guidelines for release of data - department of health/media/files... · guidelines for the release...
TRANSCRIPT
1
Information Circular
Enquiries to: Brooke Smith Senior Policy Officer
OD number: IC: 0208/14
Phone number: 9222 0268 Date: November 2014 Supersedes: IC 0125/12 File No: F-AA-14159
Subject: Guidelines for the Release of Data
WA Health collects, stores, uses and discloses large volumes of data. Managing information through each phase of the lifecycle provides WA Health the ability to monitor and effectively manage patient care, strategic and operational resources and fulfil legislative requirements.
The purpose of the Guidelines for the Release of Data (Guidelines) is to ensure data are released in a responsible manner and meets the requirements of its intended use. This is achieved through the proper documentation of the requester’s requirements and the completion of a Data Release Pro-Forma highlighting specific details of the data provided.
The Guidelines also aim to safeguard WA Health information by ensuring that authorised recipients are aware of their obligations to maintain the confidentiality and security of the data received. The Data Release Contract sets out binding terms and conditions relating to the use and disclosure of information and provides a useful resource for protecting confidential information.
Karen Lopez A/DIRECTOR PERFORMANCE
This information is available in alternative formats for a person with a disability.
No Lon
ger A
pplica
ble - R
escin
ded 7
May 20
20
Guidelines for the Release of Data
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 1 Page 1
Page 1
Table of Contents
1. BACKGROUND ..................................................................................................................... 2 2. SCOPE .................................................................................................................................. 2 3. TYPES OF DATA REQUESTS .............................................................................................. 3 4. PROTOCOLS FOR RELEASE OF DATA .............................................................................. 4 5. HUMAN RESEARCH ETHICS COMMITTEE APPROVAL .................................................... 5 6. DATA RELEASE PROCESS ................................................................................................. 5 7. DEFINITIONS ........................................................................................................................ 8
8. ROLES AND RESPONSIBILITIES ...................................................................................... 10 9. EVALUATION ...................................................................................................................... 10 10. RELATED DOCUMENTS .................................................................................................... 10 11. RELEVANT LEGISLATION ................................................................................................. 11 Appendix A................................................................................................................................. 12 Appendix B..................................................................................................................................14 Appendix C..................................................................................................................................15
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Effective: November 2014
Page 2
TITLE: GUIDELINES FOR THE RELEASE OF DATA
1. BACKGROUND WA Health creates, collects and maintains a vast amount of information, much of which is confidential personal health information. The information is an important resource used for the clinical care of patients, for funding, planning, monitoring, evaluation and improvement of health and health services in the State. It is also used to meet performance reporting obligations and to support health related research.
WA Health is committed to ensuring that information is available in a timely manner to authorised users and is of high quality to meet the requirements of its intended use. To protect information, authorised users (both internal and external to WA Health) must be well informed of their obligations to maintain confidentiality and security of the data received.
The Guidelines for the Release of Data (Guidelines) supplement the Information Access and Disclosure Policy (OD 0539/14) with respect to the authorised release and protection of information. The Guidelines should also be considered in conjunction with the Data Stewardship and Custodianship Policy (OD 0487/14), which documents the delegated responsibilities of Data Stewards and Data Custodians with respect to access and disclosure of WA Health information.
The term ‘data’ generally refers to unprocessed information, whilst the term ‘information’ refers to data that has been processed in such a way as to be meaningful to the person who receives it. For the purpose of the Guidelines, the terms ‘data’ and ‘information’ have been used interchangeably and should be taken to mean both data and information.
2. SCOPE
The Guidelines outline best practice for managing the release of information from data collections held by WA Health. In the context of this document, a data collection includes both operational data collections and data repositories. The information requested may be identifiable or non-identifiable and its release can either be ad-hoc/one-off or regular extractions of data. Although staff are encouraged to use the resources provided within the Guidelines, they are not mandatory. The resources may need to be modified or adapted to meet specific business requirements.
The purpose of the Guidelines is to ensure data are released in a responsible and accountable manner that supports the efficient, effective and appropriate use of information. This is achieved through a Data Request Form (Appendix A), which documents the requester’s requirements and the completion of a Data Release Pro-Forma (Appendix B), highlighting specific details of the data provided.
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 3
The Guidelines also provide a Data Release Contract (Appendix C), which outlines obligations of confidentiality with respect to information received from WA Health. This will ensure authorised recipients are informed of their obligations to maintain confidentiality and security of the data received.
Where data release processes are already in place, staff are encouraged to review existing processes in light of the Guidelines to ensure best practice in the release of WA Health information.
3. TYPES OF DATA REQUESTS
3.1 Identifiable Information Requests for identifiable information refers to any request for information (record level or aggregated) where the identity of an individual, health service, clinician or health professional is apparent or can reasonably be ascertained by the holder of the information. It includes both identifying information (e.g. name, address, date of birth, medical record number) and health information (e.g. diagnosis, treatment).
Information is also identifiable if it is reasonably possible for the person receiving the information to identify the individual or health provider by using other information they already hold. It may be possible to ascertain identity from aggregated data where there are few individuals in a particular category. Requests for identifiable data must include reasonable justification as to why non-identifiable information is not sufficient for the purpose of the data request. As a general rule, identifiable personal health information should only be disclosed to another person with the consent of the patient (refer to Information Access and Disclosure Policy OD 0539/14). There are exceptional situations where consent is not required in order to disclose a patient’s personal health information. They include:
a court order to disclose a patient’s personal health information
a requirement authorised by or under law (e.g. mandatory reporting of child sexual abuse)
where the health professional believes that the disclosure is necessary to prevent a serious threat to public health or public safety
statutory medical notifications (e.g. notifiable communicable diseases, anaesthetic deaths, cervical cancer testing)
research in the public interest, in accordance with statutory guidelines and WA Health policy
mandatory reporting under the National Healthcare Agreement, National Health Reform Agreement or any other funding agreement.
Identifiable information must only be released to authorised users. An authorised user is a person who has obtained the appropriate approvals for the use of information. The appropriate approvals are determined from the Information Access and Disclosure Models for each data collection, which have been developed by the Data Custodian and endorsed by the Data Steward (refer to Information Access and Disclosure Policy OD 0539/14).
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 4
3.2 Non-identifiable information Non-identifiable information typically corresponds to a particular person or health provider, but is not sufficient to identify, contact or locate the person or health facility to whom such information pertains. In a health context, requests for non-identifiable information refer to requests for information (record level or aggregated) that have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual or health facility can be identified by the recipient of the information. This also applies to data that may contain a unique person identifier, but the identifier has no meaning to the recipient of the information when viewed alone or in combination with other data.
4. PROTOCOLS FOR RELEASE OF DATA
Prior to releasing WA Health information, the following must be adhered to:
data extracted should be checked against previously provided data to ensure consistency
the sensitivity and risk classification of data must be considered when processing a request for data release (refer to Information Classification Policy OD 0537/14)
data release approvals must be in accordance with the Information Disclosure Model (refer to Information Access and Disclosure Policy OD 0539/14) for the specific data collection
the product to be released should have a ‘look and feel’ common to other WA Health products
access to identifiable information is limited to authorised users who need the information to perform the duties of their role (i.e. Need-to-know principle)
consideration given to the National Aboriginal and Torres Strait Islander Health Data Principles
all authorised users must sign a declaration of confidentiality where applicable
requester to provide justification for the release of sensitive data items
confidential or sensitive data must be transferred to the recipient in a secure manner (refer to Information Security Policy OD 0389/12)
a contact person must be available to handle enquiries from the requester and/or recipient
identifiable information must not be transported or used outside of Western Australia without consultation with the Data Custodian and approval from the Data Steward and relevant Senior Executive
when releasing published tables or aggregate level data, the disclosure of information in small cells (n<5) should be avoided to decrease the potential for the identification of individuals
where third parties are involved a contract or Memorandum of Understanding (MOU) between WA Health and the third party must be developed to mitigate risks associated with information sharing
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 5
5. HUMAN RESEARCH ETHICS COMMITTEE APPROVAL Requests for information may require approval from a Human Research Ethics Committee (HREC) (refer to Information Access and Disclosure Policy OD 0539/14). HREC provides an independent, competent and timely ethical review of projects involving the use and disclosure of WA Health information with respect to their ethical acceptability. In undertaking ethical assessment of research proposals the HREC uses the National Statement on Ethical Conduct in Human Research (2007), which consists of a series of guidelines made in accordance with the National Health and Medical Research Council Act 1992.
Projects that require approval from a WA Health HREC include, but are not limited to:
any request for personal health information by individual’s external to WA Health
any research project involving the use and disclosure of personal health information from data collections held by WA Health
projects involving the linkage of data collections held by the Department of Health (the Department) (refer to Data Linkage Access Policy)
any request that the Data Custodian considers high risk or requiring ethics approval.
Applications for ethics approval and relevant supporting documents will need to be submitted to the appropriate HREC. Contact should be made with the Department or Health Services HREC for details about the application process (refer to WA Health Research Governance and Single Ethical Review Standard Operating Procedures OD 0446/13). It is important to note that approval from a WA Health HREC does not guarantee the release of data. All human research conducted in WA Health must undergo governance review before authorisation can be granted for the release of information. The governance review at Health Services is to be undertaken by the Research Governance Officer before authorisation can be granted by the Chief Executive (or delegate). The governance review for the Department’s data collections involves review of the data application by the Data Custodian and approval for the release of data by the Data Steward.
6. DATA RELEASE PROCESS
Figure 1 outlines the protocols that apply when releasing information (identifiable or non-identifiable) from the data collections held by WA Health. As shown in Figure 1, some requests for data may need to be submitted to a WA Health HREC for approval prior to the release of data.
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 6
Figure 1. Data Release Flow Chart
* Requester must consult with Data Custodian(s) and the relevant Executive Officer of HREC. Data to be released in accordance with the Information Disclosure Model for the data collection (refer to Information Access and Disclosure Policy OD 0539/14).
Applicant completes Data Request form (Appendix A) and submits to Data Custodian for
consideration
Data Custodian advises applicant of outcome and recommendations
for resubmission if appropriate
Data Custodian advises applicant of outcome
Does the request require ethical approval?*
Applicant submits application to relevant HREC
Letter sent to applicant from HREC advising of reasons
why not approved
Applicant advises Data Custodian and revises
request for resubmission if appropriate
Letter sent to applicant from HREC advising of approval
Applicant advises Data
Custodian of outcome and provides evidence of HREC
approval Data Custodian completes Data
Release Pro Forma (Appendix B)
Data recipient signs Data Release Contract
(Appendix C)
Data extracted
Data Custodian ensures release of
data via secure method
Not approved
Approved in principle
Yes
No Not approved
Approved
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 7
6.1 Data Request Form Applicants must consult with the relevant Data Custodian of the data collection before applying for data (refer to WA Health Information Register). After the initial contact with the Data Custodian, a Data Request Form (Appendix A) should be completed and submitted. The Data Request Form ensures that the request is clearly documented to enable the Data Custodian to assess the request and provide the data if appropriate. Where the request is required on a regular basis, completion of a new Data Request Form may not be required each time. The Data Request Form should include, as a minimum:
the requester’s details (i.e. name, position, work location and contact details)
the recipient’s details (if not the same as the requester)
the data collection(s) from which the data will be sourced (if known)
reason / purpose for the required data
data items / variables required
description of what is required
parameters of data required
details as to how the data will be used
list of persons having access to the data
details of how the data will be disseminated to others
details of how the data will be stored securely
data retention period
date required by. 6.2 Data Release Pro-Forma Prior to releasing data, a Data Release Pro-Forma (Appendix B) must be completed by the Data Custodian. This form documents the data that has been extracted for the recipient. It also serves as a record for the Data Custodian. The Data Release Pro-Forma must include, as a minimum:
details of a contact person for enquiries
reporting definition or data extract criteria used (e.g. inclusions and exclusions)
data collection(s) from which the data was extracted
reporting period (e.g. one quarter, one year)
known data quality issues
a definition of all variables provided
date that the data extract was produced.
For established routine data requests, a Data Release Pro-Forma only needs to be produced on the initial request for data, unless substantial modifications to the data request have been made. 6.3 Data Release Contract Data Custodians need to ensure and be confident that the recipient of the data fully understands the conditions of data release and their related obligations. The Data Custodian administers this by signing a Data Release Contract (Appendix C) with the recipient of the data. This is particularly important when releasing confidential and/or sensitive data.
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 8
The Data Release Contract describes limitations on the usage of the data, security and storage requirements, as well as restrictions on further dissemination of the data to third parties.
7. DEFINITIONS
Aggregate Level Data is summed and/or categorised data that is analysed and placed in a format (for example, in tables or graphs) that prevents the chance of revealing an individual’s identity (individual records cannot be reconstructed).
Authorised Users refers to individuals (internal and external to WA Health) authorised by the relevant Data Custodian or Data Steward to access information within a specific WA Health data collection.
Confidentiality the ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure.
Data is defined as anything spoken, overheard, written, stored electronically, copied, transmitted or held intellectually concerning WA Health general business, information systems, employees, business partners, patients or customers, including information and entity types.
Data Collection refers to the systematic gathering of data for a specific purpose from various sources, including manual entry into an application system, questionnaires, interviews, observation, existing records and electronic devices. It includes collections of patient, corporate, financial and workforce information. This includes both operational data collections and data repositories.
Data Custodian the person(s) responsible for the day-to-day management of data from a business perspective. The Data Custodian aims to improve the accuracy, usability and accessibility of data within the data collection.
Data Linkage is the activity of finding connections between different pieces of information that are thought to belong to the same person, family, place or event.
Data Repository refers to data that is collected from various sources, including operational data collections for the primary purpose of monitoring, evaluation, reporting and research. Examples of data repositories include data held within the Hospital Morbidity Data Collection, Finance Data Warehouse and the Emergency Department Data Collection.
Data Steward is a delegated person responsible for setting the overall strategic direction of a specific data collection. They ensure the collection is developed, maintained and utilised in accordance with the strategic goals of WA
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 9
Health. Data Stewards are also responsible for authorising access, use and disclosure of data from the data collection for defined purposes that comply with WA Health’s statutory obligations.
Duty of Confidentiality is an element of common law that prevents the disclosure of information to individuals and organisations not involved in the particular health care episode.
Human Research Ethics Committee (HREC)
are specialised committees that protect the welfare and rights of participants involved in research. HREC review research proposals that either involve humans directly or require the use and disclosure of personal health information. HREC is responsible for ensuring that research proposals are ethically acceptable and in accordance with relevant standards and guidelines.
Identifiable Information is information where the identity of an individual, health service, clinician or health professional can be reasonably ascertained by the holder of the information. Examples of identifiers include: name, address, full date of birth, geocodes, hospital names or numbers. An individual will be identifiable if the information contains unique personal identifiers and the holder of the information also has the master list linking the identifiers to individuals.
It may be possible to ascertain the identity of individuals from aggregated data where there are very few individuals in a particular category.
Information refer to Data.
Information Disclosure in the context of this policy information ‘release’ and ‘disclosure’ are considered synonymous and involves providing information from WA Health’s data collections to authorised users (both internal and external to WA Health). Information is generally released in a form of hard copy documents, data extracts or electronic medium.
Information Release Refer to Information Disclosure.
Non-Identifiable Information
is information that may correspond to a particular person or health provider, but is not sufficient to identify, contact or locate the person to whom such information pertains. Non-identifiable information is generally collected in an aggregated form.
Operational Data Collection
includes data that is collected as part of the day-to-day activities of an area for the primary purpose of tracking and managing operational aspects of the area. The operational data collection is typically a transaction- based system which contains detailed data elements to represent the activities of the area. Examples of operational data collections include data held within Patient Administration Systems, Total Records and Information Management System (TRIM), Financial
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 10
Systems and Human Resource Management Systems.
Personal Health Information
pertains to all health information where the identity of a person is apparent or can reasonably be ascertained from the information itself. Information is also personal information if it is reasonably possible for the person receiving the information to identify the individual by using other information that they already hold.
Potentially Identifiable Personal Health Information
contains a range of data items that in combination with each other contain sufficient overall detail that it is possible that some individuals could be identified. This may result when combining two or more de-identified data sets.
Record Level Data is usually data at the level of an individual person. Record level data need not directly identify the data subject, but is more vulnerable to re-identification than aggregate data.
WA Health includes the Department of Health, Metropolitan Health Service (North Metropolitan Health Service, South Metropolitan Health Service, Child and Adolescent Health Service, Health Information Network and Health Corporate Network), the WA Country Health Service and the Peel Health Service.
8. ROLES AND RESPONSIBILITIES
Data Custodians are responsible for managing the release of WA Health information in accordance with these Guidelines and other relevant legislation, policies, guidelines and procedures. Authorised users of WA Health information are responsible for protecting the security and integrity of data within their possession. They must ensure that information (in electronic or non-electronic format) is used and managed in accordance with the contractual obligations outlined in the ‘Data Release Contract’ and other relevant legislation, policies, guidelines and procedures.
HREC are responsible for providing independent, competent and timely ethical review of projects involving the use and disclosure of WA Health information with respect to ethical acceptability.
9. EVALUATION
In order to ensure currency and ongoing relevance to WA Health, the Guidelines will be reviewed every 3 years by the Information Development and Management Branch (IDM) within the Resourcing and Performance Division.
10. RELATED DOCUMENTS Data Linkage Access Policy Data Quality Policy (OD 0380/12) Data Stewardship and Custodianship Policy (OD 0487/14) Information Access and Disclosure Policy (OD 0539/14)
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Page 11
Information Classification Policy (OD 0537/14) Information Lifecycle Management Policy (OD 0557/14) Information Security Policy (OD 0389/12) Information Use Policy (OD 0390/12) National Aboriginal and Torres Strait Islander Health Data Principles Patient Confidentiality (IC 0164/13) Patient Information Retention and Disposal Schedule Version 3, 2008 (OD 0133/08) Practice Code for the Use of Personal Health Information Provided by the Department of Health (IC 0177/14) WA Health Information Register WA Health Misconduct and Discipline Policy (OD 0323/11) WA Health Research Governance and Single Ethical Review Standard Operating Procedures (OD 0446/13)
11. RELEVANT LEGISLATION
Children and Community Services Act 2004 Commonwealth Privacy Act 1988 (Australian Privacy Principles) Coroners Act 1996 Corruption and Crime Commission Act 2003 Criminal Code Act 1913 Electronic Transactions Act 2011 Evidence Act 1906, Acts Amendment (Evidence) Act 2000 Financial Management Act 2006 Freedom of Information Act 1992 Freedom of Information Regulations 1993 Health Act 1911 Health and Disability Services (Complaints) Act 1995 Health Legislation Administration Act 1984 Hospital and Health Services Act 1927 Human Reproductive Technology Act 1991 Mental Health Act 1996 National Health and Medical Research Council Act 1992 Public Sector Management Act 1994 State Records Act 2000
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Appendix A
Page 12
SECTION 1: REQUESTER DETAILS (To be completed by person requesting data)
Name Contact Number
Organisation Position
Work Location
Email Contact
Recipient Name (If not the same as the requester)
Contact Number
Organisation Position
Work Location
Email Contact
Urgency (Please circle) Urgent: 1-10 Working
days Semi-Urgent: 11-30 Working
Days Non-Urgent: 31 + Working
Days
Date Data is Required
Data Collection(s)
Reason/Purpose (What the
information/data is required for)
Description of information required (Please include data items/variables required)
Parameters of data required (Data selection period
etc)
Details as to how the data will be used
List all persons who will have access to the data
Details of how the information will be disseminated to others
Please provide details of how the data will be stored securely
Data Retention Period Destruction Date
Frequency (Circle as appropriate)
One off Request
Fortnightly Monthly 6 Monthly Annually Ongoing
Other (please specify)
Requester’s Signature Date
Data Request Form
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Appendix A
Page 13
SECTION 2: APPROVAL DETAILS (To be completed by the relevant Data Custodian)
Request Number Date Received
Comments (Discussion with requester – revisions required? Agreement to proceed? Can data be provided?)
Data Custodian Recommendation (Circle as appropriate)
Approved Not approved
Data Custodian Signature Date
SECTION 3: COMPLETION DETAILS
Date Completed Date Provided
Revisions Required
Feedback/Comments
No L
onge
r App
licable
- Res
cinde
d 7 M
ay 20
20
Appendix B
Page 14
Data Release Pro Forma
TO BE COMPLETED BY THE PERSON EXTRACTING DATA
Request Number
Date
Description of Data Request
Data Supplier Name
Contact Number
Position E-mail Contact
Reporting Definition or data extract criteria used (e.g. Inclusions and exclusions – supply location or attach)
Data collection(s) from which the data was extracted from
Reporting period (e.g.One
quarter, one year)
Known data quality issues
Definition of variables provided (Specify or attach)
Date that the data extract was produced
Time taken to produce output
Signature Completion Date
Other Comments
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
Appendix C
Page 15
Data Release Contract
The following contract is designed to protect the confidentiality and integrity of health information and patient data after its release upon request to an internal (WA Health) or external individual, department or organisation. OBLIGATIONS OF THE REQUESTER By signing the contract, the requester:
Agrees to maintain the data in a confidential and secure manner and control against loss, unauthorised
use, access, modification and disclosure.
Acknowledges that the data released remains the property of WA Health.
Acknowledges that information must not be transported or used outside of Western Australia without
consultation with the Data Custodian and authorisation from the relevant Data Steward and Health Service
Senior Executives.
Agrees to, under no circumstances, pass on or divulge the released data to a third party without the prior
approval of the Data Custodian.
Agrees not to use the data for any purpose other than that for which it was originally requested.
Agrees that the source of the data will be properly referenced and relevant approvals obtained whenever
WA Health information is used in publications.
Agrees not to copy or store parts or the whole of the released dataset in a directory that may be accessible
to anyone else.
Agrees not to leave printouts of datasets in any form in an area accessible to anyone else.
Agrees to destroy all copies of the data and hard copies upon completion of its use for the purpose
intended and inform the Data Custodian of the outcome.
DISCLAIMER All information/data provided is accurate and up to date at the time of release. WA Health cannot be held liable for the accuracy of the reports based on the analysis of the data. CONTRACT I _____________________________________________________________ (please print) Of __________________________________________________ department/organisation Acknowledge that I have read and agree to the above provisions of the contract and indicate the intended use of the information requested as follows:- _________________________________________________________________________________ I agree to retain the data in the following location in a secure manner:- _________________________________________________________________________________ Signed: _______________________________________ Position/Title: __________________________________ Date: _____________________________
Request Number: _____________________ Received by: ____________________________________
Witnessed by __________________________ Position: ____________________________________
Signature: ____________________________ Date: ________________________________
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020
This information is available in alternative formats for a person with
a disability. © Department of Health 2014
No Lon
ger A
pplica
ble - R
escin
ded 7
May
2020