Handling privacy sensitive data

Aim

Comply with the statutory requirements for handling privacy sensitive data

Description

The Netherlands Epidemiological Society has drawn up two codes of practice to facilitate epidemiological research in the face of increasing restrictions in privacy legislation. These are the code of conduct Proper Secondary Use of Human Tissue (Code Goed Gebruik), which regulates the subsequent use of human material (see: Guideline 1.1A-04: Use of Human Material), and the code Use of Data in Health Research (Code Goed Gedrag), which regulates the use of epidemiological databases in such a way as to safeguard the privacy of research participants. More information about the Use of Data in Health Research code is given in the Details section. Additional information about the Medical Research (Human Subjects) Act (Wet Medisch-Wetenschappelijk Onderzoek met mensen, WMO) and the Data Protection Act (Wet Bescherming Persoonsgegevens, WBP), which each researcher needs to observe, can also be found there.

The researcher needs to undertake the necessary measures regarding safeguarding files with sensitive information, potentially in consultation with EMGO’s Data and Systems Management department:
• NAT (name, address, town) details and research details need to be stored in separate files. Files with research details should only include an administrative identifier.
• No files containing confidential information from research participants should be stored on local computers. They should be stored on the network in a folder that only members of the project team who have signed a confidentiality agreement (available in Dutch and English) are authorised to access.
• Project team members with access to confidential data need to be registered. A form is available for this.
• The project is to be registered with the Privacy Officer (Functionaris Gegevensbescherming).

The project leader is responsible for ensuring that files with confidential information are stored safely.

A transfer agreement needs to be signed before individual, anonymised files are made available to individuals outside the EMGO Institute.
See also the guideline Transfer and Archiving upon study completion.

• Use of Data in Health Research (Code Goed Gedrag Samenvatting)
The Use of Data in Health Research Code is a code of conduct for researchers handling personal data, based on the Data Protection Act and the Medical Treatment Contracts Act (Wet op de Geneeskundige Behandelingsovereenkomst).
The Code distinguishes between what can and what cannot be done using anonymous data and coded data. Coded data are anonymous from the researcher’s perspective, as the data can only be traced back to an identifiable, natural person through the intervention of a messenger and the application of a code key. The procedure for providing coded data should be such that the researcher receiving the data does not have access to the code!

The Code details restrictions and compulsory procedures for each of these kinds of registrations. No permission is required from those involved if the study is totally anonymous. In principle, individuals involved in studies need to provide explicit consent if the details are directly or indirectly identifiable. A number of exceptions apply to this. Coded data that can be indirectly traced back to participants may be used without consent in scientific research if the individuals concerned have not objected to this and the study involves such large groups that the research could not reasonably be carried out by asking for individual consent. Data leading directly to participants may only be used without consent if the individuals concerned have not objected to this and requesting consent is impossible as a result of a number of instances described in the Code.

The full text of the code, summaries, information, a presentation about the principles and implementation and letter templates can be downloaded from this site: http://www.federa.org.

• Medical Research (Human Subjects) Act
When conducting scientific research using (healthy) trial participants in extramural settings, each researcher needs to observe the Medical Research (Human Participants) Act (WMO). The Central Committee on Research involving Human Subjects (Centrale Commissie Mensgebonden Onderzoek, CCMO) is responsible for implementing the WMO. See http://www.ccmo.nl for the text of the WMO, clear guidelines and a flowchart of the issues that need to be tested. The CCMO monitors the activities of recognised medical ethics committees (METc), which are responsible for assessing research protocols.

• Data Protection Act
The Dutch Data Protection Act (Wet Bescherming Persoonsgegevens, WBP) protects the rights of individual citizens in the Netherlands. Monitoring whether the laws governing the use of personal data are being observed is in the hands of the Data Protection Board (College Bescherming Persoonsgegevens, CBP). In principle, all recording of personal data needs to be reported to the Board.
The EMGO has an arrangement whereby this can be undertaken internally via the so-called Privacy Officer. The registration procedure is described on our intranet.
For further information and details about the WBP and the CBP visit: http://www.cbpweb.nl.

• For information: Penalties
According to the Medical Research (Human Subjects) Act of February 1998, conducting scientific research without written consent of the participant is a serious offence that is punishable with a prison sentence of up to 1 year. Undertaking research without insurance cover, or in the absence of a protocol that has been approved by a recognised medical ethics committee, is an offence punishable with a prison sentence of up to 6 months.

Privacy sensitive data: Details that enable individual study participants to be identified.

V1.2: 1 Jan 2010: Translation of guideline to English and updated.
V1.1: 27 Oct 2005: Amendment to include that the project needs to be registered with the Privacy Officer.

    • Are confidential details being collected in the project?
    • Which members of staff have access to confidential research data?
    • Has a confidentiality agreement been signed by all staff who have access to confidential research data?
    • Has the researcher taken the necessary measures regarding the safeguarding of files with confidential information?
    • Will separate, anonymised data be made available to individuals outside the EMGO Institute? If so, has a transfer agreement been signed for this?
    • Are the input databases and other files with confidential information in a directory on the network?
    • Has the project been registered with the Privacy Officer?
    • Will/have all names and addresses of research participants be/been removed no later than 6 months after the study is completed? Have the stored research data been archived anonymously, and can they therefore not be led back to individuals?

If not, have the research participants signed consent forms allowing the data to be stored longer than 6 months after the study completion?