Maastricht 2002 - Data Protection Commissioner

Role of Law in the Regulation of Science, Medicine & Technology:

Medical Research, Public Health & Data Protection & Law

Promoting Health Research & Protecting Patient Rights

Office of the Data Protection Commissioner, 29th November, 2006

Asim A. Sheikh

B.A., LL. M.

Barrister-at-Law

Lecturer in Legal Medicine, Forensic and Legal Medicine, Faculty of Medicine, University College Dublin

Role of Law in the Regulation of Science, Medicine & Technology

Role of Law

– prevention of harm
– protection of society
– provision of certainty
– standards of care
– adversarial system – objective forum of exposure

Role of Science, Medicine & Technology

– progress / amelioration of quality of life?

“Why is progress a prerequisite reserved almost exclusively for the activities we call science?...Does a field make progress because it is a science, or is it a science because it makes progress?”

Kuhn TS. The Structure of Scientific Revolutions

The Law and Kuhn's Critique

Normal Science (1) → PARADIGM SHIFT (2) → New Paradigm

(1) People work within the parameters of the paradigm, indulging in 'Puzzle-Solving'.

(2) Occurs as a result of a reconstruction of the original field from new fundamentals, changing the field's initial theory, methods and applications. Paradigm shifts require guidance of the Law to ensure a smooth transition from one paradigm to the next.

Interface of Law, Science & Medicine: some examples

– Medical Practitioners Act
– Diamond v. Chakrabarty (US - 1980) - living matter is patentable
– EC Directive 98/44/EC on the Legal Protection of Biotechnological Inventions
– Clinical Trials Acts 1987, 1990; Clinical Trials Directive
– Human Fertilisation and Embryology Act (UK – 1990)
– Best v. Wellcome Foundation Ltd (Ire – 1993) - pertussis vaccine; scientific evidence
– DNA Evidence cases
– Grimes v Kennedy Krieger Institute (Maryland, US – 2000) – consent in children – non-therapeutic medical research and RECs
– Safety, Health and Welfare at Work Act, 2005 and regulations (biological, chemical)

“...it seems to me imperative that the moral, social and legal issues raised by this case should be considered by Parliament. The judges’ function in this area of the law should be to apply the principles which society through the democratic process, adopts, not to impose their standards on society. If Parliament fails to act, then judge made law will of necessity through a gradual and uncertain process provide a legal answer to each new question as it arises.”

Lord Browne-Wilkinson in Airedale NHS Trust v. Bland [1993] All ER 821

Principles of Risk Management

The Tort System: Clinical Negligence → Litigation → Judgment

Ideals of Law in Medicine

Self-determination

Consent

Best interests of patient

Full disclosure of information

Protection of Privacy and Confidentiality

Data Protection

Background I: General Concerns

Increased Activity in non-statutory medical research

Concerns over patient data

Freedom of Information

Change to electronic patient records (EPR)

Change in Data protection law

Increased move toward embracing of consent doctrine in clinical practice

“As the information society proceeds apace, public unease about new technologies needs to be firmly laid to rest…This survey shows that public anxieties are, if anything, on the increase.”

Joe Meade, DP Commissioner, 2003

Background II: Law

– Constitution
– Universal Declaration on Human Rights, 1948
– European Convention on Human Rights, 1950
– Council of Europe Convention on Data Protection, 1981
– Data Protection Act, 1988
– Freedom of Information Act, 1997-2003
– Convention on Human Rights and Biomedicine, 1997
– EU Directive on Data Protection, 1995 and Data Protection (Amendment) Act 2003
– European Recommendation No R (97) 5 on the Protection of Medical Data (Council of Europe, Committee of Ministers), 13/2/97
– Convention on Human Rights Act, 2003
– Ethical & Legal Doctrine of Confidentiality
– Common Law

European Convention on Human Rights

– Everyone has the right to respect for his private life and family life, his home and correspondence.
– There shall be no interference by a public authority with the right except such as is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of morals, or for the protection of the rights and freedoms of others.

The Irish Constitution & Privacy

The Irish Constitution does not expressly provide for a Constitutional right to privacy

However, Irish case law provides authority which indicates that the citizen may invoke the personal rights provisions of Article 40.3.1 of the Constitution so as to require the State to protect and vindicate the citizen’s right to constitutional privacy:

Kennedy v. Ireland [1987]

Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine, 1997

Chapter III – Private life and right to information

Article 10 – Private life and right to information

1. Everyone has the right to respect for private life in relation to information about his or her health;

2. Everyone is entitled to know any information collected about his or her health. However, the wishes of individuals not to be so informed shall be observed;

3. In exceptional cases, restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient.

“There can be no exceptions to the ordinary requirements of disclosure in the case of research as there may well be in ordinary medical practice. The researcher does not have to balance the probable effect of lack of treatment against the risk involved in the treatment itself. The example of risks being properly hidden from a patient where it is important that he should not worry can have no application in the field of research. The subject of medical experimentation is entitled to full and frank disclosure of all the facts, probabilities and opinions which a reasonable man might be expected to consider before giving his consent.”

Halushka v. University of Saskatchewan (1965)

The Nuremberg Code

“The voluntary consent of the human subject is absolutely essential... and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding and enlightened decision. This latter element requires that before the acceptance of an affirmative decision by the experimental subject there should be made known to him the nature, duration, and purpose of the experiment…”

The Helsinki Declaration

Article 1

“The World Medical Association has developed the Declaration of Helsinki as a statement of ethical principles to provide guidance to physicians and other participants in medical research involving human subjects. Medical research involving human subjects includes research on identifiable human material or identifiable data.”

The Helsinki Declaration

Article 22

“In any research on human beings, each potential subject must be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail…”

The Helsinki Declaration

“...The subject should be informed of the right to abstain from participation in the study or to withdraw consent to participate at any time without reprisal. After ensuring that the subject has understood the information, the physician should then obtain the subject's freely-given informed consent, preferably in writing… ”

Case Law

Geoghegan v. Harris (2000, HC)

R v. Department of Health, ex parte Source Informatics Ltd [2000]

Durant v. FSA (CA) [2003]

Change from importance of use of information to maintenance of anonymity of information?

Processing means performing any operation or set of operations on data including:

– obtaining, recording or keeping the data
– collecting, organising, storing, altering or adapting the data
– retrieving, consulting or using the data
– disclosing the data by transmitting, disseminating or otherwise making it available
– aligning, combining, blocking, erasing or destroying the data.

Section 2: Protection of Privacy of Individuals with regard to Personal Data (1st STEP) - General Obligations

In relation to Personal Data (PD) a DC will ensure that the data shall:

(a) be processed fairly,

(b) be accurate and complete and, where necessary, kept up to date,

(c) the data shall:
– (i) be kept only for one or more specified, explicit and legitimate purposes,
– (ii) not be further processed in a manner incompatible with that purpose or those purposes,
– (iii) be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
– (iv) not be kept for longer than is necessary for that purpose or those purposes,

(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network.

1st Exemption - s2(5)

Previous paragraphs (ii) & (iv):

(a) “do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects…”

and

(b) “the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained, if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject”

Ramifications for personal data for a secondary use

Seems to be the case – data could be used for a secondary purpose not first considered

But such secondary use cannot cause harm or distress to the data subject

What are the basics of ‘fair processing’?

In section 2D – when obtaining data from the Data Subject, the subject should know:

– the identity of the data controller
– the purpose in collecting the data
– the persons or categories of persons to whom the data may be disclosed
– any other information which is necessary so that processing may be fair

If not obtaining information from the data subject but from another source, then:

– Data Subject should know:
– identity of representative of DC and name of original DC
– categories of data concerned

– However: if this is for purposes of historic/scientific research and this information would be impossible to get or would involve a disproportionate effort, then the DPC can lay down conditions

Section 2A: Processing of Personal Data (2nd STEP)

PD shall NOT be processed unless the S2 requirements are fulfilled and 1 of the following applies:

– the data subject has given consent to the processing, or
– the processing is necessary for one of the following reasons:
– the performance of a contract to which the data subject is party
– in order to take steps at the request of the data subject prior to entering into a contract
– compliance with a legal obligation, other than that imposed by contract
– to prevent injury or other damage to the health of a data subject
– to prevent serious loss or damage to property of the data subject
– to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged
– for the administration of justice
– for the performance of a function conferred on a person by or under an enactment
– for the performance of a function of the Government or a Minister of the Government
– for the performance of any other function of a public nature performed in the public interest by a person

Section 2B: Processing of Sensitive Personal Data (3rd STEP)

SPD shall NOT be processed unless the S2 & S2A requirements are fulfilled and 1 of the following applies:

– the data subject’s consent is explicitly given;
– the processing is necessary for:
– the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment
– to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given, or the data controller cannot reasonably be expected to obtain such consent
– to prevent injury to, or damage to the health of, another person, or serious loss in respect of or damage to, the property of another person, in a case where such consent has been unreasonably withheld
– it is carried out by a not for profit organisation in respect of its members or other persons in regular contact with the organisation
– the information being processed has been made public as a result of steps deliberately taken by the data subject
– for the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights
– for medical purposes – undertaken by a health professional (2nd Ex)
– is carried out by political parties or candidates for election in the context of an election
– for the purpose of the assessment or payment of a tax liability
– in relation to the administration of a Social Welfare scheme

(3rd Ex: processing authorised by Ministerial regulations under s2B(1)(b)(xi), set out below)

2nd Exemption (Research Exemption) – ‘Medical Purposes & Health Professional’

Defined as:

“‘medical purposes’ includes the purpose of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.”

“‘health professional’ includes a registered medical practitioner, within the meaning of the Medical Practitioners Act, 1978, a registered dentist, within the meaning of the Dentists Act, 1985, or a member of any other class of health worker or social worker standing specified by regulations made by the Minister after consultation with the Minister for Health and Children and any other Minister of the Government who, having regard to his or her functions, ought, in the opinion of the Minister, to be consulted”

3rd Exemption - s2B(1)(b)(xi)

Where: “…processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest.”

…then sensitive personal data can be processed

4th Exemption - s2D(4)

Where giving of information to a data subject in relation to the purpose/s of the data when that data is for the purposes of historical or scientific research and “the provision of the information specified therein proves impossible or would involve a disproportionate effort…”

…then that information does not have to be given

s4(4) – DC cannot disclose information about a 3rd party unless the 3rd party consents, or unless identity can be omitted and the 3rd party is rendered unidentifiable

1. Data must be processed fairly – which means that a data subject should know the following: (a) the identity of the data controller or a nominated representative, (b) the purpose or purposes for which the data are intended to be processed, and (c) any other information which is necessary to enable processing in respect of the data to be fair to the data subject, such as information about the recipients of the data (s2D). In this section of the Act, the data subject is not required to give consent. It is the data controller who must provide information. If data is being obtained from someone or somewhere other than the data subject, then the data subject should be informed of the above information and of the identity of the original data controller and the category of data before the information is processed or, if it is to be disclosed to a third party, before such disclosure. In scientific research, if the provision of this information is impossible or involves a disproportionate effort, then it would not have to be disclosed if conditions laid down by the Minister are met (currently none exist) (s2D(4)).

2. Data must be accurate, complete and, where necessary, kept up to date, and kept only for one or more specified, explicit and legitimate purposes. The data shall not be further processed in a manner incompatible with that purpose or those purposes, shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and shall not be kept for longer than is necessary for that purpose or those purposes (s2).

However, the use of data for secondary purposes in scientific research is permitted and would not be regarded as ‘unfair processing’ even though such secondary use was not initially disclosed, if (i) any prescribed requirements are complied with to safeguard the fundamental rights and freedoms of the data subject and (ii) the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject (s2(5)). In this section of the Act also, the data subject is not required to give consent; it is the data controller who must provide information.

3. Adequate security measures must be taken to protect data.

4. Personal Data (identifiable data) shall not be processed unless s2 is complied with and 1 additional requirement of s2A is met.

This could be the data subject giving his/her consent to the processing (Article 7 of the Directive uses the words ‘unambiguous consent’ and in Article 2(h) consent is defined as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data…”) or, instead, one of a number of other conditions being met. However, apart from the consent condition, none of these would seem to be relevant to medical research or public health (except when the processing is required to protect the vital health interests of a data subject or is in the public interest) and thus, for personal medical data (identifiable), consent must be given (s2A).

5. Sensitive Personal Data (health/medical data) shall not be processed unless, in addition to satisfying the conditions of sections 2 and 2A, at least one of the additional listed conditions is also met.

This could be the data subject giving his/her consent explicitly to the processing or, instead, one of a number of other conditions being met. Here the one of most note is the processing of data for medical purposes, which includes medical research (‘medical research exemption’) (and also to protect the vital health interests of a data subject or in the public interest) (s2B).

Medical Research Concerns

– Issue of explicit consent – e.g. in epidemiological studies
– Secondary use of data
– Issue of Anonymisation
– Issue of data protection policies
– There are no consistent guidelines in EU member states. Some have opted for a more, seemingly, liberal approach, for example Sweden, in the application of the medical research exemption.
– Others however, such as France and Germany, have opted for a less liberal approach.
– The lack of consistency has not helped in the interpretation of the Directive.

“A blanket requirement for anonymisation of data, as well as informed consent from all individuals to use identifiable data about them, would jeopardise the methodological integrity of research and audit. This would not just hinder the progress of medical knowledge but might lead to completely incorrect conclusions. This would be against the public interest and make the process of clinical governance impossible…”

BMJ 2000

“…it would appear that the Directive will, in many circumstances, shift the balance in favour of obtaining clearer, more unambiguous Consent from individuals than has been the case up to now.”

DP Commissioner, 2002

“Consent has a role to play but it does not emerge as a trump card. Indeed some might argue that the broad and indistinct categories of justifications for processing without consent potentially weaken the protection that is afforded to informational privacy interests. The model, however, is, as always, a search for a balance and few could deny that privacy protection should sometimes bow to other interests. But the devil is in the detail of determining which interest should be weighed in the balance and how far privacy should be compromised in any given case. The example of research is particularly apt. Some member states, for example Denmark and Austria, allow research on secondary uses of patient data, that is, uses beyond those for which the data were first obtained, without the need for patient consent so long as the national data protection office gives prior approval. The United Kingdom also has mechanisms for allowing research using patient data subject to rigorous review…It is to be noted with some regret, however, that a culture of caution has grown up around the workings of the Data Protection Act such that there is a widespread belief that the law now hinders research. In the main, we consider this to be unfounded.”

Mason & Laurie, Law & Medical Ethics (2006)

– Two general categories of data require to be considered:
– (a) retrospective/archived/historical data (where consent for the current use was never obtained or is inadequate), and
– (b) prospective/future data, for which how and what type of consent should be obtained needs to be discussed.

– In relation to the former, the questions that arise are:
– (i) when does a researcher require to re-obtain consent (where the data is identifiable) and, if this cannot be obtained (due to impossibility/disproportionate effort), can the research progress?
– (ii) can the researcher continue to carry out the research by anonymising the data and, if so, who should anonymise this data?
– (iii) if the research would prove futile by anonymisation, can it be pseudo-anonymised? and
– (iv) what onus is there on a research ethics committee to ensure that the research proposal is in accordance with the Data Protection Act?

– The exemptions exist for a reason; however, they do not allow data controllers to by-pass their obligations to ensure that, prior to health and personal data being processed, a subject:
– (i) is given information in relation to their data and
– (ii) in certain circumstances, gives his/her consent prior to the processing of their data.

– Other practitioners, whilst discussing the concerns, have also stated that:

“…health professionals need to understand current anxieties about the ways in which health information is handled; they need to learn the rules and apply them and accept that unfettered access to personal health information is a thing of the past and that, among the many tools they need for modern clinical practice are those of skilled information management.”

Chalmers and Muir, “Patient privacy and confidentiality: The debate goes on; the issues are complex, but a consensus is emerging.” BMJ 2003;326:725–6

Data Protection Principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) the conditions of section 2 are satisfied and (b) at least one of the conditions in s 2A is met, and (c) in the case of sensitive personal data, at least one of the conditions in s 2B is also met.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Moving forward: Best Practice Models?

Conclusions

– Increased move toward maximum disclosure of information – utilisation of proper and clear provision of information over the use of patient information
– Consent as the first port of call would overcome all obstacles – but is not necessarily required if exemptions are invoked (medical research exemption)
– Specific information, however, must be provided to data subjects
– Personal information must be protected:
– kept confidential
– anonymised (utilisation of Privacy Enhancing Techniques – PETs)
– definitions of ‘anonymous’
– Where anonymisation cannot be achieved:
– require ethics approval
– adequate safeguards in place to ensure safety
– Properly considered research policies
– Assistance of:
– Ethics Committees
– Data Protection Commissioner
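The retrospective-data questions above (anonymise, or pseudo-anonymise where anonymisation would make the research futile, and who should do it) and the Conclusions' reference to Privacy Enhancing Techniques can be made concrete. The following Python example is added here for illustration; it is not part of the lecture, of the Act, or of any Data Protection Commissioner guidance. It takes a constructed set of identifiable health records, strips the direct identifiers, replaces the medical record number with a keyed pseudonym (HMAC-SHA256 under a secret that stays with the data controller rather than the researcher), coarsens the quasi-identifiers, and then measures how many records remain unique on those quasi-identifiers before release. The record layout, field names, key and the group-size threshold are all assumptions of the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample of identifiable patient records (fictional people and values).
# The field names are assumptions of this example, not a real hospital schema.
RECORDS = [
    {"mrn": "MRN-0001", "name": "Patient One", "address": "1 Example Road",
     "dob": "1961-03-14", "postcode": "D04 X1Y2", "diagnosis": "J45"},
    {"mrn": "MRN-0002", "name": "Patient Two", "address": "2 Example Road",
     "dob": "1961-11-02", "postcode": "D04 A9B8", "diagnosis": "I10"},
    {"mrn": "MRN-0003", "name": "Patient Three", "address": "3 Example Road",
     "dob": "1975-06-30", "postcode": "D04 C3D4", "diagnosis": "E11"},
    {"mrn": "MRN-0004", "name": "Patient Four", "address": "4 Example Road",
     "dob": "1975-01-09", "postcode": "D04 E5F6", "diagnosis": "J45"},
    {"mrn": "MRN-0005", "name": "Patient Five", "address": "5 Example Lane",
     "dob": "1988-12-25", "postcode": "T12 G7H8", "diagnosis": "I10"},
]

# Constructed demo key. In practice the data controller (or a trusted third party)
# holds this key and does not hand it to the research team: whoever has the key
# can re-link pseudonyms to patients, so the extract is pseudonymous, not anonymous.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"

DIRECT_IDENTIFIERS = ("mrn", "name", "address")
QUASI_IDENTIFIERS = ("birth_year", "postcode_area")


def pseudonym(identifier, key):
    """Keyed, deterministic pseudonym: the same MRN gives the same token under the
    same key, while a precomputed table of plain MRN hashes is useless without it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(record):
    """Drop direct identifiers and coarsen quasi-identifiers so individual records
    are harder to single out (date of birth -> year, full postcode -> area)."""
    return {
        "birth_year": record["dob"][:4],
        "postcode_area": record["postcode"].split()[0],
        "diagnosis": record["diagnosis"],
    }


def pseudonymise_dataset(records, key):
    """Build the research extract: generalised fields plus a keyed pseudonym,
    with no direct identifier carried across."""
    extract = []
    for record in records:
        row = generalise(record)
        row["pid"] = pseudonym(record["mrn"], key)
        assert not any(field in row for field in DIRECT_IDENTIFIERS)
        extract.append(row)
    return extract


def quasi_key(row, quasi=QUASI_IDENTIFIERS):
    return tuple(row[field] for field in quasi)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifier combination. A value of 1 means
    at least one record is unique and could be re-identified by linkage to another source."""
    return min(Counter(quasi_key(row, quasi) for row in rows).values())


def suppress_small_groups(rows, k, quasi=QUASI_IDENTIFIERS):
    """Withhold records whose quasi-identifier group is smaller than k before release."""
    counts = Counter(quasi_key(row, quasi) for row in rows)
    return [row for row in rows if counts[quasi_key(row, quasi)] >= k]


def relink(pid, candidate_mrns, key):
    """Only the key holder can do this: find which MRN produced a given pseudonym.
    Included to make the pseudonymous/anonymous distinction visible."""
    for mrn in candidate_mrns:
        if hmac.compare_digest(pseudonym(mrn, key), pid):
            return mrn
    return None


if __name__ == "__main__":
    extract = pseudonymise_dataset(RECORDS, CONTROLLER_KEY)
    print("k before suppression:", k_anonymity(extract))
    released = suppress_small_groups(extract, k=2)
    print("k after suppression:", k_anonymity(released), "rows released:", len(released))
```

On the constructed sample the 1988/T12 record is unique on the quasi-identifiers, so the extract only reaches a group size of 2 after that record is withheld; that is the kind of check a research ethics committee or data controller would want evidence of before treating an extract as rendering subjects unidentifiable under s4(4). Because the pseudonyms are reversible by the key holder, the extract remains personal data for that party and the s2, s2A and s2B tests above still apply to it.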

Other Options

– In certain limited circumstances for public health screening reasons:
– Health (Provision of Information) Act, 1997 (Cancer Registry)
– allows passing of data from bodies to other bodies with permission of the Minister of Health
– Pass similar legislation on a limited basis:
– s60 Health and Social Care Act 2001, UK
– Health Service (Control of Patient Information) 2002, UK – public health patient data
– This should be done only with careful consultation: need to avoid panic reactions?

The Data Protection Acts 1988 and 2003: Implications for Medical and Public Health Research in Ireland

(Health Research Board, 2007 – forthcoming)

This lecture or any of the information given therein is not and should not be taken to be or relied on as legal medico-legal or medico-ethical advice.

No reproduction or distribution without prior permission of author.

All Notes © Asim A. Sheikh BL, 2006