Data Protection Concept Europa


Data protection concept EuroPa September 2002

1. Institutions and persons in charge

Responsible Contact at national level

Prof. Dr. med. Wolfgang Oertel, Scientific Coordinator, Philipps-University Marburg, Department of Neurology, Rudolf-Bultmann-Str. 8, 35039 Marburg, Tel.: +49-6421-28-65200, Fax: +49-6421-28-68955, Email: [email protected]

Dr. Regina Wick, Project Manager, Philipps-University Marburg, Department of Neurology, Rudolf-Bultmann-Str. 8, 35039 Marburg, Tel.: +49-6421-28-65455, Fax: +49-6421-28-65308, Email: [email protected]

Responsible Project Coordinator

Prof. Dr. med. Wolfgang Oertel, Scientific Coordinator, Philipps-University Marburg, Department of Neurology, Rudolf-Bultmann-Str. 8, 35039 Marburg, Tel.: +49-6421-28-65200, Fax: +49-6421-28-68955

Contact at project coordination level

Dr. Regina Wick, Project Manager, Philipps-University Marburg, Department of Neurology, Rudolf-Bultmann-Str. 8, 35039 Marburg, Tel.: +49-6421-28-65455, Fax: +49-6421-28-65308, Email: [email protected]

2. General project description and objectives

The European Cooperative Network for Research, Diagnosis and Therapy of Parkinson’s Disease (EuroPa) is a project funded by the European Commission within the 5th Framework Programme (Quality of Life and Management of Living Resources) over a period of 3 years. Project start was December 1, 2001.

The project aims at the development of a synergistic European network that bundles and coordinates existing competence in clinically orientated research on Parkinson’s Disease (PD). A main achievement will be a central patient registry, combined with a web-based data entry system. The registry will be maintained and extended continuously by all participating centers. The capability of recruiting clinically well described patients from the registry will give EuroPa a big advantage in planning and conducting multinational, multicenter clinical trials and research projects on PD. The multinational network of highly qualified clinical centers will furthermore accelerate the standardization of diagnostic and therapeutic strategies and the spread of good clinical practice. By this means the work of EuroPa aims at a faster improvement of the treatment of patients suffering from PD. The network and its infrastructure are also qualified for conducting epidemiological studies as well as comparative research on socio-economic aspects of PD. EuroPa will increase our knowledge about the disease and its impact on the patients, the health care system and the society in many European countries.

Organization

Clinical centers of 11 countries participate in the EuroPa project (Germany, France, United Kingdom, The Netherlands, Austria, Spain, Portugal, Italy, Sweden, Czech Republic, Israel). Project coordinator is Prof. Wolfgang Oertel, Philipps University Marburg (Germany). The network is organized in a nodal structure. Besides Germany, the centers from France, The Netherlands and United Kingdom play a particular role in setting up the network structure of EuroPa. By cooperating with additional clinical centers on a national level, small national networks of PD specialists will be developed that take advantage of EuroPa’s infrastructure. Decision making boards are the Contractors Council and the Steering Committee. The Contractors Council comprises a representative of each country and meets at least once a year. The members of the Steering Committee are eight representatives of the Contractors Council. The Steering Committee will meet two times a year or more frequently if necessary; it provides the overall policy, direction and management for the project and monitors the work progress. Certain project tasks are specified in terms of work packages (patient registry, clinical research and trial center, data management, network management, economics and fundraising). Work package leaders are responsible for their work package and organize the tasks within their work groups. They report to the project coordinator, the Steering Committee and the Contractors Council.

Network and Clinical Research & Trial Center

The main objective of the project is the constitution of a functioning and productive network of European clinical specialists for Parkinson’s Disease. Initially, the network will associate clinical researchers from 11 European countries. Centers that have signed the contract with the European Commission will form the core of the network. They will furthermore extend the scope of EuroPa by establishing small networks on a national level. The network will further grow and continue its work as an independent organization, utilizing the infrastructure of EuroPa to initiate, plan and carry out research and clinical trials on Parkinson’s Disease.

By establishing the corresponding administrative and organizational infrastructure, EuroPa could become the European counterpart to the US Parkinson Study Group.

Patient registry

Clinical data of patients with Parkinson’s Disease are stored in a central database – the EuroPa patient registry. The data will be stored anonymised. Only the treating doctor can re-identify a patient according to his pseudonym. A common minimal data set that was defined and agreed on by all members specifies which clinical data will be collected. Data entry will be web-based. No additional client software needs to be installed. Access rights are regulated. Access to the database is password-protected. Each participating center can only access its own data. Only members authorized by the legitimate administrative board (e.g. Steering Committee) will have access to query the entire database for selecting entries (patients) for a certain study or trial.

Research

Part of the project is a comparative analysis of patient care in PD patients in Europe in order to gain a better understanding of the pharmaco-economic and socio-economic impact of the disease. The study will evaluate the health care system and the consequences for care of PD patients in all participating countries.

Furthermore, a cross-sectional epidemiological study will be carried out during the project phase. The topic has still to be chosen. The study will evaluate the ability of the network and its infrastructure to carry out international, multi-center research studies.

3. Collected data

3.1. Patient personal data

The following personal data will be collected from each new patient.

- Gender
- Title
- Name
- First name
- Middle Initials
- Address
- Date, place and country of birth

The personal data will at no time be stored at the central patient registry or transferred via Internet. The treating doctor will print out the patient personal data together with the pseudonym (patient identification code) that will be allocated to each patient (see below). Since the pseudonym is a random number it contains no information about the patient’s identity.

3.2. Medical data

The medical data collected from each patient for the registry are defined by the minimal data set. For details see Annex I. No additional data will be stored in the central patient registry. A prerequisite for the collection of any data is the patient’s consent, which he needs to confirm with his signature in advance (see below and Annex II for details). The collection of additional data within the scope of clinical trials or research projects will require the approval by ethical committees.

4. Pseudonymization and Re-identification

Medical data of each patient are stored anonymised. That is, all personal data are replaced by a pseudonym that contains no information about the patient’s identity (such as initials, birthday etc.). Each pseudonym (patient identification code - PID) will be allocated to just one patient. It is a free combination of 6 letters and numbers in total, like agh347. All pseudonyms are generated and allocated at random. Besides the pseudonym, only the ID of the medical center that is attending the patient will be stored on the central server of the patient registry. Patient code, center ID and the medical data collected will not allow the patient’s identity to be retrieved.

The responsible doctor who collected the medical data and printed out and safely preserved the pseudonym together with the personal data will be the only person who can re-identify the patient. If the doctor is no longer involved in the treatment of the patient or in case responsibilities for the EuroPa project have been changed at the center, another doctor could take over the responsibility for the files with the pseudonyms and personal data. He must be a registered and trained doctor for EuroPa as well. At the time of a re-visit the patient must be informed about this change. The patient will receive contact information from the new doctor and has the chance to direct inquiries regarding his data or the project at any time.

It is not allowed to share the personal data of a patient with any third party, not even with another participating center in the project.

Re-identification will be allowed for the following purposes:

a) The pseudonym was selected for a clinical trial and the patient needs to be contacted and asked whether he agrees to take part.
b) A new visit has to be scheduled for the patient and new data will be collected.
c) The patient withdrew his consent and the doctor has to find the patient’s pseudonym in order to have his data deleted from the database.

5. Data collection process

Personal and medical data of patients diagnosed with Parkinson’s Disease are collected by the treating neurologist during a visit of the patient. Participation in the project is voluntary for all patients. The patient will be informed by the neurologist about the kind and purpose of the data collection and will sign an informed patient consent prior to data collection (see Annex II). The patient can always withdraw his consent and his participation in the project. The patient furthermore has the opportunity to direct inquiries regarding data collection and processing to the treating neurologist and to inspect the data collected from him. Visits will be scheduled on an annual basis. Therefore, the medical condition of the patient will be followed up and the database will be updated regularly.

All participating neurologists are registered and must identify themselves to the database by entering their ID and password. A high level of password security will be enforced. Participation in the project combined with the right to enter data will require prior training. For that purpose, the database and web application contain a separate training mode. The neurologist can get familiar with the system without entering real data or having access to any data stored in the registry. Furthermore, Standard Operating Procedures (SOP) define measures and rules for a proper use of the web-based data entry system.

Both personal data and medical data are collected by a web-based data capture system. A web application running on the application server that is connected to the database (patient registry) will establish and control the communication between the application and the browser of the authenticated user. In order to enter a new patient into the database, a form will be generated by the application in which the personal data of the patient can be filled in. Only after all mandatory fields have been completed will a pseudonym be allocated to the new patient automatically by the application, as described above. The form containing the personal data AND the pseudonym will be printed out. The personal data will not be stored on the local computer, nor will they be transferred to, processed in or stored in the patient registry.

After a new patient has been entered into the registry in anonymized form by means of his pseudonym, the web application will provide a questionnaire according to the minimal data set and the medical data of the patient can be entered into the central database. Data once stored in the database can be modified later on but not deleted unless the patient withdraws his consent. A history of all modifications made will be registered by the system and stored.
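The allocation rule from sections 4 and 5 (a random 6-character PID, unique per patient, issued only once the mandatory fields are complete, with the registry holding nothing but PID and center ID) can be sketched as follows. This is an added example, not code from the EuroPa application; the class and function names, the lowercase-plus-digits alphabet and the choice of mandatory fields are assumptions.

```python
import secrets
import string

# Section 4 describes a PID as 6 letters and numbers, e.g. "agh347".
# Assumption: lowercase letters and digits, as in that example.
ALPHABET = string.ascii_lowercase + string.digits
PID_LENGTH = 6
# Assumption: the page does not say which section 3.1 fields are mandatory.
MANDATORY = ("gender", "name", "first_name", "address", "date_of_birth")


def random_pid():
    """Draw one candidate from the OS CSPRNG, so PIDs are not predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PID_LENGTH))


class CentralRegistry:
    """Stands in for the central server: it only ever sees PID and center ID."""

    def __init__(self):
        self._center_by_pid = {}

    def allocate_pid(self, center_id, draw=random_pid, max_attempts=100):
        for _ in range(max_attempts):
            pid = draw()
            if pid not in self._center_by_pid:  # one PID, one patient
                self._center_by_pid[pid] = center_id
                return pid
        raise RuntimeError("could not find an unused pseudonym")

    def stored_row(self, pid):
        return {"pid": pid, "center_id": self._center_by_pid[pid]}


def enter_new_patient(registry, center_id, personal):
    """Allocate a PID only once the form is complete; return the print-out."""
    missing = [name for name in MANDATORY if not personal.get(name)]
    if missing:
        raise ValueError("mandatory fields missing: " + ", ".join(missing))
    pid = registry.allocate_pid(center_id)
    # The print-out is the only record linking identity and pseudonym;
    # nothing from `personal` is passed to the registry.
    return {"pid": pid, **personal}


if __name__ == "__main__":
    registry = CentralRegistry()
    patient = {"gender": "m", "name": "Example", "first_name": "Pat",  # constructed
               "address": "1 Sample Street", "date_of_birth": "1940-01-01"}
    printout = enter_new_patient(registry, "C01", patient)
    print(printout["pid"], registry.stored_row(printout["pid"]))
```

In a real database the uniqueness check and the insert have to be one atomic step (for example a unique constraint on the PID column), otherwise two concurrent registrations could receive the same pseudonym.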

6. Data storage and processing

6.1. Storage of patient personal data

The patient personal data and the patient identification code exist only as a print-out at the responsible center. So far, this print-out is the only data basis for re-identification of the patient whose medical data are stored anonymised in the patient registry with the patient code as the only reference. The data must be stored in a safe place and be protected from misuse or theft. The criteria for treating sensitive patient data within hospitals also apply to the data collected within this project. The same applies if the personal data are stored electronically in a separate database at the clinical center.

6.2. Transfer and storage of patient medical data

An authorized member of the EuroPa network can access the patient registry database via the Internet using a standard web browser. All data is transferred via SSL (128bit) to the central server located at the place of the project coordinator at Philipps University Marburg, Germany.

Technically speaking, the patient registry database is an Oracle 9i relational database. The database is accessed by an application, the middleware, programmed using Apple’s WebObjects 5.1, which communicates over the so-called “Oracle Channel”. The application can read, change or store data in the database. It contains an audit trail functionality where changes of electronic forms are logged, including the information what was done by whom and when. Access is granted only to authorized users according to the assigned user rights.

The security policy does not allow direct access to the database. EuroPa members can access an external webserver using an SSL connection only. This webserver works in proxy mode. It verifies the connection and then requests the required information from an internal webserver. Replies from the internal secured network are passed back by the external webserver to the EuroPa member. Therefore the secured internal network is transparently decoupled and invisible to the Internet. Additionally, communication can take place using encrypted channels only. Data can therefore not be changed or wiretapped during transmission.

6.3. Data security and protection measures

Physically, the database and the servers are kept in a secured server room. Only authorized personnel of the contracting partner responsible for the data management of the project (iAS GmbH, Berlin) can access the servers directly for support and maintenance. A UPS (uninterruptible power supply) protects the system from power failures. An external rack storage contains the hard disk drives configured as RAID-5 (redundant array of inexpensive disks). The provided redundancy protects the database in case of a failure of a hard disk. In addition, a regular backup provides the possibility to restore the database after a complete data loss (e.g. necessary after data corruption).

The security during data transfer is assured by several measures at different levels:

- The application layer security is represented by the external proxy webserver, which accepts only encrypted protocols, both from external connections and from the internal webserver. This layer also contains the first component of the packet filter of the firewall. The external webserver prevents direct access from the Internet to the internal webserver and the database.
- The protocol layer security covers the second part of the packet filter of the firewall, allowing only communication between external and internal webserver. Additional security mechanisms like intrusion detection and intrusion response systems are installed at this layer as well.
- The middleware, as the connection between internal webserver and database, is responsible for restricting database access to authorized users according to the specified user rights.

7. Access rights and responsibilities

All scientific members who belong to a participating clinical center and are registered have full access to their own data but not to the data of other centers.

Non-scientific members and sub-contractors have no access to any patient data.

Scientific sub-contractors that do not enter data (e.g. biometrics, monitors) could have reading rights for certain data, e.g. for quality control purposes. Such access rights are project-dependent and temporary and need the approval of the Steering Committee.

Technical administrators and user administrators have no access to any patient data. The user administrator can register new centers and users (neurologists). Each center will have its own ID. Registering a new center will require a written application by the responsible EuroPa member. Each user has his own ID and password. Registering a new user will require a written application by his responsible clinical center. Furthermore, information about his name, address, telephone number, his responsibilities and rights and whether he has been trained for using the database is also required. Access rights of users and centers can also be canceled. A written application from the responsible member/center will be required.

The technical administrator can erase the data of a certain patient in case the patient has withdrawn his consent to participating in the project and having his data stored in the patient registry. In order to erase the data of a patient, the responsible center has to send a written order with the patient pseudonym to the technical administrator. The process of erasing data must be documented.

An authorized registry administrator will have query rights for the entire database, e.g. for selecting patients (pseudonyms) for certain studies or trials. He has no direct access to the data and no writing rights. All queries will be stored for reference purposes. The registry administrator will be elected by the Steering Committee. Each query will require a mandate by the Steering Committee as well.

8. Patient consent

A signed patient consent will be mandatory before any data of the patient is collected. A patient information brochure explains the project and its objectives as well as the rights of the patient. See Annex II for a copy of the patient information brochure and the informed consent. If patients have already signed a consent for a similar, national registry / project that covers the extension of the use of their data – no further consent will be necessary.

Patients have the right to withdraw their consent for

a) being recruited for clinical trials
b) having their data stored in the registry

For a) this information must be documented in the registry. Patients will not be part of database queries for trial recruitment. For b) data have to be erased from the registry and the local database.
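The access rules of section 7 and the two withdrawal cases of section 8 can be expressed as checks at the middleware layer. The sketch below is an added example, not the project's implementation; the role labels, the `recruitable` flag, the reference strings and the `onset_year` field are assumptions, and the records are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                       # role names below are assumed labels
    center_id: Optional[str] = None


class PatientRegistry:
    def __init__(self):
        self.records = {}       # pid -> center_id, recruitable flag, medical data
        self.query_log = []     # every registry-wide query is kept for reference
        self.erasure_log = []   # every erasure is documented

    def read(self, user, pid):
        rec = self.records[pid]
        # Scientific members see their own center's data and nothing else.
        if user.role == "scientific_member" and user.center_id == rec["center_id"]:
            return rec["data"]
        raise PermissionError(f"{user.role} may not read {pid}")

    def select_for_trial(self, user, mandate_ref, predicate):
        # Registry administrator: needs a Steering Committee mandate per query
        # and gets pseudonyms back, not record contents; there is no write path.
        if user.role != "registry_admin" or not mandate_ref:
            raise PermissionError("registry-wide query requires a mandate")
        pids = sorted(p for p, r in self.records.items()
                      if r["recruitable"] and predicate(r["data"]))  # case a)
        self.query_log.append({"user": user.user_id, "mandate": mandate_ref, "result": pids})
        return pids

    def erase(self, user, pid, written_order_ref):
        # Technical administrator: cannot read, may erase on a written order (case b).
        if user.role != "technical_admin" or not written_order_ref:
            raise PermissionError("erasure requires a written order")
        del self.records[pid]
        self.erasure_log.append({"user": user.user_id, "pid": pid, "order": written_order_ref})


def sample_registry():
    """Constructed sample data; 'onset_year' is a hypothetical field."""
    reg = PatientRegistry()
    reg.records = {
        "agh347": {"center_id": "C01", "recruitable": True, "data": {"onset_year": 1995}},
        "k2m9xa": {"center_id": "C02", "recruitable": True, "data": {"onset_year": 1999}},
        "p07rtz": {"center_id": "C02", "recruitable": False, "data": {"onset_year": 1998}},
    }
    return reg
```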
