310 likes | 662 Views
Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register. NUI Galway Dept of General Practice Lunchtime seminar 20 November Gary Davis Deputy Data Protection Commissioner. Presentation Outline. Data Protection: Human Right to Privacy
E N D
Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register NUI Galway Dept of General Practice Lunchtime seminar 20 November Gary Davis Deputy Data Protection Commissioner
Presentation Outline • Data Protection: Human Right to Privacy • Data Protection Principles • Protecting Personal Health Information • Draft Guidelines on Health Research
Survey Results (2005) (1) • Is privacy important? important very important • Crime Prevention 7% 91% • Personal Privacy 9% 89% • Consumer protection 12% 85% • Workplace equality 11% 82% • Ethics in public office 14% 78%
Financial records Medical Records PPS Number Credit Card Details Telephone No Home Address Date of Birth Marital Status Survey (2): Privacy most important in relation to-
Data Protection: a Human Right • Part of Right to Personal Privacy • Personal Privacy : necessary in a Democratic Society • Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)
Constitution • Implicit Right to Personal Privacy under Article 40.3.1 …The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens • Court Interpretation: the right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State
European Human Rights Convention • Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR) • ECHR now indirectly part of domestic law due to ECHR Act 2003
ECHR Article 8: Privacy • (1) Everyone has the right to respect for his private and family life, his home and his correspondence. • (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others
EU/EEA Directives • Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data • Directive 2002/58/EC Privacy and Electronic Communications
Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection Acts 1988 & 2003 EC Electronic Privacy Regulations 2003 (SI 535/2003) Corresponding Acts Good Friday Agreement Disability Act 2005 EU & Irish Legislation
Presentation Outline • Data Protection: Human Right to Privacy • Data Protection Principles • Protecting Personal Health Information • Draft Guidelines on Health Research
Definitions: Personal Data • “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller “ (DP Act, Section 1) • Applies to any data that is processed (includes hosting) using any medium by a legal entity essentially. Paper, computer, network, web, phone etc. • Only relates to a living person
Fair obtaining & processing Consent Specified purpose No disclosure unless “compatible” Safe and secure Accurate, up-to-date Relevant, not excessive Retention period Right of access Independent Supervisory Authority European Data Protection Rules
General rule – no disclosure for different purpose Exceptions made, to balance other interests of society Section 8 exceptions Investigation of crime Collection of taxes Security of the State Protect life & limb Required by Law No general “public interest” test Restrictions on disclosure
Role of the Data Protection Commissioner • Ombudsman Role: resolution of disputes between data subjects and data controllers or processors • Enforcer Role: compliance by data controllers & processors • Educational Role: Promotes DP rights and good practice • Registration Authority: obligation on major holders of personal data to be placed on public register
Presentation Outline • Data Protection: Human Right to Privacy • Data Protection Principles • Protecting Personal Health Information • Draft Guidelines on Health Research
Data Protection & Health Data • Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for: • Processing of Data “kept for statistical or research or other scientific purposes” • Processing “necessary for medical purposes”(including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality • DP and Medical Ethics mutually reinforcing
Presentation Outline • Data Protection: Human Right to Privacy • Data Protection Principles • Protecting Personal Health Information • Draft Guidelines on Health Research
Consultation on Personal Data use for Health Research • Try to reach consensus on balanced approach reflecting Irish conditions • Seminar November 2006 • Addressed by speakers from different perspectives (HSE, public health, research) • EUROSOCAP guidelines (www.eurosocap.org)
Draft Guidelines Paper • Presented July 2007 (on www.dataprotection.ie) • Comments up to 21 September • 11 Submissions received • Final version in coming weeks
Draft Guidelines: Key Points • Use anonymised/pseudonomised patient data wherever possible • Where a health facility (e.g. hospital) anticipates research use of identifiable patient data, seek patient consent at earliest possible opportunity, backed by patient leaflet and research policy approved by ethics committee • Treat identifiable personal data on “need to know” basis • Recognises possibility within Acts for research to be undertaken by the Data Controller itself. • Makes provision for context for seeking consent including where a person not in a position to give it.
Anonymisation • Effectively anonymised data not subject to data protection acts – so anonymise where possible • Pseudonimisation, subject to safeguards, acceptable where full anonymisation not possible
Guidelines Paper: Patient Consent • “best practice would suggest that allowing the patient choice and providing them with information in relation to how their data is used should be the standard approach. “
Guidelines Paper: Patient Consent • “What is being put forward here is a relatively simple model that every effort should be made to ensure that the patient knows what could happen to their data for purposes unrelated to their treatment and are given an opportunity to consent or refuse consent for such use. In this way, if any proposed use of a patient’s data for purposes unrelated to their treatment would likely come as a surprise to them, then a new and separate consent should be sought.”
Guidelines Paper: Patient Consent • “ an informed and explicit consent [should] be sought as soon as possible after a patient presents at a health facility …… each data controller [should] consider in a thorough manner what such potential [research] uses might be and specifically capturing these in an appropriate consent supported by an informative patient leaflet • Additional research initiatives, not envisaged at the time of seeking the initial consent, involving the use of patient data would need to be predicated on further specific consents going forward.”
Can anonymised data be used to achieve the aims of the proposed project?Yes/No? Yes – Proceed with proposed project using data anonymised by the data controller without requiring consent. No – Can pseudonymised data be used instead with appropriate safeguards? Yes/No? Yes – Proceed with proposed project ensuring that the key to a person’s identity is retained by the data controller only and not revealed to third parties. No – Patient consent is normally required. Has consent for research purposes been secured in relation to the files previously? Yes/No? Yes – Is this consent valid (specific enough) to cover this particular research proposal? Yes/No? No – Specific, informed, freely given consent must be captured from individuals by the data controller. Yes – Proceed with research project (subject to adequate safeguards being in place in relation to security etc). Once valid consent is in place, the research project can proceed (subject to adequate safeguards being in place in relation to security etc).
OHCAR – KEY POINTS • Pilot Project limited to one HSE area • Difficulties in obtaining explicit consent • Largest part of data was not personal data as it related to dead persons • Who is the data controller in this case? • Attempt through collation of the data to provide better care to patients
OHCAR • What about data in the private system and held by GPs? • Security arrangements for both physical and systems put in place for access to the data by OHCAR project manager and personnel only • Intended media campaign in relation to project
OHCAR • From a DP perspective Methodology 1 preferred • Methodology 2 • No difficulty with OHCAR gathering data from ambulance service and A+E Depts to identify surviving persons • Have to deal with reality that HSE could not be considered the Data Controller in relation to a large part of the data
Recommendations on Methodology 2 • Informed consent in unique circumstances of project • OHCAR to write to surviving patients outlining all relevant information in relation to the study and the safeguards in place for their privacy • 21 days to raise any concerns and OHCAR to send reminder if doubt as to receipt • Any objections must be respected
Thank You • www.dataprotection.ie • Contact: gdavis@dataprotection.ie