Updated 28 May 2018


Ethics and Patient Confidentiality


Obtaining consent from patients is an essential part of joining the ECFS Patient Registry (ECFSPR), as required by the EU General Data Protection Regulation 2016/679. National requirements may be stricter than the EU Regulation and it is therefore important to check the sample consent forms provided by the ECFSPR with your local Data Protection Officers.
Patients should be fully informed of procedures for collecting and processing their data; these are determined by the design of the ECFSPR. The Information Sheet provides more detailed information. 
The various documents necessary to accompany your application to local data protection authorities can be downloaded from this page. If you have any questions, please contact the ECFSPR Executive Coordinator, Jacqui van Rens (ecfs-pr@uzleuven.be), before you start.
You will need to follow the relevant procedure below, depending on whether your country already has patient consents or not.

I- If you have existing consents which satisfy your local laws:

  • Please check with your local Data Protection Officer to ensure that these forms meet the ECFSPR requirements or to know if you will need new patient consent forms. 
    "Patient Information Sheet" Template and
    "Patient Consent Form" Template.
  • If your local Data Protection Officer approves your existing consent form, please inform the ECFSPR Coordinator (ecfs-pr@uzleuven.be) and send a copy of the approval from your data protection authorities. This approval should be in English. If it is not in English we will need the original document together with an English translation. 
    Furthermore, we will need a signed statement from the country representative, if you have a national registry, or from the single centre representative (statement).

II.    If you do not have existing consents, or you need new patient consents:

  • Make an application to your local/national data protection authorities to store data on the ECFSPR webserver, located at Hetzner in Germany (www.hetzner.com) and to export anonymous data to the ECFSPR. The ECFSPR complies with the EU General Data Protection Regulation 2016/679; data controller on behalf of the ECFS is Hanne Vebert Olesen, MD, PhD, Aarhus University Hospital, Denmark.
  • The following documents will be needed for the application:

ECFSPR Registration
ECFSPR Registration Terms

  • The Patient Information Sheet Template and Patient Consent Form Template must be changed to meet any requirements of your local legal and ethics laws, and translated into your own language.
  • When your application has been approved by your local data protection agency, please inform the ECFSPR Coordinator (ecfs-pr@uzleuven.be) and send a copy of the approval from your data protection authorities. This approval should be in English. If it is not in English we will need the original document together with an English translation. 
    Furthermore, we will need a signed statement from the country representative if you have a national registry (statement NR), or from the centre representative (statement centre).
  • Patients can only be included in the registry when you have received signed, informed consent from them, or their legal guardian, to do so. Please store all signed consent forms in a safe and secure place at your local hospital.
  • Patients have the right, at any time, to withdraw their consent. All they need to do is contact their local clinical team about their decision; the team should inform the ECFSPR Coordinator in writing (ecfs-pr@uzleuven.be). The ECFSPR will ensure that the patient’s data is removed from the current year and that it will not be included in future years in the European and centre databases. It is not possible to remove the data from the previous years in the European database since these data have already been published. 
  • If a patient expresses the wish to receive his/her own data, the ECFSPR advises to contact the local clinical team to discuss the request. The ECFSPR does not see or receive names or full date of birth, and cannot identify individual patients in the database.

It is the responsibility of the reporting centres/countries/registries to ensure they have the required permissions to export/report data to the ECFSPR.  The ECFS and the ECFSPR Steering Committee are responsible for ensuring these permissions are compliant before any data is received. The ECFS and the ECFSPR Steering Committee are also responsible for ensuring that the data are stored and handled in accordance with current EU Data Protection laws. 

The ECFSPR was formerly registered under the Danish Data Protection Agency, file no 2013-41-2105. The new EU General Data Protection Regulation 2016/679, however, which came into vigor on 25 May 2018, no longer requires formal registration and approval for private registries; instead, internal procedures that meet the regulation and are subject to review by the Data Protection Authorities must be in place.
For questions concerning the above please feel free to contact the ECFSPR Coordinator Jacqui van Rens, ecfs-pr@uzleuven.be or +32 484 443 435.


FORMS:


REFERENCES:

The Danish Data Protection Agency can hereby confirm that the ECFS Patient Registry is governed by the Danish Act on Processing of Personal Data (Act No. 429 of 31 May 2000). The act implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 
For the full document: click here

Standard terms for a database for private research approved by the Danish Data Protection Agency.

AUTHORISATION to process personal data

The Data Protection Agency hereby grants authorisation for the implementation of the project, cf. section 50(1)(i) of the Danish Act on Processing of Personal Data. In this connection, the Data Protection Agency lays down the following terms:

General terms

Period of validity: The authorisation is valid until September 1, 2015

1. Hanne Vebert Olesen is responsible for compliance with these present terms.

2. The data can be used for the implementation of the project only.

3. Processing of personal data must be performed only by the controller or at the instance of the controller and at his responsibility.

4. Any person processing personal data must be cognizant of these present terms.

5. The terms must be complied with also where processing is made by a data processor. 

6. Facilities used for storage and processing of the data must be organized and fitted up in order to prevent unauthorized access.

7. Data processing must be organized in such a manner that data are protected against accidental or unlawful destruction, loss or impairment. Furthermore, the necessary control should be exercised to ensure that no inaccurate or misleading data are processed. Inaccurate or misleading data or data processed in contravention of the above Act or of these terms shall be rectified or erased.

8. Data must not be kept in a form that makes it possible to identify the data subject for a longer period than is necessary for the implementation of the project. 

9. If results from the project are published this must be done so that it is impossible to identify individual persons.

10. It is a condition compliance is made with related terms, if any, laid down in accordance with other legislation.

Electronic data

11. Identification data must be encrypted or replaced by a code number or the like. Alternatively, all data can be stored encrypted. Encryption keys, code keys etc. must be stored securely and separate from the personal data.

12. Access to project data can be obtained only through the use of a confidential password. A password must be replaced at least once a year and when conditions dictate it.

13. If data identifying individuals are transferred over the Internet or other external network, the necessary security measures must be taken to ensure that the data do not come to the knowledge of any unauthorized third parties. As a minimum, the data must be encrypted during transmission. Transmission of sensitive personal data requires strong encryption. When using internal networks, it must be ensured that unauthorized persons are unable to obtain access to the data.

14. Removable storage media, safety copies of data etc. must be stored securely and under lock and so that unauthorized access is prevented.

Manual data

15. Manual project material, including print-outs, failure lists and control lists etc., as well as other material which may directly or indirectly be linked with specific persons, must be stored securely under lock and so that unauthorized access is prevented.

Bio-bank and biological material 

16. Samples with biological material and biological material in bio-banks must be stored securely under lock so that unauthorized access is prevented and in such a manner that it is ensured that the material is not lost, impaired or accidentally or illegally destroyed.

17. Biological material marked with civil registration number (CPR-no.) or name must be stored subject to special safety requirements.

18. The project material shall contain internal guidelines for storage of biological material and the guidelines shall be updated at least once a year.

Data to be provided to the data subject

19. Where the personal data are to be obtained from the data subject (through interviews, questionnaires, clinical or para-clinical examination, treatment, observation etc.), detailed data about the project shall be distributed/forwarded to the data subject. The data subject must be informed of the name of the controller, the purpose of the project and of the fact that it is voluntary to participate and that consent may be withdrawn at any time. Where the data are to be disclosed to be used for other scientific or statistical purposes, the data subject shall be advised also of the purpose of the disclosure and the recipient's identity.

20. The data subject shall furthermore be advised that the project is notified to the Data Protection Agency in accordance with Act on Processing of Personal Data, and that the Agency has laid down specific terms to be complied with for the project for the purpose of protecting the data subject's privacy.

Right of access to personal data

21. The data subject has no right of access to the data being processed with regard to himself.

Disclosure 

22. Disclosure of data identifying individuals to a third party may take place for other statistical or scientific purposes only.

23. Disclosure may be made only subject to prior approval of the Data Protection Agency. The Data Protection Agency may lay down new terms for the disclosure as well as the recipient’s data processing.

24. Disclosure of data may furthermore take place if it appears from other legislation that the data shall be disclosed.

Processing by a data processor

25. The Data Protection Agency’s conditions shall apply also to processing made by a data processor.

26. When data are processed by a data processor, a written agreement shall be made between the controller and the data processor. The agreement shall stipulate that the data processor acts on behalf of the controller only and that the data must not be used for the data processor’s own purposes. The controller shall furthermore request sufficient data from the data processor to ensure that the Data Protection Agency’s terms can and will be complied with.

27. Where the data processor is established in another Member State it shall, furthermore, appear from the agreement that such other regulations on safety measures with regard to data processors that may be in force in the Member State in question, shall apply also to the data processor in question.

Changes of the project

28. The Data Protection Agency shall be notified of significant changes in relation to the project (in the form of a change to an existing notification). Less significant changes may be notified to the Data Protection Agency.

29. Changes, if any, of the final date of completion of the project shall always be notified.

Completion of the project

30. At the completion of the project at the latest the data shall be erased, be made anonymous, or be destroyed, so that subsequently it is not possible to identify individuals participating in the project.

31. Alternatively, the data may be transferred for further storage with the State’s Archives (including “Dansk Dataarkiv” - Danish Data Archives)

32. The controller shall inform the Data Protection Agency promptly when the project is completed and the data have been erased, made anonymous, destroyed or transferred to the State’s Archives.

33. Erasure of data from electronic media shall take place in such a manner that it is impossible to recover the data.

34. (Special terms for tests/ trials, etc.) After the completion of the project, data regarding the individual person may, however, if requested by an authority or if to comply with the GCP rules, be kept for the period of time required. A list of participating individuals can be kept as well for the same period of time.

Transfer of data to third countries

35. Transfer of data to third countries, including for the purpose of processing by a data processor and for internal application in the project, requires the Data Protection Agency’s prior approval.

36. Transfer may, however, take place without approval of the Data Protection Agency if the data subject has given his explicit consent. The data subject can withdraw his consent.

37. Transfer of data shall take place by courier or registered mail. In case of electronic transmission the necessary security measures shall be taken to prevent unauthorized access. As a minimum, the data must be safely encrypted during the entire transmission.

The above terms shall apply until further notice. The Data Protection Agency reserves the right to take up the terms and conditions for revision at a later date, if required.