Data Protection in the Health Sector

Survey Results (2005) (1) Is privacy important? important very important Crime Prevention 7%91% Personal Privacy9%89% Consumer protection 12%85% Workplace equality 11%82% Ethics in public office 14%78%

Survey (2): Privacy most important in relation to- 1.Financial records 2.Medical Records 3.PPS Number 4.Credit Card Details 5.Telephone No 6.Home Address 7.Date of Birth 8.Marital Status

Presentation Outline Data Protection: Human Right to Privacy Data Protection Principles Obligations and Rights Data Protection and Health Data Health-related Scenarios

Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)

European Human Rights Convention Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR) ECHR now indirectly part of domestic law due to ECHR Act 2003

ECHR Article 8: Privacy (1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others

Council of Europe Data Protection Convention 1981 Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (in force October 1985) – based on Article 8 of the European Convention on Human Rights (ECHR) 1981 Convention basis for 1988 Data Protection Act

EU/EEA Directives Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data Directive 2002/58/EC Privacy and Electronic Communications

EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection Acts 1988 & 2003 EC Electronic Privacy Regulations 2003 (SI 535/2003) Corresponding Acts Good Friday Agreement Disability Act 2005

Data Protection and Privacy Part of Right to Personal Privacy: protects personal data Comprehensive legal regime - focussed on compliance rather than punishment or compensation per se Controls processing of Personal Data in the EEA.

Role of the Data Protection Commissioner Ombudsman Role: resolution of disputes between data subjects and data controllers or processors Enforcer Role: compliance by data controllers & processors Educational Role: Promotes DP rights and good practice Registration Authority: obligation on major holders of personal data to be placed on public register

How does Commissioner fulfill role? Investigations/Audits  Arising from complaints  On own initiative Maintains public register Codes of Practice Guidance booklets, website, presentations, advice, Annual Report

Powers of DPC Information notice (section 12) Enforcement notice (section 10) Compliance Audits (section 10) Powers of entry and inspection (section 24) Decision on complaints (section 10) Refusal to register (section 17) Prohibition of non-EEA transfers (section 11) Prosecute Offences (section 30)

Individual Remedy: Ireland (Tort) “For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned” (DP Acts, s.7)

Definitions: Personal Data  “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller “ (DP Act, Section 1)  Applies to any data that is processed (includes hosting) using any medium by a legal entity essentially. Paper, computer, network, web, phone etc.

Definitions Data Subject  an individual who is the subject of personal data/identifiable Data Controller  a person who controls the contents and use of personal data Data Processor  a person who processes personal data on behalf of a data controller – must be under contract

European Data Protection Rules 1.Fair obtaining & processing Consent 2.Specified purpose 3.No disclosure unless “compatible” 4.Safe and secure 5.Accurate, up-to-date 6.Relevant, not excessive 7.Retention period 8.Right of access 9.Independent Supervisory Authority

Obtain & Process Fairly I Data controller must give full information about  identity  purposes  disclosees  any other data necessary for “fairness” Third party data controllers  must contact data subject to provide these details  must give name of original data controller Rule 1

Obtain & Process Fairly II One of these conditions required:  Consent  Legal obligation  Contract with individual  Necessary to protect vital interests  Necessary for a public function (Justice)  necessary for ‘legitimate interests’ Rule 1

Processing Sensitive Data One of these additional conditions is required  Explicit consent  Necessary under employment law  To prevent injury or protect vital interests  Process the data of members of non-profit orgs.  Legal advice  For Medical Purposes(includes research)  Substantial Public interest, prescribed by Reg Rule 1

What is sensitive data Physical or mental health Racial origin Political opinions Religious or other beliefs Sexual life Criminal convictions Alleged commission of offence Trade Union membership

Specified Purpose Part of obligations when obtaining to specify purpose Cannot expand purpose without reverting to individual Be aware of different data sets/purposes Rule 2

Disclosing personal data not generally permitted – compatibility test section 8 – lifts the restrictions on disclosure:  crime; tax; State security; international relations  required urgently to protect life and limb  required by law or court order  with consent of, or on behalf of, data subject No general public interest test Rule 3

Disclosure Policy The Data Controller should have a policy in place to determine how requests for data from third parties are handled. This policy should be consulted by appropriate staff members

Security Procedures Security measures  Appropriate security measures Appropriate to the harm that might result.. Appropriate to the nature of the data  May have regard to cost of implementation  May have regard to the current state of technology  Staff must know and comply with measures  Internal review of security measures-part of IA function ? Rule 4

Security Procedures 1 Internal Access controls– physical,technical, Tracking of activity on files– to see if appropriate Internet Connectivity/networks -anti- virus software/firewalls/encryption Access- need to know and relevant to purpose Third party interception

Security Procedures 2 Accidental disclosure to third parties, PC in public area, non-secure fax External-robust encryption, online forms, technical measures Audit trails, reviews, logs, unusual events Manual Files ! Individual is the biggest risk- NB Training

Data Processors Agents and sub-contractors There must be a written contract in place Data Processor must provide sufficient guarantees regarding security measures

Accurate, Complete and up to date 1.Often a reactive rather than proactive task 2.Clerical/computer procedures/reviews Rule 5

Adequate, relevant and not excessive  In relation to purpose  Do you need all this data?  Different policies for different sectors Rule 6

7. Retention of data Legal obligations to hold data? Customer/Patient files  Do you need to hold all that data? Personnel files  Revenue requirement? Must have policy thought through  Defend retention as necessary for purpose.

8. Access Right Rights granted to individuals are a means of granting them control over how their data are processed - transparency

Rights of individuals to have data processed in accordance with DP principles to get a copy of personal data  “right of access” to correct data if it is wrong  or to have data deleted to opt out of direct marketing to complain to the D. P. Commissioner

Access to Health Data Direct access by the data subject … … subject to consultation with his/her GP (or some other health professional) … … to ensure that access would not be “likely to cause serious harm to the physical or mental health of the data subject” S.I. No. 82/1989

Access to “Social Work Data” Data kept for, or obtained while carrying out social work by a Minister, a local authority, a health board, or a grant-aided voluntary organisation or other social-work body Direct access … except insofar as it would be “likely to cause serious harm to the physical or mental health or emotional condition of the data subject”

Access to “Social Work Data” Social work data supplied by other individuals must not be supplied without first consulting the other individuals Social work data prepared for a court report may be withheld by the court S.I. No. 83/1989

Right of correction/erasure Section 6 of the Act Data Subject makes a written request Personal data must be:  Corrected, if inaccurate; or  Deleted, if should not be held. Data Controller has 40 days to respond No fee

Restrictions on disclosure General rule – no disclosure for different purpose Exceptions made, to balance other interests of society Section 8 exceptions  Investigation of crime  Collection of taxes  Security of the State  Protect life & limb  Required by Law No general “public interest” test

Data Protection & Health Data Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for:  Processing of Data “kept for statistical or research or other scientific purposes”  Processing “necessary for medical purposes”(including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality DP and Medical Ethics mutually reinforcing

Frequently Asked Questions 1 I am a general practitioner or a hospital consultant: can my locum access my patient records? Yes. The Data Protection Commissioner’s view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.

Frequently Asked Questions 2 Should my secretary or office manager be allowed access to my patient records? Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients' names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.

Frequently Asked Questions 3 What about hospital staff having unrestricted access to all patient data? Cannot be the position in general. Only appropriate to the extent necessary to enable each discipline to perform their functions. Need to know is the key factor here.

Frequently Asked Questions 4 Do I need to obtain patients’ explicit permission before storing their medical details on computer? As a general rule, no. The Commissioner’s view is that the patient’s consent for the storage and use of their personal data is implicit in the fact that they come to you, as a medical professional, for help. However, it is good practice to inform patients that you will keep their details on computer and of what use will be made of their data. You will need to obtain clear consent for uses which might not be obvious to the patient.

Frequently Asked Questions 5 Can I pass patient details on to another health professional for clinical purposes? If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the consent of the patient in advance, except in cases of urgent need.

Frequently Asked Questions 6 Can I pass patient data to the Health Boards or other bodies for administrative purposes? You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.

Frequently Asked Questions 7 What if I need to disclose patient data, and I don't have the time to obtain consent? If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Act makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.

Frequently Asked Questions 8 Can I as a consultant or hospital doctor use my patient’s data for research or statistical purposes? Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Act provides that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.

Frequently Asked Questions 9 Can I disclose patient data to others for research or statistical purposes? You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.

Frequently Asked Questions 10 Any exemption for research or statistical purposes? Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister or any body or agency for the purpose of compiling a list of people who may be invited to participate in an approved cancer screening programme.

Frequently Asked Questions 11 How can researchers avoid duplication of data in respect of the same individual? Researchers who obtain anonymised data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual. To address this problem, it may be permissible for a data controller to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher (I.e.a data controller might "code" a unique data-set using a patient’s initials and date-of-birth). The researcher should not be in a position to associate the data-set with an identifiable individual.

Frequently Asked Questions 12 Can external researchers access patient data for medical research purposes? The medical facility/doctor remains responsible for protecting the data and ensuring it is not further disclosed. For your protection, the researchers should be tightly bound by duties of confidentiality. Any data extracted must be anonymised. Patients should be informed.

Frequently Asked Questions 13 What about Insurance companies? Explicit consent needed. GP’s should inform patients of the type of information and possible consequences of data to be disclosed. Patients should be given time to view contents. Should not send notes-only give nature of complaint, treatment offered and outcome. Consultants reports should not be given – can be obtained direct.

Frequently Asked Questions 14 Do my patients have a right to see their medical data? Yes they do. An individual is entitled to see a copy of any data which you keep relating to him or her on computer. This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.

Frequently Asked Questions 15 Have parents and guardians a right of access under DP law to data held relating to their children? The right of access is that of the person on whom the data are held. However under Section 8 the restrictions on disclosure do not apply in certain circumstances including where a person is acting on behalf of a child. In such circumstances it is a matter for the discretion of the data controller. Case by case –maturity/best interests of child.

CONCLUSION Information management – principles of openness, transparency, fairnesss, confidentiality, security. Consistent with ethics. Patient information should flow in parallel with patient treatment Informed consent of patients for how their data is used