Data Protection in the Health Sector

Upload: dorothy-cunningham

Post on 26-Dec-2015

Survey Results (2005) (1)
• Is privacy important?

                              important   very important
• Crime Prevention               7%            91%
• Personal Privacy               9%            89%
• Consumer protection           12%            85%
• Workplace equality            11%            82%
• Ethics in public office       14%            78%

Survey (2): Privacy most important in relation to:

1. Financial records
2. Medical Records
3. PPS Number
4. Credit Card Details
5. Telephone No
6. Home Address
7. Date of Birth
8. Marital Status

Presentation Outline

• Data Protection: Human Right to Privacy
• Data Protection Principles
• Obligations and Rights
• Data Protection and Health Data
• Health-related Scenarios

Data Protection: a Human Right
• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society
• Not absolute: other necessary Rights in a Democratic Society (e.g. Freedom of Expression, Rights of Others)

European Human Rights Convention
• Explicit Right to Personal Privacy under Article 8 of European Convention for the Protection of Human Rights & Fundamental Freedoms (ECHR)

• ECHR now indirectly part of domestic law due to ECHR Act 2003

ECHR Article 8: Privacy
• (1) Everyone has the right to respect for his private and family life, his home and his correspondence.
• (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Council of Europe Data Protection Convention
• 1981 Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (in force October 1985) – based on Article 8 of the European Convention on Human Rights (ECHR)

• 1981 Convention basis for 1988 Data Protection Act

EU/EEA Directives

• Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data

• Directive 2002/58/EC Privacy and Electronic Communications

EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005

Data Protection and Privacy

• Part of Right to Personal Privacy: protects personal data

• Comprehensive legal regime - focussed on compliance rather than punishment or compensation per se

• Controls processing of Personal Data in the EEA.

Role of the Data Protection Commissioner
• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
• Enforcer Role: compliance by data controllers & processors
• Educational Role: Promotes DP rights and good practice
• Registration Authority: obligation on major holders of personal data to be placed on public register

How does Commissioner fulfill role?
• Investigations/Audits
  - Arising from complaints
  - On own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report

Powers of DPC
• Information notice (section 12)
• Enforcement notice (section 10)
• Compliance Audits (section 10)
• Powers of entry and inspection (section 24)
• Decision on complaints (section 10)
• Refusal to register (section 17)
• Prohibition of non-EEA transfers (section 11)
• Prosecute Offences (section 30)

Individual Remedy: Ireland (Tort)

“For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned” (DP Acts, s.7)

Definitions: Personal Data

“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)

In essence, applies to any data processed (processing includes hosting) by a legal entity using any medium: paper, computer, network, web, phone etc.

Definitions
• Data Subject
  an individual who is the subject of personal data/identifiable
• Data Controller
  a person who controls the contents and use of personal data
• Data Processor
  a person who processes personal data on behalf of a data controller – must be under contract

European Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
9. Independent Supervisory Authority

Obtain & Process Fairly I
• Data controller must give full information about
  - identity
  - purposes
  - disclosees
  - any other data necessary for “fairness”
• Third party data controllers
  - must contact data subject to provide these details
  - must give name of original data controller

Rule 1

Obtain & Process Fairly II
One of these conditions required:
• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’

Rule 1

Processing Sensitive Data
One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Process the data of members of non-profit orgs.
• Legal advice
• For Medical Purposes (includes research)
• Substantial Public interest, prescribed by Reg

Rule 1

What is sensitive data
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership

Specified Purpose

• Specifying the purpose is part of the obligations when obtaining data

• Cannot expand purpose without reverting to individual

• Be aware of different data sets/purposes

Rule 2

Disclosing personal data
• not generally permitted – compatibility test
• section 8 – lifts the restrictions on disclosure:
  - crime; tax; State security; international relations
  - required urgently to protect life and limb
  - required by law or court order
  - with consent of, or on behalf of, data subject

• No general public interest test

Rule 3

Disclosure Policy

The Data Controller should have a policy in place to determine how requests for data from third parties are handled.

This policy should be consulted by appropriate staff members

Security Procedures
Security measures
• Appropriate security measures
  - Appropriate to the harm that might result
  - Appropriate to the nature of the data
• May have regard to cost of implementation
• May have regard to the current state of technology
• Staff must know and comply with measures
• Internal review of security measures: part of IA function?

Rule 4

Security Procedures 1
• Internal Access controls – physical, technical
• Tracking of activity on files – to see if appropriate
• Internet Connectivity/networks – anti-virus software/firewalls/encryption
• Access – need to know and relevant to purpose
• Third party interception

Security Procedures 2
• Accidental disclosure to third parties, PC in public area, non-secure fax
• External – robust encryption, online forms, technical measures
• Audit trails, reviews, logs, unusual events
• Manual Files!
• Individual is the biggest risk – NB Training

Data Processors
• Agents and sub-contractors
• There must be a written contract in place
• Data Processor must provide sufficient guarantees regarding security measures

Accurate, Complete and up to date

1. Often a reactive rather than proactive task

2. Clerical/computer procedures/reviews

Rule 5

Adequate, relevant and not excessive

• In relation to purpose
• Do you need all this data?
• Different policies for different sectors

Rule 6

7. Retention of data
• Legal obligations to hold data?
• Customer/Patient files
  - Do you need to hold all that data?
• Personnel files
  - Revenue requirement?
• Must have policy thought through
  - Defend retention as necessary for purpose.

8. Access Right

Rights granted to individuals are a means of granting them control over how their data are processed - transparency

Rights of individuals
• to have data processed in accordance with DP principles
• to get a copy of personal data
  - “right of access”
• to correct data if it is wrong or to have data deleted
• to opt out of direct marketing
• to complain to the D. P. Commissioner

Access to Health Data
• Direct access by the data subject …
• … subject to consultation with his/her GP (or some other health professional) …
• … to ensure that access would not be “likely to cause serious harm to the physical or mental health of the data subject”

• S.I. No. 82/1989

Access to “Social Work Data”
• Data kept for, or obtained while carrying out social work by a Minister, a local authority, a health board, or a grant-aided voluntary organisation or other social-work body

• Direct access … except insofar as it would be “likely to cause serious harm to the physical or mental health or emotional condition of the data subject”

Access to “Social Work Data”
• Social work data supplied by other individuals must not be supplied without first consulting the other individuals

• Social work data prepared for a court report may be withheld by the court

• S.I. No. 83/1989

Right of correction/erasure
• Section 6 of the Act
• Data Subject makes a written request
• Personal data must be:
  - Corrected, if inaccurate; or
  - Deleted, if should not be held.
• Data Controller has 40 days to respond
• No fee

Restrictions on disclosure
• General rule – no disclosure for different purpose
• Exceptions made, to balance other interests of society
• Section 8 exceptions
  - Investigation of crime
  - Collection of taxes
  - Security of the State
  - Protect life & limb
  - Required by Law

• No general “public interest” test

Data Protection & Health Data
• Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with special protection but some leeway for:
  - Processing of Data “kept for statistical or research or other scientific purposes”
  - Processing “necessary for medical purposes” (including medical research) and carried out by a “health professional” or someone who owes an equivalent duty of confidentiality

• DP and Medical Ethics mutually reinforcing

Frequently Asked Questions 1

• I am a general practitioner or a hospital consultant: can my locum access my patient records?

• Yes. The Data Protection Commissioner’s view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.

Frequently Asked Questions 2

• Should my secretary or office manager be allowed access to my patient records?

• Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients' names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.

Frequently Asked Questions 3

• What about hospital staff having unrestricted access to all patient data?

• Cannot be the position in general. Only appropriate to the extent necessary to enable each discipline to perform their functions. Need to know is the key factor here.

Frequently Asked Questions 4

• Do I need to obtain patients’ explicit permission before storing their medical details on computer?

• As a general rule, no. The Commissioner’s view is that the patient’s consent for the storage and use of their personal data is implicit in the fact that they come to you, as a medical professional, for help. However, it is good practice to inform patients that you will keep their details on computer and of what use will be made of their data. You will need to obtain clear consent for uses which might not be obvious to the patient.

Frequently Asked Questions 5

• Can I pass patient details on to another health professional for clinical purposes?

• If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the consent of the patient in advance, except in cases of urgent need.

Frequently Asked Questions 6

• Can I pass patient data to the Health Boards or other bodies for administrative purposes?

• You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.

Frequently Asked Questions 7

• What if I need to disclose patient data, and I don't have the time to obtain consent?

• If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Act makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.

Frequently Asked Questions 8

• Can I as a consultant or hospital doctor use my patient’s data for research or statistical purposes?

• Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Act provides that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.

Frequently Asked Questions 9

• Can I disclose patient data to others for research or statistical purposes?

• You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.

Frequently Asked Questions 10

• Any exemption for research or statistical purposes?

• Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister or any body or agency for the purpose of compiling a list of people who may be invited to participate in an approved cancer screening programme.

Frequently Asked Questions 11

• How can researchers avoid duplication of data in respect of the same individual?

• Researchers who obtain anonymised data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual. To address this problem, it may be permissible for a data controller to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher (i.e. a data controller might "code" a unique data-set using a patient’s initials and date-of-birth). The researcher should not be in a position to associate the data-set with an identifiable individual.
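
One way to produce the unique coding described in this answer, as an added example that is not part of the original presentation: it assumes the data controller derives the code with a keyed hash (HMAC-SHA-256) over the initials and date of birth and keeps the key to itself. The key, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict
from datetime import date

# Assumption: this key is generated and held only by the data controller and
# is never released with the data. The value here is a constructed placeholder.
CONTROLLER_KEY = b"constructed-demo-key-held-only-by-controller"

# Constructed sample records from two data-sets; the same patient (J.M.)
# appears in both, with the initials typed differently.
CLINIC_A = [
    {"initials": "J.M.", "dob": date(1961, 3, 14), "diagnosis": "asthma"},
    {"initials": "A.K.", "dob": date(1975, 11, 2), "diagnosis": "hypertension"},
]
CLINIC_B = [
    {"initials": "jm", "dob": date(1961, 3, 14), "diagnosis": "eczema"},
]


def normalise(initials, dob):
    """Canonical input so one patient always produces one code."""
    decomposed = unicodedata.normalize("NFKD", initials)
    letters = "".join(ch for ch in decomposed if ch.isalpha()).upper()
    return f"{letters}|{dob.isoformat()}".encode("utf-8")


def research_code(initials, dob, key=CONTROLLER_KEY):
    """Keyed code released in place of the initials and date of birth.

    Two different patients who share initials and date of birth receive
    the same code; that limit comes from the inputs, not from the hash.
    """
    mac = hmac.new(key, normalise(initials, dob), hashlib.sha256)
    return mac.hexdigest()[:16]  # truncated to 64 bits for readability


def anonymise(record, key=CONTROLLER_KEY):
    """Controller side: strip identifying fields, attach the code."""
    return {
        "code": research_code(record["initials"], record["dob"], key),
        "diagnosis": record["diagnosis"],
    }


def group_by_individual(released):
    """Researcher side: merge entries that carry the same code."""
    groups = defaultdict(list)
    for row in released:
        groups[row["code"]].append(row["diagnosis"])
    return dict(groups)


if __name__ == "__main__":
    released = [anonymise(r) for r in CLINIC_A + CLINIC_B]
    for code, diagnoses in group_by_individual(released).items():
        print(code, diagnoses)
```

A bare, unkeyed hash of initials and date of birth could be recomputed by anyone who knows those two details about a patient; keeping the key with the data controller is what stops the researcher from doing so.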

Frequently Asked Questions 12

• Can external researchers access patient data for medical research purposes?

• The medical facility/doctor remains responsible for protecting the data and ensuring it is not further disclosed. For your protection, the researchers should be tightly bound by duties of confidentiality. Any data extracted must be anonymised. Patients should be informed.

Frequently Asked Questions 13

• What about Insurance companies?

• Explicit consent needed. GPs should inform patients of the type of information and possible consequences of data to be disclosed. Patients should be given time to view contents. Should not send notes: only give nature of complaint, treatment offered and outcome. Consultants’ reports should not be given – can be obtained direct.

Frequently Asked Questions 14

• Do my patients have a right to see their medical data?

• Yes they do. An individual is entitled to see a copy of any data which you keep relating to him or her on computer. This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.

Frequently Asked Questions 15

• Have parents and guardians a right of access under DP law to data held relating to their children?

• The right of access is that of the person on whom the data are held. However, under Section 8 the restrictions on disclosure do not apply in certain circumstances, including where a person is acting on behalf of a child. In such circumstances it is a matter for the discretion of the data controller. Case by case – maturity/best interests of child.

CONCLUSION
• Information management – principles of openness, transparency, fairness, confidentiality, security. Consistent with ethics.

• Patient information should flow in parallel with patient treatment

• Informed consent of patients for how their data is used