Data Flow Mapping / GDPR Compliance

You have been sent this form because you are conducting research within the University Hospitals of Leicester NHS Trust. There is a requirement as part of the Data Protection Act of 2018 and the EU General Data Protection Regulations to understand how data is used, stored, destroyed and sent.

This form must be completed for each research study. Each form is study specific although many of the answers may be the same. The completion of the form will enable a Study Support Officer to populate the EDGE Business Intelligence Tool and therefore provide evidence of compliance to GDPR for all Research to the CIRO and Privacy Board at UHL.

 
 
* indicates a required field

Email address *


What is the title of your Research Study? *



Please provide the short title and, if used, the acronym of the research. Where a short title does not exist, please use the full title.

What is the IRAS Number for the study? *



Please provide the IRAS Number for the study

What is the description of the data? *


What category of Personal Confidential Data does your study collect? More information about what constitutes Personal Data can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/

Is it bulk data? *


Bulk data is defined as more than 50 occasions of data instances. All data collected in relation to an individual participant would class as one instance of data. Therefore recruitment of more than 50 participants would be defined as 'bulk' data.

What is / are the name/s of the data capture tools? *


What are the system(s) called? e.g. MS Excel, SPSS, RedCap etc

What is/are the 'type' of data capture tools? *


Bespoke means built from scratch at your PC - i.e. Excel. Off the Shelf is one that you have been provided or purchased that is ready to go with no design. On-line Data Capture means an electronic system held in a cloud; Desktop data capture means a system downloaded onto your desktop only.

Please provide a description of the data capture tools *


Please describe the type of database that will be used (e.g. MS Access, MS Excel, web-based etc.?) Please indicate for each system you'll be using.

Is the data already collected for clinical purposes? *


Is this data already collected in the patient notes / other existing data capture tools used for CLINICAL care?

Is relevant access authorised? *


Do the study personnel have authorised access to all the systems that they will require during the course of the study?

How does the data flow? *


Please indicate one of the following - if your scenario doesn't fit, please let the R&I Office know.

Does the data leave the originating department? *


Does the data leave the clinic or place of origin?

What is the Specific Address of Originating Data? *


Please give the specific clinic / location address of the origin of the data - please include all areas

What is the Specific Address of Destination for Data? *


Please give the specific clinic / location address of the destination of the data - please include all areas

What is the Legal Cover for Flow of Data? *


What Legal cover are you using to share the data? Please note that this is not the same as the Legal Basis for collecting the data.

How is Data Sent? *


Please select as many as apply. If you can't find an appropriate 'fit' please notify R&I.

If 'other' answered above, please give details


Please give details

Is information provided via other teams? *


Do you rely on other teams to provide information for your study?

Are you collecting Children's Personal Confidential Data? *


Children are deemed as being between 0 & 18 for the purposes of this exercise

Have the roles for data collection personnel been defined? *


Do the individuals responsible for collecting the data have access to the systems and understand their role?

Have the roles for CRF completion personnel been defined? *


Do the individuals responsible for completing the CRF have access to the systems and understand their role?

How are access controls managed? *


Please describe the Access Controls set up for this study - please include all systems listed. Access controls mean Passwords, downloaded to specific PCs or systems etc.

Have 'data' personnel been added to the Delegation Log? *


Are individuals responsible for Data added to the Delegation of Authority and Signature Logs for the study?

How will staff be trained on the systems and how will ongoing training be provided? *

Has access to electronic CRF been arranged? *


This will usually be negotiated with the Sponsor or Clinical Research Organisation dealing with the study.

Has the frequency of collection and upload to CRF been agreed? *


This will usually be negotiated with the Sponsor or Clinical Research Organisation dealing with the study.

Will any mobile equipment be used for this study? *


Mobile equipment can be described as USB sticks, iPads, laptops, cameras etc.

Has the Point of Contact for Data Queries been confirmed? *


Who will be responsible for dealing with Data Queries?

Does a Confidentiality Agreement exist? *


Is there a Confidentiality Agreement in place for the study?

Is 3rd Party access allowed? *

Does a Data Sharing Agreement Exist? *


If you are unsure, please check with RIContracts@uhl-tr.nhs.uk. In some cases a separate Data Sharing Agreement may not be required.

Are there defined access controls? *


This means access to the system such as Passwords, Logins, lock out on failed password etc.

Does Data Collection Tool(s) Remote Access exist? *


Can the system be accessed through Explorer or Chrome from outside of the Trust, i.e. is it in a Cloud or through VPN Access?

Other HCP Social Care access - name protocol *


What access is available for HCP - if this doesn't exist please state N/A

Please describe the Registration / Deregistration process *

Who will the data be shared with? *


Which organisations will you be sharing the data with? Please include all organisations in the UK, EU and worldwide.

In what Media is Data Set Stored? *


How are you planning to store your data?

Data stored electronically - where? *


Where will you / do you store your data?

Who is the Information Asset Owner? *



Who is responsible for the Data Asset at UHL?

Who is the Information Asset Administrator? *



Who administers the system, i.e. gives passwords, allows access?

Name of Data Controller/s & Organisation *



Who is/are the MAIN Data Processor/s for this Study and which organisation/s are they employed by? A study may have multiple Data Processors; we are asking you to name the MAIN processors in the first instance. Please see this guidance for more information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

Are there business continuity plans in place? *


What plans are in place should the whole system go down? What Cloud backup is there? Is there a policy?

Have the Data capture tools been recorded on UHL Asset Register? *


This is a difficult one because the GDPR is very black or white on this. If the data cipher is held in the same organisation then it is possible that a 'motivated intruder' could line up the data and identify an individual. Have you got both the cipher and the data in the same organisation? If yes, then it is possible, so answer Yes; if no, then it is less possible, so answer No.

How long will the data set be stored? *



How long in years will you be storing the data?

How will information be disposed of? *



How do you plan to dispose of the data?

What Date will the data be destroyed? *

Select a date from the calendar.

Attachments