Royal College of Surgeons in Ireland Coláiste Ríoga na Máinleá in Éirinn

What is data protection?

Data protection entails protecting the privacy of the individual in relation to their personal information. It also means ensuring the reliability of any information used and its fair and legitimate use by everyone.

Any stored personal data are covered by the Data Protection Act (1998) and legal penalties may arise if personal data are not looked after properly. Such data might include patient records, personal information or any other sensitive confidential information.

Read about data protection in RCSI here.

 If you are collecting such data in connection with research at the RCSI then the following will apply:

  • Study data must be stored and encrypted on the RCSI server (V drive). This is to avoid risks posed by the storage of data on portable devices and media (e.g. laptops, USB flash drives etc) in case it gets lost or stolen, especially if it contains sensitive information
  • Please see below for more information on data storage:
  • If work has to be done off the server for practical reasons it must also be encrypted. Encryption is the most effective way to achieve data security. For information on the few simple steps that need to be take to ensure our confidential information is protected visit the RCSI Staff portal or the IT Helpdesk who are available to help with any queries you may have.
  • Where possible, it is good practice to separate collected data from personal identity information as soon as possible after collection and to use codes to identify individual cases if this is necessary. The key linking such codes to identity information such as names, addresses and telephone numbers should be kept secure and separate from the dataset, accessible only to a strictly limited number of project staff (researcher and supervisor).
  • Data controllers must be clear about the length of time for which (personal) data will be kept and the reasons why the information is being retained. Data should be kept for no longer than is necessary and each case be considered on its own merits [sometimes there is a legal obligation to store for a particular length of time (e.g. clinical trials, financial records)].
  • Guidance note for data controllers on purpose limitation and retention
  • Always be aware of the eight rules of data protection as follows:
    1. Obtain and process information fairly
    2. Keep it only for one or more specified, explicit and lawful purpose
    3. Process it only in ways compatible with these purposes
    4. Keep it safe and secure
    5. Keep it accurate, complete and up-to-date
    6. Ensure that it is adequate, relevant and not excessive
    7. Retain it for no longer than is necessary for the purpose or purposes
    8. Give a copy of his/her personal data to that individual, on request

For more information: www.dataprotection.ieHSE Data Protection Guidances August 2013 and data protection in RCSI

Data storage for RCSI researchers

  • A unique project folder for each lead applicant/researcher is provided within the RCSI V: drive named 'Applicant Projects'.
  • The REC convenor will have full control of these project folders.
  • The REC convenor will provide the applicant (and principal investigator) a link to this folder with their HREC APPROVAL email notification.
  • The REC convenor will keep a record of applicants who are in possession of such folders and their associated details i.e. (link details/project title/lead applicant and PI contact details/approval dates)
  • Access may also be given to other individuals involved where necessary.
  • It is no longer acceptable to store study data in locked filing cabinets.
  • All study data must be stored and encrypted within this location (RCSI V:drive) including (where applicable) associated study documentation (scanned if necessary) for example:
    1. Participant and/or patient information leaflets
    2. Consent forms
    3. Permission letters from relevant organisations associated with the study
  • Study data retention time should also be given, the current guideline is that study data should be retained for 5-7 years and then destroyed. However this retention time could be significantly less or more depending on the nature of the study being conducted, in which case a justification for a shorter or longer retention period must be provided by the researcher.