Contact Us: 1129 Kikuyu Close, Off Nairobi Street, Wuse 2, Abuja

Info@cihpng.org

 

privacy-and-data-policy

Centre for Integrated Health Programs is a leading indigenous not-for-profit non-governmental organization, promoting better health outcomes for all Nigerians through the creation of sustainable systems and partnerships by applying our collective learnings and experiences.

Our mandate aligns with goal three (3) of the United Nations Sustainable Development Agenda and is fueled by a passion to ensure no woman, child, or man in Nigeria is left behind as we strive to achieve good health and wellbeing for all.

 

DEFINITION OF TERMS AND CONCEPTS

Dissemination: the process of sharing program or research findings with stakeholders and wider audiences. Dissemination is essential for uptake, and uptake and use of research findings are crucial for the success and sustainability of the intended outcomes or impact of a program or intervention.

 

Data use: For the purpose of this SOP, data use refers to how data is managed securely, including storage or archiving, encryption, or destruction to prevent unauthorized access, and is retrieved or shared for further analysis for information purposes while ensuring adequate confidentiality and privacy.

 

Privacy: this is both a legal and an ethical concept that provides the overall framework within which both confidentiality and security are implemented The legal concept refers to the legal protection that has been accorded to an individual to control both access to and use of personal information and provides the overall framework within which both confidentiality and security are implemented.

 

Data Confidentiality: relates to the right of individuals to protect their data during storage, transfer, and use, to prevent unauthorized disclosure of information to third parties. Decisions must be made whether and under what conditions nominal, anonymized, or pseudo‐anonymized data can be collected, stored, and used.

 

Data Security: is a collection of technical approaches that address issues covering physical, electronic, and procedural aspects of protecting information collected as part of the scale‐up of HIV services. At each level of service provision, security discussions should include the identification of potential threats to the systems and data, the likelihood of harm from any of these threats to security, and the development of strategies to manage identified threats, protection of data from accidental or malicious inappropriate disclosure, and non‐availability of data due to system failure and user errors.

 

INTRODUCTION

The Centre for Integrated Health Programs (CIHP) aims to promote better health outcomes through its numerous health programs that target key disease burdens in the Nigerian population in collaboration with partners, funders, and the Government. These health program activities, which include surveillance and research, generate a huge amount of data and information that are important for providing insight and direction for decision-making. To enable effective decision-making, strategic dissemination objectives targeting the right stakeholders must be implemented using best practices. At the same time, there is a need to guard against improper use of data or information by staff, stakeholders, and collaborators alike. This standard operating procedure (SOP) document therefore deals with two main issues: how data available to CIHP will be used and how to ensure that important information for strategic decision-making is made available to the right audience while ensuring that ethical requirements for human subjects’ involvement are strictly observed.

 

PURPOSE OF THE SOP

The purpose of this SOP is to provide guidance on the steps and processes that should be followed for data use and sharing information about CIHP’s programs (e.g. lessons learned, success stories, or outcomes of projects) and research studies conducted, to ensure adequate data are secured and confidential, dissemination objectives are met, technical quality standards are assured and required clearances are secured.

 

SCOPE OF THE SOP

The SOP is developed as a guide for CIHP staff members or units involved in the planning, implementation, and evaluation of programs, data management/analysis, and the reporting of project activities/processes, outcomes, and research findings. The SOP will cover protocol requirements for human subject information products, key considerations for data use and protection, developing dissemination plans, identification of relevant audiences or stakeholders, and messages using appropriate dissemination channels. It will also document requirements for developing scientific papers for publications and conference meetings, and monitoring/evaluation of dissemination activities.

The SOP is adapted to cover the relevant regulatory requirements of funders, collaborating institutions, and the National Health Research Ethics Committee.

 

OBJECTIVES OF THE SOP

  1. Outline the various data-generating project activities (including routine program activities, surveillance, surveys, and research studies) and provide guidance for monitoring project implementation to ensure compliance with regulations aimed at protecting human subjects.
  2. Describe modalities for data use including security and confidentiality components of data management.
  3. Describe various data dissemination activities, and contents of a data dissemination plan, and provide guidance on identifying the right audience, and developing and delivering tailored messages for specific stakeholder information needs using the right communication channels.
  4. Provide guidelines on the development of specific dissemination products (such as manuscripts, abstracts, and project learning/evidence papers)
  5. Describe the roles and responsibilities for ensuring technical review of dissemination products and obtaining appropriate technical and administrative clearances before dissemination activities.
  6. Monitoring dissemination activities and potential outcomes.
  7.  

MONITORING PROJECT IMPLEMENTATION AND RELATED ACTIVITIES

Public health interventions and their evaluations are characteristically focused on human populations. CIHP will continue to participate in the Government of Nigeria and donor-supported, especially PEPFAR-funded surveys-surveillance, research, and evaluation (SRE) activities1 as well as similar strategic information activities funded by other grants. Therefore, to ensure human subject protection, health interventions, and related activities must be conducted under the guidance of an ethically approved protocol.

CIHP will ensure that a project performance monitoring plan (PPMP) is developed for and tailored to each proposed intervention project. The components of the PPMP will include:

 

  1. Archiving and updating of project regulatory filesthis is a compilation of documents essential to assess the conduct of study implementation and data quality. The documents include approved protocols, informed consent forms, financial documents, institutional signed agreements, IRB/Ethics approvals, investigators’ qualifications, monitoring visits reports, report of project closeout, and final report to IRB/Funders
  2.  
  3. COVID-19 Mitigation Plan: this is required due to the need to continue implementation and monitoring/evaluation of essential health services, including HIV, in the context of the COVID-19 pandemic.
  4. Plans for a progress report
  5. Progress reports
  6. Training logs
  7. Site visit schedule
  8. Site visit agenda
  9. Site activation checklist
  10. Quality assurance checklist
  11. Staff roles and responsibilities

Technical documents will be archived physically (as applicable) and electronically as part of the PPMP.

 

DATA USE AND PROTECTION

This section outlines the procedures to be followed when dealing with CIHP data. It intends to protect the information assets of the organization within a secure environment and inform authorized data users of the principles governing the retention, use, and disposal of information.

The three interrelated concepts that have an impact on the development and implementation of protections for sensitive data are privacy, confidentiality, and security (see definition). While interrelated, each is distinct, and each is developed and implemented in a different manner.

 

Guiding principles on the confidentiality and security of health-related information
  1. The UNESCO Universal Declaration on Bioethics and Human Rights 34 Article 9 of the Declaration, entitled Privacy and Confidentiality2, states: “The privacy of the persons concerned, and the confidentiality of their personal information should be respected. To the greatest extent possible, such information should not be used or disclosed for purposes other than those for which it was collected or consented to, consistent with international law, in particular, international human rights law.”
  2.  

2 United Nations Educational, Scientific and Cultural Organization. Universal Declaration on Bioethics and Human Rights. Adopted by acclamation on 19 October 2005 by the 33rd session of the General Conference of UNESCO

Data collection that fails to conform to these standards should not be used for the program activity. Funding organizations should comply with these standards and have an obligation to make adequate funding available to implement them, sufficient to ensure the protection of the data collected and used. Funding organizations must also require that maintaining these standards is a condition for funding of any implementing partners or agencies.

CIHP as an organization and its staff will comply with the following requirements:

  • Ensure that confidentiality and security protections for identifiable information are in place.
  • Ensure that HIV‐related information and data collected for patient management and monitoring are maintained in a technically and physically secure environment in absolute compliance with the organization’s authorization processes.
  • Ensure that individuals authorized to access HIV‐ related information receive appropriate training and should be responsible for protecting confidentiality.
  • Ensure that security breaches and loss of confidentiality are thoroughly investigated, and appropriate sanctions imposed.
  • Ensure that security strategies and related laws and policies are continuously reviewed, independently assessed, and changed when required.
  • Collect only the information which fulfills the clearly stated purpose(s) of the activity
  • Ensure that all policies and procedures related to confidentiality and security of identifiable information are transparent and available. This includes potential future use of routinely collected patient information, including on deceased individuals.
  • Any staff failing to adequately protect the confidentiality and security of identifiable information should be held accountable and appropriate remedies imposed.

CIHP will ensure that individual-level information should not be shared with those charged with law enforcement, immigration control, management of the public welfare system, or other non-health functions without consent from the individual to whom the information relates, except in circumstances involving the threat of imminent danger of grave physical harm to individuals or populations.

New and existing technologies deployed to service persons living with HIV should conform to Health Information Exchange standards.

 

Storage of Confidential Data

The amount of personal data to be stored should be based on the medical needs of the patient and the requirements to adequately monitor and evaluate special programs or routine healthcare, and should not be stored longer than necessary (see disposal of data section below).

CIHP will put in place procedures and systems to monitor the use of all types of data stored in order to detect potential threats to data confidentiality or actual security breaches. Such procedures include but not limited to:

  1. Ensuring existing staff member or service provider access right is taken off the system (hardware or software or even physical access) upon disengagement with the organization.
  2. New staff members or service providers shall be granted access to the system based on official approval.
  3. Backups and/or files containing confidential information must be transmitted only via secured channels either through the Internet or by hand to the appropriate designate.
  4. Routinely check to ensure that storage medium that houses confidential data are not deployed for other file-sharing or archiving purposes.
  5. Monitor user logins and data pull frequency from stored confidential data.

Threat or disaster management analysis will be performed periodically to assess all potential events that could increase the risk of inadvertent release of data or the destruction of data at sites housing confidential and program data, such as acts of vandalism, fires, civil unrest, and storms. Appropriate preventive measures established to support this process by the IT team in line with approved IT policy, will be monitored for efficiency and preparedness. Information stored on computer systems must be regularly backed up over a secure channel on the organization’s server and drives in addition to the hard drive such that it can be restored when necessary.

CIHP in collaboration with partnering facilities, organizations, and institutions will ensure that rooms/offices containing individual medical records or HIV program data, whether stored as paper documents or electronically, are properly secured to limit unauthorized access.

CIHP as an organization, its staff, and partners will ensure that all removable or portable equipment is properly secured within facilities – room or cabinets – which are locked and appropriately monitored. Computers and other hardware should be properly pass-worded.

Identification tags are applied to fixed and portable equipment to facilitate the creation and maintenance of a regularly updated inventory which will allow detection of equipment losses.

All public health intervention and study data are stored and backed up, usually at physically separate facilities, to prevent loss or damage to the stored data, and to enable data recovery in the event of natural disaster or other data loss. Therefore, backup policies will be implemented to ensure that backed-up data are maintained with the same level of privacy, confidentiality, and security as the original data being used for patient management.

Data storage must anticipate changes to storage technology over the anticipated life span of the data system. As HIV therapy is expected to be a life‐long activity for infected patients, stored data (including backups) must be periodically migrated to newer, more efficient, or compatible storage media.

All additions, deletions, and modifications to electronically and paper-based stored data must always be recorded in a separate file or log. Logs generated during this process must be secured, regularly reviewed, and safely stored.

Rigorous and frequent evaluation of network security is required, which should include ensuring the presence of an effective firewall or other controls where required. All computers need an up‐to‐date anti‐virus and intrusion‐detection software. Linking computers to different networks needs to be done within the context of preserving network security.

 

Access, Retrieval, and Use of Data

CIHP as an organization ensures the control of access to critical information that requires protection against unauthorized disclosure or modification. This refers to the permissions assigned to staff or systems that are authorized to access specific resources. Access controls exist at different layers in the organization, including the network and it is implemented by username and password. Retrieval of information is duly based on access authorized to staff and such requests must be approved by the unit head. At the application and database level, other access control methods (access control lists (ACLs), and group policies) and use of data are implemented to further restrict access.

 

Sharing of Data

CIHP as an organization and its staff may share data between or among organizations or institutions provided that:

  1. The recipient will be using the data for legitimate health purposes.
  2. The nature and amount of data shared are contingent on the reason for the data transfer but should always be the minimum amount of data required to successfully complete the task. For example, personal identifiers should never be transmitted when a pseudo-anonymized record can complete the task.
  3. The confidentiality and security measures of the receiving organization are equivalent to those of the organization that collected the data and were agreed to when the data were collected.
  4. A data request form is completed and signed agreeing to the terms and conditions for sharing (see Appendix 1 for the data request template)

Access control mechanisms, such as encryption, should be deployed to maintain the confidentiality of data shared. With the increased use of mapping tools for geographic display of data analysis, measures should be taken to indirectly identify individuals via precise location on geographical displays. Data recipients must incorporate available geographic masking techniques for the display of confidential information.

The provision of HIV program information for purposes beyond the needs of public health, or of monitoring and evaluation of services must be contingent on an appropriate scientific protocol addressing a demonstrable need, signing of relevant confidentiality statements, and subject to ethics committee or institutional review board (IRB) approval. Personally identifiable data are most likely to be sent only for clinical management issues and should be sent only by and to people who have signed the relevant confidentiality agreements.

Access to HIV information for non‐public health purposes, for instance for legal issues, should be granted only in circumstances involving the threat of imminent danger of grave physical harm to individuals or populations.

 

Disposal/Destruction of Data

Data designated for disposal should be destroyed in a secure manner according to the approved protocol in relation to data management, including keeping to the timeline for data archiving. All sensitive or confidential paper documents should be placed in the shredding bins or destroyed in the manner indicated by the protocol. Both paper and electronic records should be destroyed, including all data backups.

If modified datasets have been provided to healthcare professionals from outside the institution, upon completion of the authorized work datasets will have to be destroyed by the professionals who analyzed them. Such parties must make a written declaration indicating that this has been done.

 

Roles and Responsibilities for Data Protection

CIHP as an organization will ensure to make the data security and confidentiality SOP available to all new and existing staff.

CIHP as an organization and its staff will ensure that the privacy, confidentiality, and security standards outlined in this SOP must apply to all forms of data exchange/transmission. The IT department shall be responsible for monitoring data exchange/transmission over the organization’s network and flagging data exchange/transmission process that goes contrary to the organization’s policies. The SI department shall work in conjunction with the IT department to ensure that tools deployed for data collection and reporting are being used appropriately for the purpose for which they are deployed or else it flags where not to be used appropriately.

CIHP will oversee the data privacy and data protection policies to ensure the operationalization of those policies through all organizational units.

CIHP is obligated to monitor internal compliance and ensure that its staff and partners process personal data in compliance with applicable data protection laws.

 

DATA DISSEMINATION

Planning for Data Dissemination

A data dissemination plan must be developed to guide how program and research product findings will be shared with stakeholders who need to use the information for their purposes. This should be done in the formative stage of the proposal development in consultation with stakeholders who can potentially affect or be affected by the planned project. The following should be included in a dissemination plan:

A brief summary of the project and/or study

  1. The objectives of information sharing in relation to the expected outcomes of the project
  2. Stakeholder’s analysis
  3. Development of messages and dissemination activities for key stakeholders
  4. Planning and monitoring dissemination activities
  5.  

Identifying the Right Audience and Information Needs

The type and content of information to be shared will depend on identified stakeholders who are important to the project outcomes, either as beneficiaries, facilitators or potential opponents of the project.

A stakeholder analysis should be conducted to map out stakeholders using common tools such as the power/interest matrix (which maps out stakeholders according to their levels of power and interest they have concerning the project) or the AIIM tool (which maps out stakeholders according to their levels of interest and influence as well as alignment to the project).

Along with this analysis, the information needs of each respective groups of stakeholders identified will be clearly defined and documented through a brainstorming session involving the project/research team and other relevant collaborators. This will feed into the messages that will be developed for the stakeholders giving considerations to level of technical understanding.

To ensure timely feedback to target populations/communities participating in research, results will be shared with key stakeholders within two months of the end of data collection and prior to the release of a report. A full report will thereafter be shared with key stakeholders within a required timeframe.

 

Data Dissemination Activities and Modes of Dissemination

The activities required for dissemination consists of the various means of engaging stakeholders and informing them of the progress of the project/study. Specifically, these include:

  • Initial meetings with stakeholders at formative phase
  • Sensitization meetings/workshops (state, national levels)
  • Production of dissemination materials
  • Periodic updates for relevant stakeholders (e.g. national program level)
  • Presentation at Scientific/Conference meetings
  • State/national dissemination
  • Manuscript development, learning papers, project/research reports)

Budget lines for data dissemination activities should be factored into the planning for dissemination as appropriate, depending on the type of activities that will be required for a specific project/study.

 

Manuscript Development and Publication Plan

As an organization, we strive to do high-quality research that will advance science. We come up with what we believe are unique hypotheses, base our work on robust data and use an appropriate research methodology.

In developing manuscripts and other scientific publications, CIHP will ensure compliance with funder requirements/guidelines and this will be considered on a case by case basis.

As we write up our findings, we aim to provide theoretical insight, and share practical implications about our work. Then we submit our manuscript for publication in a peer-reviewed journal.

Submitting our publications in a peer reviewed journal is the vital part of research and so we come up with critical steps to ensure that our manuscript publication is eventually published in the shortest time possible

 

Figure 1: Evaluation Process, Acceptance for publication

The following adapted rules and plans apply to us as an organization as much as to any organization into publications.

  1. Do not rush in submitting your article for publication.
  2. Select an appropriate publication outlet.
  3. Read the aims and scope and author guidelines of your target journal carefully.
  4. Make a good first impression with your title and abstract.
  5. Have a professional copy-edit (not just proofread) your manuscript, including the main text, list of references, tables and figures
  6. Submit a cover letter with the manuscript.
  7. Address reviewer comments very carefully.

Rules Guiding Authorship Requirements

According to the 2008 International Committee of Medical Journal Editors Statement on Authorship Requirements (verbatim) and which the organization adopts; authorship credit should be based on:

  1. Substantial contributions to conception and design, acquisition of data, or analysis and interpretation of data.
  2. Drafting the article or revising it critically for important intellectual content.
  3. Final approval of the version to be published.

Authors should meet at least one of conditions 1, 2, or 3. All persons designated as authors should qualify for authorship, and all those who qualify should be listed. Each author should have participated sufficiently in the work to take public responsibility for appropriate portions of the content. It is important to note that acquisition of funding, collection of data, or general supervision of the research group does not justify authorship. This indicates no automatic authorship for technicians, students, coordinators, or chairmen; an active contribution is always required.

A manuscript development plan shall be completed and approved as a perquisite for submission to a journal. (See Appendix 2 for template)

 

Technical review of data dissemination materials and clearance

All dissemination materials must be go through successive levels of review for technical quality. This entire process will be led by the Associate Director, Epidemiology Surveillance, Research and Outcome; AD-ESRO.

Within CIHP, the first level of review will be conducted by the AD-ESRO or his/her designate.

A satisfactory revised version will be forwarded for a second level review (with possible iterative feedback and revision) and subsequent approval by the D-SI.

In projects or studies conducted in collaboration with other institutions, external reviews may be indicated.

In such circumstances, and where required, external approvals will be secured before information sharing.

A working timeframe for reviews and final sign-off of data dissemination materials is given below in Table 1:

 

Table 1: Approval Process for Technical Review of Dissemination Products*

Stage Description of task Responsible person Timeline Remark
1 Draft and circulate 1st draft of dissemination material Designated CIHP staff (may involve multiple persons) As soon as developed. Could be mandated 5-10 days from assigned date  
2 Review zero draft and feedback Technical team (CIHP) Within 5 days of receipt Leadership by AD- ESRO
3 Revise and share 1st draft AD-ESRO or designate Within 2 days of feedback receipt Submission for the DSI review
4 Review and feedback D-SI Within 2 days  
5 Revise and share 2nd draft Designated staff 1 day Submission to AD- ESRO for review
7 Review and share 3rd draft AD-ESRO 2 days Final submission to D- SI for finalization and to CEO for final internal approval.
8 Final approval CEO Within 2 days of receipt Sign-off will be final at this stage except need for external review and approval
Where external review is required;
9 Circulate to external reviewers/Co-Authors for review (if required by TOR) AD-ESRO Within 24 hours of D-SI  
10 Review and feedback External Reviewers/Co- Authors Within 5 days of receipt  
11 Joint revision and finalization CIHP Designated Staff Within 2 days of receipt Submit to CEO for final approval
12 Final approval CEO With 24 hrs.  

Note: D-SI – Director Strategic Information (CIHP); AD-ESRO – Associate Director, Epidemiology Surveillance, Research and Outcome CEO – Chief Executive Officer (CIHP)

*The timelines are considered adequate for the maximum time required to review any information product.  

Collaborations with Partners and Funders on Grants Implementation

CIHP will collaborate with program partners and funders according to the terms of reference (ToR) which pertains to awarded grants. This collaboration may include the provision of technical assistance to develop program activities, data management and analysis, quality assurance, the presentation and publication of program results and findings, and the management and tracking of finances or other activities as defined by the specific ToR.

 

Ethical Consideration on Data Dissemination

Dissemination sessions will be planned with policy makers, donors, IPs, researchers, network of PLWHIV and the academia to discuss findings. Key stakeholders in the HIV response will be prioritized for program data dissemination in line with relevant policies, based on interest and power, for meaningful engagement geared towards the adoption and use of data/findings.

Stakeholders will include government (Ministry of Health) at federal, state and facility levels, network of people living with HIV, donors, implementing agencies, implementing partners, academia and international technical experts.

Strategies will be implemented to ensure that disseminated data are of topmost quality due to their importance for public health policies and actions based on these data.

Non-identifiable summary data will be disseminated to stakeholders and the public in line with relevant procedures, policies and guidelines. Summary data will be disseminated in a manner that facilitates understanding by affected populations. Since some aggregate data could be used to identify individuals, relevant policies will be applied to restrict the release of certain data elements to avoid a confidentiality breach.

 

Roles and Responsibilities for Data Dissemination

  • The SI units under the leadership of the DSI conducts analyses to present data in a form that meets the information need of different stakeholders for data-driven decision making
  • The technical team comprising of SI, communication and relevant program staff will be involved in the development and review of information products including newsletter, bulletins, policy briefs etc and abstract for presentation at both local and international conferences
  • The AD-ESRO leads review of materials to be disseminated
  • The D-SI and CEO gives first and second level approval respectively for the finalisation of information products, policy briefs and abstracts.
  • The communication focal person/unit will facilitate production and distribution of dissemination materials to relevant stakeholders or for publication on the CIHP website, social media platforms or other online channels as applicable.
  • Communication units will organize, coordinate and align periodic dissemination meetings with government’s HIV strategic plan and policy review cycle so as to ensure that information is ready when it is most needed.
  • Technical team under the leadership of the CEO will coordinate and implement strategies to ensure that findings from evaluation and research are published in notable international journals such as Lancet, international journal on public health, Nature etc.

 

Monitoring and Evaluation of Data Dissemination

Indicators will be developed and a follow up system will be put in place to track dissemination activities are actually carried out as planned and specific audience are reached according to set objectives.

It is also important to assess the extent of adoption of recommendations and possible impact on behavior, practice or changes in policy as a distal effect of dissemination. The findings of such assessments should be documented for continuous learning and planning of future interventions and should form part of the project/study reports.