ScHARR Information Governance

Policy Section 5: Information sharing

Version 18/03/31


Researchers may share data relating to research participants with other persons, researchers or organisations. Sharing individual participant data can advance clinical research and benefit patients.

Data sharing and transferring requests must be handled in accordance with the requirements of the Data Protection Act 1998 (DPA) and other relevant guidance, e.g. the NHS Caldicott principles. A failure to safeguard information could result in legal action.

Each member of ScHARR must at all times have great regard for the safeguarding of the research data in their possession. Smith et al. (2015) provide useful background information and guidance on data sharing and anonymisation, and theirs is the document on which this ScHARR policy is based. Anyone who is unsure what action to take should, in the first instance, approach their section IG Lead (Supervisor or Personal Tutor, in the case of students) and discuss the matter with them.

This policy must be applied to all information sharing requests that are not already authorised. This includes requests from individuals and groups both inside and outside the University. For sharing of data outside the European Economic Area (EEA), please also see Section 7. Where sharing is already pre-authorised, e.g. with external collaborators, it is assumed that the IG arrangements for their institution are covered by the project documentation.


There must be a clear purpose to share research data which is aligned with the purposes for which the data were collected: principle one of the DPA ‘fair processing’ must be upheld. The project team should ensure a system is in place to review data access requests and only accept them if this is satisfied. Similarly, data should only be deposited with data repositories which follow these principles.

Consent must be sought from data subjects if it is appropriate and practicable to do so (although a lack of consent for sharing does not prohibit sharing of data that is not reasonably likely to lead to the identification of individuals or if Section 251 approval has been obtained).

It is recommended that the following wording be included in consent forms: “I understand that the information collected about me may be used to support other research in the future, and may be shared anonymously with other researchers.” Other data providers may have their own preferred wording.

Authorisation to share the information must be in place: agreement should be made within the project team regarding who should authorise requests for data sharing. As a minimum this should be from the project lead, but may also include the sponsor and ethics committee. Roles and responsibilities should be included in the protocol and data management plan. Refer also to the University Research Ethics Policy guidance document regarding sharing with other researchers within the University.

Data must be anonymised as far as possible prior to being shared. There may be a trade-off between privacy and data utility as it can be difficult to attain true anonymisation and it is difficult to predict the risk of re-identification through data linkage.

The recipient of information must agree to safeguard the security and confidentiality of risk-bearing data. Where the transfer is outside ScHARR, an agreement must be in place as part of a contract or as a separate data sharing agreement (DSA). This should outline the purpose and security arrangements. An example DSA is given at the end of this section. For sharing with external institutions, the University is generally the legal party to DSAs to ensure that legal liability rests with the institution, rather than an individual employee/student. However, it is the responsibility of the person receiving the data to ensure compliance with all the obligations of the agreement on behalf of the University. We would therefore request provision for the person receiving the data, as well as a member of the Contracts Team, to sign the document in acknowledgement of the terms and conditions. This applies to both the provision and the receipt of data.

Risk-bearing data must be shared securely. Files must be encrypted before they are sent via e-mail or stored in locations other than the University’s network drive. CiCS offers guidance on how to encrypt files. Any difficulties should be discussed with the relevant Section IG Lead.

Section 6: Incident management