Data Confidentiality in the National Cancer Registry

This document sets out the broad principles and practice relating to data confidentiality and security within the Irish National Cancer Registry. It describes

General Principles of Confidentiality

Confidentiality in the use of personal data in medical research is governed both by the ethical guidelines of the medical profession [1] and by the provisions of the Data Protection Act, 1988. Preservation of confidentiality is not only an obligation; it is also essential to maintaining the trust of those who provide us with information, and so to ensuring that the information gathered continues to be of high quality. Doctors must be assured that the welfare of their patients will be respected and that the Registry will observe the same strict rules of confidentiality that apply in the doctor-patient relationship. Finally, we have a legal and moral duty to avoid acts that might cause suffering or distress to any individual, whether patient or doctor.

The Board of the Registry, in carrying out its functions, has adhered to the following principles:

  1. Identifiable information will not be released without patient consent, except to the treating physician of the patient;
  2. No disadvantage, harm or distress may be caused to the patient by any release of data;
  3. Appropriate safeguards must be in place to preserve the confidentiality of the information in our custody;
  4. Reports of our work must not contain information which would destroy the anonymity of a patient or doctor;
  5. The Registry has a duty to maximise the use of information in its possession to the benefit of all patients.

The principles of confidentiality must apply, not only within the Registry, but also to any data released by it, whether for public information, or to individual researchers. In particular, the Registry must take care not to publish data in a way that would allow any individual to be indirectly identified. The rights of deceased persons and their families must be given as much consideration as those of the living. Against this need to protect the rights of the individual must be balanced the value of accurate cancer registration data in assessing the causes, treatment and outcome of cancer [2] [3] [4].

Successful cancer registration requires that the individual registered be identifiable, for a number of reasons:

  1. Information on a single cancer often comes from a variety of sources. This duplication of information would inevitably lead to multiple registrations of the tumour, and a gross over-estimation of the rate of incidence of cancer, unless some method were available for linking all information on the same individual.
  2. Information on outcome, and particularly on survival, is essential to the operation of the registry, and links between registrations and death certificates can only be achieved by the use of some type of personal identification.
  3. The Registry can carry out assessment of the success and coverage rate of screening programmes only if individuals screened can later be identified if they develop cancer.
  4. Cancer Registries may also contribute to medical research by allowing researchers to identify individuals with cancer for the purposes of case-control studies of cancer aetiology, and by helping with the recruitment of individuals to properly conducted clinical trials of cancer treatment. Because these individuals may have been treated by a number of physicians in different institutions, the Registry may offer the only method of allowing their identification and follow up.

The principles of confidentiality can only be reconciled with the functions of the Registry by the adoption of a comprehensive code of practice governing the acquisition, processing, storage and release of identifiable patient data. Where doubt exists as to the appropriateness of a particular line of action, this code of practice must have as its highest priority the protection of the rights of the individual patient. As well as guidelines for the use of data within the Registry, this code of practice must also include guidelines on the use of Registry data by individuals outside the Registry, and should also protect the rights of the dead as well as living persons.

Responsibility for ensuring adherence to the code of practice will rest ultimately with the Director, who may ask the Board for guidance on cases which do not conform to the agreed guidelines.

Definitions

Registration:

Registration is the process of acquiring information on an individual considered to have cancer, extracting demographic and medical information on that individual from medical records, and adding this information to the Registry database.

Confidential data:

Confidential data is any personal information relating to an identified or identifiable person; an identifiable person is one who can be identified, either:

  1. directly or
  2. indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.[5]

Data presented in statistical form, in which the persons concerned can no longer reasonably be identified, are not considered personal data.

Treating physician:

The treating physician is:

  1. The doctor, either consultant or general practitioner, who was mainly involved with the treatment of the patient at the time of registration,
  2. The physician now responsible for the patient if the above has retired from practice;
  3. A doctor to whom the patient has been referred for further diagnosis or treatment of the cancer
  4. The patient's general practitioner if no other doctor can be identified.

Operation of the Registry

Data collection.

The Registry obtains data on patients with cancer from a variety of sources:

Pathology Laboratories.

The majority of notifications come initially from pathology reports. Similar notifications may be received from haematology, cytology and, in rare cases, radiology departments. These notifications rarely contain sufficient information for a full registration, which is completed by reference to the patient's medical records.

Medical Records.

A systematic search of medical records from appropriate departments, such as radiotherapy and oncology, yields the names of patients who have not been notified through pathology reports. The medical records contain all the information necessary for registration.

Death Certificates.

The diagnosis of cancer may be initially notified through death certificates, which are supplied by the Central Statistics Office. The physician certifying the death is then contacted and can either give the information necessary for a full registration or can allow the patient to be identified and the medical records retrieved.

Other Registries.

Notifications, updates or details of treatment for patients normally resident within this Registry area are sometimes received from registries in the UK.

Processing of Information.

Each notification is checked against the existing registry database to see if the cancer has already been registered. Records can usually be matched on the basis of full name and address, although sometimes other details, such as date of birth, may be used. If no previous entry exists for the cancer, it is registered and the record added to the database. In this Registry, registrations are made by qualified Tumour Registration Officers, who are full-time employees of the Registry and who have signed an undertaking to safeguard the confidentiality and security of all the information to which they have access. They make these registrations directly onto laptop computers, and completed registrations are forwarded to the Registry at weekly intervals. All phases of data collection, storage and transmission are protected by computer passwords and by encoding of the data; for this to protect confidentiality, the encoding must be encryption under a key that is not stored with the data, since a reversible encoding without a secret key gives no protection against anyone who obtains a copy of the file.

On arrival at the main Registry, these registrations are again checked against the database for duplication. All patient and doctor identifiers are removed from the database before it is used for analysis, and access to the identifying information is limited to a small number of named persons within the Registry. Identifiable information is used for:

  1. Elimination of duplicate registrations
  2. Follow-up of patients through death certificates and hospital records.

Uses of data

Statistical reports:

The main use of the data is to produce regular statistical reports on the incidence of cancer in particular areas, for particular sub-groups of the population, broken down by cancer type. None of the data is presented in a way which can allow the identification of individuals.

Detailed reports:

The Registry can also produce, on request, specific analyses of the data for researchers and others. These analyses do not identify individuals, and are governed by safeguards with regard to the use of the data, as set out in the Aggregate Information section.

Release of personally identifiable data:

No restrictions are placed on the release of data on a patient to the treating physician of that patient. The Registry may also provide personally identifiable data for research purposes, subject to the consent of the patient.

All requests for confidential information must be approved by the Director, and are responded to, initially, in a way which does not indicate whether a particular individual is registered or not. The Director is responsible for assessing if proposed research meets the Registry's criteria for the release of data. The guidance of the Board is sought for cases which seem to fall outside these guidelines. The precise procedures to be followed are set out in the section "Release of data for research and audit".

Procedures for data security within the Registry

Staff

All staff concerned with the collection, processing and output of personal data are employees of the National Cancer Registry. On taking up duty, they are asked:

  1. To read, agree to and observe the rules set out in "Guidelines for staff on confidentiality within the National Cancer Registry".
  2. To sign an undertaking of confidentiality, which will remain binding on them even following their departure from Registry work. This undertaking prohibits them from disclosing, either directly or indirectly, to any individual outside the Registry, the identity of any person registered, or any data concerning such an individual, or any other confidential material they may come across in the course of their work.
  3. To observe the security precautions currently operating within the Registry.

Physical security[6]

The operation of the Registry is largely electronic, and few written documents containing individual identification are created. Any such written documents are shredded immediately after use. Documents which need to be kept for archival purposes are microfilmed and the paper originals shredded. Microfilms are kept in secure storage within the Registry. All the paper records currently held within the Registry are held within locked storage cabinets. Access to these cabinets is limited to authorised Registry personnel.

The Registry is locked at all times. Visitors to the Registry must be admitted to the Registry premises by a staff member, must be accompanied at all times and have no access to areas where sensitive information could be visible. The Registry premises are protected by high-security locks and by electronic alarms.

Electronic security

Data collected by Registry staff on laptop computers is password protected and encoded, and is also encoded during any transmission to the Registry, whether by modem or on diskette. Tumour Registration Officers are asked to keep their computers in their possession at all times while away from home, and in a securely locked place in their hospital office. Rooms in the Registry containing computer terminals are kept locked when not occupied. Terminals are also locked when not in use.

Data within the Registry is protected by passwords and encoding. Each individual within the Registry has a personal password, which defines their level of access to the computer system. A second password is needed for access to the patient database. Access to all computers is automatically logged by the network system, which records the identity of the person using the computer and the times at which they log on and log off. These logs are regularly reviewed for anomalous patterns of use. Staff are instructed to log off their computers when leaving the room, and not to allow any identifiable data to appear on the screen while away from their desk. Registry computers which contain personally identifiable data are not connected to any outside computer system, so there is no network path by which an outsider could reach the data; the remaining routes, removable media and Registry staff themselves, are addressed by the staff guidelines that follow.
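
The log review described above can be partly automated. The following is an added example, not the Registry's own tooling: it parses constructed logon/logoff records (the line format, the fictitious user and host names, and the 07:00 to 20:00 working window are all assumptions) and flags the patterns a reviewer would want surfaced: weekend and after-hours logons, sessions that were never closed (a terminal left logged on), and one account active on two machines at the same time, which points to a shared password or an unattended terminal.

```python
"""Review of logon/logoff records for anomalous patterns of use.

Added example; not the Registry's own tooling. The record format is an
assumption: one event per line,
'YYYY-MM-DD HH:MM:SS LOGON|LOGOFF user=<id> host=<name>'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time
from itertools import combinations

# Constructed sample log: fictitious users and hosts, Tue 4 Mar to Sun 9 Mar 1997.
SAMPLE_LOG = """\
1997-03-04 08:55:12 LOGON user=tro01 host=REG-01
1997-03-04 17:31:40 LOGOFF user=tro01 host=REG-01
1997-03-04 09:02:05 LOGON user=dp02 host=REG-02
1997-03-04 09:10:44 LOGON user=dp02 host=REG-03
1997-03-04 12:00:00 LOGOFF user=dp02 host=REG-02
1997-03-04 12:05:00 LOGOFF user=dp02 host=REG-03
1997-03-04 23:14:09 LOGON user=tro01 host=REG-01
1997-03-05 00:40:00 LOGOFF user=tro01 host=REG-01
1997-03-08 10:00:00 LOGON user=dp02 host=REG-02
1997-03-09 08:00:00 LOGON user=adm03 host=REG-04
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGON|LOGOFF) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)
# Assumed working window; logons outside it deserve a second look.
WORK_START, WORK_END = time(7, 0), time(20, 0)


@dataclass
class Session:
    user: str
    host: str
    start: datetime
    end: datetime | None = None


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    host: str
    when: datetime


def parse_sessions(log_text: str) -> list[Session]:
    """Pair each LOGON with the next LOGOFF for the same user and host."""
    open_sessions: dict[tuple[str, str], Session] = {}
    sessions: list[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped here; a real review should count them
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["host"])
        if m["event"] == "LOGON":
            session = Session(m["user"], m["host"], ts)
            sessions.append(session)
            open_sessions[key] = session
        else:
            session = open_sessions.pop(key, None)
            if session is not None:
                session.end = ts
    return sessions


def review(sessions: list[Session]) -> list[Finding]:
    """Flag weekend and after-hours logons, sessions never closed, and one user
    active on two machines at once (a shared password or an unattended terminal)."""
    findings: list[Finding] = []
    for s in sessions:
        if s.start.weekday() >= 5:
            findings.append(Finding("weekend_logon", s.user, s.host, s.start))
        elif not WORK_START <= s.start.time() < WORK_END:
            findings.append(Finding("after_hours_logon", s.user, s.host, s.start))
        if s.end is None:
            findings.append(Finding("no_logoff", s.user, s.host, s.start))

    by_user: dict[str, list[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    for user, user_sessions in by_user.items():
        user_sessions.sort(key=lambda s: s.start)
        for a, b in combinations(user_sessions, 2):
            a_end = a.end or datetime.max  # an unclosed session is treated as still open
            if a.host != b.host and b.start < a_end:
                findings.append(Finding("concurrent_sessions", user, f"{a.host}+{b.host}", b.start))
    return findings


if __name__ == "__main__":
    for f in review(parse_sessions(SAMPLE_LOG)):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.kind:<20} {f.user} {f.host}")
```

On the constructed log this produces six findings: an after-hours logon by tro01, concurrent sessions for dp02 on two machines on the same morning, and weekend logons without a matching logoff for dp02 and adm03. The second-password step for the patient database is not in these records; if that access is logged separately, the same pairing and review applies to it and is the more important log to read.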

Guidelines for staff on confidentiality within the National Cancer Registry

Introduction

This document sets out the procedures for observing confidentiality and security of data within the Registry. It is meant to offer a series of principles, and cannot cover every possible eventuality. When in doubt in a situation which may involve confidential information, please contact the Director. All staff are expected to make themselves familiar with the rules contained in this document, and to re-read them annually. A confidentiality statement is attached, and must be signed by each staff member on taking up his or her post.

The Cancer Registry is in a position of trust. We are trusted by society at large and by doctors and other hospital workers in particular, to observe the highest standards of security and confidentiality with regard to the very sensitive information which we have in our possession. Those of us handling this information every day may sometimes forget the devastating effect its disclosure might have for individuals or their families. We must also be aware of the disastrous consequences for the Registry, should our sources of information lose their trust in us. The basic principle of operation of the Registry must be, above all, to protect the rights of the individual.

The rules set out here govern the handling of confidential personal information. This is described as any information which could identify an individual (patient, family or health care worker) either directly or indirectly. The fact that an individual is registered is in itself an item of confidential personal information. Individuals can be directly identified by name, address, date of birth or personal identification number (GMS number, RSI number, hospital medical record number), or indirectly through a combination of unique personal characteristics.

Apart from confidential personal information, the Registry also produces statistical information on cancer. Many different individuals and groups may request this information. Because cancer incidence information is not always easily interpretable, the Registry needs to be able to control the uses made of information supplied by us, at least to the extent of having the users take responsibility for any interpretations. The Director must first clear all requests for information, no matter how apparently innocuous.

Registry staff may, in the course of their work, come across information not pertaining to cancer registration, or may have access to confidential information on others which might be of interest to them. The same rules of confidentiality apply to personal information, whether gathered for registration purposes, or come across accidentally. Staff must not abuse their privileges of access to medical records by seeking information not relevant to their work.

Data Collection

Most data collection is carried out by the Tumour Registration Officers. To some extent, their method of operation is governed by different procedures within hospitals, but certain procedures remain common throughout.

  1. Tumour Registration Officers must make themselves known to hospital staff at each visit. The identification provided by the Registry should always be carried. The arrangements for security and confidentiality within each hospital must be strictly observed. Medical records should not be taken from areas assigned to them without the specific permission of somebody in authority.
  2. All written material, whether pertaining to the Registry or to the hospital medical records, must be locked away when not personally attended.
  3. Details of cases should be discussed only with the doctors responsible for the case; staff should not assume that others within the hospital are in possession of the same amount of information as they are. All requests for information must be referred to the Registry centrally.
  4. Never examine any material that is not pertinent to your work.
  5. The notebook computers on which data is entered keep it in a form that would be quite difficult for the average person to break into. However, it is not impossible, with enough time, determination and technical skill. Staff should be careful to keep the computer in their possession at all times while away from home. In particular, it should not be left unattended in any unlocked room, or in a car. The computer should never be left switched on while you leave your desk, even for brief periods. The safest place for storage of the computer is probably in your home, but, in the home, it should always be kept in a locked cupboard. If any breach of security is suspected, the Director should be informed immediately. Passwords will be changed on a regular basis; passwords should never be written down.
  6. After data transmission to the Registry by modem, please telephone to inform the computer operators that the data has been transmitted.

Data Processing

  1. Data received from other sources on tape, diskette or printed form must be logged in on receipt, labelled, and kept in secure storage until used.
  2. All Registry computers are password protected, but these passwords are worthless if they are written down, and should be changed regularly.
  3. Access to the Registry office is restricted to Registry staff. All visitors must be admitted by a member of Registry staff, must sign in and out, and must be accompanied at all times. If visitors wish to have access to the data entry area, this should be authorised by the Director, no paper forms should be visible and data entry screens should not show any personally identifiable information. If visitors wish to have demonstrations carried out, there is a separate "dummy" registry data base available containing details of fictitious persons.
  4. The last person using the door should always lock the main door to the Registry and that of the document storage area. All paper documents containing confidential information must be kept in locked containers when not in use. Overnight, all confidential documents should be kept in the high security cabinet. During the day, they should be locked in desk drawers when the desk is not being used.
  5. Certain areas within the Registry are restricted to named staff; an authorised person should accompany other staff (e.g. cleaning personnel) needing access to these areas.

Output

  1. All reports printed off for use by Registry staff, which contain identifiable data, should be treated with the same procedures as patient registrations.
  2. All printed records with personal data should be shredded as soon as they are no longer needed.
  3. When printing reports for internal use, avoid the use of identifiers, unless this is essential for the purpose of the report.
  4. The Director should approve all data analyses before being sent out.

Communication.

  1. Identifiable patients should never be discussed over the telephone.
  2. All letters to consultants and general practitioners should be addressed to them personally and marked "Confidential". If you are unsure of the person to whom you should address the letter, please confirm their name and address by telephone before writing. If confidential information is sent out, check its arrival with the recipient by telephone.
  3. All requests for information from the Registry should be referred to the Director.
  4. Identifiable data should not be taken outside the Registry building for processing, copied onto floppy discs or moved to computers outside the data entry network.
  5. Any communication between the Registry and Tumour Registration Officers (TROs) should use patients' registration numbers, not names and/or addresses. Material should be sent by modem, rather than mail, if possible.

Release of National Cancer Registry data

The National Cancer Registry contains information on registrations of patients with cancer in Cork and Kerry from 1980 and for the whole of Ireland from 1994. It is a valuable resource, available for use in epidemiological and clinical research, as well as the planning and evaluation of services. We welcome requests for information for research, planning and statistical purposes.

However, because of the sensitivity of much of the information we keep on file, we need to observe certain procedures with regard to the release of information. We may therefore need reasonable advance notice of a project in order to prepare the necessary data analysis, and we need to retain some control over the publication of data supplied by the Registry.

The following document sets out the current guidelines for the release of data. If you would like more information on our procedures, or if you have some special data needs, the Director would be quite happy to amplify or clarify any of the information below.

General guidelines on information release

The Registry will supply any data requested, provided that complying with the request does not conflict with our obligations of confidentiality or with those under the Data Protection Act, 1988.

Any person requesting information must do so in writing, either by post, fax or email. The request should state clearly the type of information required, under the following headings

If the amount of data analysis involved is extensive, a fee may be payable to cover our costs. We attempt to respond to all requests within two working weeks of receipt and should be able to reply to most within a week.

The information available can be broadly classified as:

General information

This describes the total number of cases broken down into broad categories, such as age band, sex, site or county. This information is of the same general level of detail as that published in the annual reports of the Registry and will be made available on request. This data is also available on the registry website.

Aggregate Information 

Aggregate information is that which is analysed in greater detail than described above, at a level which is not routinely produced and published by the Registry, but which does not allow the identification of individuals. In some cases, e.g. analysis of small geographical areas for uncommon cancers, individuals may be potentially identifiable, and a decision on the release of this information will need to be made by the Director. Aggregate information will be made available on tumours by site and sub-site, by histological type, by age band, and for district electoral division or city ward. Cross-tabulations of this data will also be made available, provided that individual cells in the cross tabulation do not contain fewer than 5 observations.
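
The five-observation rule is a primary suppression threshold, and on its own it is not enough when row and column totals are released alongside the table: a row or column with exactly one suppressed cell gives that cell away by subtraction. The following is an added example, not the Registry's own code, run over constructed registrations (the sites, areas and counts are invented). The threshold of 5 comes from the text; publishing zero cells and the smallest-cell heuristic for complementary suppression are assumptions.

```python
"""Small-cell check for a cross-tabulation before release.

Added example; not the Registry's own code. Records are constructed. The
threshold of 5 is the rule stated in the text; publishing zero cells and the
smallest-cell heuristic for complementary suppression are assumptions.
"""
from collections import Counter

MIN_CELL = 5


def constructed_records():
    """Constructed registrations as (site, area) pairs; no real persons or places."""
    counts = {
        ("breast", "A"): 12, ("breast", "B"): 9, ("breast", "C"): 3,
        ("lung", "A"): 10, ("lung", "B"): 4, ("lung", "C"): 8,
        ("colorectal", "A"): 6, ("colorectal", "B"): 7, ("colorectal", "C"): 11,
    }
    return [cell for cell, n in counts.items() for _ in range(n)]


def cross_tab(records):
    """Count (row, column) pairs; returns sorted row labels, column labels and the counts."""
    counts = Counter(records)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    return rows, cols, counts


def _lines(rows, cols):
    """Every row and every column of the table, as lists of cell keys."""
    return [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]


def primary_suppression(counts, min_cell=MIN_CELL):
    """Cells holding 1 to min_cell-1 observations. Zero cells are published (assumption)."""
    return {cell for cell, n in counts.items() if 0 < n < min_cell}


def recoverable(rows, cols, suppressed):
    """Suppressed cells an outsider recovers by subtraction when row and column
    totals are published: any row or column with exactly one suppressed cell."""
    exposed = set()
    for line in _lines(rows, cols):
        hidden = [cell for cell in line if cell in suppressed]
        if len(hidden) == 1:
            exposed.add(hidden[0])
    return exposed


def complementary_suppression(rows, cols, counts, suppressed):
    """Extend the suppressed set until no row or column has exactly one suppressed
    cell, each time also hiding the smallest published non-zero cell in that line."""
    suppressed = set(suppressed)
    changed = True
    while changed:
        changed = False
        for line in _lines(rows, cols):
            hidden = [cell for cell in line if cell in suppressed]
            published = [cell for cell in line if cell not in suppressed and counts[cell] > 0]
            if len(hidden) == 1 and published:
                suppressed.add(min(published, key=lambda cell: counts[cell]))
                changed = True
    return suppressed


def release_table(rows, cols, counts, suppressed):
    """The publishable table: counts, with '*' in place of suppressed cells."""
    return {r: [("*" if (r, c) in suppressed else counts[(r, c)]) for c in cols] for r in rows}


if __name__ == "__main__":
    rows, cols, counts = cross_tab(constructed_records())
    primary = primary_suppression(counts)
    print("primary suppression:", sorted(primary))
    print("recoverable from margins:", sorted(recoverable(rows, cols, primary)))
    full = complementary_suppression(rows, cols, counts, primary)
    print("after complementary suppression:", sorted(full))
    print("still recoverable:", sorted(recoverable(rows, cols, full)))
    for r, cells in release_table(rows, cols, counts, full).items():
        print(f"{r:<11}", *cells)
```

On the constructed table the threshold alone hides two cells (3 and 4 observations) and both are recoverable from the published margins; complementary suppression hides two more cells of 8 and 9 and closes the subtraction route. Even then, an outsider holding the margins can bound the four hidden cells to a range of values, so for anything more than a simple two-way table a proper disclosure-control tool that audits those bounds should be used rather than this heuristic.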

Personal (identifiable) data

Data will be considered to be identifiable if it contains any of the following:

  1. Patient's name and/or full address;
  2. Hospital or other registration number;
  3. GMS, PRSI or other identifying numbers;
  4. A unit of analysis small enough to allow the identification of individual patients, using other data available to the requester;
  5. Date of birth in combination with other data (e.g. place of residence). Date of birth alone is not considered identifiable.

Identifiable information will not be released without patient consent except to the treating physician of the patient.

All other potential users, even if working within the institution in which the patient was treated, must obtain written consent from the patient to the release of information. Enquiries for the purposes of genetic counselling must follow these guidelines.

Information on deceased patients

Information extracted from death certificates is obtained by the Registry from the General Register Office. If an individual is deceased, permission to access this information must be obtained, under the Vital Statistics Acts, from the Registrar General at the Department of Health and Children.

Other information held by the registry on deceased persons will be released:

  1. For audit and follow-up, to registered medical practitioners who have been involved in the care of the patient;
  2. For research purposes, subject to approval by an appropriate ethics committee;
  3. On request to recognised genetic counselling services, if accompanied by a dated signed consent form obtained from the next of kin.

Release of data from the National Cancer Registry for the purposes of genetic counselling

The National Cancer Registry, while wishing to facilitate genetic counselling, takes as its primary principle the confidentiality of cancer patients, whether living or deceased. Information concerning cancer patients will not be released without consent.

Requests from recognised genetic counselling services will be dealt with as follows:

  1. Requests for cancer registry information from genetic counselling clinics regarding suspected cancer diagnoses in living family members, related to a proband undergoing counselling, should be accompanied by a dated signed consent form obtained from each relevant family member (or their legal guardian) about whom information is sought. The consent form should permit the release to the genetic counselling clinic of information relating to cancer from medical records.

    The managing consultant and general practitioner should be informed of the proposed data release by the counselling centre and provided with a copy of the signed consent.

  2. Requests for information regarding cancer patients known to have died should be accompanied by a dated signed consent form obtained from the next of kin. The last managing consultant of the deceased will be contacted by the Registry and will also be asked for consent.