Data for Child Health: Promoting & Protecting Public Health through Custodianship EAP Brussels, 28 January 2016 Health Databases & Biobanks Promoting & Protecting Public Health through Custodianship Ethics Working Group European Academy of Paediatrics Brussels, Belgium 28 January 2016 Francis P. Crawley Clinical Practice Alliance – Europe fpc@gcpalliance.org 1 FP Crawley, GCPA + EAP, fpc@gcpalliance.org
EU Clinical Trial Regulation The aim of the General Data Protection Regulation: “to reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.”
Article 2 Material ‘This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
Article 9 Processing of special categories of personal data (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83;
Article 81 Processing of personal data concerning health Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:
Article 81 Processing of personal data concerning health (a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or
Article 81 Processing of personal data concerning health (a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or
Article 81 Processing of personal data concerning health (b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or (c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.
Article 81 Processing of personal data concerning health Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.
Article 83 Processing for historical, statistical and scientific research purposes 1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if: these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.
Article 83 Processing for historical, statistical and scientific research purposes 2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if: (a) the data subject has given consent, subject to the conditions laid down in Article 7; (b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or (c) the data subject has made the data public.
Article 7 Conditions for Consent 1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes. 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
Article 7 Conditions for Consent 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
Article 8 Processing of personal data of a child 1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Article 8 Processing of personal data of a child 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises. 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Article 16 The right to retification The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
Article 17 The right to be forgotten ‘The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:’
Article 17 Paragraph 3 The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary: (a) for exercising the right of freedom of expression in accordance with Article 80; (b) for reasons of public interest in the area of public health in accordance with Article 81; (c) for historical, statistical and scientific research purposes in accordance with Article 83;
Article 9 Processing of special categories of personal data 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited. 2. Paragraph 1 shall not apply where: (a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
Health Databases & Biobanks The Purpose to promote public health & individual health perhaps we need to identify ‘health databases & biobanks’ and protect these (from other uses) p
Three Key Concepts Health is our greatest good. Promoting health is a first responsibility of governments and our best investment. ‘My health is (y)our health; (y)our health is my health.’ Health is a shared interest and a shared responsibility.
The Core Value ‘It is the duty of the physician to promote and safeguard the health, well-being and rights of patients, including those who are involved in medical research. The physician's knowledge and conscience are dedicated to the fulfilment of this duty.’ Paragraph 4, Declaration of Helsinki, 2013
Achieve a renewed concept of consent participatory consent Considerations Regarding the WMA Draft Declaration on Ethical Considerations Regarding Health Databases and Biobanks (2015-03-18) Distinguish between human persons & communities and materials & data derived from human persons Achieve a renewed concept of consent participatory consent Custodianship should be the principle framework for health databases & biobanks
‘the good health custodian’ = ‘the good health librarian’ Custodianship Health data may not be considered as other kinds of data; health data is a public good (res publica) Health data, healthcare practice, health sciences, health knowledge may not be owned Replace ‘ownership’ with ‘custodianship’ Health (data) custodianship = ‘the responsible reception, organization, protection, and sharing of health data, information, and knowledge’ ‘the good health custodian’ = ‘the good health librarian’
The Need for Public Authorities The collection, storage, and use of health databases & biobanks should be overseen, regulated, and evaluated by public (health) authorities Current (research) ethics committees should maintain a focus on research on human persons (e.g., role of the Danish Data Protection Agency)