the CTU itself).
6.2 Access to personal data
Personal data will only be processed by CTU staff when:
• a justified purpose for doing so is clearly documented;
• informed consent has been obtained from each data subject*; and
• protective measures have been taken to allow access to personal data only to authorised
  individuals.
* Or, where anonymised information (data where any links to the identity of a living individual have
been permanently removed) is not sufficient and patient consent is not practicable, approval has
been obtained from the NIGB Ethics and Confidentiality Committee(8).
6.2.1 Non-NHS staff
Where research involves NHS patients, data or facilities, members of the study team may need to
be covered by an appropriate Human Resource agreement with the NHS organisation hosting
their research. The NHS Research Passport System Resource Pack(14) provides guidance on
whether researchers will require an honorary NHS contract or Letter of Access depending on the
level of patient contact they are likely to have during the trial. This is in addition to any other Data
Protection requirements (e.g. Caldicott Guardian approval). Staff working on NHS premises must
be familiar with the local NHS Trust data protection policies and attend information governance
training where it is available.
6.3 Study protocol
When planning the study the CI and research team must check that data protection issues are
clearly described in the study protocol, and include:
• the data to be collected
• how the data are to be collected
• who will have access to the data
• how and where the data are to be stored and for how long
• how the data are to be transferred (if applicable)
• how the data are to be analysed
6.4 Participant Information Sheet and Informed Consent Form
In addition to the above, and in order to comply with the Data Protection Act (1998), the
Participant Information Sheet (PIS) and Informed Consent Form (ICF) should contain the following
information:
• How the data will be used (research data collected will not be used for anything additional to
  what is specified at the time of consent)
• Details of the organisation(s) which will collect, store and process data
• Details of the type and form of any data transfer, and whether participants could be identified
• Intended duration of record retention and that this would be confidential
If data collected for research purposes are not anonymised, explicit consent from the data subject
is required.
6.4.1 Informing the General Practitioner
When a participant’s GP is informed that their patient has been recruited into a study the
participant must be told that the GP will be informed and give their explicit consent. This
information must therefore be included on the PIS and ICF.
6.4.2 Transfer outside the European Economic Area
Written consent to transfer data outside of the EEA should be sought during the informed consent
process.
6.4.3 Identification of potential participants from health records
If potential participants are to be identified through some form of health record this must be explicit
in the protocol and PIS.
The Wellcome Trust briefing ‘Towards consensus for best practice’(15) provides guidance on
the use of GP records for research.
6.5 Pseudo-anonymous and anonymous data
In most research studies it is not always possible to completely anonymise data, because source
data verification is required; in those cases data must be ‘pseudo-anonymised’. When data are
pseudo-anonymised, one master list with the identifiers/codes and the participants’ details is kept
separately in order to link the patients to their data (and should be kept in a locked
cabinet/office or a password protected file); no copies of this list should be made.
Pseudo-anonymised data qualify as personal data under the Data Protection Act (1998). The study
monitor will usually access the master list at site; alternatively, a master list may be held in the
CTU for trial-specific purposes, or blinding codes may be kept to allow access, etc.
For studies in which source data verification is not required, it will be possible to keep
completely anonymised data (e.g. epidemiological research). In these cases the Data Protection
Act does not apply, as anonymised data is not considered to be personal data.
6.6 Paper based data
All data not received in an anonymised form must be collected with the permission of study
participants, stored securely in a locked cabinet, locked away if unattended and retained for only
as long as is necessary. It should be clear in the protocol, PIS and ICF that personal data with the
potential to identify research participants will be kept separate from the study data and CRFs, with
the exception of essential study documents required to be kept as part of the Trial Master File and
Study Site File e.g. signed ICFs. Access to this data will be restricted to members of the research
team, unless authorised by the Investigator, a member of the research team or the Caldicott
Guardian.
6.7 Electronic data
Files containing electronic data must be password protected and stored on a secure network (not
a local ‘C’ drive) so that the security of the data is maintained. Workstations should be locked if
the user is leaving the computer unattended.
If electronic files containing personal data are saved in folders on a shared network, access
should be restricted to authorised individuals who have been allocated a password to allow
access to the data. Logins and passwords should never be shared, even with team members or
line managers, as this is a breach of the Computer Misuse Act (1990)(16).
If handling electronic files with direct identifiers, such as names and addresses, the following
should be observed:
a) Files containing direct identifiers should be separated from other trial data and saved in a
folder with access only to individuals who strictly need to see it for the purposes of
managing the trial.
b) Files containing direct identifiers should remain in only one location in a secure area of
the server and not be copied and saved elsewhere.
c) Files containing direct identifiers should not be transferred via e-mail or by other means,
except with the explicit consent of the participants (e.g. letters to their GP).
Patients’ identifiable data must not be stored on home computers, personal laptops, unencrypted
memory sticks, CDs, hand held devices, digital cameras or other imaging equipment even if they
are password protected. An encrypted memory stick may be used if required.
All personal data (whether pseudo-anonymised or anonymised) should be centrally backed
up on a secure server.
6.8 Transfer of data
All data transfers should be approved by the Trial Management Team and must be logged and
accompanied by a Data Transfer Form signed by the CTU staff member transferring the data and
then returned to the CTU countersigned by the recipient.
6.8.1 By post
Personal information being sent or received by post should be in a sealed envelope; it must be
clearly addressed to indicate who the recipient is (it could be a team of people). Audio or video
recordings of consultations or interviews should be labelled with unique study identifiers and sent
by registered post.
The transfer and receipt of paper based data should be documented to ensure a clear
audit trail is maintained.
6.8.2 Electronic data on CD or USB stick
If it is necessary to transfer data using CD or USB stick, the data sent on CD/USB stick should be
password protected and encrypted (e.g.: 256 bit encryption with WinZip 12.0), and sent by
registered post. (For further advice consult your local Data Management or Information
Technology team as appropriate).
A robust system logging the receipt of sent items must be in place either for a CD/USB
stick coming into the CTU or leaving the CTU – for example, by registered mail or courier,
requiring signature on delivery. As with electronic data, the data on the CD/USB stick should be
encrypted and password protected (e.g.: 256 bit encryption with WinZip 12.0).
Please refer to the NHS Information Governance Toolkit Good Practice Guidelines(17) for
further information regarding the encryption of data and management of removable media.
6.8.3 By e-mail
Identifiable data must not be transferred by e-mail unless the e-mail has been encrypted.
University e-mail is not encrypted by default. It is, however, possible to send queries/information
to sites provided that no identifiable data is included and patients can only be identified by a
unique study number.
Where data is to be transferred by e-mail, records of the transfer (purpose, date, time data
provided, and format) should be kept in the study documentation in order to provide a clear audit
trail.
The electronic transfer of data should only be done with the research participant’s explicit
consent and over secure channels. Data that are transferred over the Internet must be encrypted
and password protected to maintain security. The mechanism for transferring data must allow
secure transfer of data either via a client software application or via the World Wide Web.
Identifiable information that is not encrypted must not be sent via e-mail.
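The master-list separation described in section 6.5, with the section 6.8.3 rule (patients identifiable only by a study number) applied as a pre-transfer check, as an added Python illustration that is not part of this SOP; the field names, the study-ID format and the sample records are assumptions constructed for the example:

```python
"""Added illustration of SOP section 6.5 (pseudo-anonymisation with a separate
master list) and the section 6.8.3 rule that e-mailed data may identify
patients only by study number. Not part of the SOP; field names, the study-ID
format and the sample records are assumptions constructed for this example."""
from __future__ import annotations

# Direct identifiers named as key identifiable information in section 4.2.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "address", "date_of_birth", "postcode", "nhs_number"}
)

# Constructed sample records (fictitious people); keys are assumed field names.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "nhs_number": "000 000 0001", "date_of_birth": "1970-01-01",
     "postcode": "AB1 2CD", "site": "Site A", "visit_1_bp": "120/80"},
    {"name": "John Roe", "nhs_number": "000 000 0002", "date_of_birth": "1965-05-05",
     "postcode": "EF3 4GH", "site": "Site B", "visit_1_bp": "135/85"},
]


def make_study_id(trial: str, n: int) -> str:
    """Assumed study-ID format: trial prefix plus a sequential number.

    The number carries no information about the participant, so the study
    dataset cannot be re-linked to a person without the master list."""
    return f"{trial}-{n:04d}"


def pseudonymise(records: list[dict], trial: str) -> tuple[list[dict], dict]:
    """Split records into a study dataset and a master list (section 6.5).

    study_dataset: one record per participant with direct identifiers replaced
    by a study_id; this is what the trial team works with.
    master_list: study_id -> the removed identifiers; the single copy that is
    stored separately (locked cabinet / password-protected file).
    """
    study_dataset: list[dict] = []
    master_list: dict[str, dict] = {}
    for n, rec in enumerate(records, start=1):
        study_id = make_study_id(trial, n)
        identifiers = {k: v for k, v in rec.items() if k in DIRECT_IDENTIFIERS}
        study_rec = {"study_id": study_id}
        study_rec.update(
            {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        )
        study_dataset.append(study_rec)
        master_list[study_id] = identifiers
    return study_dataset, master_list


def leaked_identifiers(dataset: list[dict]) -> list[str]:
    """Direct-identifier field names present anywhere in dataset (expected: [])."""
    leaked: set[str] = set()
    for rec in dataset:
        leaked |= DIRECT_IDENTIFIERS & set(rec)
    return sorted(leaked)


def safe_to_email(dataset: list[dict]) -> bool:
    """Section 6.8.3 check: every record carries a study_id and no direct identifier."""
    has_study_ids = all("study_id" in rec for rec in dataset)
    return has_study_ids and not leaked_identifiers(dataset)


if __name__ == "__main__":
    study, master = pseudonymise(SAMPLE_RECORDS, "TRIAL")
    print("study dataset:", study)
    print("master list  :", master)  # keep separately, one copy only
    print("raw records safe to e-mail?  ", safe_to_email(SAMPLE_RECORDS))
    print("study dataset safe to e-mail?", safe_to_email(study))
```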
6.8.3.1 NHS e-mail
Users of NHS e-mail should check the security of their local system with their Caldicott Guardian.
• Internal e-mail should be secure if it stays on the local servers
• NHS net to NHS net e-mail (which ends with nhs.net) is secure as it stays behind the firewall
• Any mail coming to or going to a @....nhs.uk account is not secure as it goes through public
  servers
The sender should limit identifiable information to a minimum, and consider whether it needs to be
sent by e-mail at all. Care needs to be taken with the addresses and number of recipients, and
the likelihood of the e-mail being forwarded.
6.9 Breach of confidentiality
Occasionally records containing personal data which should not have been disclosed, e.g. a fax
containing hospital notes with a visible name attached, or an e-mail with a data file containing
identifiable details may be received by a member of CTU staff from an internal or external source.
In such situations, the member of CTU staff should contact the person who sent the data and
make them aware of the breach of confidentiality. The records received should be either promptly
deleted or any identifying details thoroughly erased (ensuring details on paper are not still visible
by holding the paper to light for example). Reference should be made to confidentiality
agreements for the relevant organisations.
All suspected breaches should be investigated, documented in the study file and reported to
the sponsor as appropriate.
6.10 Archiving
Source documents, and trial-related electronic and other data must be stored safely and in
accordance with the requirements of the Data Protection Act (1998), for a minimum of five years
or as stipulated by the Sponsor’s requirements, and the applicable regulations. (Refer to the
CTU’s Archiving SOPs.)
7. SUPPORTING DOCUMENTS
Number | Title
| Data Transfer Form
8. REFERENCES
(1) Data Protection Act (1998). http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
(2) Research Governance Framework for Health and Social Care, 2nd Edition (2005). http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4108962
(3) Home Office UK Border Agency. http://www.ukba.homeoffice.gov.uk/workingintheuk/eea/
(4) Human Rights Act (1998). http://www.opsi.gov.uk/acts/acts1998/ukpga_19980042_en_1
(5) Common Law Duty of Confidentiality. http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/browsable/DH_5803173
(6) Section 60 of the Health and Social Care Act (2001). http://www.opsi.gov.uk/acts/acts2001/ukpga_20010015_en_9#pt5-pb1-l1g60
(7) Section 251 of the NHS Act (2006). http://www.opsi.gov.uk/acts/acts2006/ukpga_20060041_en_19#pt13-pb4-l1g251
(8) National Information Governance Board for Health and Social Care. http://www.nigb.nhs.uk/
(9) NHS Scotland Information Governance. http://www.knowledge.scot.nhs.uk/ig.aspx
(10) Northern Ireland Department of Health, Social Services and Public Safety. http://www.dhsspsni.gov.uk/
(11) Northern Ireland Department of Health, Social Services and Public Safety, Code of Practice on Protecting the Confidentiality of Service User Information. http://www.dhsspsni.gov.uk/confidentiality-code-of-practice0109.pdf
(12) Information Commissioner’s Office.
http://www.ico.gov.uk/
(13) Caldicott Guardians. http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Patientconfidentialityandcaldicottguardians/DH_4100563
(14) Research Passport System Resource Pack. http://www.nihr.ac.uk/files/Research%20Passport%20Mar%202010/Research_Passport_Algorithm_of_Research_Activity_and_pre-engagement_checks.pd
(15) Wellcome Trust briefing: Towards consensus for best practice: Use of patient records from general practice for research (June 2009). http://www.wellcome.ac.uk/stellent/groups/corporatesite/@policy_communications/documents/web_document/wtx055661.pdf
(16) Computer Misuse Act (1990). http://www.opsi.gov.uk/acts/acts1990/plain/ukpga_19900018_en_1
(17) NHS Information Governance Good Practice Guidelines for the transfer of batched person identifiable data by means of portable electronic media. https://www.igt.connectingforhealth.nhs.uk/WhatsNewDocuments/GPG%20for%20the%20transfer%20of%20batched%20patient-identifiable%20data.doc
9. APPENDICES