Patient identifiable information - guideline

Introduction

The purpose of this guideline is to help trials teams understand the issues relating to collecting patient identifiable information, and to explain what types of information could justifiably be collected under what circumstances. Note that the Research Ethics Committee is to approve the types of patient identifiable information scheduled to be collected for each individual trial, and its view may differ from that captured in this guideline.

Definitions

Anonymised information / This is information which does not identify an individual directly, and which cannot reasonably be used to determine identity. Anonymisation requires the removal of name, address, full post code and any other detail or combination of details that might support identification.
Confidential data / In the University of Birmingham, confidential data is defined as information likely to cause significant harm to the University’s reputation, assets or ability to meet its legal and contractual obligations if revealed outside of the intended audience. Usually available only to a small number of identified individuals. See also the IT governance guidelines for information handling (reference below).
Patient identifiable information / Key identifiable information includes:
patient’s name, address, full post code, date of birth;
pictures, photographs, videos, audio-tapes or other images of patients;
NHS number and local patient identifiable codes e.g. hospital number;
anything else that may be used to identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified.
Personal data / Data which relate to a living individual who can be identified—
from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
Pseudonymised information / This is like anonymised information in that in the possession of the holder it cannot reasonably be used by the holder to identify an individual. However it differs in that the original provider of the information may retain a means of identifying individuals. This will often be achieved by attaching codes or other unique references to information so that the data will only be identifiable to those who have access to the key or index. Pseudonymisation allows information about the same individual to be linked in a way that true anonymisation does not.
Rare disease / In the EU, a life-threatening or chronically debilitating disease – mostly inherited – affecting fewer than 5 people in 10 000.

Governance framework relating to data protection

Data protection is governed via a large framework of statutory provisions. The key areas of law are listed below:

Common Law of Confidentiality:

This is built up from case law and the key principle is that information confided should not be disclosed or used without the confider’s permission unless as originally understood by the confider. In exceptional circumstances legislation and judgements can be made which override confidentiality.

Administrative Law:

The Administrative Law governs the actions of public authorities ensuring they possess the power to carry out their intended actions and that actions are undertaken for the purpose for which that power was created.

Data Protection Act 1998:

The Data Protection Act provides a structure which governs the processing of information that can identify living individuals and that covers all types of media including paper and images. The Act contains 8 principles which define the standards for information handling.

The Human Rights Act 1998:

The Human Rights Act establishes the duty to protect the privacy of individuals and the confidentiality of their health records. Compliance with the Data Protection Act 1998 and the Common Law of confidentiality should satisfy Human Rights requirements. Any proposal for setting aside requirements of confidentiality through legislation must comply with the Human Rights Act 1998.

Health and Social Care Act 2001: Section 60:

Makes it lawful to disclose and use confidential patient information in specified circumstances where it is not feasible to satisfy common law confidentiality obligations. This is intended as a transitory measure until recorded consent or anonymisation can be established.

The Caldicott Principles

In 1997 the Caldicott Report was published to make recommendations regarding patient confidentiality and ways the NHS can improve its handling of patient identifiable information. The Committee produced six principles which all NHS organisations must adhere to and which govern the use of patient identifiable information. All organisations are also required to have a Caldicott Guardian who oversees access to patient identifiable information.

The six principles are:

Justify the purpose

Do not use patient identifiable information unless absolutely necessary

Use the minimum necessary patient identifiable information

Access to patient identifiable information should be on a strict need to know basis

Everyone should be aware of their responsibilities

Understand and comply with the law

Guidelines

Information sheet and consenting

The trial specific information sheet must address the types of patient identifiable data that may be collected from the subject, where it will be sent to (including any third parties) and what will happen with it thereafter. It is important to ensure explicit consent has been obtained for this information to be collected, and that the Research Ethics Committee has been made aware of the types of patient identifiable data to be collected as part of the ethics application process.

Use of patient identifiable information to identify trial subject:

It is expected that each subject would be assigned a unique trial number, and that the trial number together with the subject’s initials would be used to identify the subject when communicating with the site.

The amount of patient identifiable information required to identify a trial subject will depend on the number of subjects expected to be recruited in the trial, and at each site. Having a larger number of subjects in a trial and/or at a site will increase the chance of subjects sharing the same patient identifiers. In such cases, having multiple patient identifiers will allow for a better check to ensure the correct subject is identified.

Date of birth:

The additional use of subject date of birth could be justified for larger trials as a standard patient identifier. In these larger trials, subjects may have the same initials, and having the date of birth will provide a third checkpoint to ascertain the correct subject has been identified. These details may be collected on each CRF page to identify the subject’s CRF pages.

Note that the date of birth may also need to be collected for research purposes (e.g. where age is a data point), or for safety reporting (e.g. where a subject experiences a Serious Adverse Event). In these cases it is expected that the date of birth would be collected as a data field, and not as a standard patient identifier.

Local patient identifiable codes e.g. hospital number, histopathology number or GP EMIS number:

Local patient identifiable codes may be required in specific situations. One example is where tissue blocks are to be sent from the site’s pathology department. In this case the pathology department may require the patients’ hospital number to identify the correct tissue samples. Another example is when a trial is scheduled to enrol 1000 subjects or more; in this case a local patient identifiable code may be collected to ensure correct subject identification.

Patient’s NHS number

The NHS number is a unique patient identifier which carries a higher risk to patient confidentiality; regardless of their location, individuals who have access to an NHS network will be able to retrieve patient confidential information using the NHS number only.

The NHS number may be collected where this number is required for facilitating long term follow-up using external registries, e.g. the NHS Information Centre. In addition, some grant bodies, e.g. NIHR and Cancer Research UK, may request that the NHS number be collected; this would typically be listed in their Terms and Conditions.

Where the NHS number is collected, it should be collected only once, at subject registration/randomisation, preferably over the phone. The NHS number should then be stored securely within the coordinating centre, e.g. on a protected trial database.

Patient’s name, address, full post code etc.:

This may be collected where the coordinating centre takes on responsibilities for sending out questionnaires directly to the subject. This may be done where subjects are not seen by their health care professional at the time the questionnaire is due to be completed, or to reduce resource impact on the site staff. This may also be collected where subjects are contacted directly for long term follow up assessments, again to reduce resource impact on the site staff. To allow for long term follow up using the NHS Information Centre the subject’s name and address would be required in those cases where the NHS number cannot be obtained from site (e.g. at GP practices).

These details are expected to be collected only once, at subject registration/randomisation. It is strongly recommended to capture the information over the phone. The information must be kept on a protected database in the coordinating centre.

Note that where subjects are contacted directly by the coordinating centre, caution should be taken with regard to revealing the purpose of the contact to the outside world. The subject may participate in research as a result of an illness they would like to keep private. For example, do not print the trial logo or trial acronym on the envelope, or mention these details to anyone other than the subject when contacting by phone. The same holds for return address details; ensure these do not contain information that may reveal the context of the research.

This degree of detail may also be collected on laboratory reports, images of subjects and the like that are sent to the coordinating centre for central review, or on blood samples or tissue blocks sent to laboratories for analysis. All efforts must be made to have the information blinded with only trial number (for smaller trials) and initials and date of birth (where used, e.g. for larger trials) before it is sent to the coordinating centre or laboratory. Where this is logistically not feasible, it needs to be made clear in the protocol or other trial specific documentation (e.g. tissue collection guidelines) how this information is collected, and where any blinding may be done instead. Where the coordinating centre takes on the responsibility for blinding, it is strongly recommended to blind any data upon arrival at the coordinating centre.

Use of quotes, pictures, photographs, videos, audio-tapes or other images of subjects

Efforts should be made to blind the data where possible. The preferred option is for sites to take on the task of blinding the information. Where this is logistically not possible, e.g. as they are not part of the data flow, the coordinating centre could take on the role of blinding before the data is used for analysis. It is strongly recommended to blind any data upon arrival at the coordinating centre. The method of blinding and/or lack of blinding must be clearly stated in the trial protocol or any other trial related document, and in the ethics application form. It should also be clearly stated in the information sheet.

Where any of the above is used for publication purposes, e.g. photographs in newsletters, specific consent must be obtained beforehand.

Sending confidential information to the coordinating centre / third parties

It is recommended to use a secure method of post, e.g. double wrapping the information, i.e. in an envelope clearly marked ‘confidential’ and ‘for the attention of...’, which is placed in a similarly marked outer envelope. This provides extra protection should the envelope be opened by somebody else by mistake.

A “Safe Haven” fax could be used; this is a dedicated fax machine in a restricted area that is checked regularly to ensure no sensitive data is left unnoticed.

Transfer of data via E-mail is considered insecure, unless messages can be encrypted. The encryption key should be sent via a separate route.

For transfer of data sets containing any patient identifiable information, personal data or confidential data to third parties (e.g. regulatory agency, sponsor, drug companies, funders, ...) a contract with the third party should be put in place to clarify how the data will be processed at the receiving end. The University’s Contracts Office will liaise with Legal Services and the University’s Chief Enterprise Architect based in the University’s IT services.

The dataset(s) must be encrypted before being sent to the third party; the preferred method is using an encrypted file transfer. The encryption key has to be sent to the third party via a separate route. It is also possible to use public key encryption.

When confidential information is accidentally sent to the coordinating centre:

It may well happen that the site accidentally sends or E-mails documentation to the coordinating centre that contains patient identifiable information that otherwise would not be collected. Where this happens, the coordinating centre must remove the patient identifiable information, labelling the documentation with the appropriate trial number, initials and if used, date of birth. The coordinating centre must thereafter notify the sites immediately of the need to maintain subject confidentiality.

Members of the public contacting the coordinating centre

It may well happen that a member of the public contacts the coordinating centre to obtain more information regarding a specific clinical trial. It is up to the coordinating centre/trials team as to who is best placed to liaise with the member of the public. With regard to confidential data, there would be implied consent to the coordinating centre returning their E-mail or call on the single issue. The recommendation is that upon closure of the enquiry, any electronic records (be it storage of phone number or E-mail address) are removed, and any copies of sent E-mails and/or telephone reports are filed in the Trial Master File in case of further queries in future.

References

Department of Health Confidentiality NHS Code of Practice November 2003:

EC policy on rare diseases:

Department of Health The Caldicott Committee Report on the Review of Patient-Identifiable Information December 1997:

UK Data Protection Act 1998;

UoB IT guidelines for information handling:

Patient identifiable information guideline v. 1.0 dd. 02-May-2013