Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes. 29 September 2011. Graeme Laurie, Edinburgh Law School.
SHIP: improving governance for all. Reducing burden & uncertainty and increasing transparency; Setting standards: Principles & Best Practices; Responsibilities: Data Flows & Data Controllers; Seeking buy-in from stakeholders; Providing uniform and high-quality advice in a single structure; The importance of proportionate governance.
The SHIP model (under construction). [Diagram; labels: Data permissions; Data release; Non-NHS Data controller; National PAC (ISD, GROS); Local PAC or equivalent (NHS HB); Non-NHS dataset; Local HB dataset; ISD dataset; Referral of data request; Data request; Research Coordinator; Advice & guidance; Training; Researcher approval; Safe haven; Researcher approval and secure access; National RDC (NSS); National Indexing Service; Creation and storage of linked dataset]
What does proportionate governance look like? (1) What is at stake? (principles and best practices) (2) Who is involved and who is responsible? (data controllers) (3) What are the benefits, burdens and risks involved with each application? (an appropriate risk assessment) (4) What is an appropriate research pathway for this application? (engaging the right people and principles – avoiding unnecessary regulatory burden)
(1) What is at stake? Principles and Best Practices. Principles: foundational starting points for deliberation and action. Best practice: instances of implementation of principles to a high standard. Content: Public interest and the importance of research; Privacy/Anonymisation/Consent/Data Protection; Authorising/advisory bodies; Governance/Access; Trusted Third Parties (where appropriate); Clinical Trials; Cross-sector sharing and sharing agreements; Public engagement and benefit sharing.
Principles and Best Practices examples. 1. Public interest. Principles: Scientifically sound and ethically robust research is in the interest of protecting the health of the public. The responsible use of health data should be a stated objective of all organisations adhering to this instrument. Best Practice: It is the data controller's responsibility to ensure the development of transparent policies that demonstrate their understanding of public interest and the basis upon which they will use and disclose health data.
Principles and Best Practices examples. 3. Consent. Principles: Personal data must not be used without consent unless absolutely necessary… Where obtaining consent is not possible/practicable, then (a) anonymisation of data should occur as soon as is reasonably practicable and/or (b) authorisation from an appropriate oversight body/research ethics committee should be obtained. Best practices: Where there is the prospect of future use of data that is unknown at the time of consent, then data subjects should be informed of the broad purposes for which the data might be used. These purposes will delimit the appropriateness of any future use… Where consent is not to be obtained, the reasons for this must be clearly articulated and adequately justified.
Principles and Best Practices examples. 11. Cross-sector sharing. Principles: Where ethical & legal standards are met, data should be made accessible to trusted researchers across disciplines. The value of such cross-sector sharing should be recognised. Along with the potential benefits, risks should also be identified and appropriately addressed. In particular, assurance of reciprocal privacy standards across sectors is necessary. The unnecessary duplication of approval procedure(s) and governance mechanisms should be avoided. Mutual recognition of equivalent standards and procedures should be sought. Best practice: Clear and easy-to-understand specifications covering confidentiality, security and privacy, and which define roles and protocols, should be agreed prior to cross-sector data sharing taking place.
(2) Who is involved and responsible? Data stewards and data controllers. (1) When does one become (and stop being) a data controller? (2) What flexibilities exist for the assumption of, or agreement on, data protection responsibilities? (3) Is there a meaningful distinction between data disclosure (surrender responsibility) and data sharing (share responsibility)?
Data controllers: who and what is involved? The DPA confers the responsibility and liability for compliance with the requirements of the DPA on the Data Controller. Identifying the Data Controller(s) in relation to a set of personal data and its processing operations is therefore key to ensuring that data protection obligations are known and adhered to.
Data controllers: who and what is involved? Article 29 Data Protection Working Party (2010): An actor is not a Data Controller unless in fact and law they have the capacity to set the purposes for the processing of the personal data; A pluralistic situation, with a number of Data Controllers, including with different degrees of responsibility and liability, is both possible and acceptable.
Data controllers: Key messages. It is essential to be clear as to who is acting as a data controller with respect to any given data set involving the processing of personal data. It is possible that one or more parties can act in the capacity of a data controller and will accordingly be held jointly liable. It is possible to agree between parties who will act as a data controller with respect to a given dataset and/or to agree different levels of responsibility and liability.
(3) & (4) Mapping categories of application to suitable governance pathways. Promoting the DCs core purposes (facilitating sharing); Safe havens, data extraction and/or travel (responsibilities?); Renewals (original application and trust in researcher); Sensitive linkages (what counts as additional safeguards?); Multiple sector linkages (a role for a national PAC); International linkages (in principle the same, but…)
Proportionate Governance. Category 0: Public domain. No further conditions.
SHIP: an optimal system? Education and Approved Researcher status; Data Controller Toolkit for decision-making; Research Coordinator as informed gate-keeper; Triage: building precedents and trusted relationships; A national Privacy Advisory Committee as one-stop-shop; Categories of licence reflecting category of application and risks; Safe haven; data travel; appropriate sanctions.
Next steps? Running case studies through the SHIP model; Shaping good governance as robust proportionate governance; Engaging the range of stakeholders and refining the model(s). Suggestions? Thank you!
Data Sharing and Best Practice
Deciding to Share. Questions to ask: Why do you want to share? What information do you need to share? With whom will you share? When should it be shared? How should it be shared? Can the objectives be achieved differently?
Data Sharing and the Law – DPA. Personal data shall be: 1. Processed fairly & lawfully; 2. Processed for specified purposes; 3. Adequate, relevant & not excessive; 4. Accurate & kept up to date; 5. Kept no longer than is necessary; 6. Processed according to individuals’ rights; 7. Kept secure against loss or destruction; 8. Not transferred outside the EEA.
Data Sharing and the Law – Vires. Express Obligations: legal requirement to share. Local Government (Scotland) Act 1973 (c. 65), Auditor’s right of access to documents — 2) …every local authority shall provide an auditor with every facility and all information which he may reasonably require for the purpose of auditing their accounts…
Data Sharing and the Law – Vires. Express Powers: a stated power to share, but not to the extent of an obligation. Local Government (Scotland) Act 1973 (c. 65), Research and the collection of information. 87. — (1) A local authority may conduct, or assist in the conducting of, investigations into, and the collection of information relating to, any matters concerning their area or any part thereof and may make, or assist in the making of arrangements whereby any such information and the results of any such investigation are made available to any government department or the public.
Data Sharing and the Law – Vires. Implied Powers: sharing is reasonably incidental to an activity within express obligations or powers. Local Government in Scotland Act 2003 (asp. 1), Local authorities' duty to secure best value. (1) It is the duty of a local authority to make arrangements which secure best value.
Fairness & Transparency. Privacy notices: Who you are; Why you want to share; With whom you are sharing. Passive v Active Privacy Notices.
Consent. Consent most likely required where: confidential information is to be shared without clear legal basis; individuals may be expected to object; where there may be a significant and adverse impact on an individual/group. Do NOT seek consent if there is a statutory requirement.
Governance. Tools for good governance: Data Sharing Agreements / Protocols; Privacy Impact Assessments; Data Standards; Staff Training.
Security of Shared Information. Areas of concern: Organisational Security; Physical Security; Technical Security.
Individuals’ Rights. Right to Access – sources & disclosures; Right to Object – unwarranted & substantial damage or distress; Right to Accuracy – matters of fact; Queries and Complaints – internal & external.
Notification. Legal requirement to keep your notification up-to-date: Check data sharing is covered; Amend if necessary.
Things to avoid. Bad practice: Failure to inform individuals about sharing; Sharing excessively; Sharing irrelevant information; Sharing inaccurate information; Sharing insecurely.
Information Sharing Protocols. Structure: Purpose of Sharing; Partner Organisations; Data to be shared; Legal basis for sharing; Meeting individuals’ rights; Governance.