BU R&KEO SOP019 V1

Title: Data Management for Clinical Research
Effective Date: / Review Date
Author: Suzy Wignall, Clinical Governance Advisor
Approver:

1.Scope

1.1This Standard Operating Procedure (SOP)outlines the requirements under Good Clinical Practice guidelines, for the provision and availability of source data in studies sponsored by Bournemouth University (BU), in turn ensuring that data collection is valid and collected as set out in the study protocol. This document likewise describes the procedures for data management and the security of data held for research purposes, for BU-sponsored studies.

This SOP also outlines the 2018 General Data Protection Regulation (GDPR) stance on the collection and storage of personal data, and also special categories of personal data (formerly sensitive personal data under the 1998 Data Protection Act [DPA]) for the purposes of research.

2.Responsibilities

The Sponsor is responsible for acting as(one of) the Data Controllers under GDPR and for ensuring Investigators have access to and control of data reported to the Sponsor.

The Chief Investigator (CI/)Researcheris responsible for acting on behalf of the Sponsor in delegating data management. The CI or delegated individual is also responsible for reporting data breaches – see section 3.28.

The Clinical Governance Advisor (CGA) is responsible for ensuring that participating sites adhere to Good Clinical Practice (GCP) guidelines in the completion of data collection documents (Case Report Forms [CRF]), in accordance with the study protocol. The CGA is also responsible for carrying out source data checks, and raising data queries[SW1].

Theparticipating site Principal Investigator (PI) is responsible for delegating appropriate staff to the task of CRF completion.

The participating site research team is responsible for ensuring that CRFs are completed in an indelible way, with no blank sections, and that the source data is easily located and readily available for the purposes of study monitoring.

3.Procedure

Types of data, GDPR and requirements in holding the data

3.1GDPR does not change the common law which is not in statute. Under common law (i.e. confidentiality), any confidential information given whether about living, or deceased people, that is sensitive, identifiable, given with the expectation that it will be kept confidential, or is not in the public domain, can be shared within reasonable expectation (for example, a patient’s GP informing another GP at the practice of their medical history, in order to facilitate an appointment), and can be shared if it’s in the public interest.

3.2An organisation holding data must ensure that they are lawful, fair and transparent. Personal data differs to confidential data in that personal data is structured information, and only applies to living people.
It also depends on content and context. For example, by giving a date of birth, place of birth, postcode and gender, the internet may be used to identify the person in question, rendering it personal information, whereas if given without any means of investigating, the data is not identified as personal.

3.3Special categories of personal data (formerly sensitive personal data under the 1998 Data Protection Act), related to health, DNA etc., and almost all health research, will involve this type of data. The organisation must have a lawful reason to hold personal data and its special categories;however explicit consent for research does not act as a legal basis for this, as this is required through Clinical Trial Regulation and Good Clinical Practice (GCP) guidelines.
The lawful basis for holding this data would be that a reputable organisation that falls under the category of a public authority, is undertaking research in the public interest. The Medical Research Council has provided a guidance note regarding this, available here (and within the references section).

3.4There are safeguards in place according to GDPR (as with the 1998 DPA) as a minimum requirement for holding personal data:

  • There should be a public/legitimate interest in collecting and holding personal data, in the public interest;
  • You should only collect the data you needfor the research purpose, it should be pseudonymisedas a minimum, and collected via appropriate organisational and technical measures in order to meet data protection principles;
  • The research being conducted must not cause distress/damage, or relate to decisions about the data subject, i.e. their interests should be safeguarded/protected.

3.5Participants must be informed as to how the organisation is using their data in accordance with GDPR.They have the following rights, which they should be made aware of:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. Rights in relation to automated decision making and profiling.(General Data Protection Regulation (GDPR), 2018)

An institution conducting research will be exempt from most, if not all of these. For example, allowing the rectification of collected data will invalidate the overall study data and the results/publication.
However, the participant has the right to withdraw, and there should be information readily available to them in informing them what will be done with their collected data. According to GDPR, the withdrawal of their consent shall not affect the lawfulness of processing, which was based on their consent before withdrawal.

3.6According to GDPR, there must be a data controller in place. A controller is defined as ‘the natural or legal person, public authority, agency or other body which, alone, or jointly with other data controllers, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’(Vollmer, 2018). Research participants must be informed as to who the data controller is. It is most likely to be the Sponsor, with the researcher as another data controller.

3.7It is recommended that broader consent is sought and obtained at the beginning of a participant’s study journey, in that the participant consents to the future use of their data once the study has ended. This then ensures transparency under GDPR. If the researcher wishes to use the personal data for a further purpose then the participant must be informed prior to this further processing. In all studies, the researcher should consider data minimisation.
3.8Data may be collected directly from a participant via a questionnaire, for example, however it is not permissible to assume consent, and there should be a statement surrounding informing participants that the commencement of activity constitutes their consent to participate.
If the researcher asks for the participant’s consent to receive personal data held by a controller for which the researcher works, then this would count as obtaining data directly from the participant. At the time of collection, the controller must:

  • Inform the participant of the identity and contact of the controller;
  • Give the contact details of the data protection officer where applicable;
  • Outline the purposes of the processing of this personal data, as well as the legal basis for the processing;
  • Inform the participant where the processing is based;
  • Clarify whether the data will be transferred to a third country or international organisation;
  • Clarify how long the personal data will be stored for;
  • Inform them of their rights (see point 3.5);
  • Whether the provision of the personal data is a statutory or contractual requirement;
  • Inform them of their right to lodge a complaint with a supervisory authority.

If a researcher is employed elsewhere, for example at BU, and asks for data held by another controller, e.g. an NHS Trust - then they have not obtained the personal data directly from the participant, even though the consent to access it has been obtained. It has been obtained indirectly.
In this case, the participant will have been supplied with relevant information by the original data controller that is supplying the data to the researcher. The receiving controller must provide information under Article 14(Vollmer, 2018) of GDPR and may do so via a study website, for example.

However, the information need not be providedif the data is being processed using technical and organisational measures, ensuring that the data is psuedonymised and the research activity is conducted without the use of identifiable data

AND
- The provision of information to the participant would be impossible or involve disproportionate effort (e.g. the number of participants to inform), OR

- The provision of the information would significantly impair the achievement of the research objectives, or render it impossible.

Transparency

3.9Information, in order to be transparent, needs to be clear, concise, accessible and layered. The information should also be tailored to the needs of the audience and supplied by appropriate means such as in writing or video.

3.10If data is anonymised, then the organisation does not need to supply information regarding transparency to their research participants. The organisation however must justify their decision around transparency under GDPR.

Data collection for studies sponsored by BU

3.11The study protocol must clearly specify what data is to be collected for the purposes of the research study, through use of Case Report Forms (CRF). The document must also signpost where the data is to be kept, and whether there are any electronic systems to be used for the purposes of the study and data collection.
3.12As with essential documents, the protocol should set out the archiving requirements for collected data and source documents. Identifiable data must not be retained longer than is necessary, as per the study protocol, requirements set out by the funder, the Research Ethics Committee (REC), and other approval or regulatorybodies. See BU R&KEO SOP001.

3.13The participant data should be pseudonymised in accordance with GDPR, with the screening/enrolment log(s) being kept separate to the data used for trial analysis. The data recorded for screening and enrolment purposes within the Investigator Site File (ISF) should include as little identifiable information as feasible.

3.14With regard to data security, electronic systems should have restricted access as required for the study, and in accordance with the delegation log. A full record of those authorised to use the system, should be filed in the Trial Master File (TMF), alongside their access levels.

3.15On paper CRFs, if a mistake is made, then the staff member completing the form should cross out with a single line (so that the original value is visible), initial and date the error. Within electronic systems, there must be an audit trail function, to show any changes made to electronic data, after initial entry.

3.16Paper CRFs must be version controlled, dated and paginated. At the top of each page there should be space for the participant I.D. and the data requested should be in accordance with the study protocol.
3.17Delegated staff members should complete paper CRFs in black ink and the use of correction fluid, or equivalent is not permitted.
On the CRF, no box should be left blank. If the data item is not available, applicable to the participant, or it relates to a test/procedure not carried out, then the box should be completed as N/A, N/D (not done) or N/K (not known). Should any data be missing, inconsistent or implausible, then the Sponsor may raise this as a data query with the site.

3.18CRFs should only be completed and signed by the staff members delegated this duty on the delegation log. An exception to this rule would be in the case of reporting Serious Adverse Events via the dedicated CRF, due to the requirement for immediate notification to the Sponsor, in accordance with GCP guidelines.

3.19Electronic systems should reflect the layout and design of paper-based documents. They should also include functions pertaining to data validations, range checks, and consistency checks.

3.20At the end of a study and once any outstanding data queries have been resolved; the data will then be locked, preventing further changes by the site(s). The data should be quality checked, and will then be analysed by the designated statistician. If the data is being exported for statistical analysis, then the data must be fully anonymised.

Providing information to participants/data subjects

3.21When collecting data from a research participant, the data controller must give them the following information (HRA, 2018):

3.22When a participant’s personal data has been collected but then the controller intends to further process the data, for a different purpose, then the participant must be given information about the further purpose, before any data is processed. For example, the researcher may wish to use the data from a clinical audit for research purposes.

If the information regarding further processing is the same as the information given for the original processing, then the data controller need not give the participant the information again. Information given to participants should be precise, but should not restrict the possibility of further research using their data in the future.

3.23When a researcher is using personal data obtained from other sources, they must provide the participant/data subject with the information in the table above, as well as the source from which the personal data will be obtained. If applicable they should identify whether it came from a publicly available source. An example of this situation would be a postgraduate researcher working on behalf of a university data controller, obtaining data from NHS medical records.

The new data controller should give this information within a reasonable period:

  • within one month;
  • or, if the personal data is to be used in contacting the participant, by the time of contact;
  • or, if disclosure to another recipient is foreseen, by the time the personal data is shared.

Source data
3.24The location(s) from which data is collected must be identified. During monitoring visits, the validity of data is checked, by reviewing CRFs alongside participant medical records.

3.25If the data is collected from the patient directly or via a study diary for example, then this needs to be documented in the medical record. Similarly, if the data is taken from an electronic system, this is the source, and so the information should be signposted within the study visit/procedure written account (in the medical record) to which the CRF corresponds.

3.26Print outs of documents from electronic health record systems are acceptable; however they will be identified as a certified copy of source data rather than source data itself. A certified copy is defined as a copy of the original record that has been verified (e.g. by a dated signature), to have the same information, including data that describe the context, content and structure, of the original.

Data Management

3.27At BU, there are various systems that fall under Research Data Management, and the researcher is responsible for ensuring that the results of their study are made ‘open access’ once their study has come to an end. The Bournemouth Online Research Data Repository (BORDaR ) is a secure and open access system that acts as a home for data arising from individual projects. More inform may be found via BU’s Research Data Policy.

3.28In the event of a data breach, then the CI or delegated individual is responsible for reporting this breach via the BU IT Service Desk mailbox or phone line. This will then be escalated as appropriate to the Data Protection team for escalation to the Information Commissioner’s Office.

4.Abbreviations and definitions

CGAClinical Governance Advisor

CIChief Investigator

CRFCase Report Form

DPAData Protection Act

GCPGood Clinical Practice

GDPRGeneral Data Protection Regulations

GP General Practitioner

ISFInvestigator Site File

PIPrincipal Investigator

RECResearch Ethics Committee

TMFTrial Master File

5.Related documentation and references

BU R&KEO SOP 001 – Archiving Clinical Research Records

BU R&KEO SOP 022 – Case Report Form Design

BU Data Breach link -

BU Research Data Policy -

General Data Protection Regulation (GDPR). (2018). Chapter 3 – Rights of the data subject | General Data Protection Regulation (GDPR). [online] Available at: [Accessed 17 Apr. 2018]

Health Research Authority.(2018).Transparency. [online] Available at: [Accessed 31 May 2018]

Mrc.ukri.org. (2018). [online] Available at: [Accessed 17 Apr. 2018]

Vollmer, N. (2018). Article 4EU General Data Protection Regulation (EU-GDPR). Privacy/Privazy according to plan.. [online] Privacy-regulation.eu. Available at: [Accessed 17 Apr. 2018]
Vollmer, N. (2018). Article 14 EU General Data Protection Regulation (EU-GDPR). Privacy/Privazy according to plan.. [online] Privacy-regulation.eu. Available at: [Accessed 17 Apr. 2018]

Page 1 of 8

[SW1]Or is this the CI/Researcher?