QResearch has extensive, robust protection of confidentiality for patients and the practices.
Key features
-
No patient identifiers are extracted from the practices. Patient records are anonymised to protect their identity but allow their records to be updated
-
Researchers only receive subsets of anonymised data
-
Special protection is employed to protect practice identity
-
The QResearch servers are in secure environments
-
Data transfers are encrypted
-
Use of the data is strictly controlled
-
QResearch has ongoing approval from the East Midlands Multi-Centre Research Ethics Committee
Research Ethics Committee approval
QResearch obtained full approval from the Trent Multi-Centre Research Ethics Committee [Ref: 03/4/021]. Approval is now confirmed yearly from the East Midlands - Derby Research Ethics Committee. In 2018, an updated application was approved [Ref: 18/EM/0400] in readiness for the transfer of QResearch to the University of Oxford. In 2023, an updated application was approved in line with REC procedures to renew such approvals every five years (Ref: 23/EM/0166). All previous approval letters can be found in the Downloads section. Research studies which utilise QResearch data need to obtain approval from the QResearch Scientific Committee.
Anonymised data
No data is extracted from a practice database that contains any strong patient identifier, such as name, address, full postcode, date of birth etc. The practice computer allocates a unique number to each patient (a GUID). This GUID is used by the practice system to allocate later data to the same patient file. The collection server cannot identify which patient the GUID refers to. As an additional protection, this GUID is further encrypted at the point of collection by the collection server using a hash key. This hash key is only available to EMIS Health and is not available to the University of Oxford. This additional protection prevents the potential for the GUID from the research database being taken back to the practice, the database being illegally accessed and the GUID cross referenced back to the patient. This process of anonymisation is much stronger than the MIQUEST identifiers.
Researchers whose projects have gone through the process of approval, are given, if appropriate, files that contain subsets of records for individual patients. These records do not contain a GUID and are anonymised.
When the database is interrogated for information for morbidity studies etc, the results do not contain any records for individual patients. The outputs are in tables, graphs etc and we refer to these as tabular analyses.
Protection for practice identity
One named member of staff in Oxford and one in EMIS have a list of the practices that have given and returned signed consent to participate in QResearch during recruitment. This list is kept on a separate computer from the EMIS file server or the research server in Oxford; and is encrypted. The list of participating practices will not be released to other individuals or organisations by EMIS or Oxford.
There are no patient identifiers on the database because of the anonymisation process outlined above. In this way, patient confidentiality will be completely secure. There may be occasions where researchers wish to relate practice characteristics (for example practice size) to some clinical process or outcome. However it might be possible to derive a limited number of practice level characteristics directly from the anonymised database held on the research computer in Oxford for example, list size, average deprivation score and rurality. Only banded data (for example, the list size can be banded < 5,000; 5000-7999; 8000+) will be provided to prevent any possibility of identifying the practice.
QResearch servers
There are several servers involved in the QResearch project.
(a) The data collection server at EMIS. This server is linked to practices via the NHSnet in order to undertake the triggered upload ONLY after the practice has authorised the upload by activating the QResearch module within its surgery system.
(b) The research servers, which house the resulting aggregated database, and which are located at the University. The research computers are dedicated isolated computers (i.e. it is not linked to the NHSnet or external networks). These computers are the single point of access to the data collected by QResearch.
Each of the servers (at EMIS and at the University) are used solely for the purposes of QResearch.
Data transfers
EMIS only transfers QResearch data to the University of Oxford. The data transfer will be secure as the data are encrypted.
Use of the data
EMIS and the University of Oxford are contractually bound not to use the data collected by QResearch for any other purpose than QResearch.
Access by researchers is carefully regulated since they will receive patient level sub-sets of the database. See Information for Researchers.
Morbidity analyses will be undertaken as appropriate - see Using QResearch for morbidity data analysis. The results will be included on the website - see Research for a list of project summaries, Publications for lists of research outputs, and Validation and initial reports for a list of initial reports produced for the Department of Health.
Section 251 compliance
In order to clarify whether Section 60 support was necessary to cover the process of anonymisation/pseudo-anonymisation, we contacted Sean Kirwan from the Department of Health in 2002 with a copy of the protocol and details of the processes to be used. He advised us that Section 60 support was necessary only when patient identifiable information is required and it is not practicable to either obtain patient consent or use anonymised data. With the process of anonymisation employed in QResearch, no patient identifiable information will be shared with, or processed by, a third party (ie an individual or organisation not employed by the GP practice) and hence Section 60 support is not required for the QResearch database. We repeated this exercise in 2011 when we approached the Ethics and Confidentiality Advisory Committee to advise on whether s251 was needed for our method of data linkage. Since no patient identifiable data is released by the practices or held by QResearch, 251 support was not required.