In order to take appropriate technical and organisational measures to protect the privacy and autonomy of people involved in your study, it is important to distinguish between data in care environment and data in the scientific research environment.
The care environment is typical for UMCs and refers to databases that are used for diagnosis and treatment of patients or self-evaluation of healthcare providers, such as Electronic Patient Files (EPD). The scientific research environment refers to databases that are used to answer scientific research questions, such as research data warehouses and (clinical) research databases.
In modern medical research, these two data systems are increasingly integrated. However, the distinction is important because different laws and guidelines apply to the two environments and these laws may even conflict. Your data environment needs to comply with the applicable rules and regulations. It is necessary to take appropriate technical and organisational measures to protect privacy and offer data security.
Figure. The technical and operational measures that should minimally be taken to protect privacy and offer data security. Source: Radboud University Medical Centre Nijmegen
Data collected in a care environment may be used to answer research questions. Data collected in a scientific research system may travel back to the healthcare system as 'unexpected incidental findings' crucial to be communicated to the study subject. Data collected in a scientific research system may also be used in a healthcare system to avoid double data collection (e.g., collection of quality of life data in intervention trials).
Yes, you are allowed to do this. However, it is crucial that you protect the privacy of patients and the safety of the data. To this end, we recommended using the infrastructure that is supported by your UMC, or at least:
he GDPR allows for some exceptions when the purpose is scientific research. Yet, the criteria of these exceptions have not been defined. Currently, efforts are being made to define the criteria. The Code of Conduct for the Use of Data in Health Research will be updated soon.
The current code can be applied as long as it is in line with the WGBO and GDPR (AVG).
Yes, but only when the data are fit for clinical purposes. Be aware that research data usually undergoes less stringent quality control than clinical data. Extra checks are often required before research data can be used in the clinic, including an extra verification of the identity of the study subject.
If data have to be collected in the research environment for logistic or technical reasons, the data should only be allowed to return to the care domain under very stringent data quality conditions. These conditions should be explicitly described in the research protocol and the procedures and data should explicitly be verified by the responsible treating physician or the Board of the UMC.
Data collected in a healthcare environment, such as a UMC, are subject to an identity verification process involving the 'Burger Service Nummer' (BSN), which is a unique identification number for civilians. Data collected in scientific research projects are generally not allowed to contain the BSN in unencrypted format. Therefore, any automated mechanism to return research data to the care domain without additional verification of the subject's identity and an assessment whether the data is also fit for care purposes, is unacceptable. A solution could be the explicit verification by a responsible physician to classify the information content of data in a research environment as 'accepted for care purposes' before being added to an electronic patient file as a date and time-stamped snapshot.