anne cameron - an introduction to the data protection act for researchers


Upload: kclcompbio

Post on 07-May-2015


TRANSCRIPT

Page 1: Anne Cameron - An Introduction to the Data Protection Act for Researchers

An intro to the Data Protection Act for researchers and how to handle breaches

Anne Cameron, Legal Compliance Manager

Where to go for help?

• http://www.kcl.ac.uk/aboutkings/governance/index.aspx

• For further information or guidance, email: [email protected] or telephone 020 7848 4344

Page 2

Page 3

Personal information: the big picture

The Data Protection Act 1998 (DPA)
• Sets the broad rules, supersedes the 1984 Act
• Implements EU directive

Scope of the Act
• What is personal data?
• What is sensitive data?
• What is a data controller?
• What is a data subject and what are their rights?

8 data protection principles

Sanctions
• Oversight by the ICO
• Damages for mishandling personal information

But hold on, isn’t there an exemption for research…
• Scope of s.33
• Important to see it in relation to the rest of the Act – all the other principles still apply

Page 4

The Data Protection Act 1998

The Act says that Data Controllers must process personal data in accordance with 8 data protection principles:

1. fairly and lawfully
2. only for specified and lawful purposes
3. that are adequate, relevant and not excessive
4. that are accurate and, where necessary, up to date
5. for no longer than is necessary
6. in accordance with individuals’ rights
7. securely
8. in the EEA

Page 5

Why bother to look after it?

• Optimum use of data
• Widest circulation of findings
• Minimum hassle with administration
• Containable future liabilities

Page 6

Who is responsible anyway?

• PI is responsible during the course of the study and for making proper arrangements afterwards

• Sponsor/employer sets the context

• For roles and responsibilities in research governance see the Research Governance Framework for Health and Social Care

Page 7

The College good practice framework

Mandatory requirements
• Academic Regulations for Research Degrees
• Guidelines on Good Practice in Academic Research
• Research ethics committees, College and NHS

College policies
• Information Security Policy
• Data Protection Policy and Freedom of Information Policy
• Records Management Policy
• Data Loss assessment and reporting procedure

Documentation and support
• IT Security Toolkit
• Records Management Toolkit
• Ethics support

Page 8

Before my research: funding applications

• Funders make requirements which are binding on the recipient after the award is made

• May seek detailed information about information management within the project

• Will refer to specific policies, for instance Wellcome Guidelines on Good Research Practice

Page 9

Before my research: ethics

• Requirements from research councils. See the MRC and ESRC

• Mandatory for relevant College research

• Mandatory for NHS research

Page 10

Before my research: participants and consent

• Targeting participants. Are they approaching you or are you approaching them?

• Fair processing notices. What are they and are they required for my research?

• Can I ever get access to information without further consent?

Page 11

During my research: processing personal data

• What does data processing mean under the DPA? The conditions in Schedule 2 and, where relevant, Schedule 3 apply

• What are the risks with careless processing?

• Some types of information raise other legal issues. Defamatory material, for instance, must be handled carefully

Page 12

During my research: anonymisation

• What does anonymisation actually mean?

• What are the legal implications of anonymisation?

• Does everything always have to be anonymised?

Page 13

During my research: data sharing and exchange

• Is it legitimate to share personal data with co-researchers?

• How far can personal data be shared beyond the team?

• There are special considerations when personal data crosses borders. Exchanges within the EEA are all under the same privacy regime. Outside the EEA different rules apply

Page 14

After my research: retention

• Why bother to keep research information at all?

• If I need to keep it, then how long should I keep it for?

• If I need to destroy it, then what’s the best way?

Page 15

After my research: reuse

• Can data be used for other, different research?

• Remember that the public has a right of access to College information under the Freedom of Information Act 2000. This covers research information too

• What happens when data subjects die? Does the DPA still apply?

Page 16

The Undertaking

As a result of personal data losses at King’s, the Information Commissioner’s Office has had the College sign an Undertaking as follows:

Page 17

What this means to you.

If you work/carry out research at King’s and hold personal data you have two choices:

If you hold personal data on a laptop, smart phone, USB stick or other mobile devices, they must be encrypted.

Or

You don’t carry personal data on those devices.

Page 18

Page 19

Doesn’t exist on its own

• The common law of confidence
• Even though the DPA allows access, the law of confidence may still apply
• Duty may arise in contract
• Human Rights Act 1998
• Human Tissue Act 2004 (effect September 2006)
• Ethical and professional standards
• Health and Social Care Act 2012 (for sec 251)
• Contd.

Page 20

Contacts and questions

Records
P: 0207 848 2283
E: [email protected]

Legal Compliance
P: 0207 848 4344
E: [email protected]

Any questions?