Is Data Protection a barrier to Medical Research?
Tom Maguire, Deputy Data Protection Commissioner
NUI Galway, 8 March, 2005

Presentation Outline
• Basic Data Protection
• Medical Research issues
  – Obligations on researchers
  – Rights of individuals
  – What are the problems?

Why Data Protection?
• Post World War II emphasis on human rights.
• George Orwell’s “1984” (published 1949).
  – Government in absolute control.
  – No privacy or freedom of thought.
  – Constant surveillance – “Big Brother”.
• International agreements on Human Rights.
• Development of computer power.

UN Universal Declaration on Human Rights, 1948
Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference ….

European Convention on Human Rights, 1950
Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society

Irish Constitution, 1937
• No express Right to Privacy…
• …but case law has established privacy as one of the “unenumerated rights”
  – Phone-tapping cases
  – Homosexual rights

Council of Europe Convention, 1981
• Also called “Convention 108”
• Deals specifically with data protection
• Ireland’s Data Protection Act gives effect to this Convention

Data Protection Act, 1988
• Rights For Individuals
• Responsibilities For Computer Users

Directive 95/46/EC
• Harmonisation across EU.
• Extends DP to manual records.
• Data Protection (Amendment) Act 2003.
  – Commencement order 1st July 2003.

Law Reform Commission 1998 Report on Privacy, Surveillance and the Interception of Telecommunications
“Privacy is not merely instrumental to the achievement of other goals but is a basic human right that applies to all persons in virtue of their status as human beings.
It is not possible to overstate just how fundamental privacy is in a civilised legal system.”

UK Ministers/Liverpool Childrens Inquiry
• “The traditional paternalistic attitude of the NHS that the benefits of science and research are somehow self-evident was no longer acceptable”.
• NHS challenge twofold: change culture and move to consent for personal data, or use information which no longer identifies individual patients.

The Data Protection Rules
1. Fair obtaining consent
2. Specified purpose
3. No further processing unless compatible
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Comply with access request

Fair processing of Data
• Section 2(5)(a): compatibility and retention test need not be met for data used in research.
• Rules 3 & 7 “do not apply to personal data kept for statistical or research or other scientific purposes….”

Fair Obtaining of Data
• Section 2(5)(b): research a legitimate use of existing data, even if the patient is unaware of this use. (Rule 1)
• Data shall not be regarded as having been unfairly obtained “by reason only that its use for any such purpose was not disclosed when it was obtained, if …damage or distress” is unlikely to be caused…
• But advise good practice to notify patients

Practical issue – who is the Data Controller?
• If the data are collected by a hospital, the research should take place under its control.
• Where the researcher wishes to use hospital data for his/her own research, this constitutes a disclosure and requires that the data subject is aware of the disclosure (section 2D)

Practical issue – can data be disclosed to a researcher?
• If the researcher is a separate Data Controller, should only be done with data subject consent and only the minimum data necessary should be disclosed, or
• The data should be anonymised.
• What about PETs?

Practical issue – why not anonymise?
“Uses of information other than for the direct provision of healthcare to the individual rarely requires the individual to be identified. However, the need to link episodes of care and prevent duplication of data means that information must be matchable/linkable.“
UK Dept of Health request for tender to evaluate scope for anonymisation/pseudonymisation, 2001

How can researchers avoid duplication of data in respect of the same individual?
Researchers who obtain anonymised data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual. To address this problem, it may be permissible for a data controller to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher (i.e. a data controller might "code" a unique data-set using a patient’s initials and date-of-birth). The researcher should not be in a position to associate the data-set with an identifiable individual.

Practical issue – can data be transferred outside the EEA?
Such transfer requires either:
– Consent
– Use of EU Model Contract
– Reason of substantial public interest
– Data are part of a public register

Processing sensitive data 1
Sensitive data are defined in the Acts as including reference to the physical or mental health or condition of the data subject.

Processing sensitive data 2
• Additional conditions must be met to legitimise processing (section 2B)
• Explicit consent of Data Subject (or parent, relative, guardian), or
• Urgently required to protect life, or

Processing sensitive data 3
Section 2B(1)(viii): “the processing is necessary for medical purposes and is undertaken by
(I) a health professional, or
(II) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health professional”
Medical purposes “includes the purpose of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services”.

“Health professional”
A health professional “includes a registered medical practitioner, within the meaning of the Medical Practitioners Act, 1978, a registered dentist, within the meaning of the Dentists Act, 1985, or a member of any other class of health or social worker standing specified by regulations made by the Minister” of Justice (None, so far).

“Medical purposes”
• May be relied on where obtaining explicit consent is not practicable.
• Implies patient has been informed.
• Applies where damage/distress is unlikely, there are no adverse consequences for the patient, and where there is ethics committee approval and good data protection controls in place.
• Can purpose be achieved without personal data?

Additional responsibilities
• Respond to an access request
• Respond to objection
• Employ adequate security measures
• Registration

Access Request
• The Data Controller is obliged to respond to a request for information received from a data subject
• Respond having first consulted appropriate health professional

Scope of Access Request
• Applies to computerised and manual records (forming part of structured filing system)
• Shall not supply data “if it is likely to cause serious harm to the physical or mental health of the data subject” (SI 82/1989)
• Need not supply if data kept only for research

Right to object
Section 6A(1) allows the data subject to object to the processing of data
(a) Is “likely to cause substantial damage or distress to him or her, or to another person, and
(b) The damage or distress is or would be unwarranted”

Restriction on right to object
• Where data subject has already given explicit consent;
• Legal obligation to process data;
• Processing necessary to protect the vital interests of the data subject.

Any exemption for research or statistical purposes?
Cancer research and screening is an exception to the rule prohibiting disclosures without consent. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister or any body or agency for the purpose of compiling a list of people who may be invited to participate in an approved cancer screening programme.
Also Notifiable Disease Regulations.
Need for Comprehensive Research legislation?

Security Measures
• Appropriate security measures. Appropriate to the harm that might result. Appropriate to the nature of the data.
• May have regard to the current state of technology.
• May have regard to cost of implementation.
• Staff must know and comply with measures.

Registration
• New registration if a new data controller;
• Amend existing registration if new purpose / application involved.

Enforcement by ODPC
• Audits
• Codes of Practice

What are the problems?
• Research projects where data are not accessible because of the Acts?
• Research projects abandoned because of the Acts?
• What are researchers unable to do now that they could do before the DP Acts?
• What kind of Guidance from DPC would be helpful?

Conclusion
• Data Protection is not a barrier to medical research.
• Need to protect confidentiality of patient and right to privacy unequivocal
• Challenge to ensure this while facilitating research for the public good.

Thank You for Listening. Any Questions?
tmaguire@dataprotection.ie