Health data constraints and challenges Jyoti Khadake 28th October 2016
What is health related data
• Self-declared data – e.g. health and lifestyle
• Health care records – e.g. hospital records
• Generated data – e.g. blood groups, FBC
• Acquired data – e.g. income group
Data related to person
• Personal data
• Identifying data
• Identifiable data
• Anonymised data
• Sensitive data
• Aggregated data
Questionnaire
• This is a self-declared questionnaire – can you identify the categories from the earlier slide?
What is sharing of data
• A reciprocal exchange of data;
• One or more organisation/s providing data to a third party or parties;
• Several organisations pooling information and making it available to each other;
• Several organisations pooling information and making it available to a third party or parties;
• Exceptional, one-off disclosures of data in unexpected or emergency situations; or
• Different parts of the same organisation making data available to each other.
Advantages to sharing data
• Furthering medical studies – diagnostic or curative
• Gaining better understanding of physiology and processes
• Social and epidemiological impact
• Quality of care
• …..
Legal constraints for sharing this data
Information-sharing is related to a number of different pieces of legislation:
• Local authority responsibilities for sharing information under the Care Act 2014
• The common law duty of confidentiality
• The Human Rights Act 1998, Article 8 (the right to respect for private life)
• The Data Protection Act 1998
• The Crime and Disorder Act 1998
• The Mental Capacity Act 2005
• General Data Protection Regulation 2016
EU declaration 2016
Individuals
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling
ICO: code of practice
• Processed lawfully, fairly and in a transparent manner
• Collected for specified purpose
• Adequate, relevant and limited to what is necessary
• Accuracy is maintained
• Data subject will not be identifiable for longer than necessary
• Processed in a secured manner and protected against unexpected loss or destruction
• Rights of the individual will be protected
ICO code of practice
This is handled in four ways:
• Ethical approval for study
• Explicit consent from individual
• Follow security guidelines from ICO
• Develop strong governance around this data
Ethics and consents
Consent or explicit consent for data sharing is most likely to be needed where:
• confidential or particularly sensitive information is going to be shared without a clear legal basis for doing so;
• the individual would be likely to object should the data be shared without his or her consent; or
• the sharing is likely to have a significant impact on an individual or group of individuals.
Ethics should specify
• who you are;
• why you are going to share personal data;
• who you are going to share it with – this could be actual named organisations or types of organisation.
Security
• Data Best Practices for different data types
• Security Policies and Procedures and trained in application
You will need to:
• design and organise your security to fit the type of personal data you disclose or receive and the harm that may result from a security breach;
• be clear about which staff members in the organisations involved in the sharing are responsible for ensuring information security. They should meet regularly to ensure appropriate security is maintained;
• have appropriate monitoring and auditing procedures in place; and
• be ready to respond to any failure to adhere to a data sharing agreement swiftly and effectively.
Data sharing/access agreements
• Purpose
• Organisations & people
• Data items
• Accuracy, security, relevance, usability ..
• Retention, termination and sanctions
• Procedures: access request, queries, complaints
• Access and governance
Data management Framework
Ethics Management committee
• Members should include a lay person on the panel
• Interested parties should be represented
Data access committee
• Implementers of DAA
• SAB
• Data governance officers
Caldicott guardians
Compliance Locally
• data formats
• accuracy of data
• retention period
• deletion arrangements
• roles and permissions
FOIA
• Freedom of Information Act and how it does / does not apply
Cat 3 data
• This data is considered sensitive and, irrespective of setting, will never be held associated with the individual's personal identifiable information
Case studies
• 23andMe
• Care.data
True anonymisation
Is this possible?
What we do
• Recruit volunteers both healthy and patient
• Get signed consent
• Get lifestyle and general health data based on questionnaire
• Sample collected – blood
• Blood groups, FBC
• Extraction of DNA / sera / plasma
• Metabolon, serotyping and metabolomic markers
• Clinical records
• Additional questions …
Distinct Data types
• The personal communication data
• Identification data
• Phenotype data
• Specific clinical data
• Blood data
• Genotype data
• Metabolomics data
• Study involvement data
• ….
Our experience
• Keep personal and contact details separate from rest *
• Questionnaire data separately *
• Genotype data separately
• …
• Maintain different identifiers
• Mapping files stored securely *
• Study paperwork and study data *
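
Added example (not part of the original slides): a minimal Python sketch of the separation described above, where each data type is held in its own store under a different random identifier and only a separately held mapping can link them. The field names, store names and sample participant are constructed assumptions.

```python
import secrets

# Which fields belong to which store (field names are constructed for this example).
STORES = {
    "contact": ["name", "email", "phone"],
    "questionnaire": ["smoker", "exercise_hours_per_week"],
    "genotype": ["rs_example_1", "rs_example_2"],
}

def new_id(prefix):
    """Random identifier with no relation to the person or to other stores."""
    return f"{prefix}-{secrets.token_hex(8)}"

def split_record(record, stores, mapping):
    """Split one participant record into per-store rows under distinct identifiers.

    `stores` maps store name -> {store-specific id: row}; `mapping` is the
    link table (one row per participant) that must be held apart from the data.
    """
    known = {f for fields in STORES.values() for f in fields}
    unknown = set(record) - known
    if unknown:
        # Refuse unclassified fields rather than letting them land in the wrong store.
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    link = {}
    for store, fields in STORES.items():
        sid = new_id(store[:3].upper())
        stores.setdefault(store, {})[sid] = {f: record[f] for f in fields if f in record}
        link[store] = sid
    mapping.append(link)
    return link

def relink(mapping, from_store, from_id, to_store):
    """Resolve an identifier across stores; only possible with the mapping."""
    for link in mapping:
        if link[from_store] == from_id:
            return link[to_store]
    raise KeyError(from_id)

def demo():
    stores, mapping = {}, []
    # Constructed sample participant, not real data.
    record = {"name": "Alex Sample", "email": "alex@example.org", "phone": "000",
              "smoker": False, "exercise_hours_per_week": 3,
              "rs_example_1": "AG", "rs_example_2": "CC"}
    link = split_record(record, stores, mapping)
    return stores, mapping, link
```

In practice each store and the mapping would sit in separate systems with separate access controls; the in-memory dictionaries here only show the data layout.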
Tools specifically designed for collection of this information
• Questionnaire: REDCap
• Maintain visit personal data: CiviCRM
• Maintain questionnaire data: OpenClinica, caBIG
• Controlled vocabularies: SNOMED CT, dm+d, ICD, CDISC, HPO
• i2b2 integrated pseudo-anonymised views.
Policy guidelines
• Data Protection
• Confidentiality
• Information Security – NHS toolkit compliance, ISO27001
• Caldicott principles
• These policies must cover manual, verbal and computer-based information.
Federated organisation
• CRF and BRU / BRCs over England
• Exchange between the hospital and university or institute.
• Requirement for exchange formats and controlled vocabulary