You should protect both the privacy of your study subjects and the scientific integrity of your study by preventing unauthorized and unnecessary access to your data. You should implement state-of-the-art standard safety measures.
You can do this by:
Apply the FAIR principle both during and after completion of your research project. You should think of these safety measures to protect your data:
Having access policies for your data is an important part of data stewardship. Your access policies should establish:
Access policies are part of your data management plan. It is your responsibility to describe them before you start collecting data. In case of a clinical trial, a substantial change in access policies should lead to an amendment of your ethical protocol.
Important aspects are:
Make sure that you log who accesses the system for what purpose and who retrieves which data elements. Any access outside the authorisations in the access policies should be considered unauthorised access. You should be able to detect unauthorised access timely, whether from inside or outside.
In cohort studies, contact data is usually registered for study subjects. Access rules should differentiate between those having access to research data and those having access to contact data. In principle one should not have access to both, unless the researcher is also the treating physician. An exception can only be made for smaller projects that have a limited period in which data is created, processed, and analysed. You will have to argue why this exception applies to your research project in your research protocol (i.e., explain why it is necessary for staff members to access both research data and contact data).
In principle, your access policies should be described at the start of your project. One reason for this is that, in many cases, patients have to give informed consent on data sharing before you start collecting data. Yet, there should be sufficient room for change, following from the principle of responsible data sharing.
Although you describe it at the start, it may be adapted later on. New funders may require new access and sharing conditions. Your project may lead to unforeseen data, which generate unforeseen requests for those data. A recipient of the data, agreed upon at the start of the project, may have had a serious data breach or infringed scientific integrity. This should lead to reconsidering the original agreement.
Yes, most UMCs make all personnel that work with data in the care environment sign a
'geheimhoudingsverklaring' as a standard procedure.
According to current legislation, you need to distinguish the notions of 'the responsible entity' and 'the executor'.
The responsible entity:
New European legislation will place heavy fines on failure to report not only any attempt to unauthorized access to the data but also failure to report any possible unauthorized use of the data. For example, if the executor was aware of a major flaw in the protection mechanism of the data, this vulnerability should be reported to the authorities.
This topic is currently under debate. In the near future, an obligation to report data leaks is expected.
Databases connected to the internet are more vulnerable to unauthorized access. They should not contain identifiable data unless the infrastructure has taken sufficient measures to reduce the risk of access to the identity of a human subject to an extremely low level. Such measures could entail for example:
Also make sure that you can log who accesses the system for what purpose and who retrieves which data elements.
Don't. Use a proper password management system.
Ask your UMC's ICT Helpdesk.
Text in preparation