
In order to comply with the consent that 100,000 Genomes Project participants have given, it is of paramount importance that users of the Research Environment take the security of the platform and its data very seriously. Genomics England will not tolerate users abusing their access, breaching any safeguards put in place, or otherwise endangering the security of confidential participant data.

Genomics England can ban an institution and all its researchers from accessing the Research Environment if a user deliberately breaches the security of the system. Any deliberate attempt by a researcher to reveal the identity of a 100,000 Genomes Project participant is a breach of the Data Protection Act, and could result in a criminal charge or heavy fine.

Your Security Obligations

Having completed Information Governance training before getting access to the research dataset, you should remember the following:

  1. You must not share your login details with others;
  2. Only carry out research on the research dataset - clinicians with access to the identifiable clinical data should join GeCIP to carry out research;
  3. Do not 'screenshot' the Research Environment or otherwise shortcut the Airlock;
  4. Prepare any material for Airlock import or export with consideration of its impact on data security (see the guidelines in the Airlock section of this site);
  5. Do not carry out any activity on 100,000 Genomes Project research data that may reveal any participant's identity;
  6. Inform Genomics England Service Desk immediately if you:
    1. observe other users endangering the security of the environment or dataset;
    2. fear you have breached the security of the environment or dataset;
    3. think your login details have been compromised.

The information below on the obligations of those providing, accessing and sharing research data is taken from pages on the UK Data Service's website. If you have specific questions about how it relates to the 100,000 Genomes Project, please don't hesitate to get in contact.

Duty of Confidentiality

In the UK there is a ‘duty of confidentiality’ that is based in common law and that occurs where confidential information comes to the knowledge of a person in circumstances where it would be unfair if it were then to be disclosed to others.

It applies only to information not already in the public domain. If an explicit statement of agreement has been made on the extent of the confidentiality to be afforded to the provider of the information, for example, in a consent form, this may constitute a contract. This need not be in writing. Disclosure of information subject to such a confidentiality agreement would constitute a breach of the duty of confidentiality and possibly a breach of contract.

The duty of confidentiality is not absolute and is not protected by legal privilege. Exceptions occur when:

  • The informant has consented to the information being used in specific ways, for agreed purposes, and by certain people
  • Researchers may be required to give up research data in response to a court subpoena, or to the police as part of an on-going investigation

Some relevant sections from the 100,000 Genomes Project consent form and supporting literature are:

...Once we’ve received your health information from the organisations holding it, only your clinical team and people who are involved in the project team have your name and other personal details. We need these so we can return your results to you. We may let your GP, or other medical staff who look after you, know you are taking part...

...We at Genomics England protect your data and control who has access to it. We will own all the data from this project...

...Researchers can only look at your data for approved scientific and healthcare purposes. Before they see data, we ‘de-identify’ it. This means we take out all names, dates of birth, NHS numbers and other personal details. We will monitor researchers looking at your de-identified data to check that they’re doing what they asked to do and no more...

...If anyone reveals your data on purpose in a way that identifies you, it is a legal breach (in other words, they have broken their contract with us or they have broken the law). Any person, institution or company that does this could face criminal charges or substantial fines. They could have their research funding stopped. We would also ban them from accessing the project again...

...Researchers may publish the results of their research in medical journals. They may also present their results at scientific meetings. It is important for scientists and doctors to share results to help research advance as quickly as possible. You will not be identified in any of this...

Data Protection Act

Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute 'personal data'.

The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and will also play a key role in managing and sharing research data.

The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:

  • Processed fairly and lawfully
  • Obtained and processed for a specified purpose
  • Adequate, relevant and not excessive for the purpose
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the rights of data subjects, for example, the right to be informed about how data will be used, stored, processed, transferred, destroyed; and the right to access information and data held
  • Kept secure
  • Not transferred abroad without adequate protection

Ethical Obligations

Ethical guidelines for research involving people are typically issued by professional bodies, host institutions and funding organisations. The six key principles of UK social science research ethics from the ESRC Framework for Research Ethics are:

  1. Research should aim to maximise benefit for individuals and society and minimise risk and harm
  2. The rights and dignity of individuals and groups should be respected
  3. Wherever possible, participation should be voluntary and appropriately informed
  4. Research should be conducted with integrity and transparency
  5. Lines of responsibility and accountability should be clearly defined
  6. Independence of research should be maintained and where conflicts of interest cannot be avoided they should be made explicit

 
