L10: Ethics and data integrity Flashcards
(10 cards)
why is info from tissue sensitive?
So detailed that individuals may be identified despite anonymisation of other identifiers
May inform about future disease susceptibility in living individuals
…and likewise for their relatives
Thus, relevant for e.g. prevention, insurance matters, etc.
record linkage
Linkage to other tissue and clinical information
Linkage to full medical history
Linkage to demographic information
new tissue acts
Balance between protection of individuals and helping useful research
Subject to different interpretation in different countries, regions and units
Always points toward an IRB or REC process
Under development
GDPR
The General Data Protection Regulation (GDPR) applies across Europe from 25 May 2018. In the UK, the Data Protection Act 1998 will be replaced with a new Act that works alongside the GDPR, providing a data protection framework appropriate for a digital age.
While the GDPR is designed to enhance individuals’ data protection rights, it will also lead to more onerous obligations for data controllers and processors (such as King’s).
Compliance with GDPR is monitored by the Information Commissioner’s Office (ICO)
They can issue enforcement notices (instructions which organisations must follow), prosecute organisations and individuals and impose monetary fines.
They also provide useful information for members of the public and guidance for organisations.
Any King’s related contact with the ICO must be through the Information Compliance team.
why is data protection important?
Data protection is important to the university and its stakeholders because:
It protects individuals from the misuse of their personal data. This includes your own personal data as a member of staff.
If we lose or share personal data incorrectly, we could suffer significant fines (up to €20 million or 4% of our global annual turnover, whichever is greater) and reputational damage.
Personal data is a valuable asset to the organisation and its quality, accuracy and integrity can help with important planning and management decisions.
what is personal and sensitive data?
Personal data is data from which a living individual is identifiable or potentially identifiable via all means reasonably likely to be used.
It includes facts and opinions about someone, as well as less obvious data such as location data, online identifiers, economic data, and the culture and social identity of a person.
It can be held in any format including paper, electronic documents, audio, videos or photographs.
The following categories of personal data are considered ‘sensitive data’ in the GDPR:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Health
Sex life and sexual orientation
Genetic data
Biometric data where processed to uniquely identify a person
(Criminal records and financial data are not categorised as ‘sensitive’ but similar extra safeguards should be applied in any event)
data protection principles
Lawfulness, fairness and transparency: We must identify one of the GDPR’s legal bases (or conditions) before processing personal data. These include:
Consent of the individual
Necessary for performing a contract with the individual (e.g. carrying out activities that are required to help fulfil the ‘student contract’)
Necessary to comply with a legal obligation (e.g. reporting statistics to HESA)
Necessary to perform the university’s official public tasks
(In limited circumstances only) Necessary for King’s legitimate interests
The right purpose: How would you feel if information about you was used without you being aware?
We can only use the information for the purposes for which it was provided.
You should always be mindful as to why you’ve generated or obtained personal data.
Too much or too little: When we use or collect personal data, we must ensure that it is relevant but not excessive.
Nor should we collect or use too little information; there’s no point in keeping it if it’s of no use.
It’s always worth thinking in advance about why you might need to collect personal information, and make sure you have a specific reason for doing so.
Being accurate and relevant: It’s important to make sure that we’re using information that is accurate and relevant.
Not only does this mean we can provide the best service possible, but if we have information that is inaccurate, this could result in errors and could cause distress or damage to individuals.
Always use centralised databases where possible, to make sure that you’re using the most up to date information.
Individuals also have a right to have information corrected if it is inaccurate.
Retaining information: Whilst we keep some information permanently in our archives, we can’t keep all information forever. This is because:
Outdated information may be used in error
As time passes, it becomes more difficult to ensure that information is still accurate
Retaining all the information we produce is resource intensive
Some legislation and guidelines only permit us to retain information for a prescribed period
The university has retention schedules which state how long we need to keep both paper and electronic information for.
Ensuring individuals’ rights: Individuals have a right to access information, and can request to see any files or data that we may hold about them. This is called a Subject Access Request.
Any individual can make a request, including members of staff, students and other individuals that we might interact with.
We may have to release factual information, as well as opinions in correspondence or emails.
Keeping information secure: If we lose, damage, or accidentally disclose information, we could potentially receive a fine of up to €20 million or 4% of global annual turnover, whichever is higher. A data breach may also cause individuals damage and distress.
Although we can put lots of technical measures in place to protect information, most security breaches happen by mistake. This can include losing files, accidentally emailing something to the wrong person, or the loss of a USB stick or CD.
It’s your responsibility to make sure that all personal and sensitive data is securely processed.
We’ll learn more about this in the next module, where there will be lots of hints and tips on keeping information secure.
Accountability: The final principle under the GDPR states that organisations must be able to demonstrate compliance with the other principles. It is not enough for King’s to comply; we have to be seen to be complying.
The range of processes that King’s has put in place to demonstrate compliance includes:
Appointing a Data Protection Officer to monitor compliance
Creating an inventory of the university’s main personal data processing activities
Establishing Data Stewards and Data Custodians to support the governance of our core data systems (HR, Students, Finance, Research Management and Estates)
Implementing Privacy Impact Statements for new projects using personal data
transferring info outside of europe
We work globally across a number of projects in the university, with lots of different partners.
Because of the lack of international legislation, if information is stored or transferred to a country outside of Europe, its safety can’t be guaranteed.
However, we often have to transfer information internationally to provide services, such as delivering study abroad programmes and collaborating on research.
If you are transferring information internationally for a new purpose, seek advice from the Information Compliance team, so we can make sure that all the necessary safeguards are in place.
think through ethical aspects of
Study question
Study design
Potential harm for participants
Potential benefit for participants
Potential harm for subjects in the future
Potential benefit for subjects in the future
responsibilities of: researcher/trialist, the principal investigator, the institution
practical points
Acknowledge ethical dilemmas
Explain them clearly in lay language
Show that you have means to minimize any harm
Thought experiment: How would the tabloids represent your study in an article about research scandals?