Step 1 – Initial question
Researcher has a question that they think could be answered using IORD data
What kind of patients are more likely to get a fungal infection called “C. auris” when they are in an intensive care unit (ICU)?
Step 2 – Project plan development
Researcher writes a project plan, explaining:
- What the question is and why it is important to patients
- What IORD data they would need and how they plan to use this data to answer their question
- Who is part of the team and who will have access to the data
- Whether any sensitive types of data need to be used to answer the question
- Whether there are any risks that people could be accidentally identified from this data
- How they plan to let people know what they find and when they think this will happen
Considerations:
- C. auris is very hard to treat and we don’t know which patients are most likely to get it – if we find out, we may be able to stop it
- For people admitted to ICU, we need the dates they were there, what beds they stayed in, what laboratory tests were done, what drugs they were prescribed, and information about how many times they visited hospital in the year before, their sex, age (in years and months, not exactly), and ethnicity. We also need to know if they died after their ICU stay.
- The team includes Oxford hospital doctors and a project manager; only one doctor will have access to the data
- There are no particularly sensitive data items requested and no specific additional risks
- Expect to report results in a freely available format within 6 months and for findings to be shared as soon as possible with infection prevention and control teams in the hospital to improve patient management
Step 3 - Researcher vetting
The project plan is sent to the team running the database. They check that the researcher is a real person working for a real organization with experience and skills to do the analysis well.
The researchers have all done projects like this before and made results available to other researchers and patients.
Step 4 – Oversight group consultation
The project plan is sent to an oversight group, which includes people representing:
- Patients and the public
- Hospital doctors and nurses
- GPs
- Staff running the laboratories at the hospital
- Researchers running the database
This oversight group decides if the project is clear, appropriate (related to infections and possible to answer using IORD data), and important enough to get approved.
No data is released to commercial companies, only to researchers at places like universities or charities.
Different people on the oversight group asked for some parts of the project to be made clearer, or for some more details. Everyone on the oversight group agreed the project should go ahead.
Step 5 - Project summary submission
A summary of the project is added to the list on oxfordbrc.nihr.ac.uk/iord so everyone can see what kinds of analyses are using their data.
The project is described on iord/investigation-into-novel-outbreak-with-candida-auris.
Step 6 - IORD datasets filtration
The team members (3-5 named people) with access to everything in IORD pull out the specific data the researcher has asked for:
- Only data from the specific people needed to answer the question are given out
- Only the specific pieces of data needed to answer the question are given out
- All of the data is “de-identified” – this means no patient names, addresses, NHS or hospital numbers or date of birth. Instead, records belonging to the same person are identified by a specific, random, number. This means we know which records belong to different people, but not who they are
The datasets contain:
- ONLY people who were admitted to ICU between 1 January 2015 and 31 August 2017
- ONLY the specific pieces of data asked for
- So, for example, not including information about whether people had had surgery in one of the operating theatres, whether they had been to A&E or come to an outpatient clinic
Step 7 – Data usage agreement
The researcher who gets the data has to sign an agreement that:
- They will only use the data to answer their specific question and not for anything else
- They will not pass the data onto anyone else
- They will not try to find out who patients are, and will not try to link the data to other databases
- They will keep the data secure; this means
- Computers have to be in locked or other secure offices (e.g. with a key card) and must be password protected at login
- Any mobile devices (laptops, memory sticks) must be encrypted by default in a way that the user cannot turn off
If the researcher getting the data is not employed by the University of Oxford or the Oxford University Hospitals NHS Foundation Trust, a separate contract called a “Data Sharing Agreement” also has to be signed
The hospital doctor – who is the only person who will have access to the data – signs and returns the agreement.
Because the hospital doctor works for both the University of Oxford and the Oxford University Hospitals NHS Foundation Trust, who already have a legal agreement covering data sharing, no other contract is needed.
Step 8 – Secure data transfer
- The data is sent to the researcher using a method which meets NHS standards for encryption to make sure it is safe
- The hospital doctor gets the data through an encrypted email
- They work on it using their laptop which is password protected at login and encrypted so that if it is lost or stolen, there is no way to get what is on the laptop, including the IORD data
Step 9 – Data analysis
- When the analysis is complete, the researcher sends a summary of what they have found to the oversight group, so they can check what has been done compared with the original project proposal
- Sometimes it turns out that the data cannot actually be used to answer the question. In this case the researcher lets the team know that there will not be any results to report
- The researcher can then send a report to an academic journal, tell people about it in the media, and/or write a blog about it
- They can also tell people working in the hospital about it, to make sure results benefit patients
- The researcher found that people admitted to ICU who had their temperature measured using re-usable thermometers were much more likely to get C. auris
- This is probably because they are very hard to clean
- The hospital stopped using this kind of thermometer
- After this, fewer patients got C. auris
- The analysis was published in the New England Journal of Medicine https://www.nejm.org/doi/10.1056/NEJMoa1714373 and widely reported in the media https://www.mirror.co.uk/news/health/deadly-armpit-superfungus-spread-between-12399337
Step 10 – Project publication
- All reports of IORD projects published in academic journals have to be made freely available
- They are added to IORD Publications
Step 11 – Data deletion
- Sometimes it takes a very long time to get an analysis published in an academic journal and these journals can ask for more analysis to answer the question, so researchers do not have to delete the data straightaway
- However, a year after the analysis the researcher is contacted to ask if they still need the data or if they can delete it. They need to have a good reason to keep the data
- They are contacted every year; they have to delete the data after 5 years
- The researcher deletes the data