Is Data Protection a barrier to Medical Research? Tom Maguire Deputy Data Protection Commissioner NUI Galway 8 March, 2005

Download Report

Transcript Is Data Protection a barrier to Medical Research? Tom Maguire Deputy Data Protection Commissioner NUI Galway 8 March, 2005

Is Data Protection a
barrier to Medical
Research?
Tom Maguire
Deputy Data Protection Commissioner
NUI Galway
8 March, 2005
Presentation Outline

Basic Data Protection
 Medical Research issues
– Obligations on researchers
– Rights of individuals
– What are the problems?
Why Data Protection?

Post World War II emphasis on human rights.
 George Orwell’s “1984” (published 1949).
 Government in absolute control.
 No privacy or freedom of thought.
 Constant surveillance – “Big Brother”.


International agreements on Human Rights.
Development of computer power.
UN Universal Declaration
on Human Rights, 1948
Article 12: No one shall be subjected
to arbitrary interference with his
privacy, family, home or
correspondence ... Everyone has the
right to the protection of the law
against such interference ….
European Convention on
Human Rights, 1950
Article 8: Everyone has the right to
respect for his private and family
life, his home and his
correspondence …
There shall be
no interference by a public authority
with this right except such as is
necessary in a democratic society
Irish Constitution, 1937
No express Right to Privacy…
…but case law has established privacy as
one of the “unenumerated rights”
– Phone-tapping cases
– Homosexual rights
Council of Europe
Convention, 1981
Also called “Convention 108”
 Deals specifically with data protection
 Ireland’s Data Protection Act gives effect
to this Convention

Data Protection Act, 1988
Rights
For
Individuals
Responsibilities
For
Computer
Users
Directive 95/46/EC
Harmonisation across EU.
Extends DP to manual records.
Data Protection (Amendment) Act 2003.
– Commencement order 1st July 2003.
Law Reform Commission

1998 Report on Privacy, Surveillance and the
Interception of Telecommunications
– “Privacy is not merely instrumental to
the achievement of other goals but is a
basic human right that applies to all
persons in virtue of their status as
human beings. It is not possible to
overstate just how fundamental privacy
is in a civilised legal system.”


UK Ministers/Liverpool
Childrens Inquiry
“The traditional paternalistic attitude of
the NHS that the benefits of science and
research are somehow self-evident was
no longer acceptable”.
NHS challenge twofold- change culture
and move to consent for personal data or
use information which no longer
identifies individual patients.
The Data Protection Rules.
1.
2.
3.
4.
Fair obtaining
 consent
Specified purpose
No further processing
 unless compatible
Safe and secure
5.
6.
7.
8.
Accurate, up-to-date
Relevant, not excessive
Retention period
Comply with access
request
Fair processing of Data
Section 2(5)(a) compatibility and
retention test need not be met for
data used in research. Rules 3&7 “do
not apply to personal data kept for
statistical or research or other
scientific purposes….”
Fair Obtaining of Data
• Section 2(5)(b): research a legitimate use of
•
existing data, even if the patient is unaware of
this use. (Rule 1) Data shall not be regarded as
having being unfairly obtained “by reason only
that its use for any such purpose was not
disclosed when it was obtained, if …damage or
distress” is unlikely to be caused…
But advise good practice to notify patients
Practical issue – who is the
Data Controller?

If the data are collected by a hospital, the
research should take place under its control.
 Where the researcher wishes to use hospital
data for his/her own research, this constitutes a
disclosure and requires that the data subject is
aware of the disclosure (section 2D)
Practical issue – can data be
disclosed to a researcher?

If the researcher is a separate Data Controller,
should only be done with data subject consent
and only the minimum data necessary should
be disclosed, or
 The data should be anonymised.
 What about PET’s?
Practical issue – why not
anonymise?
“Uses of information other than for the direct provision of
healthcare to the individual rarely requires the individual to
be identified. However, the need to link episodes of care
and prevent duplication of data means that information
must be matchable/linkable.“
UK Dept of Health request for tender to evaluate scope for
anonymisation/pseudonymisation 2001
How can researchers avoid duplication of
data in respect of the same individual?

Researchers who obtain anonymised data are sometimes
faced with the problem that they may be dealing with two
or more data-sets from the same individual. To address this
problem, it may be permissible for a data controller to
make available anonymous data together with a unique
coding, which falls short of actually identifying the
individual to the researcher (I.e.a data controller might
"code" a unique data-set using a patient’s initials and dateof-birth). The researcher should not be in a position to
associate the data-set with an identifiable individual.
Practical issue – can data be
transferred outside the EEA?
Such transfer requires either:
–
–
–
–
Consent
Use of EU Model Contract
Reason of substantial public interest
Data are part of a public register
Processing sensitive data 1
Sensitive data are defined in the Acts
as including reference to the physical
or mental health or condition of the
data subject.
Processing sensitive data 2
•Additional conditions must be met to legitimise
processing (section 2B)
•Explicit consent of Data Subject (or parent,
relative, guardian), or
•Urgently required to protect life, or
Processing sensitive data 3
Section 2B(1)(viii) “the processing is necessary for medical
purposes and is undertaken by
(I) a health professional, or
(II) a person who in the circumstances owes a duty of
confidentiality to the data subject that is equivalent to that
which would exist if that person were a health
professional”
Medical purposes “includes the purpose of preventative
medicine, medical diagnosis, medical research, the
provision of care and treatment and the management of
healthcare services”.
“Health professional”
A health professional “includes a registered medical
pactitioner, within the meaning of the Medical
Practitioners Act, 1978, a registered dentist, within
the meaning of the Dentists Act, 1985, or a
member of any other class of health or social
worker standing specified by regulations made by
the Minister” of Justice (None, so far).
“Medical
purposes”
•May be relied on where obtaining explicit consent not
practicable.
•Implies patient has been informed.
•Applies where damage/distress unlikely, no adverse
consequences for patient, where there is ethics cttee.
approval and good d.p. controls in place.
•Can purpose be achieved without personal data?
Additional responsibilities
•
•
•
•
Respond to an access request
Respond to objection
Employ adequate security measures
Registration
Access Request
The Data Controller is obliged to
respond to a request for information
received from a data subject
Respond having first consulted
appropriate health profesional
Scope of Access Request
• Applies to computerised and manual records
•
•
(forming part of structured filing system)
Shall not supply data “if it is likely to cause
serious harm to the physical or mental health of
the data subject” (SI 82/1989)
Need not supply if data kept only for research
Right to object
Section 6A(1) allows the data subject to object to
the processing of data
(a) Is “likely to cause substantial damge or distress
to him or her, or to another person, and
(b) The damage or distress is or would be
unwarranted”
Restriction on right to object
 Where data subject has already
given explicit consent;
 Legal obligation to process data;
 Processing necessary to protect the
vital interests of the data subject.
Any exemption for research or
statistical purposes?
Cancer research and screening is an exception to the rule
prohibiting disclosures without consent. Under the Health
(Provision of Information) Act, 1997, any person may
provide any personal information to the National Cancer
Registry Board for the purpose of any of its functions; or to
the Minister or any body or agency for the purpose of
compiling a list of people who may be invited to participate
in an approved cancer screening programme. Also
Notifiable Disease Regulations.
Need for Comprehensive Research legislation?
Security Measures
• Appropriate security measures.
Appropriate to the harm that might result..
Appropriate to the nature of the data.
• May have regard to the current state of
technology.
• May have regard to cost of implementation.
• Staff must know and comply with measures.
Registration
 New
registration if a new data
controller;
 Amend existing registration if new
purpose / application involved.
Enforcement by ODPC
Audits
Codes of Practice
What are the problems?
 Research projects where data not accessible
because of Acts?
 Research projects abandoned because of Acts?
 What unable to do now than before DP Acts?
 What kind of Guidance from DPC would be
helpful?
Conclusion

Data Protection is not a barrier to medical
research.
 Need to protect confidentiality of patient and
right to privacy unequivocal
 Challenge to ensure this while facilitating
research for the public good .
Thank You
Thank You for Listening.
Any Questions?
[email protected]