2. What is health related data
• Self declared data
– E.g health and lifestyle
• Health care records
– E.g. hospital records
• Generated data
– Eg. Blood groups, FBC
• Acquired data
– E.g. Income group
3. Data related to person
• Personal data
• Identifying data
• Identifiable data
• Anonymised data
• Sensitive data
• Aggregated data
4. Questionnaire
• This is a self declared questionnaire
– can you identify the categories from earlier slide?
5. What is sharing of data
• A reciprocal exchange of data;
• One or more organisation/s providing data to a third
party or parties;
• Several organisations pooling information and making it
available to each other;
• Several organisations pooling information and making it
available to a third party or parties;
• Exceptional, one-off disclosures of data in unexpected
or emergency situations; or
• Different parts of the same organisation making data
available to each other.
6. Advantages to sharing data
• Furthering medical studies – diagnostic or
curative
• Gaining better understanding of physiology
and processed.
• Social and epidemiological impact
• Quality of care
• …..
7. Legal constrains for sharing this data
Information-sharing is related to a number of different
pieces of legislation:
Local authority responsibilities for sharing information
under the Care Act 2014
The common law duty of confidentiality
The Human Rights Act 1998, Article 8 (the right to respect
for private life)
The Data Protection Act 1998
The Crime and Disorder Act 1998
The Mental Capacity Act 2005
General Data protection regulation 2016
8. EU declaration 2016
Individuals
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision
making and profiling
9. ICO : code of practice
• Processed lawfully, fairly and transparent manner
• Collected for specified purpose
• Adequate and relevant and limited to necessary
• Accuracy is maintained
• Data subject will not be identifiable for longer
than necessary
• Processed in a secured manner and protected
against unexpected loss or destruction
• Rights of the individual will be protected
10. ICO code of practice
This is handled in four ways:
Ethical approval for study
Explicit consent from individual
Follow security guidelines from ICO
Develop strong governance around this data
11. Ethics and consents
Consent or explicit consent for data sharing is most likely to be
needed where:
• confidential or particularly sensitive information is going to be
shared without a clear legal basis for doing so;
• the individual would be likely to object should the data be
shared without his or her consent; or
• the sharing is likely to have a significant impact on an
individual or group of individuals.
Ethics should specify
• who you are;
• why you are going to share personal data;
• who you are going to share it with – this could be actual
named organisations or types of organisation.
12. security
Data Best Practices for different data types
Security Policies and Procedures and trained in application
You will need to:
• design and organise your security to fit the type of personal data
you disclose or receive and the harm that may result from a
security breach;
• be clear about which staff members in the organisations involved
in the sharing are responsible for ensuring information security.
They should meet regularly to ensure appropriate security is
maintained;
• have appropriate monitoring and auditing procedures in place;
and
• be ready to respond to any failure to adhere to a data sharing
agreement swiftly and effectively.
13. Data sharing/access agreements
• Purpose
• Organisations & people
• Data items
• Accuracy, security, relevance, usability ..
• Retention, termination and sanctions
• Procedures: access request, queries,
complaints
• Access and governance
14. Data management Framework
Ethics Management committee
• Members should have lay person on panel
• Interested parties should be represented
Data access committee
• Implementers of DAA
• SAB
• Data governance officers
Caldicot guardians
15. Compliance Locally
• data formats,
• accuracy of data,
• retention period,
• deletion arrangements,
• roles and permissions
17. Cat 3 data
• This data is considered sensitive and
irrespective of setting will never be held
associated with the individuals personal
identifiable information
20. What we do
• Recruit volunteers both healthy and patient
• Get signed consent
• Get lifestyle and general health data based on
questionnaire
• Sample collected – blood
• Blood groups FBC
• Extraction of DNA/ sera/ Plasma
• Metabolon, serotyping and metabolomic markers
• Clincial records
• Additional questions …
21. Distinct Data types
• The personal communication data
• Identification data
• Phenotype data
• Specific clinical data
• Blood data
• Genotype data
• Metabolomics data
• Study involvement data
• ….
22. Our experience
• Keep personal and contact details separate
from rest *
• Questionnaire data separately *
• Genotype data separately
• …
• Maintain different identifiers
• Mapping files stored securely *
• Study paperwork and study data*
23. Tools specifically designed for
collection of this information
• Questionnaire: REDCap
• Maintain visit personal data: CIVI CRM
• Maintain questionnaire data: Open clinica,
CaBig
• Controlled vocabularies: SNOMED CT, DM+D,
ICD, CDISC, HPO
• I2B2 integrated pseudo-anonimized views.
24. Policy guidelines
• Data Protection
• Confidentiality
• Information Security – NHS toolkit
compliance, ISO27001
• Caldicott principles
•
• These policies must cover manual, verbal and
computer-based information.
25.
26. Federated organisation
• CRF and BRU/ BRCs over England
• Exchange between the hospital and university
or institute.
• Requirement for exchange formats and
controlled vocabulary
Hinweis der Redaktion
Local authority responsibilities for sharing information under the Care Act 2014
Under the Care Act 2014 a local authority must:
set up a safeguarding board; the board will share strategic information to improve local safeguarding practice
cooperate with each of its relevant partners; each relevant partner must also cooperate with the local authority.
Clause 45 of the Care Act focuses on ‘supply of information’. This relates to the responsibilities of others to comply with requests for information from the safeguarding adults board.
The statutory guidance to the Care Act emphasises the need to share information about safeguarding concerns at an early stage; information-sharing agreements or protocols should be in place.
Designated adult safeguarding managers in the local authority and its partner agencies are responsible for ensuring that information shared about individuals alleged to have caused harm is in accordance with human rights, data protection and confidentiality requirements. [7]
The common law duty of confidentiality
Confidentiality is an important principle that enables people to feel safe in sharing their concerns and to ask for help. However, the right to confidentiality is not absolute. Sharing relevant information with the right people at the right time is vital to good safeguarding practice.
All staff and volunteers should be familiar with their internal safeguarding procedures for raising concerns. They can also contact either the police or the local authority safeguarding lead for advice, without necessarily giving an individual’s personal details, if they are unsure whether a safeguarding referral would be appropriate.
Some basic principles:
Don’t give assurances about absolute confidentiality.
Try to gain consent to share information as necessary.
Consider the person’s mental capacity to consent to information being shared and seek assistance if you are uncertain.
Make sure that others are not put at risk by information being kept confidential:
Does the public interest served by disclosure of personal information outweigh the public interest served by protecting confidentiality?
Could your action prevent a serious crime?
Don’t put management or organisational interests before safety.
Share information on a ‘need-to-know’ basis and do not share more information than necessary.
Record decisions and reasoning about information that is shared.
Carefully consider the risks of sharing information in relation to domestic violence or hate crime.
The Caldicott principles
The sharing of information in health and social care is guided by the Caldicott principles. These principles are reflected in the Data Protection Act and are useful to other sectors:
Justify the purpose(s).
Don’t use personal confidential data unless it is absolutely necessary.
Use the minimum personal confidential data necessary for purpose.
Access to personal confidential data should be on a strict need-to-know basis.
Everyone with access to personal confidential data should be aware of their responsibilities.
Comply with the law.
The duty to share information can be as important as the duty to protect patient confidentiality.
The Human Rights Act 1998
Under Article 8 of the European Convention on Human Rights, individuals have a right to respect for their private life.
This is not an absolute right and can be overridden if necessary and in accordance with the law.
Interference must be justified and be for a particular purpose.
Justification could be protection of health, prevention of crime, protection of the rights and freedoms of others.
A decision to share information and the reasoning behind it should be recorded.
The Data Protection Act 1998
The Data Protection Act 1998 sets out the parameters for sharing information appropriately and safely.
The basic principles
Any personal information should be shared on the basis that it is:
necessary for the purpose for which it is being shared
shared only with those who have a need for it
accurate and up to date
shared securely and in a timely fashion
not kept for longer than necessary for the original purpose.
Vital interest
‘Vital interest’ is a term used in the Data Protection Act to permit sharing of information where it is critical to prevent serious harm or distress, or in life-threatening situations. If the only person that would suffer if the information is not shared is the subject of that information, and they have mental capacity to make a decision about it, then sharing it may not be justified.
Resources
The Information Commissioners Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The Crime and Disorder Act 1998
Any person may disclose information to a relevant authority under Section 115 of the Crime and Disorder Act 1998, ‘where disclosure is necessary or expedient for the purposes of the Act (reduction and prevention of crime and disorder)’. [11] ‘Relevant authorities’, broadly, are the police, local authorities, health authorities (clinical commissioning groups) and local probation boards.
Understanding the Mental Capacity Act 2005
‘Professionals and other staff need to understand and always work in line with the Mental Capacity Act 2005. They should use their professional judgement and balance many competing views. They will need considerable guidance and support from their employers if they are to help adults manage risk in ways that put them in control of decision making if possible’. [7]
The Mental Capacity Act will apply if there is any doubt that the person concerned has the mental capacity to make specific decisions about sharing information or accepting intervention in relation to their own safety.
The Mental Capacity Act ‘Code of practice’ states that: ‘The person who assesses an individual’s capacity to make a decision will usually be the person who is directly concerned with the individual at the time the decision needs to be made’. [12]
In most cases a worker should be able to assess whether a person has the mental capacity to make a specific decision – see the two-stage functional test of capacity.
The two-stage functional test of capacity
In order to decide whether an individual has the capacity to make a particular decision, you must answer two questions:
Stage 1: is there an impairment of or disturbance in the functioning of a person’s mind or brain? If so,
Stage 2: is the impairment or disturbance sufficient that the person lacks the capacity to make a particular decision?
The Mental Capacity Act states that a person is unable to make their own decision if they cannot do one or more of the following four things:
understand information given to them
retain that information long enough to be able to make a decision
weigh up the information available to make the decision
communicate their decision – this could be by talking, using sign language or even simple muscle movements such as blinking an eye or squeezing a hand.
Other considerations
Every effort should be made to find ways of communicating with someone before deciding they lack capacity to make a decision.
Different methods (e.g. pictures, communication cards or signing) should be used to support people with communication difficulties to make sure their views are heard.
Family, friends, carers or other professionals should be involved as appropriate.
The mental capacity assessment must be made on the balance of probabilities – is it more likely than not that the person lacks capacity?
You must be able to show in your records why you have come to your conclusion that capacity is lacking for the particular decision in question.
Case study: David Open
The key principles of the Act
You should understand the basic principles of the Mental Capacity Act when making decisions about sharing personal information for safeguarding purposes. There are five key principles.
Principle 1: a presumption of capacity. Every adult has the right to make their own decisions and must be assumed to have capacity to do so unless it is proved otherwise. This means that you cannot assume that someone cannot make a decision for themselves just because they have a particular medical condition or disability.
Principle 2: individuals being supported to make their own decisions. A person must be given all practicable help before anyone treats them as not being able to make their own decisions. This means you should make every effort to encourage and support people to make the decision for themselves. If lack of capacity is established, it is still important that you involve the person as far as possible in making decisions.
Principle 3: unwise decisions. People have the right to make decisions that others might regard as unwise or eccentric. You cannot treat someone as lacking capacity for this reason. Everyone has their own values, beliefs and preferences which may not be the same as those of other people.
Principle 4: best interests. Anything done for or on behalf of a person who lacks mental capacity must be done in their best interests.
Principle 5: less restrictive option. Someone making a decision or acting on behalf of a person who lacks capacity must consider whether it is possible to decide or act in a way that would interfere less with the person’s rights and freedoms of action, or whether there is a need to decide or act at all. Any intervention should be weighed up in the particular circumstances of the case.
Unwise decisions
A person with capacity is entitled to make unwise decisions relating to abuse.
If a person making an unwise decision lacks capacity to make that decision, then a decision needs to be made by others in the person’s best interests.
‘Best interests’ decisions must comply with the Mental Capacity Act.
It may be necessary and justified to contest an unwise decision if it appears to be related to exploitation, coercion, grooming, undue influence or duress.
Individuals should be given the opportunity to disclose undue influence and seek appropriate support.
If a person with capacity is making an unwise decision that puts others at risk then it may be justified to share information without their consent.
Resources
SCIE MCA resources
Seven golden rules for information-sharing
The Mental Capacity Act Code of practice
Data Protection Act
https://ico.org.uk/media/1068/data_sharing_code_of_practice.pdf
1. Information Commissioner’s foreword 4
2. About this code 6
Who should use this code of practice? 7
How the code can help 7
The code’s status 7
3. What do we mean by ‘data sharing’? 9
‘Systematic’ data sharing 9
Ad hoc or ‘one off’ data sharing 10
Sharing with a data processor 10
Sharing within organisations 10
4. Data sharing and the law 11
The public sector 11
Private and third sector organisations 12
Human rights 13
5. Deciding to share personal data 14
Factors to consider 14
Conditions for processing 15
6. Fairness and transparency 17
Privacy notices 17
Telling individuals about data sharing 18
Who should tell the individual? 19
Sharing without the individual’s
knowledge 19
Ad hoc or ‘one off’ data sharing 20
Mergers and takeovers 20
Buying and selling databases 22
Emergency response planning 22
7. Security 23
8. Governance 26
Responsibility 26
Data sharing agreements 26
Privacy impact assessments (PIAs) 27
Data standards 27
Reviewing your data sharing
arrangements 30
9. Individuals’ rights 32
Access to information 32
Individuals’ objections 33
Queries and complaints 34
10. Things to avoid 35
11. The ICO’s powers and penalties 36
12. Notification 38
13. Freedom of Information 39
14. Data sharing agreements 41
15. Data sharing checklists 46
Data sharing checklist
– systematic data sharing 46
Data sharing checklist
– one off requests 47
Annex 1 – The Data Protection principles 48
Annex 2 – Glossary 49
Annex 3 – Case studies 52