Embed Size (px)
Citation preview
Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes
29 September 2011 Graeme Laurie
Edinburgh Law School
SHIP: improving governance for all
• Reducing burden & uncertainty and increasing transparency
• Setting standards: Principles & Best Practices
• Responsibilities: Data Flows & Data Controllers
• Seeking buy-in from stakeholders
• Providing uniform and high-quality advice in single structure
• The importance of proportionate governance
The SHIP model (under construction)
Data permissions Data release
Non-NHS
Data controller
National
PAC
(ISD, GROS)
Local PAC
or equivalent
(NHS HB)
Non-NHS
dataset
Local HB
dataset
ISD dataset
Referral of
data request
Data
request
Research
Coordinator
Advice &
guidanceTraining
Researcher approval
Safe haven
Researcher approval and secure access
National
RDC (NSS)
National
Indexing
ServiceCreation and
storage of
linked dataset
What does proportionate governance look like?
1) What is at stake? (principles and best practices)
(2) Who is involved and who is responsible? (data controllers)
(3) What are the benefits, burdens and risks involved with each application? (an appropriate risk assessment)
(4) What is an appropriate research pathway for this application? (engaging the right people and principles – avoiding unnecessary
regulatory burden)
(1) What is at stake?Principles and Best Practices
• Principles: foundational starting points for deliberation and action
• Best practice: instances of implementation of principles to a high standard
• Content:
• Public interest and the importance of research
• Privacy/Anonymisation/Consent/Data Protection
• Authorising/advisory bodies
• Governance/Access
• Trusted Third Parties (where appropriate)
• Clinical Trials
• Cross-sector sharing and sharing agreements
• Public engagement and benefit sharing
Principles and Best Practices examples
1. Public interest
Principles
Scientifically sound and ethically robust research is in the interest of protecting the health of the public.
The responsible use of health data should be a stated objective of all organisations adhering to this instrument.
Best Practice
It is the data controller's responsibility to ensure the development of transparent policies that demonstrate their understanding of public interest and the basis upon
which they will use and disclose health data;
Principles and Best Practices examples3. Consent
Principles
Personal data must not be used without consent unless absolutely necessary…
Where obtaining consent is not possible/practicable, then (a) anonymisation of data should occur as soon as is reasonably practicable and/or (b) authorisation from an
appropriate oversight body/research ethics committee should be obtained.
Best practices
Where there is the prospect of future use of data that is unknown at the time of consent, then data subjects should be informed of the broad purposes for which the data might be
used. These purposes will delimit the appropriateness of any future use…
Where consent is not to be obtained, the reasons for this must be clearly articulated and adequately justified.
Principles and Best Practices examples
11. Cross-sector sharing
Principles
Where ethical & legal standards are met, data should be made accessible to trusted researchers across disciplines. The value of such cross-sector sharing should be recognised.
Along with the potential benefits, risks should also be identified and appropriately addressed. In particular, assurance of reciprocal privacy standards across sectors is
necessary.
The unnecessary duplication of approval procedure(s) and governance mechanisms should be avoided. Mutual recognition of equivalent standard and procedures should be sought.
Best practice
Clear and easy to understand specifications covering confidentiality, security and privacy, and which define roles and protocols, should be agreed prior to cross-sector data sharing
taking place.
(2) Who is involved and responsible?Data stewards and data controllers
1) When does one become (and stop being) a data controller?
2) What flexibilities exist for the assumption of, or agreement on, data protection responsibilities?
3) Is there a meaningful distinction between data disclosure (surrender responsibility) and data sharing (share responsibility)?
Data controllers: who and what is involved?
The DPA confers the responsibility and liability for compliance with the requirements of the DPA on the Data
Controller.
Identifying the Data Controller(s) in relation to a set of personal data and its processing operations is therefore
key to ensuring that data protection obligations are known and adhered to.
Data controllers: who and what is involved?
Article 29 Data Protection Working Party (2010):
•An actor is not a Data Controller unless in facts and law they have the capacity to set the purposes for the processing of the
personal data;
•A pluralistic situation, with a number of Data Controllers, including with different degrees of responsibility and
liability, is both possible and acceptable.
Data controllers: Key messages
• It is essential to be clear as to who is acting as a data controller with respect to any given data set involving the processing of personal data
• It is possible that one or more parties can act in the capacity as a data controller and will accordingly be held jointly liable
• It is possible to agree between parties who will act as a data controller with respect to a given dataset and/or to agree difference levels of responsibility and liability.
(3) & (4) Mapping categories of application to suitable governance pathways
• Promoting the DCs core purposes (facilitating sharing)
• Safe havens, data extraction and/or travel (responsibilities?)
• Renewals (original application and trust in researcher)
• Sensitive linkages (what counts as additional safeguards?)
• Multiple sector linkages (a role for a national PAC)
• International linkages (in principle the same, but…)
Proportionate Governance
Category 0: Public domain
No further conditions
SHIP: an optimal system?
• Education and Approved Researcher status
• Data Controller Toolkit for decision-making
• Research Coordinator as informed gate-keeper
• Triage: building precedents and trusted relationships
• A national Privacy Advisory Committee as one-stop-shop
• Categories of licence reflecting category of application and risks
• Safe haven; data travel; appropriate sanctions
Next steps?
•Running case studies through the SHIP model
•Shaping good governance as robust proportionate governance
•Engaging the range of stakeholders and refining the model(s)
•Suggestions? [email protected]
•Thank you!
Data Sharing and Best Practice
Deciding to Share•Questions to ask:
• Why do you want to share?• What information do you need to share?• With whom will you share?• When should it be shared?• How should it be shared? • Can the objectives be achieved differently?
Data Sharing and the Law - DPA
•Personal data shall be:1. Processed fairly & lawfully;2. Processed for specified purposes;3. Adequate, relevant & not excessive;4. Accurate & kept up to date;5. Kept no longer than is necessary;6. Processed according to individuals’ rights;7. Kept secure against loss or destruction;8. Not transferred outside the EEA.
Data Sharing and the Law – Vires
•Express Obligations • legal requirement to share
•Local Government (Scotland) Act 1973 (c. 65)•Auditor’s right of access to documents.•100. — 2) …every local authority shall provide an auditor with every facility and all information which he may reasonably require for the purpose of auditing their accounts…
Data Sharing and the Law – Vires
•Express Powers• a stated power to share, but not to the extent of an obligation
•Local Government (Scotland) Act 1973 (c. 65)
•Research and the collection of information.
•87. — (1) A local authority may conduct, or assist in the conducting of,
investigations into, and the collection of information relating to, any matters
concerning their area or any part thereof and may make, or assist in the
making of arrangements whereby any such information and the results of any
such investigation are made available to any government department or the
public.
Data Sharing and the Law – Vires
•Implied Powers• sharing is reasonably incidental to an activity
within express obligations or powers
•Local Government in Scotland Act 2003 (asp. 1)
•Local authorities' duty to secure best value.
•1. - (1) It is the duty of a local authority to make
arrangements which secure best value.
Fairness & Transparency
•Privacy notices:• Who you are
• Why you want to share
• With whom you are sharing
• Passive v Active Privacy Notices
Consent•Consent most likely required where:
• confidential information is to be shared without
clear legal basis;
• individuals may be expected to object;
• where there may be a significant and adverse
impact on an individual/group.
Do NOT seek consent if there is a statutory
requirement
Governance
•Tools for good governance:• Data Sharing Agreements / Protocols
• Privacy Impact Assessments
• Data Standards
• Staff Training
Security of Shared Information
•Areas of concern:• Organisational Security
• Physical Security
• Technical Security
Individuals’ Rights
• Right to Access – sources & disclosures
• Right to Object – unwarranted & substantial
damage or distress
• Right to Accuracy – matters of fact
• Queries and Complaints – internal & external
Notification
•Legal requirement to keep your notification up-to-date:
• Check data sharing is covered;• Amend if necessary.
Things to avoid
•Bad practice:• Failure to inform individuals about sharing
• Sharing excessively
• Sharing irrelevant information
• Sharing inaccurate information
• Sharing insecurely
Information Sharing Protocols
•Structure:• Purpose of Sharing
• Partner Organisations
• Data to be shared
• Legal basis for sharing
• Meeting individuals’ rights
• Governance
