How To Be a Good Researcher Flashcards
What is the problem with confidentiality in research?
Health care professionals and biomedical researchers may have a right, and sometimes even a duty, to share data with others, but they also have a duty to safeguard confidentiality
What is national data opt-out?
You can choose to stop your confidential patient information being used for purposes other than your own care and treatment. This choice is known as a national data opt-out
What are summary care records (SCR)?
‘Summary Care Records (SCR) are an electronic record of important patient information, created from GP medical records. They can be seen and used by authorised staff in other areas of the health and care system involved in the patient’s direct care.’
‘If you are registered with a GP practice in England your SCR is created automatically, unless you have opted out.’
‘When new patients are registered the practice should check they are happy to have an SCR.’
What is the legal framework behind the duty of confidentiality?
1. confidentiality as a duty in common law
2. relevant statutory law related to the concept of ‘confidentiality’
Confidentiality as a duty in common law
Spycatcher trial by Lord Goff: ‘ … a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all circumstances that he should be precluded from disclosing the information to others’
Common law does not provide a clear definition of what information should be considered to be confidential. It also does not define clearly when a breach of confidentiality in the public interest can be justified.
Relevant statute law related to the concept of ‘confidentiality’
Human Rights Act 1998
Freedom of Information Act 2000
The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 [Regulation 20 on the duty of candour]
General Data Protection Regulation (GDPR)
Data Protection Act 2018
Data Protection (Charges and Information) Regulations 2018
The Data Protection, Privacy and Electronic Communications Regulations 2019 (or ‘DPPEC Regulations’, for short) amend the GDPR and the Data Protection Act 2018, and rename the former as the ‘UK GDPR’
Human Rights Act 1998
‘1. Everyone has the right to respect for his private and family life, his home and his correspondence.’
However, this right is limited as follows: ‘2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’
Freedom of Information Act 2000
A key aim of this Act is to promote openness by public authorities. Members of the public have a statutory right of access to a range of information held by public authorities, including, for example, universities and the NHS.
Some anonymised information must be disclosed if requested under this Act.
The Health and Social Care Act 2008
par. 1: ‘A health service body must act in an open and transparent way with relevant persons in relation to care and treatment provided to service users …’
par. 2: ‘As soon as reasonably practicable after becoming aware that a notifiable safety incident has occurred a health service body must—
(a) notify the relevant person that the incident has occurred … and
(b) provide reasonable support to the relevant person in relation to the incident …’
Meaning of ‘notifiable safety incident’
‘“notifiable safety incident” means any unintended or unexpected incident that occurred in respect of a service user during the provision of a regulated activity that, in the reasonable opinion of a health care professional, could result in, or appears to have resulted in—
(a) the death of the service user, where the death relates directly to the incident rather than to the natural course of the service user’s illness or underlying condition, or
(b) severe harm, moderate harm or prolonged psychological harm to the service user;’
Meaning of ‘relevant person’
‘“relevant person” means the service user or, in the following circumstances, a person lawfully acting on their behalf—
(a) on the death of the service user,
(b) where the service user is under 16 and not competent to make a decision in relation to their care or treatment, or
(c) where the service user is 16 or over and lacks capacity (as determined in accordance with sections 2 and 3 of the 2005 Act) in relation to the matter’
General Data Protection Regulation (GDPR)
applies to information about identifiable natural persons in the European Union, with relevance to the European Economic Area as well
Everyone who uses personal data that is not anonymised and that is (intended to be) contained in a filing system must abide by 6 ‘data protection principles’. These principles are also incorporated in the Data Protection Act 2018
The GDPR grants data subjects a number of rights, including rights to:
be informed about how their data is used.
access data (art. 12).
have their data corrected if it is incorrect (art. 15).
have their data deleted (art. 17).
Data Protection Act 2018
supplements and tailors the GDPR within UK law.
applies to all of the UK and in relation to all identified or identifiable natural persons.
part 3 (‘law enforcement processing’) implements the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into UK law. This Directive details the requirements to process personal data for criminal purposes, and adopts the same ‘data protection principles’ as the GDPR. Schedule 7 lists the ‘competent authorities’ (e.g. the police) that may process data for law enforcement.
The 6 data protection principles
1: ‘that processing be lawful, fair and transparent’;
2: ‘that the purposes of processing be specified, explicit and legitimate’;
3: ‘that personal data be adequate, relevant and not excessive’;
4: ‘that personal data be accurate and kept up to date’;
5: ‘that personal data be kept for no longer than is necessary’;
6: ‘that personal data be processed in a secure manner’.
Data Protection (Charges and Information) Regulations 2018
organisations that determine the purpose for which personal data is processed (data controllers) must, unless they are exempt, pay a data protection fee, and the Information Commissioner’s Office keeps a register of fee-paying data controllers.