Constraintsand challenges

Health data constraints and challenges

Jyoti Khadake28th October 2016

What is health related data

• Self declared data– E.g health and lifestyle

• Health care records– E.g. hospital records

• Generated data– Eg. Blood groups, FBC

• Acquired data– E.g. Income group

Data related to person

• Personal data• Identifying data• Identifiable data• Anonymised data • Sensitive data• Aggregated data

Questionnaire

• This is a self declared questionnaire– can you identify the categories from earlier slide?

What is sharing of data• A reciprocal exchange of data;• One or more organisation/s providing data to a third

party or parties;• Several organisations pooling information and making it

available to each other;• Several organisations pooling information and making it

available to a third party or parties;• Exceptional, one-off disclosures of data in unexpected or

emergency situations; or• Different parts of the same organisation making data

available to each other.

Advantages to sharing data

• Furthering medical studies – diagnostic or curative

• Gaining better understanding of physiologyand processed.• Social and epidemiological impact • Quality of care• …..

Legal constrains for sharing this dataInformation-sharing is related to a number of different pieces of legislation:

Local authority responsibilities for sharing information under the Care Act 2014The common law duty of confidentialityThe Human Rights Act 1998, Article 8 (the right to respect for private life)The Data Protection Act 1998The Crime and Disorder Act 1998The Mental Capacity Act 2005General Data protection regulation 2016

EU declaration 2016Individuals • The right to be informed• The right of access• The right to rectification• The right to erasure• The right to restrict processing• The right to data portability• The right to object• Rights related to automated decision making and profiling

ICO : code of practice• Processed lawfully, fairly and transparent manner• Collected for specified purpose• Adequate and relevant and limited to necessary• Accuracy is maintained• Data subject will not be identifiable for longer

than necessary• Processed in a secured manner and protected

against unexpected loss or destruction• Rights of the individual will be protected

ICO code of practice

This is handled in four ways:

Ethical approval for studyExplicit consent from individualFollow security guidelines from ICO Develop strong governance around this data

Ethics and consentsConsent or explicit consent for data sharing is most likely to be needed where:• confidential or particularly sensitive information is going to be shared without a clear legal basis for doing so;• the individual would be likely to object should the data be

shared without his or her consent; or• the sharing is likely to have a significant impact on an

individual or group of individuals.Ethics should specify• who you are;• why you are going to share personal data;• who you are going to share it with – this could be actual

named organisations or types of organisation.

securityData Best Practices for different data typesSecurity Policies and Procedures and trained in application

You will need to:• design and organise your security to fit the type of personal datayou disclose or receive and the harm that may result from asecurity breach;• be clear about which staff members in the organisations involvedin the sharing are responsible for ensuring information security.They should meet regularly to ensure appropriate security ismaintained;• have appropriate monitoring and auditing procedures in place;and• be ready to respond to any failure to adhere to a data sharingagreement swiftly and effectively.

Data sharing/access agreements• Purpose• Organisations & people • Data items• Accuracy, security, relevance, usability ..• Retention, termination and sanctions• Procedures: access request, queries,

complaints• Access and governance

Data management Framework

Ethics Management committee• Members should have lay person on panel• Interested parties should be representedData access committee• Implementers of DAA• SAB• Data governance officersCaldicot guardians

Compliance Locally

• data formats, • accuracy of data, • retention period, • deletion arrangements, • roles and permissions

FOIA

• Freedom of information act and how it does/ does not apply

Cat 3 data

• This data is considered sensitive and irrespective of setting will never be held associated with the individuals personal identifiable information

Case studies

• 23 and me

• Care.data

True anonymisation

Is this possible?

What we do• Recruit volunteers both healthy and patient• Get signed consent• Get lifestyle and general health data based on

questionnaire• Sample collected – blood• Blood groups FBC• Extraction of DNA/ sera/ Plasma• Metabolon, serotyping and metabolomic markers• Clincial records• Additional questions …

Distinct Data types

• The personal communication data• Identification data• Phenotype data• Specific clinical data• Blood data• Genotype data• Metabolomics data• Study involvement data• ….

Our experience

• Keep personal and contact details separate from rest *

• Questionnaire data separately *• Genotype data separately• …• Maintain different identifiers • Mapping files stored securely *• Study paperwork and study data*

Tools specifically designed for collection of this information

• Questionnaire: REDCap• Maintain visit personal data: CIVI CRM• Maintain questionnaire data: Open clinica,

CaBig• Controlled vocabularies: SNOMED CT, DM+D,

ICD, CDISC, HPO• I2B2 integrated pseudo-anonimized views.

Policy guidelines

• Data Protection• Confidentiality • Information Security – NHS toolkit

compliance, ISO27001• Caldicott principles

• • These policies must cover manual, verbal and

computer-based information.

Federated organisation

• CRF and BRU/ BRCs over England• Exchange between the hospital and university

or institute.• Requirement for exchange formats and

controlled vocabulary