RPA RPA
Research Ethics and Governance Office

Databases

The establishment of databases for clinical and research purposes is the basis of good clinical care and a valuable tool for the investigation of research questions that can lead to improved patient outcomes.

The establishment of a database for research purposes requires the approval of a Human Research Ethics Committee (HREC) and the authorisation of the Research Governance Officer(s) at the site(s) where the data will be collected and stored before the activity commences. You should familiarise yourself with the following documents as part of your preparations:

- Chapter 3.2 (Databanks) of the National Statement on Ethical Conduct in Human Research (2007, updated May 2015) (referred to below as the “National Statement”)

- Chapter 2.2 of the Privacy Manual for Health Information (© NSW Ministry of Health 2015) (referred to below as the “Privacy Manual”)

- Guidelines under Section 95 of the Privacy Act 1988 https://www.nhmrc.gov.au/guidelines-publications/pr1

- Guidelines approved under Section 95A of the Privacy Act 1988 https://www.nhmrc.gov.au/guidelines-publications/pr2

Strictly speaking, the establishment of a database of clinical practice medical records (eg within a private practice or a clinical department) does not require ethics approval. However, it is likely that such a database will – sooner or later - be utilised for research purposes. For this reason, it is highly recommended that ethics approval is sought before clinical records are transferred into an electronic format.

The following documentation is required for ethics / governance review of a database:
1. A completed ethics application form 

2. A protocol, which should address the following issues:

- The name of the database
- Its overall aim
- The database’s Sponsor 
  This can be an organisation or department. The Sponsor is responsible for the following:
- Defining the purpose or objective of the data collection;
- Establishing the scope and coverage of the data collection;
- Defining access and custody arrangements.

- The database’s Data Custodian

This must be a named person; changes must be notified to the HREC. The Data Custodian is responsible for the following:

- Ensuring a secure physical environment for the data, including backups and other safeguards, to prevent unauthorised access, destruction, use, modification or disclosure of data;
- Maintaining documentation, through development and update of the Protocol, of the existence, content and format of the data collection;
- Authorising new data users and providing advice and assistance on any constraints which apply to use of the data;
- Determining and implementing appropriate levels of protection for the data;
- Dealing with requests for access to the data;
- Maintaining a list of authorised data users.

- Location of the database

- Platform on which the database will be developed

- Database security

This should discuss firewall protection, log-in and passwords, details of staff with routine access, privacy / confidentiality agreements signed by such staff, etc.

- Nature of the data, ie identifying, re-identifiable (ie coded), non-identifying

Consideration should be given to whether it would be practicable to develop dual databases, one of which contains personal identifiers and codes and the other contains the codes and the data fields. Separate log-ins and passwords would then give added security to the data, and reduce the risk of releasing identifying data to authorised researchers.

- The data fields to be collected
- Informed consent of the patients / research participants

There are three options to consider:
a. Obtaining the informed consent of the people whose personal and health information will be included in the database is the ‘gold’ standard. Please refer to the National Statement 2.2 and 3.2, and the Privacy Manual 5.4. Templates of the information sheet and consent form for the establishment of databases can be found on the Research Ethics and Governance Office website at: http://www.slhd.nsw.gov.au/rpa/Research/forms.html

b. Informing the people whose personal and health information will be included in the database and then giving them the option to opt-out. Please refer to the National Statement 2.3 (particularly 2.3.5 - 2.3.8) for further information and guidelines on opt-out consent and on the bases upon which the HREC may consider this acceptable.

c. If you believe that it is not possible to obtain the informed consent of the people whose personal and health information will be included in the database, you may seek a waiver of consent from the HREC under the Statutory Guidelines on Research of the Health Records and Information Privacy Act 2002. To justify such a request, you would need to explain the following:

(1) why the database could not be developed using non-identifying data, eg
- It involves data linkage from multiple sources,
- scientific defects would result if non-identifying data were used)

(2) why it would be impracticable to obtain consent, eg
- the size of the population involved;
- The proportion of people who are likely to have moved or died since the health information was originally collected;
- The risk of introducing potential bias into the research, thereby affecting the generalisability and validity of results;
- The risk of creating additional threats to privacy by having to link information in order to locate and contact individuals to seek their consent;
- The risk of inflicting psychological, social or other harm by contacting individuals with particular conditions in certain circumstances;
- The difficulty of contacting individuals directly when there is no existing or continual relationship between the organisation and the individuals;
- The difficulty of contacting individuals indirectly through public means, such as advertisement and notices

and

(3) why the public interest in the proposed database and the research to be done using the collected data outweighs the public interest in the protection of privacy.

More information and guidelines on the waiving of consent and on the bases upon which the HREC may consider this acceptable can be found in the National Statement 2.3 (particularly 2.3.9 – 2.3.12).

- Database management, including details of the Management Committee – if it is the expectation of the Data Sponsor that access to data in the database will be given to researchers from outside the SLHD

- Database access for research purposes, including the Data Request Form which researchers will be required to complete and sign before being given data for a specific research study.

For both SLHD researchers and researchers from outside the SLHD, it is the expectation of the HREC that:

- Applications for access to and use of data held in the database will be considered by the Data Custodian (if SLHD researchers wish to access the data) or the Database Management Committee (if researchers from outside the SLHD wish to access the data).
- Such applications will be made on a Data Request Form, which will seek details of the applicants, the aim of the study, hypothesis, number of records sought, data fields sought, security of provided data, statistical analysis plan. In addition, in the case of researchers from outside the SLHD, the Form should require the applicants’ signature on an undertaking to maintain the security of the data provided and an assurance that it will not be passed to any third party.
- Every use of data from the database for research purposes will have its own ethics approval granted by a duly constituted HREC and its own site authorisation (via a Site Specific Assessment application) by the relevant Research Governance Officer. Such applications should refer to the database by name and ethics approval number.

- The Protocol should include a footer with a version number and date.

3. The information sheet and consent form / opt-out form which will be given to patients / research participants on the development of the database. These should include a footer with a version number and date.

4. The data fields to be included in the database, along with the data dictionary, and, if appropriate, the Data Collection Form. These should include a footer with a version number and date.

5. Following receipt of ethics approval for the establishment of the database, a Site Specific Assessment Form will need to be completed and submitted for review and site authorisation to the Research Governance Officer of the site at which the database is to be located. In addition, if data are to be collected for the database from multiple sites, then the submission of a Site Specific Assessment Form will need to be made to the Research Governance Officers responsible for those sites.

 VERY USEFUL INFORMATION ON SENSITIVE DATA

The Australian National Data Service (ANDS) has a website (http://www.ands.org.au/working-with-data/sensitive-data) which contains a vast amount of very helpful information on the management of data, including the following:

1. 10 medical and health research data Things (http://www.ands.org.au/__data/assets/pdf_file/0005/589694/10medicalandhealthresearchdataThings.pdf)

2. ANDS Guide: De-identification (http://www.ands.org.au/__data/assets/pdf_file/0003/737211/De-identification.pdf)

3. ANDS Guide: Publishing and sharing sensitive data (http://www.ands.org.au/__data/assets/pdf_file/0010/489187/Sensitive-data.pdf)

In addition, it conducts webinars on topics of relevance to researchers on the collection, use and sharing of data. Past webinars are available on YouTube and as text. Free registration is available for future presentations.