Processing patient data on computers attached to the College network

1. It is recognised that some research, particularly clinical, requires the processing and/or storage of personal and sensitive information relating to living individuals e.g. patients. All such activity is governed by the General Data Protection Regulation (GDPR) and members of College must comply with the GDPR when processing/storing such personal information.

2. It is a condition of Use of Information Communication Technologies (ICT) Facilities at Imperial College that members of College may only process and/or store information relevant to their College work on computers (portable/mobile devices, desktops or servers) attached, permanently or temporarily, to the College network. Examples of processing and/or storage include e-mail communications (whether stored locally or on a College server), word-processed documents, medical images, databases and web pages. Processing of data for patient management purposes is not permitted on the College network or on equipment connected to it.

3. It is essential that the highest standards of ICT systems security are employed to ensure any research involving patient data is carried out only in secure environments. With respect to the security of personal data, it must be noted that the College network is widely and legitimately accessible across the campus and from the internet. In terms of the processing and storage of personal data, the network must be regarded as being insecure, having no access restrictions. Consequently, any identifiable patient data stored on any computer connected to the College’s network must be encrypted and/or secured behind an appropriate firewall. It is not sufficient to rely on normal system passwords. It is also not acceptable for unencrypted identifiable patient data to pass across the College network. Unencrypted identifiable patient data must never be stored on mobile devices or portable storage devices (such as USB sticks). Staff intending to conduct research involving identifiable patient data should consult with ICT security staff to ensure that appropriate measures and systems are in place to safeguard the security of the data.

4. Information relating to the clinical management of patients under the care of an NHS Trust typically belongs to that Trust (and not to the individual clinician), irrespective of the use to which the data is being put, i.e. clinical diagnosis or research purposes. However, in the latter case, the data may be transferred to a third party, such as the sponsor of a study. Identifiable patient data should only be transferred to a third party if the data subject was made aware that the data would be shared in this way, either at the point they consented to their data being used for research purposes (where consent was sought as the legal basis for processing the data) or at the point at which it was explained to them (typically in a privacy notice) how their data will or may be used (where one of the other legal bases for processing was relied upon). Information obtained on patients and healthy volunteers specifically for the purpose of a research study, i.e. beyond normal clinical care, will belong either to the study sponsor or to the investigator.

5. In the cases where no more appropriate basis for processing of any sensitive personal data is available under the GDPR, the explicit consent of the data subject must be obtained, by the data owner, before any such sensitive data are stored or processed. The data owner may be a Trust, a sponsor or the investigator. When seeking consent, data subjects should be informed of the purposes for which their data will be used, in accordance with the ‘lawfulness, fairness and transparency’ principle set out in Article 5 of the GDPR, and the likely recipients to whom their information could be disclosed (e.g. the College if the data has been collected by the Trust).

6. To summarise, identifiable patient data (e.g. clinical data), collected for whatever purpose, must not be stored or transmitted on the College network unless adequately protected to prevent disclosure of that data to unauthorised persons. This requires either that adequate security measures are in place or that the data are adequately anonymised. It should be noted that where the data has been coded but there still exist separate records, electronic or paper, which enable the individual to be ultimately identified, then that data is not fully anonymised and falls under the GDPR. Thus it must be properly processed in accordance with the GDPR and adequately protected.