Notification routine to the Data Protection Officer / Research Section

All processing of personal data, including anonymized data, at Sørlandet Hospital (SSHF) shall be registered in the overview of the hospital's processing of personal data, cf. Article 30 of the Personal Data Act.

Establishment of new data processing activities related to clinical and administrative purposes and which involve the registration of personal data, shall be decided by the manager and have a designated system owner. This applies both to the establishment of an application/service in the hospital network and with another data processor, including services that are available via the Internet.
 
Research, studies and quality assurance carried out at SSHF, including release to external studies, must always be management-anchored before commencement. This applies to both health research that must be approved by REK (Regional Ethics Committee), and other research, quality assurance, as well as broad research and quality registries that require advice from the Data Protection Officer.
 
Processing of anonymized data is not subject to the notification requirement to the Data Protection Officer, but it presupposes that the information has been legally collected.
 

The boundary between quality assurance and research is difficult. If you are unsure which category the project falls under, it is recommended to contact SSHF's Data Protection Officer (DPO) and/or REK for clarification. A quality project can identify conditions that will later be studied in a research project. If the project changes status, it must be promptly applied for approval from REK.
 

Research

In research, one seeks to establish new knowledge, not to evaluate existing treatment. Research projects should as a rule be approved by REK and have consent from the research participant cf. Informed Consent.
 
Characteristics indicating that the project is a research project:
 
  1. There is a protocol for the project describing a research question to be investigated or a hypothesis to be tested using scientific methods.
  2. The project involves risks for the participants beyond what is normal in diagnostics and treatment.
  3. The project contains something qualitatively new that will be done with the participants and which otherwise would not have been done in regular follow-up/follow-up examination.
  4. The project will be able to generate new knowledge about health and disease.
  5. New diagnostic or therapeutic methods should be tested.
  6. A randomization will be performed.
  7. Use of a control group with healthy individuals.
  8. The project is "other research" and requires an exemption from the consent requirement for access to health information identifying personal data.
 

Quality assurance

While research is about acquiring new knowledge about what is, or should be best practice, a quality study is about finding out whether best practice is followed.
 
Quality assurance can be defined as projects, surveys, evaluations, etc. that aim to control that diagnostics and treatment actually produce the results that are expected. For example, one will improve the efficiency and/or quality of treatment.
 
The National Research Ethics Committee for Medicine and Health Sciences (NEM) has created a checklist that can be helpful in the assessment:
 
  1. Is the purpose of the proposed project to improve the quality of patient treatment locally?
  2. Will the project measure practice against established standards?
  3. Will the project in any way involve the patient beyond what is routine in treatment?
If the answer to 1 and 2 is "yes", and 3 is "no", then the project is likely a quality study. If not, it is likely research.


Diagram
Health research (REK)

 

The project manager or the project's contact person shall complete the internal notification form:
Notification to the Data Protection Officer and Research Section - SSHF - Web form
Select the option "Health research (REK)"
 
The following documentation must be uploaded in connection with completing the notification:
  • Copy of REK application with all attachments
  • REK approval (all, if there have been several rounds with REK)
  • Protocol / project description
  • Information and consent form
  • Approval from department head

Diagram
Release to health research
Before release of health and personal data to an externally managed health research project can be carried out, a notification must be sent to the Data Protection Officer at SSHF. It is the basis for release that the Data Protection Officer shall assess. Furthermore, the information security officer shall ensure that information security is maintained in the collection and release.
 
The project's contact person shall complete the notification form:
Notification to the Data Protection Officer and Research Section - SSHF - Web form
Select the option "Release to health research"
 
Upload the following documentation in the form:
  • Copy of REK application with all attachments
  • REK approval (all, if there have been several rounds with REK)
  • Protocol / project description Information and consent form
  • Any approval from department head at SSHF

Diagram
Quality studies, health service research and other research
Research that falls outside REK's mandate to assess, must be reported to the Data Protection Officer.
This also applies to quality studies that are not regulated by the provisions for internal quality assurance.
 
The project manager or the project's contact person shall complete the notification form:
Select the option "Quality study, health service research, or other research outside REK’s mandate"
Upload the following documentation in the form:
Protocol / project description
  • Information and consent form
  • Other relevant documentation, such as questionnaires for participants
  • Commencement awaits the Data Protection Officer's recommendation of the project.
  • Internal quality assurance - Patient Journal Act § 6, cf. Health Personnel Act § 26
 

Bilde></picture> <figcaption class=Internal quality assurance
The Patient Journal Act § 6 and the Health Personnel Act § 26 provide a legal basis for projects and registries that are decided to be established by the manager to carry out internal control and quality assurance of healthcare. Management decision and advice from the Data Protection Officer are required.
The project's objective is to improve the treatment of patients at the hospital, for example through improved diagnostic or treatment methods. This is an internal purpose that is to ensure continuous improvement and possibly correct treatments so that changes in treatment regimens at least give the same result or better.
 
Neither the patient nor their relatives are directly involved. No new information is obtained from the patient or other external sources, but only information that is already collected in healthcare and is registered as part of the company's collective journal is used.
 
The purpose is limited to internal activity and needs. The purpose does not include publishing results. Any need to publish results must be stated as an additional purpose. The decision to publish results will require an assessment of the justification for the creation and purpose of the quality register and the assumption of an internal purpose.
 
The department’s contact person shall complete the notification form:
 
Notification form to the Data Protection Officer for internal quality assurance.
 
The Data Protection Officer's recommendation must be available before registration can be started.
 
For a more detailed definition of an internal quality register, see the document
 
Quality assurance - Approval of internal quality registersResearch/quality register with a broad purpose.
 

Diagram
Establishment of a health register with a broad thematic purpose related to research, including nationwide quality registers, must be reported to the Data Protection Officer. Such registers will generally require a documented assessment of data protection implications (DPIA).
The Data Protection Officer can be contacted for advice in connection with the preparation of this.
 
The project manager or the project's contact person shall complete the notification form:
 
Upload the following documentation in the form:
 
Protocol
  • Articles of association, see
  • template from SKDEInformation and consent form
  • DPIA, if this is available
  • The Data Protection Officer's recommendation must be available before registration can be started.
Release to other research and quality assurance
 
 

Diagram
Before release of health and personal data to an externally managed project or registry, whether it is quality assurance or other research outside REK's mandate, a notification must be sent to the Data Protection Officer at SSHF. This applies even if the external party has advice from its own Data Protection Officer. It is the basis for release that the Data Protection Officer shall assess. Furthermore, the information security officer shall ensure that information security is maintained in the collection and release.
The project’s contact person shall complete the notification form:
 
Upload the following documentation in the form:
 
Recommendation from another Data Protection Officer
  • Protocol / project description
  • Information and consent form, or copy of exemption
  • If release to a registry: The registry's articles of association
  • Recommendation for release from the Data Protection Officer at OUS must be available before commencement and release.
Master's projects and other student projects
 

 
Contact Vivi Haavik Tønnessen
 
Vivi.Tonnessen@sshf.nofor guidance.Case study / case report for scientific presentation and / or publication
 
 

Diagram
Before looking up in the journal with the purpose of presenting a patient's history (in a journal, at a conference, etc.), a notification must be sent to the Data Protection Officer at SSHF. Only employees of SSHF are entitled to apply.
The project’s contact person shall complete the notification form:
 
Notification to the Data Protection Officer at Sørlandet Hospital HF - Case study for scientific presentation - Web form
Upload the following documentation in the form:
 
Consent template case study to Ext.docx
 

Diagram
Notification of changes to previously approved data registrations is sent to the instance(s) that approved the registrations.
If the change affects information security, for example electronic collection solution, storage, analysis tools or release, then approval from the DPO/information security officer at SSHF must be obtained.
 
Health research
 

A change notification is only necessary if the change relates to the storage location and/or release of data. In such cases, the notification form must be completed:

Notification to the Data Protection Officer
All other changes in health research projects should only be reported to REK.
 
Other research, quality studies and internal quality assurance
 

Fill out the notification form:

Notification to the Data Protection Officer
The change cannot be implemented until feedback on the change notification has been received from the Data Protection Officer and/or Information Security Officer.

 

Electronic collection and storage
 

Implementation and data storage.Confirmation of deletion/anonymization of data


Confirm that data in the project/registry has been deleted or anonymized - Web formshould be completed.Last updated



2024