Data management plan (DMP)
While IGJ has set requirements for adequate data management in studies subject to the WMO and GCP, journals and funders such as ZonMw and the EU also demand responsible handling of research data during all phases of the so-called Research Life Cycle in order to foster the verifiability and reusability of data. This requirement therefore explicitly applies to all types of research; studies that are and are not subject to the WMO, quantitative and qualitative studies, and studies that do and do not involve human subjects.
Researchers are thereby required by the above institutions to set up their data management process in accordance with FAIR principles (Findable, Accessible, Interoperable, Reusable) and to document this process in a Data Management Plan (DMP).
To this end, an Amsterdam UMC Standard Operation Procedure (SOP) RDM001 SOP Research Data Management has been drawn up with a corresponding RDM F01 Data Management Plan (DMP). The SOP describes how the various data management processes should be organized to meet all requirements. The SOP combines classic (Clinical) Data Management processes with newly added RDM aspects mainly related to storing, managing, archiving and reusing data. This eliminates the need for researchers to maintain multiple DMPs. The SOP refers to various related SOPs, templates, tools, support and websites. Remaining site-specific procedures and references are listed separately.
ZonMw has recognized the SOP and DMP template as institutional templates, eliminating the need to use the DMP template via DMP Online. The DMP also meets all the requirements for a so-called Clinical Data Management Plan.
You can contact the RDM Helpdesk for advice and assistance on preparing, reviewing and implementing your DMP. Additional tips for each study type are also available now <link>.
Privacy and information security
According to the General Data Protection Regulation (GDPR), research data should be recorded anonymously if possible. However, medical research often still requires a link to be made with patient data, using a unique study number via a Subject ID log. This is known as pseudonymizing/encoding data. Hence your dataset does not contain directly identifiable personal data (such as a person’s Medical Record Number, address, date of birth, etc.). Note that the collected data, when combined, should also be minimally identifiable (e.g. a combination of a diagnosis, region and age cohort that only applies to a single person).
However, when conducting a patient study, it will often be necessary to collect data that can be used to identify individual patients, e.g. to access patient records, send out surveys, etc. This requires the consent of the patient concerned. Moreover, directly identifiable personal data should be stored separately from other research data. The study data should be recorded in the study database or web survey using a unique study number - often called a Subject ID. A separate key table consisting of the personal data and subject IDs can then be used to make the data identifiable again. This file must be kept in a secure location, separate from the database, and may only be accessed by authorized persons. In case of multi-center studies, this key table should be kept and managed on-site.
If it is necessary for your dataset to contain identifiable personal data (e.g. because you need someone’s email address to send a survey on health complaints), you need permission from the Data Protection Officer (DPO). The DPO can also provide advice in how such data can still be collected and stored separately in a secure manner.
Datasets should always contain as little identifiable information as possible. For example recording the patient’s date of birth, consider recording their “age in years” or age cohort (age category).
Registering your data collection activities
All studies involving the collection and further processing of personal data, including health data, should be reported to the DPO. This applies if your dataset contains personal data, but also if it contains an anonymous study number that can be linked to personal data such as Medical Record Numbers via a separate key table.
The pages on Privacy Protection & Information Security contain all relevant information about privacy regulations and privacy policy, including a link to the Data Processing Register. A Data Privacy Impact Analysis (DPIA) can be used to identify privacy risks from a processing of personal data. This applies both to a proposed new processing and to the modification of an existing processing. A privacy assessment is a standard part of the intake sessions performed by the METC at Amsterdam UMC.
If you have any questions about how to protect privacy in the context of your study, please contact the Data Protection Officer at privacy@amsterdamumc.nl.