Role of Law in the Regulation of Science_ Medicine _ Technology by sammyc2007

VIEWS: 88 PAGES: 51

									  Role of Law in the Regulation of
  Science, Medicine & Technology:
   Medical Research, Public Health & Data Protection & Law


Promoting Health Research & Protecting Patient Rights
         Office of the Data Protection Commissioner
                     29th November, 2006



                Asim A. Sheikh B.A., LL. M.
                   Barrister-at-Law

                        Lecturer in Legal Medicine
                       Forensic and Legal Medicine
              Faculty of Medicine, University College Dublin
Role of Law in the Regulation of
Science, Medicine & Technology
   Role of Law
    –   prevention of harm
    –   protection of society
    –   provision of certainty
    –   standards of care
    –   Adversarial system – objective forum of exposure


   Role of Science, Medicine & Technology
    – progress / amelioration of quality of life?

          “Why is progress a prerequisite reserved almost exclusively for
            the activities we call science?...Does a field make progress
            because it is a science, or is it a science because it makes
                                       progress?”
                           Kuhn TS. The Structure of Scientific Revolutions
      The Law and Kuhn's
      Critique




            1

                                                                   2
         Normal
         Science         PARADIGM SHIFT
                                                                 New
                                                               Paradigm




People work within   Paradigm Shifts require
                     guidance of the Law to ensure
the parameters of
theparadigm,         smooth transition from one
                                                     Occurs as a result a
indulging in         paradigm to next
                                                     reconstruction of the original
'Puzzle-Solving'.                                    field from new fundamentals,
                                                     changing the field's initial
                                                     theory, methods and
                                                     applications.
    Interface of Law, Science & Medicine
               some examples
   Medical Practitioners Act
   Diamond v. Chakrabarty (US - 1980) - living matter is patentable
   EC Directive: 98/44/EC; On the Legal Protection of Biotechnological
    Inventions
   Clinical Trials Acts 1987, 1990, Clinical Trials Directive
   Human Fertilisation and Embryology Act (UK – 1990)
   Best v. Wellcome Foundation Ltd (Ire – 1993) - pertussis vaccine -
    scientific evidence
   DNA Evidence cases
   Grimes v Kennedy Krieger Institute (Maryland, US – 2000) – consent
    in children – non-therapeutic medical research and RECs
   Safety, Health and Welfare at Work Act, 2005 and regulations
    (biological, chemical)
“...it seems to me imperative that the moral, social
     and legal issues raised by this case should be
   considered by Parliament. The judges‟ function
      in this area of the law should be to apply the
    principles which society through the democratic
  process, adopts, not to impose their standards on
      society. If Parliament fails to act, then judge-
  made law will of necessity through a gradual and
  uncertain process provide a legal answer to each
                new question as it arises.”

         Lord Browne-Wilkinson in Airedale NHS Trust v. Bland
                                            [1993] All ER 821
          The Tort System

              Clinical Negligence



 Principles
     of           The Tort          Litigation
    Risk          System
Management




                 Judgment
Ideals of Law in Medicine
   Self-determination
   Consent
   Best interests of patient
   Full disclosure of information
 Protection  of Privacy and
    Confidentiality
Data Protection
    Background I: General Concerns

 Increased Activity in non-statutory medical
  research
 Concerns over patient data
 Freedom of Information
 Change to electronic patient records
  (EPR)
 Change in Data protection law
 Increased move toward embracing of
  consent doctrine in clinical practice
  “As the information society proceeds apace, public unease about
new technologies needs to be firmly laid to rest…This survey shows
              that public anxieties are, if anything, on the increase.”
                                         Joe Meade, DP Commissioner, 2003
             Background II: Law
   Constitution
   Universal Declaration on Human Rights, 1948
   European Convention on Human Rights, 1950
   Council of Europe Convention on Data Protection, 1981
   Data Protection Act, 1988
   Freedom of Information Act, 1997-2003
   Convention on Human Rights and Biomedicine, 1997
   EU Directive on Data Protection, 1995 and Data Protection
    (Amendment) Act 2003
   European Recommendation No R (97) 5 on the Protection of
    Medical Data (Council of Europe, Committee of Ministers),
    13/2/97
   Convention on Human Rights Act, 2003
   Ethical & Legal Doctrine of Confidentiality
   Common Law
European Convention on Human Rights

   Everyone has the right to respect for his private life
    and family life, his home and correspondence
   There shall be no interference by a public authority
    with the right except such as is necessary in a
    democratic society in the interests of national
    security, public safety or the economic well-being of
    the country, for the prevention of disorder or crime,
    for the protection of morals, or for the protection of
    the rights and freedoms of others.
      The Irish Constitution & Privacy

   The Irish Constitution does not expressly provide
    for a Constitutional right to privacy
   However, Irish case law provides authority which
    indicates that the citizen may invoke the personal
    rights provisions of Article 40.3.1 of the
    Constitution so as to require the State to protect
    and vindicate the citizen‟s right to constitutional
    privacy:
   Kennedy v. Ireland [1987]
     Convention for the Protection of Human Rights and Dignity
                  of the Human Being with regard
           to the Application of Biology and Medicine:
       Convention on Human Rights and Biomedicine, 1997

Chapter III – Private life and right to information
Article 10 – Private life and right to information

1.     Everyone has the right to respect for private life in relation
       to information about his or her health;

2.     Everyone is entitled to know any information collected
       about his or her health. However, the wishes of individual
       not to be so informed shall be observed;

3.     In exceptional cases, restrictions may be placed by law on
       the exercise of the rights contained in paragraph 2 in the
       interests of the patient.
  “There can be no exceptions to the ordinary
      requirements of disclosure in the case of
     research as there may well be in ordinary
medical practice. The researcher does not have




                                                       Disclosure in Medical Research
       to balance the probable effect of lack of
      treatment against the risk involved in the
    treatment itself. The example of risks being
      properly hidden from a patient where it is
 important that he should not worry can have no
 application in the field of research. The subject
of medical experimentation is entitled to full and
frank disclosure of all the facts, probabilities and
    opinions which a reasonable man might be
expected to consider before giving his consent.”
      Halushka v. University of Saskatchewan (1965)
       The Nuremberg Code

   “The voluntary consent of the human subject
is absolutely essential... and should have sufficient
 knowledge and comprehension of the elements of
  the subject matter involved as to enable him to
 make an understanding and enlightened decision.
    This latter element requires that before the
    acceptance of an affirmative decision by the
experimental subject there should be made known
  to him the nature, duration, and purpose of the
                    experiment ”
   The Helsinki Declaration

Article 1

 “The World Medical Association has developed
  the Declaration of Helsinki as a statement of
     ethical principles to provide guidance to
   physicians and other participants in medical
   research involving human subjects. Medical
   research involving human subjects includes
    research on identifiable human material or
                 identifiable data.”
    The Helsinki Declaration

Article 22

     “In any research on human beings, each
potential subject must be adequately informed of
   the aims, methods, sources of funding, any
     possible conflicts of interest, institutional
   affiliations of the researcher, the anticipated
 benefits and potential risks of the study and the
              discomfort it may entail…”
 The Helsinki Declaration

“...The subject should be informed of the right to
    abstain from participation in the study or to
    withdraw consent to participate at any time
 without reprisal. After ensuring that the subject
  has understood the information, the physician
   should then obtain the subject's freely-given
     informed consent, preferably in writing…”
                  Case Law

   Geoghegan v. Harris (2000, HC)

   R v. Department of Health, ex parte Source
    Informatics Ltd [2000]
   Durant v. FSA (CA) [2003]

    – Change from importance of use of information to
      maintenance of anonymity of information?
Processing means performing any operation
or set of operations on data including:


   – obtaining, recording or keeping the data
   – collecting, organising, storing, altering or adapting
     the data
   – retrieving, consulting or using the data
   – disclosing the data by transmitting, disseminating
     or otherwise making it available
   – aligning, combining, blocking, erasing or
     destroying the data.
Section 2: Protection of Privacy of Individuals with regard
    to Personal Data (1st STEP) - General Obligations

In relation to Personal Data (PD) a DC will ensure that that data shall:
(a) be processed fairly
(b) be accurate and complete and, where necessary, kept up to date,
(c) The data shall:

    – (i) be kept only for one or more specified, explicit and legitimate
      purposes,
    – (ii) not be further processed in a manner incompatible with that
      purpose or those purposes,
    – (iii) be adequate, relevant and not excessive in relation to the purpose
      or purposes for which they were collected or are further processed,
      and
    – (iv) not be kept for longer than is necessary for that purpose or those
      purposes

(d) appropriate security measures shall be taken against unauthorised access to,
or unauthorised alteration, disclosure or destruction of, the data, in particular
where the processing involves the transmission of data over a network
            1st     Exemption - s2(5)
Previous paragraphs (ii) & (iv)
(a) “do not apply to personal data kept for statistical or research or
other scientific purposes, and the keeping of which complies with such
requirements (if any) as may be prescribed for the purpose of
safeguarding the fundamental rights and freedoms of data subjects…
And

(b) “the data or, as the case may be, the information constituting such
data shall not be regarded for the purposes of paragraph (a) of the said
subsection as having been obtained unfairly by reason only that its use
for any such purpose was not disclosed when it was obtained,

if the data are not used in such a way that damage or distress is, or is
likely to be, caused to any data subject
   Ramifications for personal data for a
    secondary use
   Seems to be case – data could be used
    for a secondary purpose – not first
    considered
   But such secondary use – cannot cause
    harm or distress to data subject
What are the basics of „fair processing‟?

    In section 2D – when obtaining data
     from Data Subject

     – the identity of the data controller
     – the purpose in collecting the data
     – the persons or categories of persons to
       whom the data may be disclosed
     – any other information which is necessary
       so that processing may be fair
    If not obtaining information from
    data subject but from another
    source then:
   Data Subject should know:
     – Identity of representative of DC and name of original
       DC
     – Categories of data concerned

   However: if this is for purposes of
    historic/scientific research and this information
    would be impossible to get or involve a
    disproportionate effort

     – Then DPC can lay down conditions
         Section 2A: Processing of Personal Data
                       (2nd STEP)
   PD shall NOT be processed unless - Fulfill S2 requirements and 1 of the following:
   the data subject must have given consent to the processing or
   the processing must be necessary for one of the following reasons -
     –   the performance of a contract to which the data subject is party
     –   in order to take steps at the request of the data subject prior to
     –   entering into a contract
     –   compliance with a legal obligation, other than that imposed by contract
     –   to prevent injury or other damage to the health of a data subject
     –   to prevent serious loss or damage to property of the data subject
     –   to protect the vital interests of the data subject where the seeking of
         the consent of the data subject is likely to result in those interests
         being damaged
     –   for the administration of justice
     –   for the performance of a function conferred on a person by or under
         an enactment
     –   for the performance of a function of the Government or a Minister of
         the Government
     –   for the performance of any other function of a public nature
     –   performed in the public interest by a person
             Section 2B: Processing of Sensitive Personal Data
                                (3rd STEP)
   SPD shall NOT be processed unless - Fulfill S2 & S2A requirements and 1 of the
    following:
   the data subject‟s consent is explicitly given;
   the processing must be necessary for:
      –  for the purpose of exercising or performing any right or obligation which is conferred or
         imposed by law on the data controller in connection with employment
      –  to prevent injury or other damage to the health of the data subject or another person,
         or serious loss in respect of, or damage to, property or otherwise to protect the vital
         interests of the data subject or of another person in a case where, consent cannot be
         given, or the data controller cannot reasonably be expected to obtain such consent
      –  to prevent injury to, or damage to the health of, another person, or serious loss in
         respect of or damage to, the property of another person, in a case where such consent
         has been unreasonably withheld
      –  it is carried out by a not for profit organisation in respect of its members or other
         persons in regular contact with the organisation
      –  the information being processed has been made public as a result of steps deliberately
         taken by the data subject
      –  for the purpose of obtaining legal advice, or in connection with legal proceedings, or is
         necessary for the purposes of establishing, exercising or defending legal rights
      –  for medical purposes – undertaken by a health professional
      –  is carried out by political parties or candidates for election in the context of an election
      –  for the purpose of the assessment or payment of a tax liability
      –  in relation to the administration of a Social Welfare scheme.
2nd
Ex



3rd
Ex
 „Medical Purposes & Health Professional‟
  2nd Exemption (Research Exemption)
   Defined as:

“„medical purposes‟ includes the purpose of preventive medicine, medical
diagnosis, medical research, the provision of care and treatment and the
management of healthcare services.”


“„health professional‟ includes a registered medical practitioner, within the
meaning of the Medical Practitioners Act, 1978, a registered dentist, within
the meaning of the Dentists Act, 1985, or a member of any other class of
health worker or social worker standing specified by regulations made by the
Minister after consultation with the Minister for Health and Children and any
other Minister of the Government who, having regard to his or her functions,
ought, in the opinion of the Minister, to be consulted”
  3rd    Exemption - s2B(1)(b)(xi)
Where:

“…processing is authorised by regulations that are made by
the Minister and are made for reasons of substantial public
interest.”




    …then sensitive personal data can be processed
        4th    Exemption - s2D(4)

Where giving of information to a data subject in relation to
the purpose/s of the data when that data is for the purposes
of historical or scientific research and “the provision of the
information specified therein proves impossible or would
involve a disproportionate effort…”




   …then that information does not have to be given
   s4(4)-DC cannot disclose info about a
    3rd party unless 3rd party consents,
    unless identity can be omitted and 3rd
    party is rendered unidentifiable
1. Data must be processed, fairly – which means that a data subject
   should know the following:

(a) the identity of the data controller or a nominated a representative
(b) the purpose or purposes for which the data are intended to be
    processed, and
(c) any other information which is necessary to enable processing in
    respect of the data to be fair to the data subject such as information
    about the recipients of the data (s2D)

In this section of the Act, the data subject is not required to give
consent. It is the data controller who must provide information

if data is being obtained from someone or somewhere other than the data
subject, then, the data subject should be informed of the above
    information
and the identity of the original data controller and the category of data
before the information is processed or if to be disclosed to a third party,
before such disclosure. In scientific research if the provision of this
information is impossible or involves a disproportionate effort, then it would
not have to be disclosed if conditions laid down by the Minister are met
(currently non such exist) (s2D4).
2. Data must be accurate, complete and, where necessary, kept up
   to date, kept only for one or more specified, explicit and
   legitimate purposes. The data shall not be further processed in a
   manner incompatible with that purpose or those purposes, shall
   be adequate, relevant and not excessive in relation to the
   purpose or purposes for which they were collected or are further
   processed, and shall not be kept for longer than is necessary for
   that purpose or those purposes (s2).

  However, the use of data for secondary purposes in scientific
  research is permitted and would not be regarded as „unfair
  processing‟ even though such secondary use was not initially
  disclosed if (i) any prescribed requirements are complied with to
  safeguard the fundamental rights and freedoms of the data
  subject and (ii) the data are not used in such a way that damage
  or distress is, or is likely to be, caused to any data subject
  (s2(5)).

  In this section of the Act also, the data subject is not required to
  give consent. It is the data controller who must provide
  information).
3. Adequate security measures must be taken to protect data.

4. Personal Data (identifiable data) shall not be processed unless
   s2 is complied with and 1 additional requirement of s2A is met.

  This could be the data subject giving his/her consent to the
  processing

  (Article 7 of the Directive uses the words „unambiguous
  consent‟ and in article 2(h), consent is defined as “…any freely
  given specific and informed indication of his wishes by which
  the data subject signifies his agreement to personal data.”) or
  instead,

  if one of number of other conditions were met. However, apart
  from the consent condition, none of these would seem to be
  relevant to medical research or public health (except when the
  processing is required to protection the vital health interests of
  a data subject or in the public interest) and thus, for personal
  medical data (identifiable), consent must be given (s2A).
5. Sensitive Personal Data (health/medical data)
   shall not be processed unless in addition to
   satisfying the conditions of sections 2 and 2(A), at
   least one of the additional listed conditions is also
   met.

   This could be the data subject giving his/her
   consent explicitly to the processing or instead if
   one of a number of other conditions are met.

   Here the one of most note is the processing of
   data for medical purposes which includes medical
   research („medical research exemption‟) (and
   also to protect the vital health interests of a data
   subject or in the public interest) (s2B).
       Medical Research Concerns
   Issue of explicit consent – e.g. in epidemiological studies

   Secondary use of data

   Issue of Anonymisation

   Issue of data protection policies

   There are no consistent guidelines in EU member states. Some have
    opted for a more, seemingly, liberal approach, for example, Sweden, in
    the application of the medical research exemption.

   Others however, such as France and Germany, have opted for a less
    liberal approach.

   The lack of consistency has not helped in the interpretation of the
    Directive.
“A blanket requirement for anonymisation
of data, as well as informed consent from
all individuals to use identifiable data about
them, would jeopardise the methodological
integrity of research and audit. This would
not just hinder the progress of medical
knowledge but might lead to completely
incorrect conclusions. This would be against
the public interest and make the process of
clinical governance impossible…”
                                   BMJ 2000


            “…it would appear that the Directive will, in many
                              circumstances, shift the balance
            in favour of obtaining clearer, more unambiguous
                                 Consent from individuals than
                                 has been the case up to now.”
                                      DP Commissioner, 2002
“Consent has a role to play but it does not emerge as a trump card.
  Indeed some might argue that the broad and indistinct categories of
   justifications for processing without consent potentially weaken the
     protection that is afforded to informational privacy interests. The
  model, however, is, as always, a search for a balance and few could
        deny that privacy protection showed sometimes bow to other
  interests. But the devil is in the detail of determining which interest
      should be weighed in the balance and how far privacy should be
         compromised in any given case. The example of research is
     particularly apt. Some member states, for example Denmark and
     Austria, allow research on secondary uses of patient data, that is,
     uses beyond those for which the data were first obtained, without
   the need for patient consent so long as the national data protection
 office gives prior approval. The United Kingdom also has mechanisms
 for allowing research using patient data subject to rigorous review…It
    is to be noted with some regret, however, that a culture of caution
    has grown up around the workings of the Data Protection Act such
  that there is a widespread belief that the law now hinders research.
             In the main, we consider this to be unfounded.”
                             Mason & Laurie, Law & Medical Ethics (2006)
   Two general categories of data require to be considered:

    – (a) retrospective/archived/historical data (where consent for the
      current use was never obtained or is inadequate) and
    – (b) prospective/future data, for which, how and what type of
      consent should be obtained needs to be discussed.


   In relation to the former, the questions that arise are:

    – (i) when does a researcher require to re-obtain consent (where the
      data is identifiable) and if this cannot be obtained (due to
      impossibility/disproportionate effort) can the research progress?
    – (ii) Can the researcher continue carry out the research by
      anonymising the data and if so, who should anonymise this data?
    – (iii) If the research would prove futile by anonymisation can it be
      pseudo-anonymised and (iv) what onus is there on a research ethics
      committee to ensure that the research proposal is in accordance
      with the Data Protection Act?
   The exemptions exist for reason, however,
   do not allow data controllers to by-pass their obligations to
    ensure that prior to health and personal data, being
    processed, a subject:
     – (i) is given information in relation to their data and
     – (ii) in certain circumstances, gives his/her consent prior to the
       processing of their data.

   Other practitioners, whilst discussing the concerns, have
    also stated that:

    “…health professionals need to understand current
           anxieties about the ways in which health
     information is handled; they need to learn the rules
    and apply them and accept that unfettered access to
       personal health information is a thing of the past
        and that, among the many tools they need for
         modern clinical practice are those of skilled
                  information management.”
    Chalmers and Muir, “Patient privacy and confidentiality: The debate goes on; the
     issues are complex, but a consensus is emerging.” BMJ, 2003;326:725–6, 2003)
Data Protection Principles
1 Personal data shall be processed fairly and lawfully and, in particular,
shall not be processed unless:
(a) The conditions of section 2 are satisfied and
(b) at least one of the conditions in s 2A is met, and
(c) in the case of sensitive personal data, at least one of the conditions
    in s 2B is also met.

2 Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights
of data subjects under this Act.

7 Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or damage to,
personal data.

8 Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or
Territory ensures an adequate level of protection for the rights
And freedoms of data subject in relation to the processing of
personal data.
   Moving forward
Best Practice Models?
MRC Guidelines, 2000
Learning from Experience,
Privacy & the Secondary Use of
Data in Health Research
Lowrance W
Nuffield Trust, 2002
                         Conclusions
   Increased move toward maximum disclosure of information – utilisation
    of proper and clear provision of information over the use of patient
    information
   Consent as the first port of call, would overcome all obstacles – but is
    not necessarily required if exemptions are invoked (medical research
    exemption)
   Specific information, however, must be provided to data subjects
   Personal information must be protected
     – Kept confidential
     – Anonymised (utilisation of Privacy Enhancing Techniques – PETs)
     – Definitions of „anonymous;
   Where anonymisation cannot be achieved
     – Require ethics approval
     – Adequate safeguards in place to ensure safety
   Properly considered research policies
   Assistance of
     – Ethics Committees
     – Data Protection Commissioner
                     Other Options
   In certain limited circumstances for public health screening
    reasons:
    – Health (Provision of Information) Act, 1997 (Cancer Registry)

    – Allows passing of data from bodies to other bodies with permission
      of Minister of Health

   Pass Similar legislation on a limited basis:
    – S60 Health and Social Care Act 2001, UK
    – Health Service (Control of Patient Information) 2002, UK – public
      health patient data

   this should done only with careful consultation: need to
    avoid panic reactions?

   The Data Protection Acts 1988 and 2003: Implications
    for Medical and Public Health Research in Ireland
    (Health Research Board, 2007 – forthcoming)
This lecture or any of the information
          given therein is not
  and should not be taken to be or
  relied on as legal medico-legal or
       medico-ethical advice.
         No reproduction or distribution
        without prior permission of author


         All Notes © Asim A. Sheikh BL, 2006

								
To top