"Generating new knowledge to improve patient care"

Confidentiality

QRESEARCH specialises in research & analyses
using primary care electronic health data

QRESEARCH has extensive, robust protection of confidentiality for patients and the practices.

Key features

  • No patient identifiers are extracted from the practices. Patients are pseudo-anonymised to protect their identity but allow their records to be updated
  • Researchers only receive anonymised data
  • Special protection is employed to protect practice identity
  • The two QRESEARCH servers are in secure environments
  • Data transfers are encrypted
  • Use of the data is strictly controlled
  • QRESEARCH is Section 60 compliant and has approval from the Trent Multi-Centre Research Ethics Committee

Pseudo-anonymised data

No data containing any strong patient identifier, such as name, address, full postcode or date of birth, is extracted from a practice database. The practice computer allocates a unique number (a GUID) to each patient. The practice system uses this GUID to allocate later data to the same patient file. The collection server cannot identify which patient the GUID refers to. As an additional protection, the collection server further encrypts this GUID at the point of collection using a hash key that the collection server maintenance personnel do not have access to. This guards against the GUID from the research database being taken back to the practice, the database being illegally accessed and the GUID being cross-referenced back to the patient. This process of anonymisation is much stronger than the MIQUEST identifiers.

Similarly, each practice is also allocated a unique code but no practice identifiers are retained. In the national phase, when the data are fully pseudo-anonymised, no-one (including EMIS) can track back to the practice of origin from the resulting database.

Anonymised data

Researchers, having gone through the process of approval, are given, if appropriate, files that contain records for individual patients. However these records do not contain a GUID and are therefore truly anonymised.
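The pseudonymisation and release steps described in the two sections above, as an added example that is not QRESEARCH's or EMIS's own code. It assumes the "hash key" behaves like an HMAC-SHA256 secret (the page does not name the algorithm); all record fields, sample values and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: the page's "hash key" is modelled as an HMAC-SHA256 secret held
# only by the collection process; the page does not name the algorithm.
COLLECTION_KEY = secrets.token_bytes(32)

# Constructed sample uploads from one practice (GUIDs and codes are made up).
UPLOAD_2003 = [{"guid": "3f2c9a1e-0001", "code": "C10", "year": 2003},
               {"guid": "7b44d0c2-0002", "code": "H33", "year": 2003}]
UPLOAD_2004 = [{"guid": "3f2c9a1e-0001", "code": "G20", "year": 2004}]


def keyed_pseudonym(guid: str, key: bytes = COLLECTION_KEY) -> str:
    """Keyed one-way mapping: the same GUID and key always give the same value."""
    return hmac.new(key, guid.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(guid: str) -> str:
    """Weak variant for comparison: anyone who knows the GUID can recompute it."""
    return hashlib.sha256(guid.encode("utf-8")).hexdigest()


def collect(upload: list, pseudonym_fn) -> list:
    """Collection step: store the pseudonym, never the practice GUID."""
    return [{"pid": pseudonym_fn(r["guid"]), "code": r["code"], "year": r["year"]}
            for r in upload]


def linkable_rows(database: list, practice_guids: list, recompute_fn) -> int:
    """Re-identification check: how many rows match pseudonyms recomputed
    from a practice's GUID list by someone who lacks the collection key."""
    recomputed = {recompute_fn(g) for g in practice_guids}
    return sum(1 for row in database if row["pid"] in recomputed)


def research_extract(database: list) -> list:
    """Researcher file: drop the pseudonym so no per-patient key remains."""
    return [{k: v for k, v in row.items() if k != "pid"} for row in database]


if __name__ == "__main__":
    db = collect(UPLOAD_2003 + UPLOAD_2004, keyed_pseudonym)
    guids = [r["guid"] for r in UPLOAD_2003]
    print("rows sharing a patient:", db[0]["pid"] == db[2]["pid"])
    print("linkable without key:", linkable_rows(db, guids, unkeyed_pseudonym))
    print("fields released:", sorted(research_extract(db)[0]))
```

The keyed mapping keeps later uploads attached to the same patient record, while the comparison with the unkeyed hash shows why the secret key, and who may hold it, is what blocks cross-referencing back to the practice.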

When the database is interrogated for information for morbidity studies etc, the results do not contain any records for individual patients. The outputs are in tables, graphs etc and we refer to these as tabular analyses.

Protection for practice identity

One named member of staff in Nottingham and one in EMIS have a list of the practices that have given and returned signed consent to participate in QRESEARCH during recruitment. This list is encrypted and is kept on a computer separate from both the EMIS file server and the research server in Nottingham. The list of participating practices will not be released to other individuals or organisations by EMIS or Nottingham.

There will be no practice or patient identifiers on the database because of the anonymisation process outlined above. In this way, patient and practice confidentiality will be completely secure.

There may be occasions where researchers wish to relate practice characteristics (for example practice size) to some clinical process or outcome. It will not be possible to link practices to external data sources (such as PACT) as the identity of the practice will not be known and there will not be any code which can link it to external sources of data. We will not therefore have ANY information on GP age or sex, achievement of target or contract payments.

However, it might be possible to derive a limited number of practice-level characteristics directly from the anonymised database held on the research computer in Nottingham, for example list size, average deprivation score and rurality. Only banded data (for example, the list size can be banded < 5,000; 5000-7999; 8000+) will be provided to prevent any possibility of identifying the practice.

The only exception to this would be data that were entered by the practices themselves onto a template that was then included with the main download. If this were to be undertaken, then practices would need to give fully informed consent and enter the data themselves onto a template within their surgery system.

QRESEARCH servers

There are several servers involved in the QRESEARCH project.

(a) The data collection server at EMIS. This server is linked to practices via the NHSnet in order to undertake the triggered upload ONLY after the practice has authorised the upload by activating the QRESEARCH module within its surgery system.
(b) The research server, which houses the resulting aggregated database, and which is located at The University of Nottingham. The research computer is a stand-alone computer (i.e. it is not linked to the NHSnet or internal or external networks). This computer is the single point of access to the data collected by QRESEARCH.

Each of the servers (at EMIS and at Nottingham) is used solely for the purposes of QRESEARCH.

Data transfers

EMIS only transfers QRESEARCH data to The University of Nottingham. The data transfer will be secure as the data are encrypted.

Use of the data

EMIS and The University of Nottingham are contractually bound not to use the data collected by QRESEARCH for any other purpose than QRESEARCH.

Access by researchers is carefully regulated since they will receive patient level sub-sets of the database. See Using it for Research.

Morbidity analyses will be undertaken as appropriate - see Using it for data analyses. The results will be included on the website - see Current data analyses.

Section 60 compliance

In order to clarify whether Section 60 support was necessary to cover the process of anonymisation/pseudo-anonymisation, we contacted Sean Kirwan from the Department of Health with a copy of the protocol and details of the processes to be used. He advised us that Section 60 support was necessary only when patient identifiable information is required and it is not practicable to either obtain patient consent or use anonymised/pseudonymised data. With the process of pseudo-anonymisation employed in QRESEARCH, no patient identifiable information will be shared with, or processed by, a third party (i.e. an individual or organisation not employed by the GP practice) and hence Section 60 support is not required for the QRESEARCH database.

Multi-Centre Research Ethics Committee

QRESEARCH has full approval from the Trent MREC [Ref: MREC 03/04/021]. Research studies which utilise QRESEARCH data need to obtain ethical approval from this committee. The contact for the MREC administrator is:

Ms Jill Marshall
Trent MREC
Derwent Shared Services
6th Floor Laurie House
Colyear Street
Derby
Derbyshire
DE1 1LJ
Email: Jill.Marshall@DerwentSharedServices.nhs.uk

Copyright © 2002-2010 QRESEARCH®. ALL RIGHTS RESERVED.
Materials on this web site are protected by copyright law. Access to the materials on this web site is for the sole purpose of personal educational and research use only. Where appropriate a single print out of a reasonable proportion of these materials may be made for personal education, research and private study. Materials should not be further copied, photocopied or reproduced, or distributed in electronic form. Any use or distribution for commercial purposes is expressly forbidden. Any other use or distribution of the materials, particularly of a commercial nature, may constitute an infringement of the University's copyright and may lead to legal action.