Data Protection

How to guide: Data protection

It is understandable to be nervous about data issues around research, including GDPR  (now UK GDPR). Research can often require the sharing of information and it can be difficult to know what you can and cannot do. This guide attempts to summarise some of the key points but there is a lot of other guidance available (links below in Appendix 1) if you want to read more. You can also contact research@bradford.nhs.uk and we will be able to advise you.

Key information you should be aware of:

• A practice is the data controller for its patient record system. However, data can also have a second controller (the research sponsor) when extracted for use in research, and when data is created for a research project (e.g. a new measurement is taken or a research activity is recorded on a research document), then the sponsor is the data controller for this data.

• Practices must be transparent and open with patients about how patient data is used and shared.

• If you are undertaking research in your practice, you should mention this (and give detail) in your privacy notice.

• You must support and respect the national data opt out. Practices have been required to comply since 31 July 2022. Automated services are available to make this easier to implement. There are cases where the opt-out does not apply, for example where a patient has consented to participate in a particular study.

• You should only undertake research studies which have Health Research Authority (HRA) approval. This means any data sharing has been considered and agreed to be acceptable.

• Studies must be conducted according to the approved study protocol, which should ensure compliance with applicable data protection and confidentiality laws.

• Studies which are not ‘research’ but service evaluation or quality improvement, do not require HRA approval, so in these cases you may wish to seek advice (contact research@bradford.nhs.uk in the first instance).

• You may have access to a Data Protection Officer (DPO) from the ICB and/or federation who can provide advice.

• It is worth noting that DPOs may not be familiar with research and the national approval processes. The HRA guidance will be the best place to consult for research-specific advice: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-detailed-guidance/.

Full guide

This guide relates to research which has approval from the HRA. The HRA takes responsibility for reviewing and approving, amongst other things, the use and sharing of data. A practice can be assured that the data activities described in the approved study documentation have been confirmed as acceptable – so a researcher (or any members of the practice team) acting in accordance with the study protocol is approved by the national body.

In this guide, we address key points you should know and what actions you must take. We also give links to read more, and practices can always contact us to ask any questions. This guide also gives information about projects which are not managed as research.

Some useful training can be found here: https://byglearning.com/mrcrsc-lms/course/view.php?id=71 (an account is required but can be created via this link for free).

Data controller

Although the practice is the data controller of the patient record system, if data is extracted for or by a research study or created in the process of the research, then the research sponsor of the study is the data controller of this data for the purposes of research. If data is created by a member of the practice team (e.g. for completing a case report form (CRF)) for the purposes of research, then the research sponsor is the data controller and the person completing the form is the data processor.

You can read more at: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/data-controllers-and-personal-data-health-and-care-research-context/

Privacy notice

If you are undertaking research in your practice you should mention this in your privacy notice, to be displayed on your practice website as well as in your practice, particularly if you produce information for new patients joining the practice. The law says that you must be transparent about data that you collect from patients. You should explain what you are collecting and sharing, why and how, and how patients can object (it is not sufficient to just say ‘research’ – e.g. the practice team may look at your record to determine whether you are suitable to be invited for a research study.) The notice should explain enough that the patient can understand what is being done and there should be no surprises. If someone other than practice staff will have access to any records, then this should be mentioned in the privacy notice.

The practice should think about means of communicating the privacy notice to patients – for example a text message campaign or recorded message on the phone system, which could direct patients to read the notice on the practice website.

The BMA produces templates and posters you can use, so you can be confident that these meet legal requirements: https://www.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/gdpr-privacy-notices-for-gp-practices.

Action: Make sure research is mentioned in your privacy notice and displayed/communicated to patients. You should clearly explain what will be done with a patient record.

National data opt-out

The national data opt-out gives patients the opportunity to opt out of the use of confidential patient information for use in planning and research. That means that if you share data for research, the practice is responsible for ensuring that people who have opted out are removed from that data. You must exclude patients who have indicated an opt-out. The data opt-out does not apply where the patient has individually consented to take part in a particular study (and in some other circumstances). Patients who have opted out of their data being shared for research can still be invited to participate in studies by the practice team, however you must not disclose patient data to a third party (e.g. research team) without excluding patients who have opted out. 

The national data opt-out is now mandatory (from 31 July 2022).

The national data opt-out is now the primary means of patients opting out of data sharing for research and planning, rather than type 1 and type 2 opt-outs. People who expressed a previous Type 2 opt-out have been converted to the new system. Type 1 opt-outs can still be applied at practice level.

Parents/guardians can also make the same choice on behalf of a child under 13. Children over 13 can opt out for themselves.

Opt-outs do not apply in the following cases:

• For a patient’s direct care;

• Where a patient has given their consent to the specific research and to the sharing of data [this does not extend beyond what they have consented to in the specific study];

• In a small number of cases using section 251 approval (see below);

• For data which has been fully anonymised under ICO guidance (see section on anonymisation below);

• For aggregated data.

Opt-outs do apply where:

• Data is being shared for purposes outside of direct care and none of the above applies;

• Section 251/CAG approval is in place (see section below).

Opt-outs continue to apply after death, but do not apply retrospectively, so will not need to be applied for data that has been previously shared.

Action: Practices must:

• Put in place a system for applying data opt-outs. Even if you do not currently have any data which requires checking of the opt-out, you need to be ready to implement a solution in case a situation occurs for which the opt-out check is needed.

Practices are recommended to:

• Register for MESH , a system which allows NHS numbers in any data request to be checked against national data opt-outs held in the SPINE: https://digital.nhs.uk/services/message-exchange-for-social-care-and-health-mesh

Implementing the data opt out:

• Every time you are asked to share confidential patient information, you will need to use a service like MESH to compare NHS numbers with the opt-out list. When you send a list via MESH to the National Data Opt-out Service, you will receive back a list with the opt-outs removed.

• You must remove the entire record of any patient who has an opt-out from any data you share or use for research or planning purposes.

• Practices must check all requests against the opt-out list.

• Researchers asking to view a patient record with consent, should share with the practice a copy of the consent form or other evidence of consent (consent overrides any opt-out).

• If you re-run a search for any reason (e.g. follow up mail-outs) you may need to re-check against the opt-out list.

You can read more about the technical solution for implementing the opt-out online: link

See https://digital.nhs.uk/services/national-data-opt-out/compliance-with-the-national-data-opt-out for details on complying with the opt-out.

The following training from e-Learning for Healthcare is useful if you have any further concerns. You need to register for an e-LFH account if you don’t already have one: https://www.e-lfh.org.uk/programmes/national-data-opt-out-training/

Participating in a research study

Your practice may be invited to be involved in research studies and should bear in mind the following:

• Studies are reviewed and approved by the Health Research Authority (HRA) and Research Ethics Committee (REC) where applicable. If you receive a study you should ask to see the HRA approval letter and an approved study protocol which will detail all activities.

• The HRA considers all issues relating to data, including data sharing.

• The HRA recommends that studies use template agreements, including data sharing agreements. Practices can be confident in the use of template agreements as these agreements have been reviewed by legal representatives and approved.

• Studies must be conducted in accordance with the study protocol (this is an HRA-approved document) and practices and study team who are working in line with an approved protocol can be assumed to be acting in accordance with all legislation.

• If a study does not have a letter of HRA approval, practices should contact the WY R&D team (research@bradford.nhs.uk) for advice.

Access to patient data

If any researchers ask to access your practice or practice record system, it is the practice’s decision whether to allow this. You should bear in mind the following:

• A researcher should have a Letter of Access (see staff guide), issued by the ICB WY R&D team. This provides assurance that the researcher has appropriate qualifications and approvals for accessing data.

• A researcher should only have access to the data which allows them to carry out the research, so should be restricted.

• A researcher may need a smart card to access the system, which can usually allow their access to be restricted.

• Researchers may not use another practice staff member’s smart card.

• When allowing access, you should ensure that any researcher is aware of, and willing to comply with, NHS Information Governance requirements. Researchers should be held to the same standards as any NHS staff when it comes to information governance, so practices may wish to use the same training as they use with any new staff member, or ask them to read this guidance and/or undertake training such as: https://www.e-lfh.org.uk/programmes/information-sharing.

• Contact https://digital.nhs.uk/services/registration-authorities-and-smartcards/care-identity-service for advice on smart cards.

• Researchers should return smart cards after the research project finishes, and/or their access to patient records should be terminated.

• Information on allowing access to electronic patient records for researchers can be found here: https://www.gov.uk/guidance/on-site-access-to-electronic-health-records-by-sponsor-representatives-in-clinical-trials

Action: Ask to see all researchers’ letters of access if accessing patients or data.

Patient Identifiable Data before/without consent

In most cases, where studies involve accessing patient identifiable data before consent (e.g. for the purposes of inviting a patient to participate in a study), then this may only be accessed by someone who is a member of a patient’s direct care team.

‘Member of the direct care team’ usually means a member of staff at the practice, or in some cases where there are groups of practices, it could be a member of staff at another practice in the Primary Care Network (PCN), or someone employed by the federation, if they can meet the following criteria:

• A person who has a legitimate relationship with the patient;

• Someone who has access to the patient’s record as part of their existing role.

In these cases, there should be a formal employment contract or data sharing arrangement between the person and their employing organisation, and this access should be mentioned in the practice's privacy notice.

A study’s plans for any access to patient data before consent should be outlined in the study protocol, and this has been reviewed and approved by an ethics committee and the HRA – so by following the study protocol practices can be assured that the way of working is approved. In case of any concerns, contact WY R&D. If a study team requests to access data using methods not outlined in the study protocol, then you can also contact WY R&D for advice.

Projects which aren’t managed as research

Projects may (under specific conditions) be managed as service evaluation, audit or quality improvement, which may mean they do not require formal research approvals.

• If a project is only assessing existing care, rather than introducing a new treatment, or testing a hypothesis, then it can class as evaluation or audit.

• If a project randomises participants, then it must be managed as a research project and apply for HRA approval.

• If you would like reassurance that a project is not research, you can direct the project leaders to contact WY R&D (research@bradford.nhs.uk) and we will assess the project and can issue a letter confirming this. Any questions you may have feel free to contact us or direct the team to contact us.

Freedom of information (FOI) legislation

ICB FOI requests can be made here: https://www.westyorkshire.icb.nhs.uk/contact/submit-information-request. Research information may be exempt from Freedom of Information legislation, if the release of the information may prejudice the continuing research and/or publication. If you receive a freedom of information request, contact the ICB governance lead for further advice.

Appendix 1

Further information to help with queries or concerns about data for research

You may get queries from patients or staff about participating in research studies, so below is some further information. It is not expected that practices need to be familiar with the below, but practices may have concerns and queries, so this information is provided for reassurance. In addition, the HRA, WY R&D and CRN are all available for any further queries. Your practice may also have access to advice from a DPO (usually provided by the federation or ICB) – please bear in mind that research is a specific case in terms of data protection law, so DPOs may not be familiar with all of the detail in research and you may wish to seek advice from research@bradford.nhs.uk.

Section 251 (also known as Confidentiality Advisory Group or CAG approval)

• Section 251/CAG approval may apply to research projects which need to access patient identifiable data without or before consent. Researchers have to apply for this approval alongside their other applications.

• Most research projects cannot get this approval, if the Confidentiality Advisory Group considers that they could access the data in another way. Section 251 is there for the purposes of enabling research which cannot feasibly be achieved if there was a requirement to obtain consent from every participant.

• A section 251 exemption does not require a practice to process/share the data, but gives a legal basis to enable your practice to participate in the research.

• You should ask to see a copy of the CAG approval letter.

• This is something that the research study would undertake, rather than something the practice needs to do. It will form part of study approvals and usually would need to be put in place at the planning stage.

Anonymised/de-identified or pseudonymised data

It is best practice to minimise the sharing of personal confidential data and this will mean using anonymised data where possible or reducing the number of identifiers shared.

Data which is truly anonymised is not subject to GDPR, but care should be taken when referring to data as ‘anonymised’ as it is often not fully anonymous and can be reidentified with either existing knowledge or if in conjunction with other information. The term ‘de-identified’ is sometimes used to denote data which has had identifiers removed.

If asked to produce de-identified data, practices must:

• Be confident that the risk of being able to reidentify any participant is very small (note the risk is never zero but should be as low as possible)

• Consider suppressing numbers of 5 or less

• Follow guidance from the ICO.

Anonymisation/de-identification should happen in the practice and be carried out by someone legitimately allowed to view/process the data (usually a member of the direct care team) before it is sent to an external researcher.

• Data are often pseudonymised – which applies to any data which has a pseudonym applied to allow data to be matched up with other sources. The NHS number is an example of a pseudonym, or a study ID number.

• Pseudonymised data does not class as anonymised under ICO guidance.

• Often it is necessary for a study team to be able to reidentify participants, for example when if there is a safety concern, there needs to be a way for the research team to identify which treatment(s) a patient has received. Or if a patient requests to be withdrawn from a study, their record will need to be identified in order to remove it.

• If someone has access to the pseudonymisation ‘key’, or other additional information (for example postcode), they could feasibly identify the person. Access to the pseudonymisation key must be closely restricted – this should be detailed in the protocol.

• A practice should be assured that the security measures used will reduce the possibility for re-identification. 

COPI notice

The Control of Patient Information (COPI) notice, which allowed organisations to share patient data to support the COVID-19 response, including research, has now expired. Any research which was using this notice as its legal basis for sharing, must now have an alternative legal basis for this. Practices must ensure that any data they share has a legal basis for doing so. If they are not sure they should query this with the study team, the ICB Data Protection Officer, or the ICB research team: research@bradford.nhs.uk.

A new notice has been issued under COPI regarding COVID-19 information through the OpenSAFELY data analytics platform https://www.gov.uk/government/publications/covid-19-notification-to-gps-and-nhs-england-to-share-information.

Sharing data between the UK and other countries

There may be cases where personal data is shared with other countries as part of a research project – for example storing data in another country including perhaps using servers located in another country. This is permitted with other EU countries, and also Andorra, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. If the project is sharing data with any other countries, you may wish to read more about this.

There is a more problematic issue, if your practice is involved in any research projects which involve receiving data from the EU (or other countries). This is unlikely as most of the time practices are involved with the use of their own data.

The EU and UK have come to a ‘data adequacy decision’ which allows the free flow of data between the UK and EU. This means that the EU has agreed that the UK data protection safeguards are enough to allow data to flow between the EU and UK the same as between EU member states.

You can read more at:

• https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/guidance-health-and-social-care-researchers-end-transition-period/

• https://www.gov.uk/guidance/using-personal-data-in-your-business-or-other-organisation

• https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/

Glossary of Acronyms and Terms

• CRN - Clinical Research Network

• ETC - Excess Treatment Costs

• PIC - Participant Identification Centre

• OID - Organisation Information Document

• GDPR - General Data Protection Regulation

• DPO - Data Protection Officer

• ICO - Information Commissioner's Office

• COPI - Control of Patient Information

• LoA - Letter of Access

• PCN - Primary Care Network