The establishment of databases for clinical and research purposes is the basis of good clinical care and a valuable tool for the investigation of research questions that can lead to improved patient outcomes.
The establishment of a database for research purposes requires the approval of a Human Research Ethics Committee (HREC) and the authorisation of the Research Governance Officer(s) at the site(s) where the data will be collected and stored before the activity commences. You should familiarise yourself with the following documents as part of your preparations:
- Chapter 3.2 (Databanks) of the National Statement on Ethical Conduct in Human Research (2007, updated May 2015) (referred to below as the “National Statement”)
- Chapter 2.2 of the Privacy Manual for Health Information (© NSW Ministry of Health 2015) (referred to below as the “Privacy Manual”)
- Guidelines under Section 95 of the Privacy Act 1988 https://www.nhmrc.gov.au/guidelines-publications/pr1
- Guidelines approved under Section 95A of the Privacy Act 1988 https://www.nhmrc.gov.au/guidelines-publications/pr2
Strictly speaking, the establishment of a database of clinical practice medical records (eg within a private practice or a clinical department) does not require ethics approval. However, it is likely that such a database will – sooner or later - be utilised for research purposes. For this reason, it is highly recommended that ethics approval is sought before clinical records are transferred into an electronic format.
The following documentation is required for ethics / governance review of a database:
2. A protocol, which should address the following issues:
- The name of the database
- The database’s Data Custodian
This must be a named person; changes must be notified to the HREC. The Data Custodian is responsible for the following:
- Ensuring a secure physical environment for the data, including backups and other safeguards, to prevent unauthorised access, destruction, use, modification or disclosure of data;
- Location of the database
- Platform on which the database will be developed
- Database security
This should discuss firewall protection, log-in and passwords, details of staff with routine access, privacy / confidentiality agreements signed by such staff, etc.
- Nature of the data, ie identifying, re-identifiable (ie coded), non-identifying
Consideration should be given to whether it would be practicable to develop dual databases, one of which contains personal identifiers and codes and the other contains the codes and the data fields. Separate log-ins and passwords would then give added security to the data, and reduce the risk of releasing identifying data to authorised researchers.
There are three options to consider:
b. Informing the people whose personal and health information will be included in the database and then giving them the option to opt-out. Please refer to the National Statement 2.3 (particularly 2.3.5 - 2.3.8) for further information and guidelines on opt-out consent and on the bases upon which the HREC may consider this acceptable.
c. If you believe that it is not possible to obtain the informed consent of the people whose personal and health information will be included in the database, you may seek a waiver of consent from the HREC under the Statutory Guidelines on Research of the Health Records and Information Privacy Act 2002. To justify such a request, you would need to explain the following:
(1) why the database could not be developed using non-identifying data, eg
(2) why it would be impracticable to obtain consent, eg
(3) why the public interest in the proposed database and the research to be done using the collected data outweighs the public interest in the protection of privacy.
More information and guidelines on the waiving of consent and on the bases upon which the HREC may consider this acceptable can be found in the National Statement 2.3 (particularly 2.3.9 – 2.3.12).
- Database management, including details of the Management Committee – if it is the expectation of the Data Sponsor that access to data in the database will be given to researchers from outside the SLHD
- Database access for research purposes, including the Data Request Form which researchers will be required to complete and sign before being given data for a specific research study.
For both SLHD researchers and researchers from outside the SLHD, it is the expectation of the HREC that:
- Applications for access to and use of data held in the database will be considered by the Data Custodian (if SLHD researchers wish to access the data) or the Database Management Committee (if researchers from outside the SLHD wish to access the data).
- The Protocol should include a footer with a version number and date.
3. The information sheet and consent form / opt-out form which will be given to patients / research participants on the development of the database. These should include a footer with a version number and date.
4. The data fields to be included in the database, along with the data dictionary, and, if appropriate, the Data Collection Form. These should include a footer with a version number and date.
5. Following receipt of ethics approval for the establishment of the database, a Site Specific Assessment Form will need to be completed and submitted for review and site authorisation to the Research Governance Officer of the site at which the database is to be located. In addition, if data are to be collected for the database from multiple sites, then the submission of a Site Specific Assessment Form will need to be made to the Research Governance Officers responsible for those sites.
Issued: 31 August 2017