Ethical and Governance Approval
The Health Research Authority (HRA) assesses governance and legal compliance of England-led project-based research in the NHS. HRA Approval is a process undertaken by dedicated HRA staff and offers an independent Research Ethics Committee (REC) opinion provided through the UK research ethics service.
The OPTIMAM project has ethical approval to collect images and data from participating sites for the creation of a research database and to add new collection sites.
The OPTIMAM project obtained HRA approval and a favourable ethical opinion in July 2014 for a renewable period of five years.
This OPTIMAM project obtained renewed HRA approval and a favourable ethical opinion in July 2019 for a renewable period of five years.
Ethical and Governance Considerations
The NHS constitution clarifies that the collection of de-identified data without patient consent is permissible. In fact, in its constitution, the NHS pledges:
"To anonymise the information collected during the course of your treatment and use it to support research and improve care for others."
All OMI-DB data is pseudonymised at the point of collection using DICOM 142 supplement compliance tools. This supplement is a standard for de-identification of data in DICOM files. Pseudonym lookup tables are maintained on secure servers at the clinical collection sites and access is restricted to staff involved in the patients' clinical care or data managers with specific approval to access the patient data for the purpose of de-identification. All data shared with research staff will have already been de-identified and researchers will have no access to the pseudonym look-up tables.
The NHS Constitution also states that:
"You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure."
An Information Governance Review carried out in 2013 by an independent panel on behalf of the Secretary of State for Health, clarifies how data should be shared and accessed for research: Pseudonymous data or anonymous data that can be re-identified has been reclassified as de-identified data for limited disclosure or limited access. Researchers using data must enter a contractual agreement between data controllers covering data flow, purposes of use, and safeguards. The data can be shared within an environment covered by a contractual agreement.
The agreement states how mammography images and associated data will be collected and that sites give OMI-DB permission to act as data processors (via letters of access) in order to de-identify the images and data.
At the larger centres, data is accessed by two data managers with letters of access giving permission to access the data at the clinical sites for this purpose. The data managers are full time NHS employees with a duty of confidentiality with regards to patient information. As far as possible, the pseudonymisation process will be done in an automated way which avoids the need for the data managers to see any patient identifiable data. The data managers are trained in information governance policies by their host Trust.
At sites providing a smaller number of images, staff with clinical care responsibilities will complete the pseudonymisation process using software tools provided by our team.
Data held by the collection sites' PACS, clinical systems and databases is the responsibility of that site and they are the data owners of that data. It is with this proviso that they give us letters of access to access the data they are responsible for. When we take de-identified copies and centralise them, we become the data owners of that data.
The sharing agreement is created in collaboration with Cancer Research Technology (CRT). Applications will be subject to scientific critique and subject to external peer review if deemed proportionate and where the necessary expertise is not available within the subgroup.
Informing Patients about Data usage
The NHS Constitution also states that:
"You have the right to be informed about how your information is used."
At each collection site, a Patient Information Poster is displayed, informing patients about the usage of their data.
- Patel MN, Looney P, Young K, Halling-Brown MD. Automated Collection of Medical Images for Research from Heterogeneous Systems: Trials and Tribulations. 2014;9039:90390C.
- EC. REGULATION (EU) 2016/ 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/ 46/ EC (General Data Protection Regulation). 2016 [cited 2017 Sep 27]; Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- Caldicott review: information governance in the health and care system - GOV.UK [Internet]. [cited 2017 Sep 27]. Available from: https://www.gov.uk/government/publications/the-information-governance-review
- Vollmer N. Recital 26 EU General Data Protection Regulation (EU-GDPR). 2016 Dec 6 [cited 2017 Sep 27]; Available from: https://www.privacy-regulation.eu/en/r26.htm
- The NHS Constitution for England - GOV.UK [Internet]. [cited 2017 Sep 27]. Available from: https://www.gov.uk/government/publications/the-nhs-constitution-for-england/the-nhs-constitution-for-england#introduction-to-the-nhs-constitution