QResearch Confidentiality
QRESEARCH
has extensive, robust protection of confidentiality for patients and the
practices.
Key features
- No patient
identifiers are extracted from the practices. Patients are
pseudoanonymised to protect their identity but allow their records to be
updated
- Researchers only
receive anonymised data
- Special
protection is employed to protect practice identity
- The QRESEARCH
servers are in secure environments
- Data transfers
are encrypted
- Use of the data
is strictly controlled
- QRESEARCH
has ongoing approval from the Trent Multi-Centre Research Ethics
Committee
Pseudo-anonymised
data
No data
is extracted from a practice database that contains any strong patient
identifier, such as name, address, full postcode, date of birth etc. The
practice computer allocates a unique number to each patient (a GUID). This GUID
is used by the practice system to allocate later data to the same patient file.
The collection server cannot identify which patient the GUID refers to. As an
additional protection, this GUID is further encrypted at the point of
collection by the collection server using a hash key. This additional
protection prevents the potential for the GUID from the research database being
taken back to the practice, the database being illegally accessed and the GUID
cross referenced back to the patient. This process o pseudonymisation is much stronger
than the MIQUEST identifiers.
Anonymised
data
Researchers,
having gone through the process
of approval, are given, if appropriate, files that contain records for
individual patients. However these records do not contain a GUID and are
therefore truly anonymised.
When
the database is interrogated for information for morbidity studies etc, the
results do not contain any records for individual patients. The outputs are in
tables, graphs etc and we refer to these as tabular analyses.
Protection
for practice identity
One
named member of staff in Nottingham and one in EMIS have a list of the
practices that have given and returned signed consent to participate in
QRESEARCH during recruitment. This list is kept on a separate computer from the
EMIS file server or the research server in Nottingham; and is encrypted. The
list of participating practices will not be released to other individuals or
organisations by EMIS or Nottingham.
There
are no patient identifiers on the database because of the anonymisation
process outlined above. In this way, patient confidentiality will be completely
secure. There may be occasions where researchers wish to relate practice
characteristics (for example practice size) to some clinical process or
outcome. However it might be possible to derive a limited number of practice
level characteristics directly from the anonymised database held on the
research computer in Nottingham for example, list size, average deprivation
score and rurality. Only banded data (for example, the list size can be banded
< 5,000; 5000-7999; 8000+) will be provided to prevent any possibility of
identifying the practice.
QRESEARCH
servers
There
are several servers involved in the QRESEARCH project.
(a)
The data collection server at EMIS. This
server is linked to practices via the NHSnet in order to undertake the
triggered upload ONLY after the practice has authorised the upload by
activating the QRESEARCH module within its surgery system.
(b) The research servers, which houses the resulting aggregated database, and
which are located at The University of Nottingham. The research computers are dedicated isolated computer (i.e. it is not linked to the NHSnet or external
networks). This computer is the single point of access to the data collected by
QRESEARCH.
Each of
the servers (at EMIS and at Nottingham) are used solely for the purposes of
QRESEARCH.
Data
transfers
EMIS
only transfers QRESEARCH data to The University of Nottingham. The data
transfer will be secure as the data are encrypted.
Use of the data
EMIS
and The University of Nottingham are contractually bound not to use the data
collected by QRESEARCH for any other purpose than QRESEARCH.
Access
by researchers is carefully regulated since they will receive patient level
sub-sets of the database. See Using it for Research.
Morbidity
analyses will be undertaken as appropriate - see Using it for
data analyses The results will be included on the website - see Current data
analyses.
Section
251 compliance
In
order to clarify whether Section 60 support was necessary to cover the process
of anonymisation/pseudo-anonymisation, we contacted Sean Kirwan from the
Department of Health in 2002 with a copy of the protocol and details of the processes
to be used. He advised us that Section 60 support was necessary only when
patient identifiable information is required and it is not practicable to
either obtain patient consent or use anonymised/pseudonymised data. With the
process of pseudonymisation employed in QRESEARCH, no patient identifiable
information will be shared with, or processed by, a third party (ie an
individual or organisation not employed by the GP practice) and hence Section
60 support is not required for the QRESEARCH database. We repeated this
exercise in 2011 when we approached the Ethics and Confidentiality Advisory
Committee to advise on whether s251 was needed for our method of pseudonymised
data linkage. Since no patient identifiable data is released by the
practices or held by QRESEARCH, 251 support was not required.
Multi-Centre
Research Ethics Committee
QRESEARCH
has full approval from the Trent MREC [Ref: MREC 03/04/021]. Research studies
which utilise QRESEARCH data need to obtain ethical approval from this
committee. The contact for the MREC administrator is:
Trent MREC
Derwent Shared Services
6th Floor Laurie House
Colyear Street
Derby
Derbyshire
DE1 1LJ