The GDPR and health research

St George’s researchers will already be aware of the EU General Data Protection Regulation (GDPR) and the new UK Data Protection Bill, which will govern how we handle personal data after 25 May 2018. While we have learnt a lot about our obligations under the new regulations, researchers may not be clear about what these obligations mean for research. The SGUL Joint Research and Enterprise Services (JRES), Governance and Legal Assurance Services and the Research Data Management Service have come together to clear up a number of misconceptions about what the new regulations may mean for health and social care research. Read on!

It is not clear how the GDPR relates to health and social care research

GDPR has a broad scope beyond clinical research but does relate to all personal data which includes web search engines, social media, and much more.  Specifically, data required in research (and the way it is managed) would be within its remit. Identifiers such as name, addresses, date of birth, and electronic medical numbers all constitute personal information. However, the GDPR expands the personal data definition to include information such as location information, genetic data and IP addresses. In sum, any data that could potentially be used to directly or indirectly identify a person is considered personal data. In addition, pseudonymised data will now be considered personal data and therefore governed by the GDPR.

We will have to change all of our research processes to meet the requirements of the GDPR

As many, including the Medical Research Council, have already acknowledged, the GDPR reiterates many of the key principles of good research practice when handling personal data. Research, particularly health research, is governed by very strict guidelines and many of the mechanisms currently in place for assuring good practice can provide the safeguards needed to comply with the GDPR, for example, our ethics procedures and data management plans already address many of the requirements for privacy impact assessments and privacy by design. What we need to ensure is that all of our research is included in these processes, not just our funded research.

The GDPR will stifle research innovation

The GDPR ensures that innovation in health research can continue, but with the appropriate safeguards for data subjects. The new Data Protection Bill (which will replace the current Data Protection Act 1998) is currently going through parliament. This will direct the way the GDPR is implemented within the UK and any specific exemptions or “derogations”. It is widely accepted, but yet to be confirmed, that clinical research will have a number of related derogations to ensure that we are able to carry on normally with the business of improving and transforming health.

The research community will not be able to re-use/re-purpose data for future research

We are aware that it is not always possible to know all the ways research data could be processed when we are collecting it. The legislation also recognises this. Article 6(4) allows for further processing of personal data beyond the purposes for which it was collected, as long as those operations are considered ‘compatible’ with the original purpose under which consent was given, for example, medical research.

Further, secondary processing of data not collected for research, can subsequently be used for research, as long as appropriate safeguards are met and the processing is in the public interest. This means we can continue to access health data to better understand and treat health conditions.

I am going to have to re-consent participants every few years if I want to continue to hold their personal data

Consent is not the lawful basis on which our researchers hold and process personal data. As a public authority, we will usually process personal data for health and social care research as a ‘task in the public interest’, as such your participants may not need to be re-consented under the GDPR. However, under GDPR you will need to ensure you have been lawful, fair and transparent about the personal data you have collected and how it is managed. It is important to understand what information has been provided to your participants already and does this meet the GDPR requirements for transparency and accountability. This may require updates to your participant information sheet, or the addition of an information leaflet. The Health Research Authority (HRA) is working on consistent templates and wording to support researchers and sponsors have confirmed, if required, this would be a non-substantial amendment, that is, one not requiring formal ethics approval.

Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research. Therefore, consent continues to be required to meet the high ethical and research governance expectations we place on our researchers.

How can I be fair and transparent?

Being fair and transparent with research participants means respecting their rights and wishes, and ensuring their personal data is used in line with their expectations.  The GDPR requires that the information provided should be concise and easy to understand. If you want to retain information you should state the reason and allow the participant to make that judgement.

Organisations should also display corporate level privacy information about their research in locations where it will be noticed, for example links on website homepages and in waiting rooms. Linking this to your information sheets is a good way of ensuring participants are aware of our institutional role in research.

The JRES is working on updating template documents such as protocol templates and information sheets, to ensure appropriate guidance is provided and considered during the development of our research.

My funder expects me to make my data openly available at the end of my project, the GDPR will prevent me from doing this

The GDPR does not preclude data sharing, it only requires that data is shared responsibly and robustly. This has always been the case with data sharing. The GDPR only covers data that personally identifies a living person. Research that does not involve personal data is not covered under the GDPR and can be shared. The legislation also does not cover data that has been appropriately anonymised according to the ICO’s Anonymisation Code. This is what the ICO calls de-identified data for publication. There are also options to share de-identified data for limited disclosure or access. The ICO Anonymisation Code covers different forms of data publication and the Research Data Management Service is available to discuss your options.

A participant has requested to withdraw from the study but my data has already been anonymised and analysed; I have to start all over

In exceptional circumstances research participants are exempted from erasure if it is “likely to render impossible or seriously impair the achievement of the objectives of that processing” (Article 17(3)(d)). So you can continue to use this data in some circumstances. For data that has already been thoroughly anonymised, the GDPR does not apply.

The responsibility for GDPR compliance falls solely on project teams

The responsibility for compliance is corporate, that is, the organisation is accountable to the ICO, so it is important that researchers do not make decisions about legal compliance alone.

For St George’s University initiated research, we will usually be the data controller. This means we are responsible for outlining what data needs to be collected, why and how it is to be used/managed. For studies we collaborate in (where we are not the lead) we may be the data processor. In this instance, we are being directed on the data requirements and management.

If you are in doubt you should check as this is particularly important if a research participant asks you about their personal data rights.

 

We hope this post has helped you to get better acquainted with how the new legislation will affect our research activities. With regards to health and social care research, the GDPR maintains existing best practice and we should use this opportunity to evaluate our systems and procedures to ensure that we are indeed engaging in good practice.

Queries about the GDPR not covered here can be emailed to dataprotection@sgul.ac.uk.


If you are interested receiving updates from the Library on all things open access, open data and scholarly research communications, you can subscribe to the Library Blog using the Follow button or click here for further posts from us.

Advertisements

Library ♥ Wellbeing

June Wellbeing image just title

Tying in with 10 Days of Wellbeing programme (SGUL login required) run by St George’s Staff Development team, we are running a book swap in the library foyer from  Monday 20 June to Friday 1 July, to promote reading for relaxation and pleasure, as well introducing a new collection of books.

Book Swap in the library foyer from 20 June – 1st July

From 20 June – 1 July, we’ll be putting out a trolley of fiction books in library for you to enjoy.  St George’s staff and student are free to pick a book to read (initial collection kindly donated by Library staff)  and to drop off a book on the trolley for sharing with others.

Mood-boosting books – available from 20 June

We have also added a brand new collection of mood-boosting books for our users. This collection includes poetry, novels, essays and more, picked  from a list suggested by the Reading Agency. Keep an eye out for the display in the Library, the mood-boosting books collection will be available for borrowing from 20 June 2016.

moodboosting books horizontal
Some of the items in our new mood-boosting books collection

What books do you read for rest and relaxation? If you’re on Twitter, use #sgulwellbeing to let us know on Twitter . If you enjoyed a book from the book trolley we’d love to hear your comments.

AppSwap #04: Come and share an app – Weds 10 Feb at 10am

SGUL App Swap logoOur popular App Swap event is returning, giving students and staff the chance to come together to talk about apps that they like and use.

We’re delighted to have Dr Hamed Khan coming along to talk to us about Consult, a doctor’s reference app that he worked on with Univadis.

Here are some comments from our previous App Swap event in December where attendees came along to talk about ECG Genius, MedShr, OSCEasy and more:

“Very informative and thought provoking session”

“Engaging, learned a lot.”

“Thank you for a fantastic event. Thoroughly enjoyed it!”

When and where will it take place?

Time: Wednesday 10 February 10-11am

Location: John Parker Lecture Theatre, Atkinson Morley Wing

Who can join in?

All staff and students at St George’s and St George’s Trust staff who want to share or learn about apps.

Anatomy 4D on an iPad
Anatomy 4D on iPad

What kind of apps will be shared?

This depends on what attendees bring on the day. Previous apps that have been shared include: AIM, Anatomy 4D, RevisePsych, MedEdEthics, Forest: Stay Focused, The Genetics Counselling App, ManchEWS. Read our App Swap round up blog posts for more details.

Do I need to prepare a presentation?

No, the App Swap event is quite informal; just bring your own device along to show us the app you like.

How do I sign up?

Send an e-mail to kpang@sgul.ac.uk with the subject heading App Swap event. If you already have an app in mind, please mention the app. Places are limited to 15, so please book ahead.

Will there be refreshments?

Tea, coffee and water will be provided.

I can’t make the date but I’m interested in finding out about apps

We will be live-Tweeting the event from our @sgullibrary account using the hashtags #sgul #appswap and we’ll also archive the tweets in a Storify afterwards.

You can also visit our Mobile Resources Blog for app reviews.

Follow us on Twitter and Like us on Facebook to enter the Prize Draw

fresher's competition banner

The Library uses Facebook and Twitter to give you the latest Library news and promotions, join us to get the most up-to-date information about the Library services.  To give students a bit more of an incentive to follow us on Facebook and Twitter, we’re holding a competition.

*NEW PRIZE ADDED!    2 x £25  Honest Burger Vouchers*

To enter the draw: follow @sgullibrary on Twitter or like our SGUL Library Facebook page.  Double your chances of winning by doing both.

 

Terms and Conditions

1. One prize draw will take place.

2. Entry to the prize draw is restricted to one entry per student for liking the SGUL Library Facebook Page, and one entry per student for following @sgullibrary on Twitter.

3. Multiple entries will be disqualified.

4. The prize draw is open to St George’s, University of London students only.

5. The prize can only be collected in person from St George’s Library on production of a valid St George’s University ID card.

6. Winners will be chosen at random from all valid entries once the competition has closed on Monday 13th Oct 2014.

7. Winners will be contacted via Facebook or Twitter.

8. The Judges’ decision is final and no correspondence will be entered in to.

9. Winners will have their photos taken to be used in publicity on Library social media channels.

10. The competition will run from Tuesday 2 Sept 2014 until  Monday 13 Oct 2014.

BMJ Best Practice App – now available for Android

BMJ have released the Best Practice App on Android

To download as an Android app, click here.

If you want to download iOS (Apple) app, click here.

*Please note full content via the Best Practice app is only available to SGUL staff and students.

The BMJ Best Practice app provides access to:

  • Over 1,000 diagnoses and diagnostic tests
  • Clinical guidelines and research evidence, even when offline
  • Expert opinion to back up your decisions
  • Topics structured around the patient consultation, including prevention, diagnosis and treatment, with clear references and images
  • Personalisation features including options to add notes and bookmarks

***

The BMJ have changed the login page for the Best Practice App where it now asks for an ‘Institutional No’. This is an alternative way to log in which St George’s, University of London does not use. Please ignore this and log in to the app using your username and password as usual.

 

SGUL students get a chance to win a £20 Amazon Voucher

Win a £20 amazon voucher

The Library uses Facebook and Twitter to give you the latest Library news and promotions, join us to get the most up-to-date information about the Library services.  To give students a bit more of an incentive to follow us on Facebook and Twitter, we’re holding a competition.

To enter the draw: follow @sgullibrary on Twitter or like our SGUL Library Facebook page.  Double your chances of winning by doing both.

info on how to enter the prize draw

Terms and Conditions

1. One prize draw will take place.

2. Entry to the prize draw is restricted to one entry per student for liking the SGUL Library Facebook Page, and one entry per student for following @sgullibrary on Twitter.

3. Multiple entries will be disqualified.

4. The prize draw is open to St George’s, University of London students only.

5. The prize can only be collected in person from St George’s Library on production of a valid St George’s University ID card.

6. Winners will be chosen at random from all valid entries once the competition has closed on Monday 7th Oct 2013.

7. Winners will be contacted via Facebook or Twitter.

8. The Judges decision is final and no correspondence will be entered in to.

9. The competition will run from 3rd Sept 2013 until 7th Oct 2013.