1. 1 Data Protection and Research – Implications for a National Out-of-Hospital Cardiac Arrest Register NUI Galway Dept of General Practice Lunchtime seminar 20 November Gary Davis Deputy Data Protection Commissioner

2. 2 Presentation Outline Data Protection: Human Right to Privacy Data Protection Principles Protecting Personal Health Information Draft Guidelines on Health Research

3. 3 Survey Results (2005) (1) Is privacy important? important very important Crime Prevention 7%91% Personal Privacy9%89% Consumer protection 12%85% Workplace equality 11%82% Ethics in public office 14%78%

4. 4 Survey (2): Privacy most important in relation to- 1.Financial records 2.Medical Records 3.PPS Number 4.Credit Card Details 5.Telephone No 6.Home Address 7.Date of Birth 8.Marital Status

5. 5 Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)

6. 6 Constitution Implicit Right to Personal Privacy under Article 40.3.1 …The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens Court Interpretation: the right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State

7. 7 European Human Rights Convention Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR) ECHR now indirectly part of domestic law due to ECHR Act 2003

8. 8 ECHR Article 8: Privacy (1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others

9. 9 EU/EEA Directives Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data Directive 2002/58/EC Privacy and Electronic Communications

10. 10 EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection Acts 1988 & 2003 EC Electronic Privacy Regulations 2003 (SI 535/2003) Corresponding Acts Good Friday Agreement Disability Act 2005

11. 11 Presentation Outline Data Protection: Human Right to Privacy Data Protection Principles Protecting Personal Health Information Draft Guidelines on Health Research

12. 12 Definitions: Personal Data –“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller “ (DP Act, Section 1) –Applies to any data that is processed (includes hosting) using any medium by a legal entity essentially. Paper, computer, network, web, phone etc. –Only relates to a living person

13. 13 European Data Protection Rules 1.Fair obtaining & processing Consent 2.Specified purpose 3.No disclosure unless “compatible” 4.Safe and secure 5.Accurate, up-to-date 6.Relevant, not excessive 7.Retention period 8.Right of access 9.Independent Supervisory Authority

14. 14 Restrictions on disclosure General rule – no disclosure for different purpose Exceptions made, to balance other interests of society Section 8 exceptions –Investigation of crime –Collection of taxes –Security of the State –Protect life & limb –Required by Law No general “public interest” test

15. 15 Role of the Data Protection Commissioner Ombudsman Role: resolution of disputes between data subjects and data controllers or processors Enforcer Role: compliance by data controllers & processors Educational Role: Promotes DP rights and good practice Registration Authority: obligation on major holders of personal data to be placed on public register

16. 16 Presentation Outline Data Protection: Human Right to Privacy Data Protection Principles Protecting Personal Health Information Draft Guidelines on Health Research

17. 17 Data Protection & Health Data Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for: –Processing of Data “kept for statistical or research or other scientific purposes” –Processing “necessary for medical purposes”(including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality DP and Medical Ethics mutually reinforcing

18. 18 Presentation Outline Data Protection: Human Right to Privacy Data Protection Principles Protecting Personal Health Information Draft Guidelines on Health Research

19. 19 Consultation on Personal Data use for Health Research Try to reach consensus on balanced approach reflecting Irish conditions Seminar November 2006 Addressed by speakers from different perspectives (HSE, public health, research) EUROSOCAP guidelines (www.eurosocap.org)

20. 20 Draft Guidelines Paper Presented July 2007 (on www.dataprotection.ie) Comments up to 21 September 11 Submissions received Final version in coming weeks

21. 21 Draft Guidelines: Key Points Use anonymised/pseudonomised patient data wherever possible Where a health facility (e.g. hospital) anticipates research use of identifiable patient data, seek patient consent at earliest possible opportunity, backed by patient leaflet and research policy approved by ethics committee Treat identifiable personal data on “need to know” basis Recognises possibility within Acts for research to be undertaken by the Data Controller itself. Makes provision for context for seeking consent including where a person not in a position to give it.

22. 22 Anonymisation Effectively anonymised data not subject to data protection acts – so anonymise where possible Pseudonimisation, subject to safeguards, acceptable where full anonymisation not possible

23. 23 Guidelines Paper: Patient Consent “best practice would suggest that allowing the patient choice and providing them with information in relation to how their data is used should be the standard approach. “

24. 24 Guidelines Paper: Patient Consent “What is being put forward here is a relatively simple model that every effort should be made to ensure that the patient knows what could happen to their data for purposes unrelated to their treatment and are given an opportunity to consent or refuse consent for such use. In this way, if any proposed use of a patient’s data for purposes unrelated to their treatment would likely come as a surprise to them, then a new and separate consent should be sought.”

25. 25 Guidelines Paper: Patient Consent “ an informed and explicit consent [should] be sought as soon as possible after a patient presents at a health facility …… each data controller [should] consider in a thorough manner what such potential [research] uses might be and specifically capturing these in an appropriate consent supported by an informative patient leaflet Additional research initiatives, not envisaged at the time of seeking the initial consent, involving the use of patient data would need to be predicated on further specific consents going forward.”

26. 26 Can anonymised data be used to achieve the aims of the proposed project? Yes/No? Yes – Proceed with proposed project using data anonymised by the data controller without requiring consent. No – Can pseudonymised data be used instead with appropriate safeguards? Yes/No? Yes – Proceed with proposed project ensuring that the key to a person’s identity is retained by the data controller only and not revealed to third parties. No – Patient consent is normally required. Has consent for research purposes been secured in relation to the files previously? Yes/No? Yes – Is this consent valid (specific enough) to cover this particular research proposal? Yes/No? No – Specific, informed, freely given consent must be captured from individuals by the data controller. Yes – Proceed with research project (subject to adequate safeguards being in place in relation to security etc). Once valid consent is in place, the research project can proceed (subject to adequate safeguards being in place in relation to security etc).

27. 27 OHCAR – KEY POINTS Pilot Project limited to one HSE area Difficulties in obtaining explicit consent Largest part of data was not personal data as it related to dead persons Who is the data controller in this case? Attempt through collation of the data to provide better care to patients

28. 28 OHCAR What about data in the private system and held by GPs? Security arrangements for both physical and systems put in place for access to the data by OHCAR project manager and personnel only Intended media campaign in relation to project

29. 29 OHCAR From a DP perspective Methodology 1 preferred Methodology 2 –No difficulty with OHCAR gathering data from ambulance service and A+E Depts to identify surviving persons –Have to deal with reality that HSE could not be considered the Data Controller in relation to a large part of the data

30. 30 Recommendations on Methodology 2 –Informed consent in unique circumstances of project –OHCAR to write to surviving patients outlining all relevant information in relation to the study and the safeguards in place for their privacy –21 days to raise any concerns and OHCAR to send reminder if doubt as to receipt –Any objections must be respected

31. 31 Thank You www.dataprotection.ie Contact: gdavis@dataprotection.ie