Summary of the legal framework - National Information Governance

NIGB
Identifying and contacting patients for medical research
Summary of the legal framework
The use of personal (i.e. identifiable) data is governed by both the Common Law and
various Acts of Parliament and statutory instruments. The legal framework sets out
how identifiable patient information may, or must, be used. A useful overview of
legislation can be found in NHS Information Governance: Guidance on legal and
professional obligations at:
http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/lglobligat.pdf
Reference should also be made to the NHS Confidentiality Code of Practice which
can be found at:
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253
Additionally, the requirements for professional practice are set by the professional
regulatory bodies such as the General Medical Council (GMC), Nursing and
Midwifery Council (NMC), Health Professions Council (HPC) et al. These also have a
quasi-legal function and are taken into consideration by the Courts 1.
The key areas of law that need to be considered in relation to all research using
identifiable data are:
i. The Common Law duty of Confidentiality
ii. The Data Protection Act 1998
iii. The Human Rights Act 1998
Legislation places some additional restrictions on specific types of sensitive personal
data, e.g. sexually transmitted diseases and assisted reproductive technologies such
as in vitro fertilisation.
The Common law duty of Confidentiality
The common law, case law determined by the Courts, has established that
information provided by individuals in confidence should generally be protected and
not disclosed to anyone other than the person to whom the information was provided
or used for other purposes without their consent. The duty of confidentiality owed by
clinicians to their patients is well established and is in addition to the requirements of
the Data Protection Act 1998 and other legislative requirements.
1 The standard of care clinicians are required to meet is known as the Bolam test, following the Bolam case,
which refers to the reasonable opinion of a body of professional men. This was later modified by Bolitho to
indicate a decision must also stand up to logical scrutiny. These principles would also be applied in considering
professional practice in relation to confidentiality as well as professional clinical practice.
National Information Governance Board for Health and Social Care
For the common law duty of confidentiality to apply, the information must be
confidential in nature or imparted with an expectation of confidentiality. Normally
information already in the public domain would not be regarded as having the
necessary quality of confidentiality; however, sometimes demographic data can be
sensitive or imparted with an expectation of confidentiality and caution should be
exercised in such cases. The common law provides protection for confidential patient
information in particular because of the importance confidentiality plays in the clinical
relationship, allowing patients to divulge sensitive information without concern that it
will be disclosed to others. Maintaining public trust in a confidential service is
therefore in the public interest and is strongly supported by the courts 2 3. It is also
acknowledged that healthcare is now largely delivered by teams of clinicians rather
than individuals and therefore that there is implied consent to share confidential
patient information within the clinical care team for the purposes of providing care to
patients.
As with the Data Protection Act, information that has been anonymised is exempt.
Other exemptions from the common law duty of confidence may apply when:
• The law requires or permits disclosure through statute or court order.
• There is a public interest necessitating disclosure which is sufficient to
outweigh both the private interests of the individual and the public interest in
maintaining public trust in a confidential service.
The Data Protection Act 1998
The Data Protection Act 1998 provides a framework for ensuring that personal
(identifiable) data is only processed for appropriate and authorised purposes, is held
securely, and disposed of when no longer needed. The Act provides data subjects
with a number of rights in respect of data that refers to them. In the context of health
research, there are a number of requirements imposed by the Data Protection Act,
but also exemptions, which facilitate research activities under specific conditions.
The main requirements are that:
• Those responsible for clinical records, i.e. clinicians and healthcare provider
organisations such as NHS Trusts, must inform patients that the records may
be used for clearly defined purposes which facilitate research and/or clearly
defined research projects/studies and that patients have a right to dissent to
records about themselves being used for such purposes;
• Those responsible for records (i.e. Clinicians & Trusts) must authorise
formally any disclosure of information from those records;
2 Ashworth Security Hospital v MGN [2002] UKHL 29
3 Campbell v MGN [2004] UKHL 22, [2004] 2 AC 457
• Any disclosure of information must be lawful in a broader sense, i.e. must
respect other legal restrictions on disclosure e.g. the common law duty of
confidentiality, which requires consent for disclosure to third parties;
• Those who process patient identifiable health information for research
purposes, where this is lawful, must be under a duty of confidentiality to the
patient which is equivalent to that which would arise if they were health
professionals. This means that they must be under a contractual obligation of
confidentiality as part of their employment and which must be enforceable
through disciplinary procedures 4. This applies, irrespective of whether the
consent of the patient has been obtained. A researcher owing a duty of
confidentiality does not lift the requirement for clinicians to seek the consent of
patients for disclosure.
The Data Protection Act also makes specific provision in relation to research i.e.:
• Whilst there is a requirement that information collected for one purpose
should not be used in ways incompatible with that purpose, the Act makes it
clear that further processing for research purposes is to be regarded as
compatible with the original purpose. The use of the term ‘further processing’
indicates that it does not remove the onus on the original data controllers to
inform patients that their data may be used for research purposes; there are
also conditions that need to be met in order for the exemption to apply.
• Whilst there is a general requirement to dispose of records when they are no
longer needed for their original purpose, retaining them for research is
permissible.
In practice the Data Protection Act may restrict research activities, no matter how
well constituted, where:
• those who hold data fail to inform patients about potential research activity;
and/or
• the information in question is held subject to common law obligations of
confidentiality, when disclosure without express consent would not be in
keeping with the requirement, under the first Data Protection Principle, for
disclosures of information to be fair and lawful. This is reinforced by
professional obligations of confidentiality.
It is worth noting that the Data Protection Act does not apply to data that has been
effectively anonymised. The Information Commissioner has produced guidance on
the type of data that is governed by the Act, which can be found at:
www.ico.gov.uk/about_us/news_and_views/current_topics/what_is_personal_data.aspx
4 Given that clinicians are also under a professional duty of confidentiality and breach of confidentiality could
result in clinicians being struck off, it is arguable whether a purely contractual obligation of confidentiality is
equivalent, albeit that this is accepted practice in the UK.
The Human Rights Act 1998
The Human Rights Act 1998 requires that any intrusion into the private and family life
of an individual must be in accordance with the law, proportionate and necessary for
one of the following reasons: national security; public safety; the economic wellbeing of the country; for the prevention of disorder or crime; for the protection of
health or morals or for the protection of the rights and freedoms of others. In the UK,
it has generally been interpreted that provided there is robust compliance with the
Data Protection Act and the common law confidentiality obligations, this will usually
be sufficient to satisfy the Human Rights requirements where the purpose is health
research. High quality medical research can play a part in improving the safety,
quality and effectiveness of care.
NHS Care Record Guarantee
In addition to the legal framework outlined above, the Department of Health
published guidance, agreed with the key regulatory bodies, in 2003 that established
how the common law should be interpreted in a health setting. This guidance,
Confidentiality: NHS Code of Practice, was subsequently used as the basis of the
Secretary of State’s NHS Care Record Guarantee, which set out a series of
commitments that the NHS must adhere to in order to provide the confidentiality
management required by law, policy, best practice and professional guidelines. The
Guarantee makes it clear that information can be shared between those involved in
providing care or checking the quality of that care, but will only be shared in an
identifiable form for research purposes where consent has been gained or when
support under Section 251 is granted.
Those responsible for clinical records, i.e. clinicians and health care provider
organisations, therefore normally require a patient’s explicit consent or a clear legal
basis before they permit individuals who have no involvement in providing or
checking the care provided to a specific patient to access confidential patient
information.
It is sometimes suggested that the public interest could justify the disclosure of
patient identifiable information without consent for research purposes. Whilst this is
theoretically the case, it is rare for a research project to be of such importance that
the processing of patient information for research purposes is justified without patient
consent as explained in the Department of Health guidance. Obviously, it is not for
researchers to judge whether an activity is of sufficient public interest to justify
disclosure of confidential patient information. Ultimately, this judgment rests with the
Caldicott Guardian of the disclosing body, although it is also considered by research
governance staff and the Research Ethics Committee.
The ECC advises the Secretary of State for Health about whether to permit the
disclosure and use of confidential patient information without consent for particular
purposes, under the powers set out in Health Service (Control of patient information)
Regulations 2002. Such processing is limited to medical purposes and only where
anonymised data cannot be used and where it can be shown that consent is
not practicable. The purpose of identifying potential research participants and
contacting them to invite them to participate in, or to allow their data or tissue to be
used for, medical research 5, is included within the regulations, and as such the
ECC can advise the Secretary of State on whether to permit use of these powers
for this purpose. Such approval allows medical research that is in
the public interest to process confidential patient information where consent is not
practicable, prior to obtaining patients' details in order to seek their consent to participate
directly in a study or to allow their data or tissue to be used for a study.
In 2009, the NIGB also published an equivalent guarantee for social care called the
Social Care Record Guarantee 6.
The NHS Constitution
The Health Act 2009 placed a duty on NHS bodies and organisations providing NHS
funded care to have regard to the NHS Constitution in performing their NHS
functions. Whilst the NHS Constitution does include a commitment to make patients
aware of research in which they might participate, it also includes a commitment to
safeguard the security and confidentiality of patient information 7.
5 The Health Service (Control of patient information) Regulations 2002 - Schedule:
3. The processing of confidential patient information to enable the lawful holder of that information to
identify and contact patients for the purpose of obtaining consent –
(a) to participate in medical research;
(b) to use the information for the purposes of medical research, or
(c) to allow the use of tissue or other samples for medical purposes.
6 http://www.nigb.nhs.uk/social
7 http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/documents/digitalasset/dh_093442.pdf