data protection and research implications for a national out of hospital cardiac arrest register
Download
Skip this Video
Download Presentation
Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register

Loading in 2 Seconds...

play fullscreen
1 / 31

Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register - PowerPoint PPT Presentation


  • 258 Views
  • Uploaded on

Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register. NUI Galway Dept of General Practice Lunchtime seminar 20 November Gary Davis Deputy Data Protection Commissioner. Presentation Outline. Data Protection: Human Right to Privacy

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register' - Mia_John


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
data protection and research implications for a national out of hospital cardiac arrest register

Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register

NUI Galway Dept of General Practice

Lunchtime seminar

20 November

Gary Davis

Deputy Data Protection Commissioner

presentation outline
Presentation Outline
  • Data Protection: Human Right to Privacy
  • Data Protection Principles
  • Protecting Personal Health Information
  • Draft Guidelines on Health Research
survey results 2005 1
Survey Results (2005) (1)
  • Is privacy important?

important very important

    • Crime Prevention 7% 91%
    • Personal Privacy 9% 89%
    • Consumer protection 12% 85%
    • Workplace equality 11% 82%
    • Ethics in public office 14% 78%
survey 2 privacy most important in relation to
Financial records

Medical Records

PPS Number

Credit Card Details

Telephone No

Home Address

Date of Birth

Marital Status

Survey (2): Privacy most important in relation to-
data protection a human right
Data Protection: a Human Right
  • Part of Right to Personal Privacy
  • Personal Privacy : necessary in a Democratic Society
  • Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)
constitution
Constitution
  • Implicit Right to Personal Privacy under Article 40.3.1 …The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens
  • Court Interpretation: the right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State
european human rights convention
European Human Rights Convention
  • Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR)
  • ECHR now indirectly part of domestic law due to ECHR Act 2003
echr article 8 privacy
ECHR Article 8: Privacy
  • (1) Everyone has the right to respect for his private and family life, his home and his correspondence.
  • (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others
eu eea directives
EU/EEA Directives
  • Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data
  • Directive 2002/58/EC Privacy and Electronic Communications
eu irish legislation
Data Protection Directive 95/46/EC

Electronic Privacy Directive 2002/58/EC

EUROPOL etc

Data Protection Acts 1988 & 2003

EC Electronic Privacy Regulations 2003 (SI 535/2003)

Corresponding Acts

Good Friday Agreement

Disability Act 2005

EU & Irish Legislation
presentation outline11
Presentation Outline
  • Data Protection: Human Right to Privacy
  • Data Protection Principles
  • Protecting Personal Health Information
  • Draft Guidelines on Health Research
definitions personal data
Definitions: Personal Data
  • “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller “ (DP Act, Section 1)
  • Applies to any data that is processed (includes hosting) using any medium by a legal entity essentially. Paper, computer, network, web, phone etc.
  • Only relates to a living person
european data protection rules
Fair obtaining & processing

Consent

Specified purpose

No disclosure

unless “compatible”

Safe and secure

Accurate, up-to-date

Relevant, not excessive

Retention period

Right of access

Independent Supervisory Authority

European Data Protection Rules
restrictions on disclosure
General rule – no disclosure for different purpose

Exceptions made, to balance other interests of society

Section 8 exceptions

Investigation of crime

Collection of taxes

Security of the State

Protect life & limb

Required by Law

No general “public interest” test

Restrictions on disclosure
role of the data protection commissioner
Role of the Data Protection Commissioner
  • Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
  • Enforcer Role: compliance by data controllers & processors
  • Educational Role: Promotes DP rights and good practice
  • Registration Authority: obligation on major holders of personal data to be placed on public register
presentation outline16
Presentation Outline
  • Data Protection: Human Right to Privacy
  • Data Protection Principles
  • Protecting Personal Health Information
  • Draft Guidelines on Health Research
data protection health data
Data Protection & Health Data
  • Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for:
    • Processing of Data “kept for statistical or research or other scientific purposes”
    • Processing “necessary for medical purposes”(including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality
  • DP and Medical Ethics mutually reinforcing
presentation outline18
Presentation Outline
  • Data Protection: Human Right to Privacy
  • Data Protection Principles
  • Protecting Personal Health Information
  • Draft Guidelines on Health Research
consultation on personal data use for health research
Consultation on Personal Data use for Health Research
  • Try to reach consensus on balanced approach reflecting Irish conditions
  • Seminar November 2006
  • Addressed by speakers from different perspectives (HSE, public health, research)
  • EUROSOCAP guidelines (www.eurosocap.org)
draft guidelines paper
Draft Guidelines Paper
  • Presented July 2007 (on www.dataprotection.ie)
  • Comments up to 21 September
  • 11 Submissions received
  • Final version in coming weeks
draft guidelines key points
Draft Guidelines: Key Points
  • Use anonymised/pseudonomised patient data wherever possible
  • Where a health facility (e.g. hospital) anticipates research use of identifiable patient data, seek patient consent at earliest possible opportunity, backed by patient leaflet and research policy approved by ethics committee
  • Treat identifiable personal data on “need to know” basis
  • Recognises possibility within Acts for research to be undertaken by the Data Controller itself.
  • Makes provision for context for seeking consent including where a person not in a position to give it.
anonymisation
Anonymisation
  • Effectively anonymised data not subject to data protection acts – so anonymise where possible
  • Pseudonimisation, subject to safeguards, acceptable where full anonymisation not possible
guidelines paper patient consent
Guidelines Paper: Patient Consent
  • “best practice would suggest that allowing the patient choice and providing them with information in relation to how their data is used should be the standard approach. “
guidelines paper patient consent24
Guidelines Paper: Patient Consent
  • “What is being put forward here is a relatively simple model that every effort should be made to ensure that the patient knows what could happen to their data for purposes unrelated to their treatment and are given an opportunity to consent or refuse consent for such use. In this way, if any proposed use of a patient’s data for purposes unrelated to their treatment would likely come as a surprise to them, then a new and separate consent should be sought.”
guidelines paper patient consent25
Guidelines Paper: Patient Consent
  • “ an informed and explicit consent [should] be sought as soon as possible after a patient presents at a health facility …… each data controller [should] consider in a thorough manner what such potential [research] uses might be and specifically capturing these in an appropriate consent supported by an informative patient leaflet
  • Additional research initiatives, not envisaged at the time of seeking the initial consent, involving the use of patient data would need to be predicated on further specific consents going forward.”
slide26
Can anonymised data be used to achieve the aims of the proposed project?Yes/No?

Yes – Proceed with proposed project using data anonymised by the data controller without requiring consent.

No – Can pseudonymised data be used instead with appropriate safeguards? Yes/No?

Yes – Proceed with proposed project ensuring that the key to a person’s identity is retained by the data controller only and not revealed to third parties.

No – Patient consent is normally required.

Has consent for research purposes been secured in relation to the files previously? Yes/No?

Yes – Is this consent valid (specific enough) to cover this particular research proposal? Yes/No?

No – Specific, informed, freely given consent must be captured from individuals by the data controller.

Yes – Proceed with research project (subject to adequate safeguards being in place in relation to security etc).

Once valid consent is in place, the research project can proceed (subject to adequate safeguards being in place in relation to security etc).

ohcar key points
OHCAR – KEY POINTS
  • Pilot Project limited to one HSE area
  • Difficulties in obtaining explicit consent
  • Largest part of data was not personal data as it related to dead persons
  • Who is the data controller in this case?
  • Attempt through collation of the data to provide better care to patients
ohcar
OHCAR
  • What about data in the private system and held by GPs?
  • Security arrangements for both physical and systems put in place for access to the data by OHCAR project manager and personnel only
  • Intended media campaign in relation to project
ohcar29
OHCAR
  • From a DP perspective Methodology 1 preferred
  • Methodology 2
    • No difficulty with OHCAR gathering data from ambulance service and A+E Depts to identify surviving persons
    • Have to deal with reality that HSE could not be considered the Data Controller in relation to a large part of the data
recommendations on methodology 2
Recommendations on Methodology 2
  • Informed consent in unique circumstances of project
  • OHCAR to write to surviving patients outlining all relevant information in relation to the study and the safeguards in place for their privacy
  • 21 days to raise any concerns and OHCAR to send reminder if doubt as to receipt
  • Any objections must be respected
thank you
Thank You
ad