= Information Governance Procedure Tags: [[HowTo]] [[LCBRU IT]] [[Information_Governance_Category]] == Overview This is guidance for Information Governance based on the outcome of a meeting with Ewan Robson (UHL Head of Privacy). It consists of a series of scenarios and what would be the appropriate Information Governance requirements in each case. This is just guidance and should not be taken as gospel. In the case of any doubt, ask for advice from Ewan or one of his team. The main thing to remember is that consent is the key deciding factor. If we explicit consent to share data with the organisation, then we should be able to with the appropriate data sharing agreements. On the other hand, if we do not have specific consent, we CAN NOT share the data, no matter what. == Scenarios === Intra-NHS Data Sharing ==== Obtaining Patient Identifiable Clinical Data from Other Sites - Ensure that the data to be shared is contained within the protocol which is signed by the external site's PI. - It should then be up to the external site to decide if a data sharing agreement is required and get us to sign it. ==== Hosting Patient Data Entered by Clinicians at External Sites - They are acting as users to our system, entering data on our behalf, as so no data sharing agreement is required. ==== Sending Patient Identifiable Data to External Sites - This will need us to create a data sharing agreement for the external site to sign. - If we are only hosting the site and are not doing research on the data ourselves, we will be designated as Data Processors. - If we are also going to use the data for our research, we will be designated as Co-controllers of the data. === International Data Sharing - In effect this is the same as Intra-NHS data sharing: if we are receiving data the sending site should get us to sign an agreement; if we are sending data, we should create an agreement and get the receiving site it. However, it is probably worth checking all of these with Ewan and his team. === Data Access within UHL - We are OK to access any data as long as with have explicit consent from the participant. === Data Collection Over the Internet - This is acceptable as long as adequate security measures are in place (SSL, password protection, firewalls, etc). - Collecting data from patients directly over the internet is fine as long as it has been approved in the protocol. === Sharing Data Between UHL and UoL - Sharing of Pseudo-anonymised data between UHL and UoL does not require an agreement. - However, genetic data may soon be considered genetic data. Therefore, sharing of genetic data will not be allowed without explicit consent (this will depend on the meaning of the LCBRU, possibly). Also, does this mean that combining pseudo-anonymised data from UHL with genetic data will be considered re-identification, which is a big no-no? Ewan's advice on this subject is required. [[BackLinks]]