Patient Information for people with IBD participating in the IBD Registry

This is Version 4.0.1 of this Patient Information Leaflet dated April 2021. You can download it here here

About joining the IBD Registry

Do I have to take part?

The decision is yours. If you decide not to, your decision will not affect the healthcare you receive in any way. If you do decide to join, you will be free to withdraw at any time and without having to give a reason.

Can I change my mind later?

Yes. You are free to amend your options or withdraw from the IBD Registry at any time and don’t have to give a reason. You can do this by updating your consent preferences either electronically or on paper. We will confirm your amendment or withdrawal with you, together with details of your revised preferences.

About my data

What data do you collect?

We collect personal data such as your name, contact details, age, sex, whether you smoke, etc. We use the minimum required personal data (usually your NHS Number and your data of birth) to collect your relevant medical data from your hospital(s) and/or your GP.

We also request your centrally held health records (NHS databases regarding hospital admissions, diagnoses, surgeries and cause of death and prescribing databases) and data held at the Office for National Statistics.

We also request data from other relevant research studies to which you have consented (such as the IBD BioResource), registries and organisations which hold information about you that is relevant to our purpose.

We only collect data that has been approved as being relevant to what the IBD Registry does. We have a designated oversight group for this approval.

A complete listing of this data and its approvals can be found on our website ibdregistry.org.uk.

How do you collect this data ?

We collect data directly from you by means of surveys conducted once each year, possibly in some circumstances, a couple of times each year. We also collect relevant data from your hospital or GP. This is done several times each year to build a picture of your changing health, healthcare and treatments. We may collect relevant data from central NHS bodies (such as NHS Digital), other registries and national datasets. We have approved data tools in place to allow the secure collection and transfer of this medical data.

What do you do with the data ?

The IBD Registry brings all of the data it collects together for a unique view of IBD in the UK. This supports better understanding by people, hospitals and other health-related organisations about how IBD is treated, about medicines that are used and about IBD in general.

We analyse the data we hold to provide reports and insights about IBD in the UK. We design the reports so that they provide insights that are useful to patients and to people involved in helping patients (e.g. hospital teams and GPs, patient organisations, commercial organisations developing healthcare products for IBD and policy advisors).

All our reports and publications are about the results of statistical analysis and are de-identified. You will not be identified personally in any report or publication. We follow best practice to ensure that if small or unusual groups of results mean that an individual could be identified, those results are withheld. All public reports that we produce will be available on our website ibdregistry.org.uk. Reports (fully de-identified) may be made available to hospitals, medical and academic organisations and to health-related companies, such as pharmaceutical companies.

We may do the analysis ourselves, or we may work with other approved organisations for this. We may share data with approved organisations where there is a specific piece of analysis to do.

Where you have agreed for your data to be used in IBD related research, this will be undertaken by the IBD Registry or by approved research groups.

How do you protect my identity and my data?

We hold data about you (e.g. personal details and health information) securely within electronic databases, which are located in the UK and are subject to technical and organisational controls to ensure the security of your information. We follow and meet strict NHS requirements for data security, which is assessed annually. All data transferred to us is tightly and securely controlled. All analysis or research taking place on IBD Registry data is done within an approved secure data environment.

More information on our data security can be found on our website ibdregistry.org.uk

We follow best ethical and legal practice to ensure that all data collected about you is handled in confidence.

We employ privacy-enhancing techniques within the Registry. These include de-identification (where data items which could identify you directly such as your name or NHS Number are replaced with a code so that your identity is protected) and data minimisation (where data items which are not needed are removed before use). All of our analysis and research takes place using de-identified data. Analysts and researchers are only granted access to the specific data needed to address their study or research project. No one has access to any more data than is necessary for the activities they are undertaking.

Who will have access to my data?

We are careful about who has access to information held within the IBD Registry, and which other organisations and individuals this is shared with.

Access to your de-identified information within the IBD Registry is restricted to authorised and trained individuals who are subject to contractual obligations of confidentiality.

There is an approval process for authorising new uses of data, including any research. This process seeks to confirm the purpose of any access, assess the minimum data required and determine who can access that data. The IBD Registry are responsible for ensuring all uses of data are lawful.

Where you have consented to another study or database, we can agree to allow the IBD Registry data to be linked with this where the linkage forms a necessary part of the study protocol. Only de-identified data will be shared and extra care will be taken to ensure no re-identification occurs.

In addition to internal Registry analysis and research, we take requests for analysis and research from approved organisations, for example public bodies such as the NHS, charities, academics and commercial healthcare organisations.

Approved analysis or research groups will be given access to the data for their study through legally enforceable agreements. These will oblige them to use your data only for the agreed purposes, keep your data safe and comply with the law.

We will share data with NHS or government and public bodies where this is lawful, proportionate and there is a clear public interest in doing so.

We will not share data that identifies you with any commercial organisations. We will never allow your data to be used for marketing or by insurance companies.

How is research approved?

Research groups wanting to access Registry data must first ensure the right approvals are in place, including ethical approval. They then have to apply to the IBD Registry committee that safeguards the use of Registry data for research. This committee will check that the research questions are important and will produce scientific advances or benefit patients, or both. They will also consider whether the information requested is the minimum necessary for the project, as well as any ethical considerations.

Researcher groups share the results of their studies in reports or publications, which includes placing the results of research on the internet, in press articles, in medical research journals, in project leaflets and through other media. Under no circumstances will any information that identifies you personally be disclosed in any of these types of media.

How long will you keep my data for?

Inflammatory bowel diseases are usually lifelong conditions, so the Registry aims to keep information indefinitely. This will help us to understand the long-term pattern of disease and how different treatments work over time.

How can I access the data you hold about me?

For details on how to access the data the Registry holds, and for information about how you can exercise your other rights under data protection law, please see our Privacy Notice on our website ibdregistry.org.uk.

About my data

What do you do with the data?

We will store your data securely in line with information governance requirements, using the IBD Registry’s secure data hosting facility at AIMES. Your responses relating to your medications, IBD activity, and COVID-19 vaccination status can also be shared with both the hospital teams that currently care for you. Your data will also be used for analysis and research relating to COVID-19 and IBD.

We might undertake this research ourselves, or we might approve other organisations to do specific studies. We will only share your de-identified data with approved organisations who are undertaking studies that the IBD Registry has approved.

In order for specific research studies to be undertaken, either by the IBD Registry or by approved organisations, it might be necessary to link your data to other national datasets, databases, or tissue banks. Only de-identified data will be shared and extra care will be taken to ensure no re-identification occurs.

We are careful about who has access to information held within the IBD Registry, and which other organisations and individuals this is shared with. Access to your de-identified information within the IBD Registry is restricted to authorised and trained individuals who are subject to contractual obligations of confidentiality.

We will only use your contact details to contact you if it relates to your involvement with COVID-19/IBD research. If you give us permission to do so, we will also contact you to invite you to join the main IBD Registry once the mechanism for this is in place.

Will my data be transferred back to my healthcare provider?

Your responses from the medications, IBD activity, and vaccination surveys can be shared with both the hospital teams that currently care for you. Data will not automatically be shared – individual hospitals will need to request it. This gives them the opportunity to learn about your condition and treatment which could be relevant during this COVID-19 response period. Just because you have completed the survey does not mean that your healthcare team will receive the information.

Answers from the other surveys available will not be fed back to your healthcare teams at an individual level. You will be given the option of downloading a pdf copy of your answers at the end of each survey. You can choose to share these with your healthcare teams if you want to.

If there is information that you urgently want your IBD team to receive then please contact them directly.

Who will my data be shared with?

Some of your responses may be shared with hospitals and specialist doctors that care for you, upon request from the healthcare provider. This means that they have the most up to date information about your condition and treatment which could be relevant during this COVID-19 response period.

To maximise the potential of the research, we would like to link the data with public health data, such as Public Health England and the equivalent NHS bodies in the devolved nations. This will mean sharing your NHS Number (CHI Number in Scotland and HSC Number in Northern Ireland) with these NHS organisations and another personal identifier such as date of birth. The NHS organisations will use these identifiers to find the matching record in their dataset and send us a linked set of data.

For specific research studies, we may also link your data with other national datasets, databases or tissue banks (for example, the NIHR IBD BioResource). The linkage of de-identified data with such organisations will be made possible by sharing a specially created unique key that is the same in both the datasets.

Your de-identified data may be shared with approved organisations who are undertaking research that has been approved by the IBD Registry. Special agreements covering data sharing and data protection will be in place with all of these organisations to make sure they will look after your data when we have shared it with them.

We will not share data that identifies you with any commercial organisations. We will never allow your data to be used for marketing or by insurance companies.

How is my personal data protected ?

All data that we collect will be processed in accordance with the General Data Protection Regulation (GDPR) and the Common Law Duty of Confidentiality (CLDC). The data is securely collected and then held within secure data centres in the UK which are compliant with industry and NHS data security standards.For further information, including details of our lawful basis, the purposes for which personal confidential data will be processed, your rights and how to contact us, please see the full Privacy Notice (also on our website).

How do you protect my identity and my data in research?

We hold data about you (e.g. personal details and health information) securely within electronic databases, which are located in the UK and are subject to technical and organisational controls to ensure the security of your information. We follow and meet strict NHS requirements for data security, which is assessed annually. All data transferred to us is tightly and securely controlled. All analysis or research taking place on IBD Registry data is done within an approved secure data environment.

More information on our data security can be found on our website here.

We follow best ethical and legal practice to ensure that all data collected about you is handled in confidence.

We employ privacy-enhancing techniques within the Registry. These include de-identification (where data items which could identify you directly such as your name or NHS Number are replaced with a code so that your identity is protected) and data minimisation (where data items which are not needed are removed before use). All of our analysis and research takes place using de-identified data so that the researchers will not be able to identify you. Analysts and researchers are only granted access to the specific data needed to address their study or research project. No one has access to any more data than is necessary for the activities they are undertaking.

For sharing data with national datasets and central NHS bodies, their process is to share only identifiers and then to use those to return the dataset that matches exactly those identifiers. For sharing with other organisations, such as the BioResource, we will use a privacy-enhancing technique that means no identifiable data is shared. The enhanced records are then de-identified before further activity is undertaken.

Only aggregate data – statistics – will be used in reports and publications, and small number suppression will be used.

How long will my data be kept for?

Inflammatory bowel diseases are usually lifelong conditions, so the Registry aims to keep information indefinitely. There may be other viruses which behave similar manner to COVID-19, which means that data on it may be useful for further research in the future.Where an ethically approved research study is given access to data, it will be for a shorter period of time in line with the research protocol and agreed with us in advance.

How is research approved?

The IBD Registry has an approval process for authorising new uses of data, including any research. This process seeks to confirm the purpose of any access, assess the minimum data required and determine who can access that data. The IBD Registry are responsible for ensuring all uses of data are lawful.In addition to internal Registry analysis and research, we take requests for analysis and research from approved organisations, for example public bodies such as the NHS, charities, academics and commercial healthcare organisations.

Approved analysis or research groups will be given access to the data for their study through legally enforceable agreements. These will oblige them to use your data only for the agreed purposes, keep your data safe and comply with the law.

Research groups wanting to access Registry data must first ensure the right approvals are in place, including ethical approval. They then have to apply to the IBD Registry committee that safeguards the use of Registry data for research. This committee will check that the research questions are important and will produce scientific advances or benefit patients, or both. They will also consider whether the information requested is the minimum necessary for the project, as well as any ethical considerations.

Research groups share the results of their studies in reports or publications, which includes placing the results of research on the internet, in press articles, in medical research journals, in project leaflets and through other media. We hope that the research will be important for public health and so we may also share results with national health organisations, including NHS organisations, policy makers and national charities for the benefit of people with IBD. Under no circumstances will any information that identifies you personally be disclosed in any of these types of media.

About the IBD Registry

 

How is the IBD Registry funded?

 

The IBD Registry does not share or receive any money for your personal information.  However, running the IBD Registry costs money, and we must raise enough income to cover these costs.  We only plan to raise the income we need to cover our costs – we do not seek to make a profit.

We raise income from a variety of sources which includes public grants and support (educational) grants from pharmaceutical companies and other commercial entities.  We provide paid services to companies involved in IBD healthcare but only where the service aligns with our purpose of improving IBD health. These services include observational IBD drug safety studies (also called pharmacovigilance). We also use our skills and expertise to provide services to academic and research studies about IBD.

The IBD Registry produces statistics and insights based on the data it holds and charges fees for these to support the operating costs of the Registry.

The IBD Registry has procedures that ensure that all relationships with commercial organisations are subject to clear guidelines for joint working, promote openness and transparency, and ensure that we maintain our independence and impartiality.

Data held within the IBD Registry will never be sold.

Who is responsible for looking after the data?

The IBD Registry is the Data Controller for the personal data held within the Registry and are accountable for protecting that data in accordance with all relevant laws.  We are registered with the ICO (Information Commissioner’s Office).  Our ICO Registration Number is: ZA334069

How is the Registry governed?

 The IBD Registry is a not-for-profit organisation, wholly owned by three joint members – the Royal College of Physicians (RCP), the British Society of Gastroenterology (BSG) and Crohn’s & Colitis UK 

How do I complain or give feedback ?

If you are unhappy about any aspect of the Registry or how your data is being used, please talk to us to try and resolve the problem. You can find out more about us on our website or contact us as below. If you want to make a formal complaint about any aspect of the IBD Registry, then you can do so by emailing support@ibdregistry.org.uk.  Please see our website ibdregistry.org.uk for more information on contacting us.

Click here to download this patient information leaflet

IBD Registry Ltd is a not-for-profit company limited by guarantee - Company Number 11197749.