Privacy Notice:
King’s College London – Global Registry of COVID-19-related diabetes
(‘CoviDiab Registry’) – Privacy Notice
This Privacy Notice applies solely to the CoviDiab Registry. The King’s College London core privacy policy can be found here.
King’s College London (“we”, “us”) is committed to safeguarding the privacy of visitors to this website and the CoviDiab Registry and this privacy notice sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
For the purposes of the General Data Protection Regulation 2016 and the Data Protection Act 2018 (the “Data Protection Legislation”), the Data Controller is King’s College London of Strand, London WC2R 2LS and the Data Processor is Dendrite Clinical Systems Limited (“Dendrite”) who provide CoviDiab Registry platform and web services.
What is the CoviDiab Registry?
The CoviDiab Registry is an international clinical registry set up by researchers at King’s College London to determine the presentation and course of diabetes in COVID-19 disease and investigate its pathogenesis, management, and outcomes. The Registry includes a minimal dataset consisting of routinely collected clinical data which is anonymised, to be entered by you as a participating clinician/ researcher. The CoviDiab Registry aims to establish of the range of phenotypes at presentation and during recovery and will focus on phenotype, ethnicity, body habitus, insulin requirements and outcomes.
The CoviDiab Registry will draw patient data from UK and across the world. We will create it using the established methodology behind the Global Registry for Bariatric/Metabolic surgery (established by IFSO & Dendrite). The CoviDiab Registry will be accessible through an online page that reports the background, methods, aims of the Registry and participating centres and co-investigators.
In collaboration with Monash University collaboration, and King’s Health Partners Transcampus, we have identified and engaged leading international experts in diabetes (the CoviDiab Registry co-investigators) representing several countries with high prevalence of COVID-19, including UK; China; Africa (Cameroon, South Africa); Europe (France, Germany, Italy); USA and Australia. In addition to help gathering data from observations of new onset diabetes at their Institutional practices, the CoviDiab Registry co-investigators will also seek assistance of professional organizations and medical journals to raise awareness of the initiative and invite other contributing clinicians from around the word to share their observations via the CoviDiab Registry.
The data you add to the CoviDiab Registry will also be used to develop downstream hypotheses and inform the design of future research studies, which may or may not be related to COVID-19, for which King’s College London will seek specific ethical approval.
What information does the CoviDiab Registry contain?
The CoviDiab Registry consists of two data set: a) the anonymized patient data routinely collected by providing organisations and uploaded by you (Data Set A), and b) the personal data you provide alongside the clinical data (Data Set B).
DATA SET A – Anonymised Clinical Data
As part of Data Set A, we will request you provide routine clinical data in fully anonymised form including:
Relevant medical history including biochemical data, co-morbidities, lab tests, symptoms, and admission route;
Complications of diabetes;
Age in years, gender, ethnicity, body weight, BMI;
Outcomes (i.e. ICU admission, death, discharge);
Meds on Admission; Meds during in-hospital management; Meds on discharge;
Insulin Therapy and pre-existing therapies.
To ensure capturing exclusive new-onset diabetes, only data from patients with confirmed COVID-19 diagnosis, negative history of diabetes and hyperglycaemia in the context of documented normal HbA1c will be considered.
DATA SET B – Your Personal Data
As part of Data Set B, we will collect and process the following personal data from you:
Contact information including: title, first name, surname, email address, and contact number;
Professional information including: Hospital/Practice affiliation, job title, professional qualifications, academic affiliation, and professional specialism (e.g. endocrinology, diabetology, ICU, general practice, surgery, other).
Your personal data will be used to:
Create a registration on the Dendrite platform to allow you to create login credentials and access the CoviDiab Registry website, to enable Dendrite to send out login details, and so that Dendrite can provide you with support for, access to, and use of the Registry;
Verify the source of the anonymised clinical you upload to ensure the integrity of the wider research project and facilitate an understanding of diabetes characterization and outcomes of treatment in patients with COVID-19 in the public interest; and
Contact the individual as a named contact at the Data Collaborator in order to update them about the progress of the research and/or integrity of the data added to the registry;
With your explicit consent, which will be requested at the point of registration to the CoviDiab Registry, your data will also be used to produce a generic description of the source of the clinical data added to the Registry (as part of Data Set A) and, where ethical approvals are in place, may be processed as part of future academic research.
We will not share your personal data with any third-party in an identifiable form apart from in cases where an independent audit of the CoviDiab Registry has been legitimately requested for the purposes of verifying the source of Data Set A.
What is the CoviDiab Registry Legal Basis for processing?
Data Protection Legislation allows King’s College London to use your personal information in this way as part of its Public Task, under GDPR Article 6(1)(e), on the basis that the data is necessary for facilitating and carrying out research that looks to address global challenges and provide long-term benefits to humanity.
What happens to your data and who can access it
You, as the clinician in charge of patient care or as a member of a clinical team, or existing research database team, collect the relevant clinical data and enter it into the CoviDiab Registry via a secure username and password protected web-based access. During the data transfer from your hospital, or other institution, to Dendrite’s server the information is protected through secure encryption to ensure it cannot be interfered with. Once this information has been loaded, a you can review or edit your own data via the same username and password protected access but cannot view data recorded by other CoviDiab Registry member.
When the data have been checked by the Registry team at King’s College London, software engineers and data analysts at Dendrite will download and transfer the data to King’s College London’s secure server based in the UK.
Our research coordinators and data managers will periodically check the quality of Data Set A and may contact you if there are missing data points or problems/inaccuracies with your entries. We will have no access to patients’ identities and therefore require access to your accurate contact details in order to follow-up on the clinical data you choose to enter.
We intend to share fully anonymised project data from the CoviDiab Registry with external CoviDiab Co- investigators (including Monash University, Australia) subject to your consent which will be requested at point of registration to the CoviDiab Registry.
The Registry has been created and developed solely for non-commercial purposes and King’s College London intends to retain an anonymised copy of the data provided indefinitely for the purposes of academic research.
Your personal data may be shared where an independent audit of the CoviDiab Registry is requested, for example by an academic publisher, in order to independently validate the integrity of the clinical data added to the Registry, in the interests of meeting a high standard of accountability and integrity in research outputs. In such cases, we will ensure only the data strictly necessary for carrying out a data integrity audit is shared with the third-party auditor and that security requirements under the Data Protection Legislation are met.
How long will we retain your personal data
We will process and continue to retain your personal data as part of Data Set B until the CoviDiab Registry project is complete and in line with King’s College London’s published retention schedule and the principles stated in the KCL core Privacy Notice.
Security information
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice. We will store all of your personal data on our secure servers. Data transmission over the internet is inherently insecure, and although we will do our best to protect your personal data, neither King’s College London nor Dendrite can guarantee the total security of the data you transmit to the CoviDiab Registry. Once we have received your information, we will use appropriate security procedures and features aimed at preventing unauthorised access, unlawful processing, accidental loss, destruction or damage.
You are responsible for keeping your password and user details confidential. We will not ask you for your password except when you login to the CoviDiab Registry website or when you request us to provide you with technical assistance through that website.
King’s College London and Dendrite, as Data Processor acting on its behalf, uses a secure https server which means that traffic between the end user and the server is encrypted and access to the registry software requires an ID and Password.
Access IDs can only be issued by Dendrite’s Registration desk providing you give us authorisation to< set up a specified user;
The password format provides strong authentication – a minimum of 8 characters and must include both upper and lower alpha characters + numerals;
Dendrite software has a comprehensive security system to tightly control read/write access down to the level of individual questions;
As an individual contributor, you can only ever see/ analyse your own data – you cannot see or access data entered by anyone else;
Only designated ‘Consultant Record’ owners can download their own data;
‘Delegate Record’ holders can only download data if specifically authorised by the Consultant Record owner (an e-mail from the Consultant Record owner is required to activate this);
Only designated system administrators at Dendrite and King’s College London can see all the data in the Registry;
The Dendrite web-registry software incorporates a fully automated Audit Trail so that every keystroke/data addition/deletion/edit is tracked in a background log;
Dendrite registry software conforms to NHS Information Governance certification, Cyber Essentials certification and G-Cloud certification and is assessed against NHS Information Governance standards, which includes both physical and organisational security measures. Dendrite’s toolkit assessment score is available on the DSP Toolkit website (https://www.dsptoolkit.nhs.uk/OrganisationSearch, searching on either “Dendrite” or “8HJ38”.
Amendments to this Policy
From time to time King’s College London may at its sole discretion amend this Privacy Notice. Your continued use of the CoviDiab Registry website constitutes your acceptance of and agreement to any changes made within an updated Privacy Notice. King’s College London will ensure that details of any such changes are communicated by being clearly posted on the website in a timely manner.
How can you contact us or make a complaint to the regulator?
To contact us about our privacy notice or information we hold about you, please write to the university’s Data Protection Officer, Albert Chan by email at info-compliance@kcl.ac.uk, or by post:
Information Compliance team,
King’s College London,
Room 5.20 JCMB
57 Waterloo Road, London SE1 8WA
If you don’t feel we have dealt with your request appropriately, you can complain to the Information Commissioner’s Office.