
Linkage challenges: What does good governance look like? 4 May 2011 Graeme Laurie Edinburgh Law School Chair, Privacy


Presentation Transcript


  1. Linkage challenges: What does good governance look like? 4 May 2011 Graeme Laurie Edinburgh Law School Chair, Privacy Advisory Committee

  2. Legal and ethical challenges
     • Common law of confidentiality; Data Protection Act 1998; human tissue regulation; human rights considerations
     • Ethical principles driving medical research: first do no harm, autonomy, welfare, benefit and justice – a culture of caution
     • A plethora of standards, policies and guidelines
     • The challenge: translating legal and ethical principles into effective and efficient practice

  3. SHIP: improving governance for all
     • Reducing burden & uncertainty and increasing transparency
     • Setting standards: Principles & Best Practices
     • Responsibilities: Data Flows, Data Controllers, Data Stewards
     • Seeking buy-in from stakeholders
     • Providing uniform and high-quality advice in single structure
     • The importance of proportionate governance

  4. The SHIP model (under construction)
     [Diagram; labels: Data permissions; Data release; Non-NHS Data controller; National PAC (ISD, GROS); Local PAC or equivalent (NHS HB); Non-NHS dataset; ISD dataset; Local HB dataset; Referral of data request; National Indexing Service; Data request; Research Coordinator; Creation and storage of linked dataset; National RDC (NSS); Advice & guidance; Safe haven; Training; Researcher approval; Researcher approval and secure access]

  5. What does proportionate governance look like?
     (1) What is at stake? (principles and best practices)
     (2) Who is involved and who is responsible? (data controllers)
     (3) What are the benefits, burdens and risks involved with each application? (an appropriate risk assessment)
     (4) What is an appropriate research pathway for this application? (engaging the right people and principles – avoiding unnecessary regulatory burden)

  6. (1) What is at stake? Principles and Best Practices
     • Principles: foundational starting points for deliberation and action
     • Best practice: instances of implementation of principles to a high standard
     • Content:
       • Public interest and the importance of research
       • Privacy/Anonymisation/Consent/Data Protection
       • Authorising/advisory bodies
       • Governance/Access
       • Trusted Third Parties (where appropriate)
       • Clinical Trials
       • Cross-sector sharing and sharing agreements
       • Public engagement and benefit sharing

  7. Principles and Best Practices examples
     • 1. Public interest
       • Principles
         • Scientifically sound and ethically robust research is in the interest of protecting the health of the public.
         • The responsible use of health data should be a stated objective of all organisations adhering to this instrument.
       • Best Practice
         • It is the data controller's responsibility to ensure the development of transparent policies that demonstrate their understanding of public interest and the basis upon which they will use and disclose health data.

  8. Principles and Best Practices examples
     • 11. Cross-sector sharing
       • Principles
         • Where ethical & legal standards are met, data should be made accessible to trusted researchers across disciplines. The value of such cross-sector sharing should be recognised.
         • Along with the potential benefits, risks should also be identified and appropriately addressed. In particular, assurance of reciprocal privacy standards across sectors is necessary.
         • The unnecessary duplication of approval procedure(s) and governance mechanisms should be avoided. Mutual recognition of equivalent standards and procedures should be sought.
       • Best practice
         • Clear and easy to understand specifications covering confidentiality, security and privacy, and which define roles and protocols, should be agreed prior to cross-sector data sharing taking place.

  9. (2) Who is involved and responsible? Data stewards and data controllers
     1) When does one become (and stop being) a data controller?
     2) What flexibilities exist for the assumption of, or agreement on, data protection responsibilities?
     3) Is there a meaningful distinction between data disclosure (surrender responsibility) and data sharing (share responsibility)?

  10. Data controllers: who and what is involved?
      • The DPA confers the responsibility and liability for compliance with the requirements of the DPA on the Data Controller.
      • Identifying the Data Controller(s) in relation to a set of personal data and its processing operations is therefore key to ensuring that data protection obligations are known and adhered to.

  11. Data controllers: who and what is involved?
      • Article 29 Data Protection Working Party (2010):
        • An actor is not a Data Controller unless in facts and law they have the capacity to set the purposes for the processing of the personal data;
        • A pluralistic situation, with a number of Data Controllers, including with different degrees of responsibility and liability, is both possible and acceptable

  12. Data controllers: Key messages
      • It is essential to be clear as to who is acting as a data controller with respect to any given data set involving the processing of personal data
      • It is possible that one or more parties can act in the capacity as a data controller and will accordingly be held jointly liable
      • It is possible to agree between parties who will act as a data controller with respect to a given dataset and/or to agree different levels of responsibility and liability.

  13. (3) Categorising applications: What are the benefits, burdens and risks?
      ONS draft Research Data Access Strategy:
      • Category 0: Public, Open Access
      • Category 1: Low impact
      • Category 2: Medium impact (potentially disclosive)
      • Category 3: High impact (forms of health data?)
      Risk assessed relative to probable threat to privacy, likely impact on privacy and reputation risk to DC or DSs.

  14. SHIP: What are the benefits, burdens and risks?
      • Safe havens, data extraction and/or travel (responsibilities?)
      • Renewals (original application and trust in researcher)
      • Promoting the DCs core purposes (facilitating sharing)
      • Sensitive linkages (what counts as additional safeguards?)
      • Multiple sector linkages (a role for a national PAC)
      • International linkages (in principle the same, but…)

  15. (4) Mapping categories of application to suitable governance pathways
      • Education and Approved Researcher status
      • Data Controller Toolkit for decision-making
      • Research Coordinator as informed gate-keeper
      • Triage: building precedents and trusted relationships
      • A national Privacy Advisory Committee as one-stop-shop
      • Categories of licence reflecting category of application
      • Safe haven; data travel; appropriate sanctions

  16. (4) Mapping categories of application to suitable governance pathways

  17. Next steps?
      • Running case studies through the SHIP model
      • Shaping good governance as robust proportionate governance
      • Engaging the range of stakeholders and refining the model(s)
      • Suggestions? Graeme.Laurie@ed.ac.uk
      • Thank you!
