Data protection and research implications for a national out of hospital cardiac arrest register
Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register. NUI Galway Dept of General Practice Lunchtime seminar 20 November Gary Davis Deputy Data Protection Commissioner. Presentation Outline. Data Protection: Human Right to Privacy


Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register

NUI Galway Dept of General Practice

Lunchtime seminar

20 November

Gary Davis

Deputy Data Protection Commissioner


Presentation Outline

  • Data Protection: Human Right to Privacy

  • Data Protection Principles

  • Protecting Personal Health Information

  • Draft Guidelines on Health Research


Survey Results (2005) (1)

  • Is privacy important? (important / very important)

    • Crime Prevention: 7% / 91%

    • Personal Privacy: 9% / 89%

    • Consumer protection: 12% / 85%

    • Workplace equality: 11% / 82%

    • Ethics in public office: 14% / 78%


Survey (2): Privacy most important in relation to:

  • Financial records

  • Medical Records

  • PPS Number

  • Credit Card Details

  • Telephone No

  • Home Address

  • Date of Birth

  • Marital Status


Data Protection: a Human Right

  • Part of Right to Personal Privacy

  • Personal Privacy : necessary in a Democratic Society

  • Not absolute: other necessary Rights in a Democratic Society (e.g. Freedom of Expression, Rights of Others)


Constitution

  • Implicit Right to Personal Privacy under Article 40.3.1: “The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens”

  • Court Interpretation: the right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State


European Human Rights Convention

  • Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR)

  • ECHR now indirectly part of domestic law due to ECHR Act 2003


ECHR Article 8: Privacy

  • (1) Everyone has the right to respect for his private and family life, his home and his correspondence.

  • (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


EU/EEA Directives

  • Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data

  • Directive 2002/58/EC Privacy and Electronic Communications


EU & Irish Legislation

  • Data Protection Directive 95/46/EC

  • Electronic Privacy Directive 2002/58/EC

  • EUROPOL etc

  • Data Protection Acts 1988 & 2003

  • EC Electronic Privacy Regulations 2003 (SI 535/2003)

  • Corresponding Acts

  • Good Friday Agreement

  • Disability Act 2005


Definitions: Personal Data

  • “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)

  • Applies to any data processed (including hosting) by, essentially, any legal entity, using any medium: paper, computer, network, web, phone etc.

  • Only relates to a living person


European Data Protection Rules

  • Fair obtaining & processing

  • Consent

  • Specified purpose

  • No disclosure unless “compatible”

  • Safe and secure

  • Accurate, up-to-date

  • Relevant, not excessive

  • Retention period

  • Right of access

  • Independent Supervisory Authority


Restrictions on disclosure

  • General rule – no disclosure for different purpose

  • Exceptions made, to balance other interests of society

  • Section 8 exceptions

    • Investigation of crime

    • Collection of taxes

    • Security of the State

    • Protect life & limb

    • Required by Law

  • No general “public interest” test


Role of the Data Protection Commissioner

  • Ombudsman Role: resolution of disputes between data subjects and data controllers or processors

  • Enforcer Role: compliance by data controllers & processors

  • Educational Role: Promotes DP rights and good practice

  • Registration Authority: obligation on major holders of personal data to be placed on public register


Data Protection & Health Data

  • Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for:

    • Processing of Data “kept for statistical or research or other scientific purposes”

    • Processing “necessary for medical purposes” (including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality

  • DP and Medical Ethics mutually reinforcing


Consultation on Personal Data use for Health Research

  • Try to reach consensus on balanced approach reflecting Irish conditions

  • Seminar November 2006

  • Addressed by speakers from different perspectives (HSE, public health, research)

  • EUROSOCAP guidelines (www.eurosocap.org)


Draft Guidelines Paper

  • Presented July 2007 (on www.dataprotection.ie)

  • Comments up to 21 September

  • 11 Submissions received

  • Final version in coming weeks


Draft Guidelines: Key Points

  • Use anonymised/pseudonymised patient data wherever possible

  • Where a health facility (e.g. hospital) anticipates research use of identifiable patient data, seek patient consent at earliest possible opportunity, backed by patient leaflet and research policy approved by ethics committee

  • Treat identifiable personal data on “need to know” basis

  • Recognises possibility within Acts for research to be undertaken by the Data Controller itself.

  • Makes provision for the context in which consent is sought, including where a person is not in a position to give it.


Anonymisation

  • Effectively anonymised data not subject to Data Protection Acts – so anonymise where possible

  • Pseudonymisation, subject to safeguards, acceptable where full anonymisation not possible


Guidelines Paper: Patient Consent

  • “best practice would suggest that allowing the patient choice and providing them with information in relation to how their data is used should be the standard approach.”


Guidelines Paper: Patient Consent

  • “What is being put forward here is a relatively simple model that every effort should be made to ensure that the patient knows what could happen to their data for purposes unrelated to their treatment and are given an opportunity to consent or refuse consent for such use. In this way, if any proposed use of a patient’s data for purposes unrelated to their treatment would likely come as a surprise to them, then a new and separate consent should be sought.”


Guidelines Paper: Patient Consent

  • “an informed and explicit consent [should] be sought as soon as possible after a patient presents at a health facility … each data controller [should] consider in a thorough manner what such potential [research] uses might be and specifically capturing these in an appropriate consent supported by an informative patient leaflet

  • Additional research initiatives, not envisaged at the time of seeking the initial consent, involving the use of patient data would need to be predicated on further specific consents going forward.”


Can anonymised data be used to achieve the aims of the proposed project? Yes/No?

Yes – Proceed with proposed project using data anonymised by the data controller without requiring consent.

No – Can pseudonymised data be used instead with appropriate safeguards? Yes/No?

Yes – Proceed with proposed project ensuring that the key to a person’s identity is retained by the data controller only and not revealed to third parties.

No – Patient consent is normally required.

Has consent for research purposes been secured in relation to the files previously? Yes/No?

Yes – Is this consent valid (specific enough) to cover this particular research proposal? Yes/No?

No – Specific, informed, freely given consent must be captured from individuals by the data controller.

Yes – Proceed with research project (subject to adequate safeguards being in place in relation to security etc).

Once valid consent is in place, the research project can proceed (subject to adequate safeguards being in place in relation to security etc).


OHCAR – KEY POINTS

  • Pilot Project limited to one HSE area

  • Difficulties in obtaining explicit consent

  • Largest part of data was not personal data as it related to dead persons

  • Who is the data controller in this case?

  • Attempt through collation of the data to provide better care to patients


OHCAR

  • What about data in the private system and held by GPs?

  • Physical and system security arrangements put in place so that only the OHCAR project manager and personnel have access to the data

  • Intended media campaign in relation to project


OHCAR

  • From a DP perspective Methodology 1 preferred

  • Methodology 2

    • No difficulty with OHCAR gathering data from ambulance service and A+E Depts to identify surviving persons

    • Have to deal with reality that HSE could not be considered the Data Controller in relation to a large part of the data


Recommendations on Methodology 2

  • Informed consent in unique circumstances of project

  • OHCAR to write to surviving patients outlining all relevant information in relation to the study and the safeguards in place for their privacy

  • 21 days to raise any concerns and OHCAR to send reminder if doubt as to receipt

  • Any objections must be respected


Thank You

  • www.dataprotection.ie

  • Contact: [email protected]

