NIGB
Legal requirements for use of personal data in research
OnCore UK / NRES Training workshop
Ethical Principles relating to consent for use of samples & related data in research
Karen ThomsonInformation Governance LeadN
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
Interaction with the Human Tissue Act
NIGBGoverning use of tissue
• Human Tissue Act 2004
Governing use of personal & confidential data
• Data Protection Act 1998• Common law duty of
confidentiality• Human Rights Act 1998
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
The point of intersection is identifiable tissue
Information Tissue
Interaction with the Human Tissue Act NIGB• De-identified tissue only comes under HTA
• Identifiable tissue comes under both HTA and information law.
• Use of identifiable tissue therefore requires a legal basis both for its use i.e. the purpose and for its provision in identifiable form (disclosive of personal information)
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
What are we going to cover? NIGBN
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
• Role of the NIGB
• Legal and policy requirements for processing of personal data for research
– Section 251 & the Health Service (Control of Patient Information) regulations 2002/1438
• Interaction between data & tissue legislation
– Section 251 & how it applies to tissue
• Issues
Role of the NIGB NIGB• Established by Health & Social Care Act 2008
• To promote higher standards for information governance across health and social care
• Members either publicly appointed or represent Health and Social Care stakeholders
• The NIGB’s Ethics and Confidentiality Committee advises Secretary of State on Section 251 (not REC)
• Territorial extent – England, Section 251 England & Wales
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Legal requirements NIGBLegal requirements for processing confidential personal data
Common law duty of Confidentiality
Data Protection Act 1998 Human Rights Act 1998NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Common Law of Confidentiality NIGB• Information must be confidential in nature
• Information that is communicated in confidence as part of the relationship
• Confidentiality survives death
• May be limited by– Consent (Informed, with capacity, freely given)– Statute/Court order– Public interest favours disclosure
See the NHS Confidentiality Code of Practice
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Human Rights Act 1998 NIGB• Right to privacy (Article 8)
• BUT breaches by the state may be justified provided they are “necessary [for]…public safety… [or] the protection of health”
• Disclosures must be proportionate based on the particular circumstances of individuals
• 3 tests considered– has there been interference with privacy?– is there justification?– is the justification proportionate to the breach?N
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
Data Protection Act 1998 NIGB DPA defines personal data as “data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of the data controller…”
In other words if it is identifiable, it’s personal
If data are effectively anonymised then they are no longer personal data and can be used without restriction.N
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
Data Protection Act - 8 principles NIGB1) Fairly and lawfully;
2) Obtained for specific purposes and only used for compatible purposes;
3) Adequate, relevant & not excessive;
4) Accurate;
5) Only kept for as long as necessary for the agreed purpose;
6) In accordance with the rights of the subject;
7) Kept securely;
8) Only transferred outside European Economic Area (EEA) with equivalent protections.N
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
NIGBSection 33 provides exemptions for research:
• Further processing for research is to be regarded as a compatible purpose
• But this does not remove onus on NHS bodies to inform patients about the use for research purposes;
• And it only applies where research is a secondary purpose.
• Data can be kept indefinitely
• Exemption from subjects’ access rightsNA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
DData Protection ActResearch exemptions
NIGBSection 251 & the Health Service (Control of Patient Information) Regulations 2002 [SI 1438] permit the common law duty of confidentiality to be set aside for medical purposes where:
- anonymised data cannot be used
- and where consent is not practicable.
• Medical purposes include medical research.
• These powers can only be used to improve patient care, or in the public interest.
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
DExemption from the duty of confidentiality
Human Tissue Act 2004 NIGB• HT Act is not retrospective, differentiation
between existing and new holdings
• For existing holdings (living or deceased) consent not required to use the tissue for research but the CoP and Schedule 1 indicate consent should be sought where practicable;
• From an information law perspective, if there is no consent then must be anonymised.
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Human Tissue Act 2004 NIGB• New holdings for the living - consent from the
individual is needed but tissue may be used without consent where it has been de-identified for the researcher - it is needed for identifiable tissue.
• New holdings for the deceased – the consent of the individual prior to death, or the consent of the family is required, irrespective of identifiability;
NB Vital status is at the point tissue is collected.NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Implications for research NIGBGiven the need to adhere to both HTA and information law requirements this raises questions:
• How to select and obtain relevant samples?
• How to link data and tissue?
• How to obtain consent to use data and tissue for research?
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
How S251 can apply to tissue NIGB
• All of the above involve processing data prior to obtaining consent for use of the tissue.
• Support under the Section 251 regulations has a role in addressing these questions where prior consent has not been obtained for the disclosure of confidential patient information or where identifiable tissue is needed.
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
How S251 can apply to tissue NIGBUse of tissue only
• Permitting disclosure of personal data to select relevant patients and request their tissue samples.
• At the point the tissue is received by the researcher it should be de-identified and the researcher should no longer hold the identifiable data used to request the samples.
• But this does not override the requirements for consent under the HTAN
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
How S251 can apply to tissue NIGBLinking data and tissue
• Permitting disclosure of confidential data both to allow requests for suitable tissue samples and to link the tissue samples and patient information together.
• Both the data and tissue should be de-identified but using a common pseudonym or code to allow linkage in de-identified form.
• But this does not override the requirements for consent under the HTA.N
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
How S251 can apply to tissue NIGBIdentification to seek consent
• Permitting disclosure of confidential patient information to allow researchers to select and identify patients in order to seek their consent to participate in research either directly or through the use of data or tissue or both.
• Key principles include that the first point of contact comes from an organisation which has provided relevant care to the individual (ie their GP or hospital clinic).
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Issues NIGBConsent – blanket, generic consent is of questionable validity - how to get the balance right? Is this an area where data and tissue are different?
S.251 cannot be used to facilitate contacting family members / person in a qualifying relationship to seek their consent.
Personal data has a broad definition so when is data or tissue effectively de-identified?
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
De-identification NIGBWhen is anonymised data anonymous?• Personal data
“data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of the data controller…”– i.e. combination of identifying data items or
other information available which makes data identifiable and therefore personal.
– To cease being personal data all means of identification should be removed prior to disclosure.
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
De-identifying data NIGB• Sufficient identifiers should be removed or where they
are needed encrypted so that they are “machine readable” but not “human readable” – still personal & confidential data. NB - This should be done before researcher receives it, where consent is absent.
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Strong Identifiers
• NHS number
• Date of Birth
• Date of Death
• Postcode
• Name
• Address
• GP practice code
Other Identifiers
• Ethnicity
• Local patient identifier
• Other geographic identifiers
– Local Authority area
– PCT
• Gender
Is pseudonymised data anonymous? NIGB• Pseudonymised data
– data that has been coded so that it is not identifiable to the recipient but which can be linked longitudinally and across different sources if a common pseudonym is used.
• The pseudonymisation key must NOT be held by the receiving body, otherwise identifiable
• There remains a degree of risk as to the identity of some individuals, therefore still personal data but can be used with safeguards:– data disclosure / sharing contracts which require the recipient
not to seek to identify individuals and not to disclose the data to 3rd parties.
• Apply pseudonymisation techniques & evaluate identifiability before release & withhold or redact.N
AT
ION
AL
INF
OR
MA
TIO
N G
OV
ER
NA
NC
E B
OA
RD
Key messages NIGB• Consent is needed for use of data and tissue
but exemptions for both
• HTA governs consent for use of tissue
• Information law governs consent for use of personal data
• Identifiable tissue comes under both and consent is needed both for use and disclosure
– support under S.251 regulations can be sought where consent is not practical
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
NIGB
www.nigb.nhs.uk
Email: [email protected]
Email for ECC: [email protected]
Tel: 020 7633 7052
NA
TIO
NA
L IN
FO
RM
AT
ION
GO
VE
RN
AN
CE
BO
AR
D
Top Related