GDPR in Research
The EU’s General Data Protection Regulation (GDPR) came into effect on the 25 May 2018. For an organisation such as the GMMH, our role and level of involvement changes with each particular study. However in each case we are required to be transparent in how personal data is collected, processed, accessed and stored as well as informing service users of the safeguards involved to retain compliance with appropriate legislations, and their rights around this.
What is our legal basis for processing personal data?
All NHS organisations are expected to support and endorse health and care research in the public interest and for the benefit of society as a whole. This forms the legal basis for the GMMH to lawfully collect personal information for the conduct of research.
How does GMMH safeguard participant’s data?
It is important to stress that GDPR does not alter GMMH’s duty to follow and comply with the UK Policy Framework for Health and Social Care Research; ensuring that health research adheres to ethical standards for example, as well as the respective legislation around principles such as informed consent and Good Clinical Practice.
For personal data, this means that considerations must be given to the security and storage of that data; limiting the levels of access to that data and ensuring that personal data will be pseudo-anonymised (by assigning a study number) or fully anonymised at the earliest opportunity so that patients and participants cannot be identified.
GMMH’s role within data protection
As a research Sponsor, GMMH acts as the “Data Controller”. The Data Controller determines the purpose and means of processing personal data. It is the Sponsor who determines what data is collected for the research study through the protocol, case report form and/or structured data fields in a database.
As a research Host (i.e. where the Sponsor is another organisation, such as a university or commercial company), GMMH acts as the “Processor”. The Processor collects personal data on behalf of the Data Controller.
Transparency Information on how data is collected and used
Personal data can be obtained in research either directly, via health records or from the participant themselves for example, or indirectly by sharing information between organisations or from one research study to another.
Where research participants are patients at GMMH, that participation will be documented in the GMMH health records held on the Trust’s electronic health care information system, in full compliance with the GMMH overarching polices on the management of personal information. This may include information on clinical test results, assessment scores, physical observations or treatments undertaken for the purpose of research, or other information relevant to the clinical care or safety of the research participant.
Further information for patients has been provided from the Health Research Authority, as the regulator for health research, detailing how this information might be collected and used: https://www.hra.nhs.uk/information-about-patients/.
What are your rights as a patient / participant?
GDPR clearly outlines the rights individuals have within health research in the following areas:
The right to erasure
The right to access by the data subject
The right to rectification
The right to restrict processing
The right to object to processing
For health research, participant’s rights on these can be quite limited and quite varied depending on each particular type of research study. GDPR allows exemptions to these rights as longs as the appropriate safeguards are in place (as outlined above). Read the HRA statement for further information.
Useful transparency statements for researchersResearchers should liaise with the research Sponsor to ensure that the appropriate transparency statements are inserted into Protocols and Participant Information Sheets. The HRA has provided some useful guidance templates here. Of course if you have any further query or seek assistance on composing the relevant statement, feel free to contact R&I team or e-mail: firstname.lastname@example.org.
Where can I access further information?
You can access the full information provided by the HRA detailing how GDPR is applicable to health research here.