- Posted By: Sylwester Pawluk
This year UKCRC ISOG focused on utilising NHS datasets as well as functional and non-functional requirements of the remote data capture (RDC) systems.
The Health and Social Care Information Centre (HSCIC) guest speaker, senior manager John Madsen, talked about application requirements, decision making processes and help offered when requesting the data.
Detailed process for handling requests can be found here.
In the second part of the meeting we discussed the design principles of the remote data capture systems. The arguments for RDC are that the data is collected more quickly, data cleaning is quicker and often clearer and more convenient for both sets of staff and that, in the first instance at least, data is cleaner than that collected on paper. Unsurprisingly, one of the mostly covered aspects of the RDC systems development was security with the key points below.
1. Data must be stored in a secure database server in a secure network environment.
2. Data must be stored in a recognised relational or object database management server such as Oracle, MS SQL Server, MySQL etc. Excel and other systems that provide database functionality but without a recognised enterprise security model should not be used.
3. The data must have a backup each night to a secure location.
4. The database and software must secure behind a firewall.
5. Data transmission between the user and the software must be encrypted to the AES256 standard or an equivalent standard.
6. The software must have individual access control for each user using a username, which must be unique in the software and a password, which the user must define themselves.
7. The software must maintain an audit trail for all activities relating to the adding, modification or removal of subject data. The audit trail must record :
a. The identity of the user. This is usually the username.
b. Identify the record added/modified/removed
c. Record the details of the initial state of the data and the final state of the data
d. If conforming to the US requirements (CFR21 Part 11), the reason for the change
8. The software must have a security model that allows an Administrator to provide different levels of access to different types of users. For example a CTU Trial Manager must be able to review data and create data queries, but may not be able to enter data. Typically this is achieved by defining user roles and assigning one or more role to a user. Some systems use a Task/Role model where the Administrator can configure bespoke Roles from collections of Tasks. Individual CTUs must decide which of the following functionality must be available to which users, but the associated flows are self-explanatory.
9. The software must restrict functionality such that Site users can only view and enter data relating to Subjects recruited from that Site.
10. The software must allow users to define their own passwords. Passwords must be strong.
With OCTRU looking into developing own RDC system in the future, I found the discussion very interesting and encouraging.