Asim A. Sheikh B.A., LL. M.

Barrister-at-Law

Lecturer in Legal MedicineForensic and Legal Medicine

Faculty of Medicine, University College Dublin

Role of Law in the Regulation of Science, Medicine & Technology:

Medical Research, Public Health & Data Protection & Law

Promoting Health Research & Protecting Patient Rights

Office of the Data Protection Commissioner29th November, 2006

Role of Law in the Regulation of Science, Medicine & TechnologyRole of Law in the Regulation of Science, Medicine & Technology

Role of LawRole of Law– prevention of harmprevention of harm– protection of societyprotection of society– provision of certaintyprovision of certainty– standards of carestandards of care– Adversarial system – objective forum of exposureAdversarial system – objective forum of exposure

Role of Science, Medicine & Technology– progress / amelioration of quality of life?progress / amelioration of quality of life?

““Why is progress a prerequisite reserved almost exclusively for Why is progress a prerequisite reserved almost exclusively for the activities we call science?...Does a field make progress the activities we call science?...Does a field make progress because it is a science, or is it a science because it makes because it is a science, or is it a science because it makes

progress?”progress?”Kuhn TS. The Structure of Scientific Revolutions

PARADIGM SHIFTNormal Science

1

New Paradigm

2

People work within the parameters of theparadigm, indulging in 'Puzzle-Solving'.

Occurs as a result a reconstruction of the original field from new fundamentals, changing the field's initial theory, methods and applications.

Paradigm Shifts require guidance of the Law to ensure smooth transition from one paradigm to next

The Law and Kuhn's

Critique

Interface of Law, Science & MedicineInterface of Law, Science & Medicinesome examplessome examples

Medical Practitioners Act

Diamond v. Chakrabarty (US - 1980) - living matter is patentable

EC Directive: 98/44/EC; On the Legal Protection of Biotechnological

Inventions

Clinical Trials Acts 1987, 1990, Clinical Trials Directive

Human Fertilisation and Embryology Act (UK – 1990)

Best v. Wellcome Foundation Ltd (Ire – 1993) - pertussis vaccine -

scientific evidence

DNA Evidence cases

Grimes v Kennedy Krieger Institute (Maryland, US – 2000) – consent

in children – non-therapeutic medical research and RECs

Safety, Health and Welfare at Work Act, 2005 and regulations

(biological, chemical)

““...it seems to me imperative that the moral, social ...it seems to me imperative that the moral, social and legal issues raised by this case should be and legal issues raised by this case should be

considered by Parliament. The judges’ function considered by Parliament. The judges’ function in this area of the law should be to apply the in this area of the law should be to apply the

principles which society through the democratic principles which society through the democratic process, adopts, not to impose their standards on process, adopts, not to impose their standards on

society. If Parliament fails to act, then judge-society. If Parliament fails to act, then judge-made law will of necessity through a gradual and made law will of necessity through a gradual and uncertain process provide a legal answer to each uncertain process provide a legal answer to each

new question as it arises.”new question as it arises.”

Lord Browne-Wilkinson in Lord Browne-Wilkinson in Airedale NHS Trust v. BlandAiredale NHS Trust v. Bland

[1993] All ER 821[1993] All ER 821

The Tort SystemThe Tort SystemThe Tort SystemThe Tort System

The TortSystem

Clinical Negligence

Litigation

Judgment

Principlesof

RiskManagement

Ideals of Law in MedicineIdeals of Law in Medicine

Self-determination

Consent

Best interests of patient

Full disclosure of information

Protection of Privacy and

Confidentiality

Data ProtectionData Protection

Background I: General Concerns

Increased Activity in non-statutory medical research

Concerns over patient data Freedom of Information Change to electronic patient records

(EPR) Change in Data protection law Increased move toward embracing of

consent doctrine in clinical practice

“As the information society proceeds apace, public unease about new technologies needs to be firmly laid to rest…This survey shows

that public anxieties are, if anything, on the increase.” Joe Meade, DP Commissioner, 2003

Background II: Law Constitution Universal Declaration on Human Rights, 1948 European Convention on Human Rights, 1950 Council of Europe Convention on Data Protection, 1981 Data Protection Act, 1988 Freedom of Information Act, 1997-2003 Convention on Human Rights and Biomedicine, 1997 EU Directive on Data Protection, 1995 and Data Protection

(Amendment) Act 2003 European Recommendation No R (97) 5 on the Protection of

Medical Data (Council of Europe, Committee of Ministers), 13/2/97

Convention on Human Rights Act, 2003 Ethical & Legal Doctrine of Confidentiality Common Law

European Convention on Human Rights

Everyone has the right to respect for his private life

and family life, his home and correspondence

There shall be no interference by a public authority

with the right except such as is necessary in a

democratic society in the interests of national

security, public safety or the economic well-being of

the country, for the prevention of disorder or crime,

for the protection of morals, or for the protection of

the rights and freedoms of others.

The Irish Constitution & Privacy

The Irish Constitution does not expressly provide

for a Constitutional right to privacy

However, Irish case law provides authority which

indicates that the citizen may invoke the personal

rights provisions of Article 40.3.1 of the

Constitution so as to require the State to protect

and vindicate the citizen’s right to constitutional

privacy:

Kennedy v. Ireland [1987]

Chapter III – Private life and right to informationArticle 10 – Private life and right to information

1. Everyone has the right to respect for private life in relation to information about his or her health;

2. Everyone is entitled to know any information collected about his or her health. However, the wishes of individual not to be so informed shall be observed;

3. In exceptional cases, restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient.

Convention for the Protection of Human Rights and Dignityof the Human Being with regard

to the Application of Biology and Medicine:Convention on Human Rights and Biomedicine, 1997

“There can be no exceptions to the ordinary requirements of disclosure in the case of research as there may well be in ordinary

medical practice. The researcher does not have to balance the probable effect of lack of treatment against the risk involved in the

treatment itself. The example of risks being properly hidden from a patient where it is

important that he should not worry can have no application in the field of research. The subject of medical experimentation is entitled to full and frank disclosure of all the facts, probabilities and

opinions which a reasonable man might be expected to consider before giving his consent.”

Halushka v. University of Saskatchewan (1965)

Dis

clo

su

re in

Med

ical

Researc

h

The Nuremberg CodeThe Nuremberg Code

“The voluntary consent of the human subject

is absolutely essential... and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding

and enlightened decision. This latter element requires that before the acceptance

of an affirmative decision by the experimental subject there should be made

known to him the nature, duration, and purpose of the experiment ”

The Helsinki DeclarationThe Helsinki Declaration

Article 1Article 1

“The World Medical Association has developed the Declaration of Helsinki as a statement of ethical principles to provide

guidance to physicians and other participants in medical research involving

human subjects. Medical research involving human subjects includes research on

identifiable human material or identifiable data.”

The Helsinki DeclarationThe Helsinki Declaration

Article 22Article 22

““In any research on human beings, each In any research on human beings, each potential subject must be adequately potential subject must be adequately

informed of the aims, methods, sources of informed of the aims, methods, sources of funding, any possible conflicts of interest, funding, any possible conflicts of interest, institutional affiliations of the researcher, institutional affiliations of the researcher,

the anticipated benefits and potential risks the anticipated benefits and potential risks of the study and the discomfort it may of the study and the discomfort it may

entail…”entail…”

The Helsinki The Helsinki DeclarationDeclaration

“...The subject should be informed of the right to abstain from participation in the

study or to withdraw consent to participate at any time without reprisal. After ensuring

that the subject has understood the information, the physician should then

obtain the subject's freely-given informed consent, preferably in writing…”

Case Law

Geoghegan v. Harris (2000, HC)

R v. Department of Health, ex parte Source Informatics Ltd [2000]

Durant v. FSA (CA) [2003]

– Change from importance of use of information to maintenance of anonymity of information?

Processing means performing any operation or set of operations on data including:

– obtaining, recording or keeping the data

– collecting, organising, storing, altering or adapting the data

– retrieving, consulting or using the data

– disclosing the data by transmitting, disseminating or otherwise making it available

– aligning, combining, blocking, erasing or destroying the data.

Section 2: Protection of Privacy of Individuals with regard to Personal Data (1st STEP) - General Obligations

In relation to Personal Data (PD) a DC will ensure that that data shall:(a) be processed fairly(b) be accurate and complete and, where necessary, kept up to date,(c) The data shall:

– (i) be kept only for one or more specified, explicit and legitimate purposes,

– (ii) not be further processed in a manner incompatible with that purpose or those purposes,

– (iii) be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and

– (iv) not be kept for longer than is necessary for that purpose or those purposes

(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network

1st Exemption - s2(5)Previous paragraphs (ii) & (iv)

(a) “do not apply to personal data kept for statistical or research or

other scientific purposes, and the keeping of which complies with such

requirements (if any) as may be prescribed for the purpose of

safeguarding the fundamental rights and freedoms of data subjects…

And

(b) “the data or, as the case may be, the information constituting such

data shall not be regarded for the purposes of paragraph (a) of the said

subsection as having been obtained unfairly by reason only that its use

for any such purpose was not disclosed when it was obtained,

 

if the data are not used in such a way that damage or distress is, or is

likely to be, caused to any data subject

Ramifications for personal data for a

secondary use

Seems to be case – data could be used

for a secondary purpose – not first

considered

But such secondary use – cannot cause

harm or distress to data subject

What are the basics of ‘fair processing’?

In section 2D – when obtaining data from Data Subject

– the identity of the data controller

– the purpose in collecting the data

– the persons or categories of persons to

whom the data may be disclosed

– any other information which is necessary

so that processing may be fair

If not obtaining information from data subject but from another source then:

Data Subject should know:– Identity of representative of DC and name of original

DC– Categories of data concerned

However: if this is for purposes of historic/scientific research and this information would be impossible to get or involve a disproportionate effort

– Then DPC can lay down conditions

PD shall NOT be processed unless - Fulfill S2 requirements and 1 of the following: the data subject must have given consent to the processing or the processing must be necessary for one of the following reasons -

– the performance of a contract to which the data subject is party– in order to take steps at the request of the data subject prior to– entering into a contract– compliance with a legal obligation, other than that imposed by contract– to prevent injury or other damage to the health of a data subject– to prevent serious loss or damage to property of the data subject– to protect the vital interests of the data subject where the seeking of

the consent of the data subject is likely to result in those interestsbeing damaged

– for the administration of justice– for the performance of a function conferred on a person by or under

an enactment– for the performance of a function of the Government or a Minister of

the Government– for the performance of any other function of a public nature– performed in the public interest by a person

Section 2A: Processing of Personal Data(2nd STEP)

Section 2B: Processing of Sensitive Personal Data(3rd STEP)

SPD shall NOT be processed unless - Fulfill S2 & S2A requirements and 1 of the following:

the data subject’s consent is explicitly given; the processing must be necessary for:

– for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment

– to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where, consent cannot be given, or the data controller cannot reasonably be expected to obtain such consent

– to prevent injury to, or damage to the health of, another person, or serious loss in respect of or damage to, the property of another person, in a case where such consent has been unreasonably withheld

– it is carried out by a not for profit organisation in respect of its members or other persons in regular contact with the organisation

– the information being processed has been made public as a result of steps deliberately taken by the data subject

– for the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights

– for medical purposes – undertaken by a health professional– is carried out by political parties or candidates for election in the context of an election– for the purpose of the assessment or payment of a tax liability– in relation to the administration of a Social Welfare scheme.

2nd

Ex

3rd

Ex

‘Medical Purposes & Health Professional’ 2nd Exemption (Research Exemption)

Defined as:

“‘medical purposes’ includes the purpose of preventive medicine, medical

diagnosis, medical research, the provision of care and treatment and the

management of healthcare services.”

“‘health professional’ includes a registered medical practitioner, within the

meaning of the Medical Practitioners Act, 1978, a registered dentist, within

the meaning of the Dentists Act, 1985, or a member of any other class of

health worker or social worker standing specified by regulations made by the

Minister after consultation with the Minister for Health and Children and any

other Minister of the Government who, having regard to his or her functions,

ought, in the opinion of the Minister, to be consulted”

3rd Exemption - s2B(1)(b)(xi)

Where:

“…processing is authorised by regulations that are made by

the Minister and are made for reasons of substantial public

interest.”

……then sensitive personal data can be processedthen sensitive personal data can be processed

4th Exemption - s2D(4)

Where giving of information to a data subject in relation to

the purpose/s of the data when that data is for the purposes

of historical or scientific research and “the provision of the

information specified therein proves impossible or would

involve a disproportionate effort…”

……then that information does not have to be giventhen that information does not have to be given

s4(4)-DC cannot disclose info about a 3rd party unless 3rd party consents, unless identity can be omitted and 3rd party is rendered unidentifiable

1.1. Data must be processed, fairly – which means that a data subject Data must be processed, fairly – which means that a data subject should know the following:should know the following:

(a)(a) the identity of the data controller or a nominated a representative the identity of the data controller or a nominated a representative (b) the purpose or purposes for which the data are intended to be (b) the purpose or purposes for which the data are intended to be

processed, andprocessed, and(c)(c) any other information which is necessary to enable processing in any other information which is necessary to enable processing in

respect of the data to be fair to the data subject such as information respect of the data to be fair to the data subject such as information about the recipients of the data (s2D)about the recipients of the data (s2D)

In this section of the Act, the data subject is not required to give In this section of the Act, the data subject is not required to give consent. It is the data controller who must provide informationconsent. It is the data controller who must provide information

if data is being obtained from someone or somewhere other than the data if data is being obtained from someone or somewhere other than the data subject, then, the data subject should be informed of the above information subject, then, the data subject should be informed of the above information and the identity of the original data controller and the category of data and the identity of the original data controller and the category of data before the information is processed or if to be disclosed to a third party, before the information is processed or if to be disclosed to a third party, before such disclosure. In scientific research if the provision of this before such disclosure. In scientific research if the provision of this information is impossible or involves a disproportionate effort, then it would information is impossible or involves a disproportionate effort, then it would not have to be disclosed if conditions laid down by the Minister are met not have to be disclosed if conditions laid down by the Minister are met (currently non such exist) (s2D4).(currently non such exist) (s2D4).

2.2. Data must be accurate, complete and, where necessary, kept up Data must be accurate, complete and, where necessary, kept up to date, kept only for one or more specified, explicit and to date, kept only for one or more specified, explicit and legitimate purposes. The data shall not be further processed in a legitimate purposes. The data shall not be further processed in a manner incompatible with that purpose or those purposes, shall manner incompatible with that purpose or those purposes, shall be adequate, relevant and not excessive in relation to the be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further purpose or purposes for which they were collected or are further processed, and shall not be kept for longer than is necessary for processed, and shall not be kept for longer than is necessary for that purpose or those purposes (s2).that purpose or those purposes (s2).

However, the use of data for secondary purposes in scientific However, the use of data for secondary purposes in scientific research is permitted and would not be regarded as ‘unfair research is permitted and would not be regarded as ‘unfair processing’ even though such secondary use was not initially processing’ even though such secondary use was not initially disclosed if (i) any prescribed requirements are complied with to disclosed if (i) any prescribed requirements are complied with to safeguard the fundamental rights and freedoms of the data safeguard the fundamental rights and freedoms of the data subject and (ii) the data are not used in such a way that damage subject and (ii) the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject or distress is, or is likely to be, caused to any data subject (s2(5)). (s2(5)).

In this section of the Act also, the data subject is not required to In this section of the Act also, the data subject is not required to give consent. It is the data controller who must provide give consent. It is the data controller who must provide information).information).

3.3. Adequate security measures must be taken to protect data.Adequate security measures must be taken to protect data.

4.4. Personal Data (identifiable data) shall not be processed unless Personal Data (identifiable data) shall not be processed unless s2 is complied with and 1 additional requirement of s2A is met.s2 is complied with and 1 additional requirement of s2A is met.

This could be the data subject giving his/her consent to the This could be the data subject giving his/her consent to the processingprocessing

(Article 7 of the Directive uses the words ‘unambiguous (Article 7 of the Directive uses the words ‘unambiguous consent’ and in article 2(h), consent is defined as “…consent’ and in article 2(h), consent is defined as “…any freely any freely given specific and informed indication of his wishes by which given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data.”)the data subject signifies his agreement to personal data.”) or or instead,instead,

if one of number of other conditions were met. However, apart if one of number of other conditions were met. However, apart from the consent condition, none of these would seem to be from the consent condition, none of these would seem to be relevant to medical research or public health (except when the relevant to medical research or public health (except when the processing is required to protection the vital health interests of processing is required to protection the vital health interests of a data subject or in the public interest) and thus, for personal a data subject or in the public interest) and thus, for personal medical data (identifiable), consent must be given (s2A).medical data (identifiable), consent must be given (s2A).

5.5. Sensitive Personal Data (health/medical data) Sensitive Personal Data (health/medical data) shall not be processed unless in addition to shall not be processed unless in addition to satisfying the conditions of sectionssatisfying the conditions of sections 2 and 2(A), at 2 and 2(A), at least one of the additional listed conditions is also least one of the additional listed conditions is also met.met.

This could be the data subject giving his/her This could be the data subject giving his/her consent explicitly to the processing or instead if consent explicitly to the processing or instead if one of a number of other conditions are met. one of a number of other conditions are met.

Here the one of most note is the processing of Here the one of most note is the processing of data for medical purposes which includes medical data for medical purposes which includes medical research (‘medical research exemption’) (and research (‘medical research exemption’) (and also to protect the vital health interests of a data also to protect the vital health interests of a data subject or in the public interest) (s2B). subject or in the public interest) (s2B).

Medical Research Concerns

Issue of explicit consent – e.g. in epidemiological studies

Secondary use of data

Issue of Anonymisation

Issue of data protection policies

There are no consistent guidelines in EU member states. Some have

opted for a more, seemingly, liberal approach, for example, Sweden, in the

application of the medical research exemption.

Others however, such as France and Germany, have opted for a less

liberal approach.

The lack of consistency has not helped in the interpretation of the

Directive.

““A blanket requirement for A blanket requirement for anonymisation of data, as well as anonymisation of data, as well as informed consent from all individuals informed consent from all individuals to use identifiable data about them, to use identifiable data about them, would jeopardise the methodological would jeopardise the methodological integrity of research and audit. This integrity of research and audit. This would not just hinder the progress of would not just hinder the progress of medical knowledge but might lead to medical knowledge but might lead to completely incorrect conclusions. This completely incorrect conclusions. This would be against the public interest would be against the public interest and make the process of clinical and make the process of clinical governance impossible…” governance impossible…” BMJ 2000 “…it would appear that the Directive will, in

many circumstances, shift the balancein favour of obtaining clearer, more

unambiguousConsent from individuals than

has been the case up to now.” DP Commissioner, 2002

““Consent has a role to play but it does not emerge as a trump card. Consent has a role to play but it does not emerge as a trump card. Indeed some might argue that the broad and indistinct Indeed some might argue that the broad and indistinct

categories of justifications for processing without consent categories of justifications for processing without consent potentially weaken the protection that is afforded to potentially weaken the protection that is afforded to

informational privacy interests. The model, however, is, as informational privacy interests. The model, however, is, as always, a search for a balance and few could deny that privacy always, a search for a balance and few could deny that privacy protection showed sometimes bow to other interests. But the protection showed sometimes bow to other interests. But the devil is in the detail of determining which interest should be devil is in the detail of determining which interest should be

weighed in the balance and how far privacy should be weighed in the balance and how far privacy should be compromised in any given case. The example of research is compromised in any given case. The example of research is

particularly apt. Some member states, for example Denmark particularly apt. Some member states, for example Denmark and Austria, allow research on secondary uses of patient data, and Austria, allow research on secondary uses of patient data,

that is, uses beyond those for which the data were first that is, uses beyond those for which the data were first obtained, without the need for patient consent so long as the obtained, without the need for patient consent so long as the

national data protection office gives prior approval. The United national data protection office gives prior approval. The United Kingdom also has mechanisms for allowing research using Kingdom also has mechanisms for allowing research using

patient data subject to rigorous review…It is to be noted with patient data subject to rigorous review…It is to be noted with some regret, however, that a culture of caution has grown up some regret, however, that a culture of caution has grown up

around the workings of the Data Protection Act such that there is around the workings of the Data Protection Act such that there is a widespread belief that the law now hinders research.a widespread belief that the law now hinders research.

In the main, we consider this to be unfounded.”In the main, we consider this to be unfounded.”

Mason & Laurie, Law & Medical Ethics (2006)

Two general categories of data require to be considered:Two general categories of data require to be considered:

– (a) retrospective/archived/historical data (where consent for the (a) retrospective/archived/historical data (where consent for the current use was never obtained or is inadequate) andcurrent use was never obtained or is inadequate) and

– (b) prospective/future data, for which, how and what type of (b) prospective/future data, for which, how and what type of consent should be obtained needs to be discussed.consent should be obtained needs to be discussed.

In relation to the former, the questions that arise are:In relation to the former, the questions that arise are:

– (i) when does a researcher require to re-obtain consent (where the (i) when does a researcher require to re-obtain consent (where the data is identifiable) and if this cannot be obtained (due to data is identifiable) and if this cannot be obtained (due to impossibility/disproportionate effort) can the research progress?impossibility/disproportionate effort) can the research progress?

– (ii) Can the researcher continue carry out the research by (ii) Can the researcher continue carry out the research by anonymising the data and if so, who should anonymise this data?anonymising the data and if so, who should anonymise this data?

– (iii) If the research would prove futile by anonymisation can it be (iii) If the research would prove futile by anonymisation can it be pseudo-anonymised and (iv) what onus is there on a research pseudo-anonymised and (iv) what onus is there on a research ethics committee to ensure that the research proposal is in ethics committee to ensure that the research proposal is in accordance with the Data Protection Act?accordance with the Data Protection Act?

The exemptions exist for reason, however,The exemptions exist for reason, however, do not allow data controllers to by-pass their do not allow data controllers to by-pass their

obligations to ensure that prior to health and personal obligations to ensure that prior to health and personal data, being processed, a subject:data, being processed, a subject:– (i) is given information in relation to their data and(i) is given information in relation to their data and– (ii) in certain circumstances, gives his/her consent prior to the (ii) in certain circumstances, gives his/her consent prior to the

processing of their data.processing of their data.

Other practitioners, whilst discussing the concerns, Other practitioners, whilst discussing the concerns, have also stated that:have also stated that:

“…“…health professionals need to understand health professionals need to understand current anxieties about the ways in which health current anxieties about the ways in which health

information is handled; they need to learn the information is handled; they need to learn the rules and apply them and accept that unfettered rules and apply them and accept that unfettered access to personal health information is a thing access to personal health information is a thing of the past and that, among the many tools they of the past and that, among the many tools they

need for modern clinical practice are those of need for modern clinical practice are those of skilled information management.”skilled information management.”

Chalmers and Muir, “Patient privacy and confidentiality: The debate goes on; the issues are complex, but a consensus is emerging.” BMJ,

2003;326:725–6, 2003)

Data Protection Principles 

1 Personal data shall be processed fairly and lawfully and, in particular,shall not be processed unless:(a) The conditions of section 2 are satisfied and (b) at least one of the conditions in s 2A is met, and(c) in the case of sensitive personal data, at least one of the conditions

in s 2B is also met. 2 Personal data shall be obtained only for one or more specified andlawful purposes, and shall not be further processed in any mannerincompatible with that purpose or those purposes. 3 Personal data shall be adequate, relevant and not excessive inrelation to the purpose or purposes for which they are processed. 4 Personal data shall be accurate and, where necessary, kept up to date. 5 Personal data processed for any purpose or purposes shall not bekept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights

of data subjects under this Act.

 

7 Appropriate technical and organisational measures shall be

taken against unauthorised or unlawful processing of personal

data and against accidental loss or destruction of, or damage to,

personal data.

 

8 Personal data shall not be transferred to a country or territory

outside the European Economic Area unless that country or

Territory ensures an adequate level of protection for the rights

And freedoms of data subject in relation to the processing of

personal data.

Moving forwardBest Practice Models?

Moving forwardBest Practice Models?

MR

C G

uid

elin

es,

20

00

Learn

ing

from

Exp

erie

nce

,Priv

acy

& th

e S

eco

nd

ary

Use

of

Data

in H

ealth

Rese

arch

Low

ran

ce W

Nu

ffield

Tru

st, 20

02

Conclusions Increased move toward maximum disclosure of information – utilisation

of proper and clear provision of information over the use of patient information

Consent as the first port of call, would overcome all obstacles – but is not necessarily required if exemptions are invoked (medical research exemption)

Specific information, however, must be provided to data subjects Personal information must be protected

– Kept confidential

– Anonymised (utilisation of Privacy Enhancing Techniques – PETs)

– Definitions of ‘anonymous; Where anonymisation cannot be achieved

– Require ethics approval

– Adequate safeguards in place to ensure safety Properly considered research policies Assistance of

– Ethics Committees

– Data Protection Commissioner

Other Options In certain limited circumstances for public health screening

reasons:– Health (Provision of Information) Act, 1997 (Cancer Registry)

– Allows passing of data from bodies to other bodies with permission of Minister of Health

Pass Similar legislation on a limited basis:– S60 Health and Social Care Act 2001, UK– Health Service (Control of Patient Information) 2002, UK – public

health patient data

this should done only with careful consultation: need to avoid panic reactions?

The Data Protection Acts 1988 and 2003: Implications for Medical and Public Health Research in Ireland (Health Research Board, 2007 – forthcoming)

This lecture or any of the information given therein is not

and should not be taken to be or relied on as legal medico-legal or

medico-ethical advice.

No reproduction or distribution

without prior permission of author

All Notes © Asim A. Sheikh BL, 2006