Anne Cameron - An Introduction to the Data Protection Act for Researchers
TRANSCRIPT
An intro to the Data Protection Act for researchers and how to handle breaches
Anne Cameron, Legal Compliance Manager
Where to go for help?
• http://www.kcl.ac.uk/aboutkings/governance/index.aspx
• For further information or guidance, email: [email protected] or telephone 020 7848 4344
Personal information: the big picture
The Data Protection Act 1998 (DPA)
•Sets the broad rules, supersedes the 1984 Act
•Implements EU directive
Scope of the Act
•What is personal data?
•What is sensitive data?
•What is a data controller?
•What is a data subject and what are their rights?
8 data protection principles
Sanctions
•Oversight by the ICO
•Damages for mishandling personal information
But hold on, isn’t there an exemption for research…
•Scope of s.33
•Important to see it in relation to the rest of the Act – all the other principles still apply
The Data Protection Act 1998
The Act says that Data Controllers must process personal data in accordance with 8 data protection principles:
1. fairly and lawfully
2. only for specified and lawful purposes
3. that are adequate, relevant and not excessive
4. that are accurate and, where necessary, up to date
5. for no longer than is necessary
6. in accordance with individuals’ rights
7. securely
8. in the EEA
Why bother to look after it?
•Optimum use of data
•Widest circulation of findings
•Minimum hassle with administration
•Containable future liabilities
Who is responsible anyway?
• PI is responsible during the course of the study and for making proper arrangements afterwards
• Sponsor/employer sets the context
• For roles and responsibilities in research governance see the Research Governance Framework for Health and Social Care
The College good practice framework
Mandatory requirements
• Academic Regulations for Research Degrees
• Guidelines on Good Practice in Academic Research
• Research ethics committees, College and NHS
College policies
• Information Security Policy
• Data Protection Policy and Freedom of Information Policy
• Records Management Policy
• Data Loss assessment and reporting procedure
Documentation and support
• IT Security Toolkit
• Records Management Toolkit
• Ethics support
Before my research: funding applications
•Funders make requirements which are binding on the recipient after the award is made
•May seek detailed information about information management within the project
•Will refer to specific policies, for instance Wellcome Guidelines on Good Research Practice
Before my research: ethics
•Requirements from research councils. See the MRC and ESRC
•Mandatory for relevant College research
•Mandatory for NHS research
Before my research: participants and consent
•Targeting participants. Are they approaching you or are you approaching them?
•Fair processing notices. What are they and are they required for my research?
•Can I ever get access to information without further consent?
During my research: processing personal data
•What does data processing mean under the DPA? The conditions in Schedule 2 and, where relevant, Schedule 3 apply
•What are the risks with careless processing?
•Some types of information raise other legal issues. Defamatory material, for instance, must be handled carefully
During my research: anonymisation
•What does anonymisation actually mean?
•What are the legal implications of anonymisation?
•Does everything always have to be anonymised?
During my research: data sharing and exchange
•Is it legitimate to share personal data with co-researchers?
•How far can personal data be shared beyond the team?
•There are special considerations when personal data crosses borders. Exchanges within the EEA are all under the same privacy regime. Outside the EEA different rules apply
After my research: retention
•Why bother to keep research information at all?
•If I need to keep it then how long should I keep it for?
•If I need to destroy it then what’s the best way?
After my research: reuse
•Can data be used for other, different research?
•Remember that the public has a right of access to College information under the Freedom of Information Act 2000. This covers research information too
•What happens when data subjects die? Does the DPA still apply?
The Undertaking
As a result of personal data losses at King’s, the Information Commissioner’s Office has had the College sign an Undertaking as follows:
What this means to you.
If you work/carry out research at King’s and hold personal data you have two choices:
If you hold personal data on a laptop, smartphone, USB stick or other mobile device, it must be encrypted.
Or
You don’t carry personal data on those devices.
Doesn’t exist on its own
• The common law of confidence
• Even though the DPA allows access, the law of confidence may still apply
• Duty may arise in contract
• Human Rights Act 1998
• Human Tissue Act 2004 (in effect September 2006)
• Ethical and professional standards
• Health and Social Care Act 2012 (for section 251)
Records, telephone 0207 848 2283
Legal Compliance, telephone 0207 848 4344
Contacts and questions
Any questions?