Presentation is loading. Please wait.

Presentation is loading. Please wait.

Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes 29 September 2011 Graeme Laurie Edinburgh Law School.

Published byAmice Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes 29 September 2011 Graeme Laurie Edinburgh Law School."— Presentation transcript:

1 Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes 29 September 2011 Graeme Laurie Edinburgh Law School

2 SHIP: improving governance for all Reducing burden & uncertainty and increasing transparency Setting standards: Principles & Best Practices Responsibilities: Data Flows & Data Controllers Seeking buy-in from stakeholders Providing uniform and high-quality advice in single structure The importance of proportionate governance

3 The SHIP model (under construction) Data permissionsData release Non-NHS Data controller National PAC (ISD, GROS) Local PAC or equivalent (NHS HB) Non-NHS dataset Local HB dataset ISD dataset Referral of data request Data request Research Coordinator Advice & guidance Training Researcher approval Safe haven Researcher approval and secure access National RDC (NSS) National Indexing Service Creation and storage of linked dataset

4 What does proportionate governance look like? 1) What is at stake? (principles and best practices) (2) Who is involved and who is responsible? (data controllers) (3) What are the benefits, burdens and risks involved with each application? (an appropriate risk assessment) (4) What is an appropriate research pathway for this application? (engaging the right people and principles – avoiding unnecessary regulatory burden)

5 (1) What is at stake? Principles and Best Practices Principles: foundational starting points for deliberation and action Best practice: instances of implementation of principles to a high standard Content: Public interest and the importance of research Privacy/Anonymisation/Consent/Data Protection Authorising/advisory bodies Governance/Access Trusted Third Parties (where appropriate) Clinical Trials Cross-sector sharing and sharing agreements Public engagement and benefit sharing

6 Principles and Best Practices examples 1. Public interest Principles Scientifically sound and ethically robust research is in the interest of protecting the health of the public. The responsible use of health data should be a stated objective of all organisations adhering to this instrument. Best Practice It is the data controller's responsibility to ensure the development of transparent policies that demonstrate their understanding of public interest and the basis upon which they will use and disclose health data;

7 Principles and Best Practices examples 3. Consent Principles Personal data must not be used without consent unless absolutely necessary… Where obtaining consent is not possible/practicable, then (a) anonymisation of data should occur as soon as is reasonably practicable and/or (b) authorisation from an appropriate oversight body/research ethics committee should be obtained. Best practices Where there is the prospect of future use of data that is unknown at the time of consent, then data subjects should be informed of the broad purposes for which the data might be used. These purposes will delimit the appropriateness of any future use… Where consent is not to be obtained, the reasons for this must be clearly articulated and adequately justified.

8 Principles and Best Practices examples 11. Cross-sector sharing Principles Where ethical & legal standards are met, data should be made accessible to trusted researchers across disciplines. The value of such cross-sector sharing should be recognised. Along with the potential benefits, risks should also be identified and appropriately addressed. In particular, assurance of reciprocal privacy standards across sectors is necessary. The unnecessary duplication of approval procedure(s) and governance mechanisms should be avoided. Mutual recognition of equivalent standard and procedures should be sought. Best practice Clear and easy to understand specifications covering confidentiality, security and privacy, and which define roles and protocols, should be agreed prior to cross-sector data sharing taking place.

9 (2) Who is involved and responsible? Data stewards and data controllers 1) When does one become (and stop being) a data controller? 2) What flexibilities exist for the assumption of, or agreement on, data protection responsibilities? 3) Is there a meaningful distinction between data disclosure (surrender responsibility) and data sharing (share responsibility)?

10 Data controllers: who and what is involved? The DPA confers the responsibility and liability for compliance with the requirements of the DPA on the Data Controller. Identifying the Data Controller(s) in relation to a set of personal data and its processing operations is therefore key to ensuring that data protection obligations are known and adhered to.

11 Data controllers: who and what is involved? Article 29 Data Protection Working Party (2010): An actor is not a Data Controller unless in facts and law they have the capacity to set the purposes for the processing of the personal data; A pluralistic situation, with a number of Data Controllers, including with different degrees of responsibility and liability, is both possible and acceptable.

12 Data controllers: Key messages It is essential to be clear as to who is acting as a data controller with respect to any given data set involving the processing of personal data It is possible that one or more parties can act in the capacity as a data controller and will accordingly be held jointly liable It is possible to agree between parties who will act as a data controller with respect to a given dataset and/or to agree difference levels of responsibility and liability.

13 (3) & (4) Mapping categories of application to suitable governance pathways Promoting the DCs core purposes (facilitating sharing) Safe havens, data extraction and/or travel (responsibilities?) Renewals (original application and trust in researcher) Sensitive linkages (what counts as additional safeguards?) Multiple sector linkages (a role for a national PAC) International linkages (in principle the same, but…)

14 Proportionate Governance Category 0: Public domain No further conditions

15 SHIP: an optimal system? Education and Approved Researcher status Data Controller Toolkit for decision-making Research Coordinator as informed gate-keeper Triage: building precedents and trusted relationships A national Privacy Advisory Committee as one-stop-shop Categories of licence reflecting category of application and risks Safe haven; data travel; appropriate sanctions

16 Next steps? Running case studies through the SHIP model Shaping good governance as robust proportionate governance Engaging the range of stakeholders and refining the model(s) Suggestions? Graeme.Laurie@ed.ac.ukGraeme.Laurie@ed.ac.uk Thank you!

17 Data Sharing and Best Practice

18 Deciding to Share Questions to ask: Why do you want to share? What information do you need to share? With whom will you share? When should it be shared? How should it be shared? Can the objectives be achieved differently?

19 Data Sharing and the Law - DPA Personal data shall be: 1.Processed fairly & lawfully; 2.Processed for specified purposes; 3.Adequate, relevant & not excessive; 4.Accurate & kept up to date; 5.Kept no longer than is necessary; 6.Processed according to individuals’ rights; 7.Kept secure against loss or destruction; 8.Not transferred outside the EEA.

20 Data Sharing and the Law – Vires Express Obligations legal requirement to share Local Government (Scotland) Act 1973 (c. 65) Auditor’s right of access to documents. 100. — 2) …every local authority shall provide an auditor with every facility and all information which he may reasonably require for the purpose of auditing their accounts…

21 Data Sharing and the Law – Vires Express Powers a stated power to share, but not to the extent of an obligation Local Government (Scotland) Act 1973 (c. 65) Research and the collection of information. 87. — (1) A local authority may conduct, or assist in the conducting of, investigations into, and the collection of information relating to, any matters concerning their area or any part thereof and may make, or assist in the making of arrangements whereby any such information and the results of any such investigation are made available to any government department or the public.

22 Data Sharing and the Law – Vires Implied Powers sharing is reasonably incidental to an activity within express obligations or powers Local Government in Scotland Act 2003 (asp. 1) Local authorities' duty to secure best value. 1. - (1) It is the duty of a local authority to make arrangements which secure best value.

23 Fairness & Transparency Privacy notices: Who you are Why you want to share With whom you are sharing Passive v Active Privacy Notices

24 Consent Consent most likely required where: confidential information is to be shared without clear legal basis; individuals may be expected to object; where there may be a significant and adverse impact on an individual/group. Do NOT seek consent if there is a statutory requirement

25 Governance Tools for good governance: Data Sharing Agreements / Protocols Privacy Impact Assessments Data Standards Staff Training

26 Security of Shared Information Areas of concern: Organisational Security Physical Security Technical Security

27 Individuals’ Rights Right to Access – sources & disclosures Right to Object – unwarranted & substantial damage or distress Right to Accuracy – matters of fact Queries and Complaints – internal & external

28 Notification Legal requirement to keep your notification up-to-date: Check data sharing is covered; Amend if necessary.

29 Things to avoid Bad practice: Failure to inform individuals about sharing Sharing excessively Sharing irrelevant information Sharing inaccurate information Sharing insecurely

30 Information Sharing Protocols Structure: Purpose of Sharing Partner Organisations Data to be shared Legal basis for sharing Meeting individuals’ rights Governance

Download ppt "Good governance in cross-sectoral data sharing and data linkage for research and evaluation purposes 29 September 2011 Graeme Laurie Edinburgh Law School."

Similar presentations

Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.

Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.
NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.
NATIONAL INFORMATION GOVERNANCE BOARD

NATIONAL INFORMATION GOVERNANCE BOARD
Good Medical Practice Evidence to use for Appraisal Good Medical Practice 2006.

Good Medical Practice Evidence to use for Appraisal Good Medical Practice 2006.
Introduction to Information Governance (IG)

Introduction to Information Governance (IG)
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child

Getting data sharing right for every child
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Fundamentals of IRB Review. Regulatory Role of the IRB Authority to approve, require modifications in (to secure approval), or disapprove all research.

Fundamentals of IRB Review. Regulatory Role of the IRB Authority to approve, require modifications in (to secure approval), or disapprove all research.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Hong Kong Privacy Code on Human Resource Management

Hong Kong Privacy Code on Human Resource Management
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
SAFA- IFAC Regional SMP Forum

SAFA- IFAC Regional SMP Forum
Purpose of the Standards

Purpose of the Standards
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report.

National Smartcard Project Work Package 8 – Information Law Report.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview

Similar presentations

Ads by Google