BCIS / NICOR data sharing agreement April 2010
BCIS/NICOR data sharing agreement - British Cardiovascular ...
BCIS/NICOR data sharing agreement - British Cardiovascular ...
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>BCIS</strong> / <strong>NICOR</strong> <strong>data</strong> <strong>sharing</strong> <strong>agreement</strong>,<br />
<strong>April</strong> <strong>2010</strong><br />
1. Scope....................................................................................................................................1<br />
2. Background..........................................................................................................................1<br />
3. Application process ............................................................................................................3<br />
3.1 Informal contact...............................................................................................................3<br />
3.2 Project proposal ...............................................................................................................3<br />
3.3 Funding ............................................................................................................................3<br />
3.4 Evaluation of the proposal ...............................................................................................3<br />
3.5 Dataset release .................................................................................................................4<br />
3.6 Appeal process.................................................................................................................4<br />
4. Terms and conditions for use of <strong>BCIS</strong> <strong>data</strong>....................................................................4<br />
4.1 Use of <strong>data</strong> .......................................................................................................................4<br />
4.2 Ethics and confidentiality ................................................................................................5<br />
4.3 Security ............................................................................................................................5<br />
4.4 Breaches in security .........................................................................................................6<br />
4.5 On completion of research project...................................................................................6<br />
4.6 Publications......................................................................................................................6<br />
4.7 Accountability..................................................................................................................7<br />
<strong>BCIS</strong> / <strong>NICOR</strong> Data Application Form .................................................................................8<br />
<strong>BCIS</strong> / <strong>NICOR</strong> Data User’s Agreement ............................................................................11<br />
Checklist for applicants ........................................................................................................13<br />
1. Scope<br />
This document explains the application process for researchers who wish to access<br />
<strong>data</strong> from the British Cardiovascular Intervention Society <strong>data</strong> collected under the<br />
auspices of the Central Cardiac Audit Database. It defines the terms and conditions<br />
that must be agreed before <strong>data</strong> can be released, to ensure <strong>data</strong> security and due<br />
sensitivity for identification of individual patients and hospitals.<br />
2. Background<br />
The British Cardiovascular Intervention Society (<strong>BCIS</strong>) has run a <strong>data</strong>base project<br />
since 1994. More recently the <strong>BCIS</strong> has set up the Data Monitoring and Analysis<br />
Group to steer issues related to the <strong>BCIS</strong> <strong>data</strong>base. The <strong>BCIS</strong> <strong>data</strong> is collected in<br />
each individual hospital and transmitted to the central cardiac audit <strong>data</strong>base<br />
(CCAD), which is in turn part of the NHS information centre. To develop outputs from<br />
the <strong>BCIS</strong> <strong>data</strong>, <strong>BCIS</strong> is working with the National Institute for Clinical Outcomes<br />
Research (<strong>NICOR</strong>) at University College London. <strong>BCIS</strong> encourages applications for<br />
research projects based on the <strong>BCIS</strong> <strong>data</strong>, but because of issues about the legal<br />
basis of this type of <strong>data</strong> and to ensure the reputation of the <strong>BCIS</strong> and <strong>NICOR</strong>, this<br />
document describes the process required for <strong>data</strong> to be shared.
The Patient Information Advisory Group (PIAG) 1 has granted NCASP Section 60<br />
exemption of the Health and Social Care Act 2001 2 for all the cardiac audits,<br />
including the <strong>BCIS</strong> audit. Section 60 permits the common law duty of confidentiality<br />
to be lifted for activities that fall within defined medical purposes where anonymised<br />
information will not suffice and consent is not practicable. Section 60 of the Health<br />
and Social Care Act 2001 has been superseded by Section 252 of the NHS Act 2006<br />
and the National Information Governance Board for Health and Social Care (NIGB) 3<br />
for England and has replaced PIAG as the statutory body with responsibility for<br />
Section 251 of the NHS Act 2006.<br />
Under the Data Protection Act effectively anonymised <strong>data</strong> are not regarded as<br />
personal <strong>data</strong> and therefore may be used for research without consent. There is,<br />
however, no legal definition of anonymised <strong>data</strong>. The Act establishes a definition of<br />
‘personal <strong>data</strong>’ as ‘<strong>data</strong> which relate to a living individual who can be identified (a)<br />
from those <strong>data</strong>, or (b) from those <strong>data</strong> and other information which is in the<br />
possession of, or is likely to come into the possession of, the <strong>data</strong> controller, and<br />
includes any expression of opinion about the individual and any indication of the<br />
intentions of the <strong>data</strong> controller or any other person in respect of the individual’. The<br />
Act was intended to ensure that personal <strong>data</strong> are appropriately protected, so uses a<br />
very broad definition, including information which might potentially identify some<br />
individual, even if no obvious mechanism exists.<br />
Pseudonymised <strong>data</strong> (where the <strong>data</strong> is effectively anonymised, except for a coded<br />
identifier, and where the recipient of the <strong>data</strong> does not have access to the coding<br />
mechanism and so cannot identify the patient) is ‘personal <strong>data</strong>’ within the meaning<br />
of the DPA98, but could be considered to be anonymised information in the hands of<br />
the recipient. Pseudonymised <strong>data</strong> are also referred to as linked anonymised <strong>data</strong>.<br />
Linked anonymised <strong>data</strong> are still regarded as personal <strong>data</strong> even if the person is not<br />
identifiable to the ‘Recipient’ (researcher), because the person is still identifiable to<br />
the original holder of the <strong>data</strong>. In practice, provided the <strong>data</strong> is effectively<br />
pseudonymised (linked anonymised), then researchers are generally given access to<br />
this <strong>data</strong>, subject to certain safeguards.<br />
<strong>NICOR</strong> receives downloads of <strong>data</strong> from the CCAD servers which contain vital status<br />
and date of death supplied by the Office of National Statistics. Although patients’<br />
names, hospital case record number, NHS number and hospital codes are collected,<br />
these <strong>data</strong> items are pseudonymised by CCAD to protect the rights of participants<br />
and the confidentiality of their <strong>data</strong>, before the <strong>data</strong> are released to <strong>NICOR</strong>. Date of<br />
birth is converted to age at admission to 1 decimal place and postcode of residence<br />
converted to deprivation scores and eastings and northings. However date of death<br />
and complete eastings and northings are potential patient identifiers which are not<br />
pseudonymised. Use of these <strong>data</strong> items will have to be justified before they are<br />
released.<br />
The following sections describe the process that researchers that wish to access<br />
<strong>BCIS</strong> <strong>data</strong> for research purposes must follow. It is closely aligned to the MINAP <strong>data</strong><br />
1 http://www.advisorybodies.doh.gov.uk/piag/<br />
2 http://www.hmso.gov.uk/acts/acts2001/20010015.htm<br />
3 http://www.nigb.nhs.uk/
<strong>sharing</strong> <strong>agreement</strong> (MINAP is also based at <strong>NICOR</strong>) and the HES User Guide 4 . The<br />
<strong>BCIS</strong> Data Monitoring and Analysis Group and <strong>NICOR</strong> will consider applications for<br />
access to the <strong>data</strong> from organisations such as recognised Universities, Research<br />
Institutions and NHS Trusts carrying out heart or heart related research in the<br />
European Economic Area, or individuals working for one of the above.<br />
3. Application process<br />
The <strong>BCIS</strong> Data Monitoring and Analysis Group and <strong>NICOR</strong> will consider applications<br />
for access to the <strong>data</strong> from organisations as recognised universities, research<br />
institutions and Hospital Trusts carrying out heart or heart related research world<br />
wide provided they are working in collaboration with a similar UK organisation and<br />
are part of a recognised scheme as the US Safe Harbour Agreement.<br />
3.1 Informal contact<br />
It is recommended that the researcher first contacts the <strong>BCIS</strong> Data Monitoring and<br />
Analysis Group chair via email (peter.ludman@uhb.nhs.uk) to discuss informally the<br />
feasibility of their proposed project.<br />
3.2 Project proposal<br />
3.2.1 <strong>BCIS</strong> Data Application Form<br />
This can be found at the end of this document and must be submitted for initial<br />
approval by the <strong>BCIS</strong> / <strong>NICOR</strong>.<br />
3.2.2 Data requested<br />
A precise list of <strong>data</strong> items and time period required for the project must be defined<br />
in the <strong>BCIS</strong> Data Application Form. The <strong>BCIS</strong> <strong>data</strong>set is available on the <strong>BCIS</strong> web<br />
pages (www.bcis.org.uk). Further use of the <strong>data</strong> in other areas of interest will<br />
require a new application to be submitted and approved by the <strong>BCIS</strong>.<br />
3.3 Funding<br />
If the grant application is partially or totally based on the use of <strong>BCIS</strong> <strong>data</strong> the<br />
applicant should give details about the funding application.<br />
If the researcher wishes to apply for funding once the application has been approved<br />
and the grant application is based on, or contains references to <strong>BCIS</strong> <strong>data</strong>, the <strong>BCIS</strong><br />
/ <strong>NICOR</strong> must be informed about the funding application (organisation, when and by<br />
whom).<br />
The <strong>BCIS</strong> / <strong>NICOR</strong> recommends that £10K is included in research grant proposals<br />
but a smaller charge could be negotiated for smaller studies.<br />
3.4 Evaluation of the proposal<br />
The completed application form should be sent to the <strong>BCIS</strong> Data Monitoring and<br />
Analysis Group chair. Evaluation of the proposal will be made on and ad hoc basis<br />
4 http://www.hesonline.nhs.uk/Ease/servlet/ContentServer?siteID=1937&categoryID=403
y the <strong>BCIS</strong> / <strong>NICOR</strong>. The applicants must also send their System Level Security<br />
Policy (see section 3.3.1)<br />
A member of the <strong>BCIS</strong> Data Monitoring and Analysis Group will be allocated to each<br />
project. The applicant and the <strong>BCIS</strong> collaborator will be asked to sign, date and<br />
return the <strong>BCIS</strong> / <strong>NICOR</strong> Data User’s Agreement which will be counter-signed by<br />
the <strong>BCIS</strong> Data Monitoring and Analysis Group chairman.<br />
3.5 Dataset release<br />
Once all conditions requested by the <strong>BCIS</strong> / <strong>NICOR</strong> for approval have been<br />
accepted in writing by the applicant and the <strong>BCIS</strong> / <strong>NICOR</strong> Data User’s Agreement<br />
has been signed by both parties, the <strong>BCIS</strong> / <strong>NICOR</strong> will authorise the release of the<br />
requested <strong>data</strong>.<br />
<strong>NICOR</strong> will generate the requested <strong>data</strong>set and associated documentation where<br />
necessary. The <strong>data</strong>set will be supplied in ASCII format appropriately delimited,<br />
encrypted using AES 256 encryption and delivered via a drop box. The key will be<br />
given separately. Technologies will change with time and so this method will be<br />
monitored and reviewed constantly.<br />
3.6 Appeal process<br />
Reasons for refusal of an application could include lack of outputs from previous<br />
projects totally or partially based on <strong>BCIS</strong> <strong>data</strong> or concerns about the quality of the<br />
project.<br />
Should an application be refused by the <strong>BCIS</strong> / <strong>NICOR</strong>, the applicant is welcome to<br />
make the appropriate changes and submit a new application which would be<br />
expected to be substantially different to the original one.<br />
4. Terms and conditions for use of <strong>BCIS</strong> <strong>data</strong><br />
The confidentiality of the patients and contributing hospitals must not be<br />
compromised by use of the <strong>BCIS</strong> <strong>data</strong>. The reputation of the funding body, the <strong>BCIS</strong><br />
/ <strong>NICOR</strong> team must not be inappropriately compromised through unethical,<br />
premature or opportunistic <strong>data</strong> analysis and the subsequent production of scientific<br />
outputs.<br />
The terms and conditions for <strong>data</strong> <strong>sharing</strong> outlined here are, together with the rest of<br />
the sections of this document, in line with the MRC <strong>data</strong> <strong>sharing</strong> policy and access<br />
principles.<br />
4.1 Use of <strong>data</strong><br />
4.1.1 Data must be used only in the manner stated and for the research purposes<br />
specified. <strong>BCIS</strong> <strong>data</strong>, in whole or in part, cannot be processed, disseminated or<br />
otherwise made available or used for any other purpose, and none of the <strong>data</strong> can<br />
be distributed to third parties.
4.1.2 Analyses are allowed only accordingly to the protocol described in the<br />
application; major changes will require a new application.<br />
4.1.3 Data users will not have sole and exclusive access to their required set of<br />
<strong>data</strong>. Therefore, the <strong>BCIS</strong> / <strong>NICOR</strong> cannot guarantee that the area of interest stated<br />
in their application will be for the exclusive use of the <strong>data</strong> user.<br />
4.1.4 Data users should notify the <strong>BCIS</strong> Data Monitoring and Analysis Group<br />
chairman of any errors or inconsistencies discovered in the <strong>data</strong>.<br />
4.1.5 Data users should offer their derived variables to enrich the <strong>BCIS</strong> <strong>data</strong>base if<br />
requested to do so by the <strong>BCIS</strong> / <strong>NICOR</strong>.<br />
4.2 Ethics and confidentiality<br />
4.2.1 All medical research using identifiable personal information, or using<br />
anonymised <strong>data</strong> from the NHS which is not in the public domain, must be approved<br />
by a Research Ethics Committee (REC). The <strong>BCIS</strong> / <strong>NICOR</strong> will expect to see a<br />
copy of the REC approval (or an equivalent university or industry specific document).<br />
4.2.2 Ethical approval from the <strong>data</strong> user’s local ethical committee is the<br />
responsibility of the <strong>data</strong> user.<br />
4.2.3 Once the project has been approved, <strong>data</strong>sets will be provided without<br />
restrictions within the European Economic Area (EEA, which consists of the twenty<br />
seven member states of the European Union together with Iceland, Liechtenstein,<br />
Norway and the States of Guernsey) and internationally recognised schemes as the<br />
US Safe Harbour Agreement.<br />
4.2.4 <strong>BCIS</strong> <strong>data</strong> must not be transferred to a country or territory outside the<br />
European Economic Area and internationally recognised schemes as the US Safe<br />
Harbour Agreement.<br />
4.2.5 Researchers must ensure that personal information is handled by healthcare<br />
professionals or staff with an equivalent duty of confidentiality to that in a National<br />
Health Service (NHS) contract (eg an honorary NHS contract or university contract of<br />
employment).<br />
4.2.6 It is virtually impossible to guarantee that an individual will never be identified,<br />
given the nature of the <strong>data</strong>. It is therefore the responsibility of <strong>data</strong> users to ensure<br />
that the participants’ identity is not disclosed under any circumstances.<br />
4.2.7 Data users must consider the risk of identifying individuals in their analyses<br />
prior to publication. ‘Small numbers' are considered from 1 to 5. Low-level analyses<br />
are more likely to contain small numbers which might facilitate identification of<br />
individual patients. A higher level of aggregation should be considered when<br />
analyses produce less than 5 cases.<br />
4.3 Security<br />
4.3.1 A System Level Security Policy must be included with the application. It<br />
should specify precisely how and where the <strong>BCIS</strong> <strong>data</strong>set will be stored and used. It<br />
should include who is responsible for the <strong>data</strong> security and what access controls,<br />
network monitoring and screening, anti virus defences are in place (i.e, all the<br />
information described in the relevant section above). It should also describe the<br />
levels of training regarding <strong>data</strong> handling and security that will be given to all staff<br />
involved.
4.3.2 Secure <strong>data</strong> access such as passwords, firewalls, etc., must be in place to<br />
ensure that the <strong>data</strong> are kept secure. Ideally, <strong>data</strong> users should access the provided<br />
<strong>data</strong>set using a network drive set up by the organisation where they work, and avoid<br />
keeping <strong>data</strong>sets on their own PC/laptop. This network drive should be accessible<br />
through password control.<br />
4.3.3 Data users working on the same project must not use memory sticks or send<br />
files to each other as attachments in e-mails. Instead, they should use a shared drive<br />
for transferring files.<br />
4.3.4 The <strong>BCIS</strong> / <strong>NICOR</strong> requires a list of all individuals who would have access to<br />
the <strong>data</strong>, the names of their employers in this context and their job titles in the <strong>BCIS</strong> /<br />
<strong>NICOR</strong> Data User’s Agreement.<br />
4.3.5 Data must always be stored in a secure repository as a computer file server.<br />
This <strong>data</strong> can then be accessed directly from computer workstations within the same<br />
secure environment of the recipients’ organisation. Copies of the <strong>data</strong> must not be<br />
taken out of this secure environment, for working on a local personal computer or lap<br />
top computer, or taken off site by any means unless the copy has had all potential<br />
identifiers, including eastings and northings, removed. Data should be encrypted on<br />
pen drives and lap tops if there is any possibility of identifying a patient. Data in a cell<br />
that contains
4.6.2 If at any stage the research or any presentation / publication falls outside the<br />
terms of this <strong>data</strong> <strong>sharing</strong> <strong>agreement</strong>, <strong>BCIS</strong> / <strong>NICOR</strong> reserve the right to contact any<br />
journal or conference organisers involved in the presentation /publication of the <strong>data</strong>.<br />
In addition the trust Chief executive and research governance lead will be notified of<br />
any R&D governance issues that have been breached.<br />
4.6.3 Data users must preserve the confidentiality of the <strong>data</strong> in outputs and<br />
publications (see above). The <strong>BCIS</strong> / <strong>NICOR</strong> will require a copy of any paper prior to<br />
publication to be satisfied that no personal identifiers are included in the results. The<br />
<strong>BCIS</strong> / <strong>NICOR</strong> has the right to refuse to grant permission to publish information<br />
arising from <strong>BCIS</strong> <strong>data</strong> on the grounds of <strong>data</strong> protection.<br />
4.6.4 The scope of the project should be aimed at the publication of one or two<br />
scientific articles within two years from the date when the requested <strong>data</strong>set is<br />
received by the <strong>data</strong> users. Users can subsequently submit new applications for <strong>data</strong><br />
if they wish to do further analyses.<br />
4.6.5 The name of the <strong>BCIS</strong> must be included in the title or subtitle, and any<br />
publication must include the sentence: “This study includes <strong>data</strong> collected by the<br />
British Cardiovascular Intervention Society under the auspices of the Central Cardiac<br />
Audit Database.”<br />
4.6.6 Co-authorship is not required but if any member of the <strong>BCIS</strong> / <strong>NICOR</strong> has<br />
provided significant input they should be included as an author.<br />
4.7 Accountability<br />
4.7.1 Overall accountability to funding bodies for research projects remains the<br />
responsibility of the Principal Investigator.<br />
4.7.2 The <strong>BCIS</strong> / <strong>NICOR</strong> should be updated on the progress of the project and<br />
outputs should be submitted within two years from the date when the requested<br />
<strong>data</strong>set is received by the <strong>data</strong> users.<br />
4.7.3 The Principal Investigator must prepare a summary of their main findings<br />
when asked.<br />
Please note that the <strong>BCIS</strong> / <strong>NICOR</strong> retains the right to modify the contents of<br />
this document at any time.
<strong>BCIS</strong> / <strong>NICOR</strong> Data Application Form<br />
1. PRINCIPAL INVESTIGATOR<br />
Title, forename, surname: .<br />
Employing organisation: .<br />
Position in organisation: .<br />
Address of organisation: .<br />
.<br />
.<br />
Telephone: .<br />
Email: .<br />
Please attach the Principal Investigator’s Curriculum Vitae.<br />
2. RESEARCH TEAM / CO-APPLICANTS<br />
Details of each Research team member involved in the proposed project.<br />
Research team<br />
Employing<br />
Position in<br />
Contact details<br />
members / Co-<br />
organisation<br />
organisation<br />
(Email address/Telephone no)<br />
applicants<br />
3. PUBLICATIONS OF THE RESEARCH TEAM MEMBERS<br />
List of the main publications of each Research team member involved in the project.
4. PREVIOUS APPLICATIONS<br />
Have you or any of the Research team members/co-applicants applied for <strong>BCIS</strong> <strong>data</strong><br />
in the past?<br />
If Yes, please give details:<br />
Main<br />
Applicant<br />
Application Date Project Title Scientific Outputs<br />
5. FUNDING<br />
Do you already have funding to carry out this project<br />
If you are planning to seek funding to carry out this project and the grant application is to be partially<br />
or totally based in the use of <strong>BCIS</strong> <strong>data</strong>, please give details about the funding application.<br />
Name of funding body<br />
Dates<br />
Applicants<br />
Title of application<br />
Synopsis of application (max 100 words)<br />
6. RESEARCH PROJECT<br />
6.1 PROJECT TITLE<br />
6.2 SUMMARY<br />
A brief summary of up to 200 words describing the aims of the study/research project<br />
6.3 CONTEXT<br />
Where research is part of a larger programme, please give details.<br />
6.4 PROJECT DESCRIPTION
Full description of the purpose/s for which the <strong>data</strong> are requested (maximum 4 A4 sides excluding<br />
references)<br />
Background<br />
Scientific hypothesis<br />
Objectives<br />
Methodology and planned statistical analyses<br />
Competing interests<br />
References (max 10)<br />
6.5 PLANNED SCIENTIFIC OUTPUTS<br />
Intended outputs/publications arising from the use of these <strong>data</strong>, including abstracts, posters and<br />
research papers.<br />
7. DATA REQUESTED<br />
Data items required for analysis. Please refer to the <strong>BCIS</strong> <strong>data</strong>set and define the time period.<br />
Please be as specific and detailed as possible when compiling this list.
<strong>BCIS</strong> / <strong>NICOR</strong> Data User’s Agreement<br />
To be signed when the application has been approved<br />
Title, forename,<br />
surname:<br />
.<br />
Work Address: .<br />
.<br />
.<br />
Telephone: .<br />
Email: .<br />
Project title: .<br />
I agree that my project will use the requested <strong>BCIS</strong> <strong>data</strong> and will be conducted<br />
according to the terms specified in the <strong>BCIS</strong> / <strong>NICOR</strong> Data Sharing Policy.<br />
I accept that my access to the <strong>BCIS</strong> <strong>data</strong> is limited only to what is relevant for<br />
completion of the above named project.<br />
I accept that if I knowingly disregard the conditions relating to the release of <strong>data</strong><br />
given in the <strong>BCIS</strong> / <strong>NICOR</strong> Data Sharing Policy this will be considered a serious<br />
offence and will result in action being taken against me and my organisation.<br />
I confirm that I have read this document and agree to abide by the terms and<br />
conditions outlined within.<br />
Signature of <strong>data</strong> user: .<br />
Name in block capitals: .<br />
Date: .<br />
Signature of research members<br />
(and everyone having access to<br />
the <strong>data</strong>- see <strong>data</strong> <strong>sharing</strong><br />
<strong>agreement</strong>)<br />
Names in block capitals<br />
Date<br />
.<br />
.<br />
.<br />
.<br />
.<br />
.<br />
.<br />
.<br />
.
Signature of <strong>BCIS</strong> Collaborator:<br />
Name in block capitals: .<br />
Date: .<br />
Signature of <strong>BCIS</strong> Data Monitoring and Analysis<br />
Group Chairman:<br />
.<br />
Name in block capitals: .<br />
Date: .
Checklist for applicants<br />
Download the <strong>BCIS</strong> <strong>data</strong>set from the <strong>BCIS</strong> web pages to determine which <strong>data</strong><br />
items are available.<br />
Download the <strong>BCIS</strong> Data Sharing Policy to understand what is required for your<br />
submission.<br />
Make informal contact with <strong>BCIS</strong> Data Monitoring and Analysis Group chair to<br />
discuss feasibility of your project.<br />
Download the <strong>BCIS</strong> / <strong>NICOR</strong> Data Application Form from the <strong>BCIS</strong> web pages.<br />
Complete all sections of the <strong>BCIS</strong> / <strong>NICOR</strong> Data Application Form and return to<br />
the <strong>BCIS</strong> Data Monitoring and Analysis Group chair with copies of your<br />
organisation’s System Level Security Policy<br />
project’s LREC/MREC approval or equivalent<br />
After approval of your application in principle by the <strong>BCIS</strong> / <strong>NICOR</strong><br />
Complete, sign and return the <strong>BCIS</strong> / <strong>NICOR</strong> Data User’s Agreement to the <strong>BCIS</strong><br />
Data Monitoring and Analysis Group chair<br />
Confirm safe receipt of <strong>data</strong>