Law & Governance
Commentary: Data Protection and the Promotion of Health Research: If the Laws Are Not the Problem, Then What Is?
Data protection laws offer such broad exemptions for research that research ethics boards and data custodians lack sufficient guidance as to when it may be acceptable to release data to researchers without consent. The result: idiosyncratic institutional policies that create major challenges for researchers conducting multi-centred studies. The 2005 CIHR Best Practices for Protecting Privacy in Health Research provide an important first step towards greater clarity. However, there is still a need to translate these Best Practices into harmonized policies. This should be seen as an opportunity rather than a threat. Clear rules for data protection will reinforce public trust, which is essential for continued access to personal information for research.
[To view the French abstract, please scroll down.]
Lack of clear guidanceIn general, data protection laws offer such broad exemptions for research that research ethics boards (REBs) and data holders (e.g., hospitals, provincial Ministries of Health) lack sufficient guidance as to the conditions under which it may be acceptable to release data to researchers without consent. Similarly, the Tri-Council Policy Statement (TCPS) offers little guidance in this area (Canadian Institutes of Health Research et al. 1998). Nor are there consistent messages coming from legal counsel. All this reinforces the anxiety of data holders over releasing the information in their custody. So, idiosyncratic policies have been developed, many of which go beyond the requirements of the law. This creates major challenges for researchers conducting multi-centred studies - both in terms of start-up delays and consistency in protocol across sites. The problem is further compounded when research crosses borders - not because there are major differences in legislation, but because of uncertainty over the equivalency of legislation and concern over loss of control over the data.
New models of researchOur frameworks for governing research - data protection laws, the TCPS, REBs and other institutional structures - are still largely geared towards discrete studies with tightly defined research goals that can be tied to specific data collections. Increasingly, though, researchers are developing registries and data/biobanks that will serve as research platforms for numerous research studies yet to be conceived. As electronic health records are harnessed for research, the distinction between what is care, what is quality improvement and what is research has blurred, as has the distinction between surveillance for public health purposes versus research. With regard to these databases, several questions arise. For example:
- Are the approval and ongoing oversight of these research
platforms the purview of the institutions from which the data were
gathered or the research ethics board? If the registries are a
compilation of data from several sites, how can one coordinate the
- What are the criteria by which these research platforms will be
reviewed - both at the time of their creation and for ongoing
- Once the database has been approved, is it necessary for a REB
to review each and every project that emanates from such a
database? If so, is there a need for full review?
- Is individual consent required for inclusion of individuals' data in these prospectively developed databases? If so, what constitutes a valid consent if the research questions cannot all be explicitly defined ahead of time?
An Important First Step towards Greater ClarityThe Canadian Institutes of Health Research have taken an important initial step in addressing these problems. After months of development and consultation, in October 2005, the CIHR Best Practices for Protecting Privacy in Health Research were released (CIHR 2005). These guidelines were developed for researchers, REBs and data holders to assist them in how best to apply data protection principles in the design and conduct of research involving humans. They build on the TCPS and the Fair Information Principles that are the foundation of our data protection legislation. The guidelines provide concrete examples, ethical principles and frameworks to assist researchers and REBs, thus preserving the decision latitude for REBs in their deliberations. While not restricted to observational studies, it is in this area that the guidelines offer their greatest potential for assistance.
The guidelines cover use of population records, administrative databases, clinical databases, survey data and linkages of these. They also wade into the murky territory of registries and biobanks for which the future uses of personal information are either unarticulated or only generally described. The document is particularly instructive in the area of determining whether it is impracticable to obtain individual consent for the use of personal data.
Further Steps NeededMere promulgation of these guidelines, though, is insufficient. The document itself is lengthy and does not provide "off-the-shelf" answers. There is still a need for readers to take the guidelines and adapt the principles-based approaches to their specific context. The CIHR is working with the National Council on Ethics in Human Research and the Canadian Association of Research Ethics Boards to implement these guidelines into practice. Similar efforts need to be undertaken with health information custodians (e.g., hospitals, provincial Ministries of Health) and with researchers. If the guidelines do become widely adopted by the research community and data holders as their source document in making policies, they could go a long way in providing a harmonized approach to privacy protection across provincial jurisdictions and in guiding any future legislation in this area.
In addition, the appropriate infrastructures are needed to conduct research using health data. While methods currently exist to anonymize data sets while still allowing for linkage of information from different data sources (Statistical Policy Office et al. 1994; Eurostat 1996; Sweeney 1997, 2002), outside of a handful of large research data centres across the country, there is very little expertise in appropriately de-identifying and managing these large data sets to maintain security and confidentiality. Many provinces lack the staff to manage data requests for research purposes or the expertise to de-identify data sufficiently before releasing them.
Finally, the future of health research lies in going beyond linkage and analysis of administrative data sets. Increasingly, research will combine administrative data with clinical records, individual surveys, and genetic information. These latter activities require individual contact, so consent will still be required. To manage this, we need to move from a project-by-project to a broader, more systemic approach to consent for research use of personal information (O'Neil 2001; Willison 2003; Caulfield et al. 2003). Our current structures for doing this just do not fit.
What Can We Expect in the Future?Data protection laws call for accountability in the use of personal information. Researchers can anticipate closer scrutiny regarding their use of such information. For example, researchers may be asked to justify whether particular data elements such as date of birth are needed and whether the data can be collected in a less identifiable format - e.g., year of birth rather than date of birth. REB approval will probably be required before data collected for one study can be used to answer a new, unrelated research question, or to permit one researcher to share data with another.
Researchers can also expect greater accountability for safeguarding data in their possession, whether through physical means (e.g., locked doors and filing cabinets), technical means (e.g., password protections for computer files) or procedural means (e.g., confidentiality agreements, data sharing agreements). This point raises concerns about the liability of research institutions for the management of data on the part of their faculty. Again, this calls for a systemic response on the part of research institutions and not just individual researchers.
Adapting to the new data protection laws will take time and will require creative solutions on the part of the research community. It will also have real costs. This should be seen as an opportunity rather than a threat. Clear rules for data protection will reinforce public trust, which is essential for continued access to personal information for research.
La protection des données et la promotion de la recherche sur la santé : si les lois ne sont pas le problème, alors quel est-il?
RésuméLes lois sur la protection des données prévoient des exemptions si vastes pour la recherche que les comités d'éthique de la recherche et les dépositaires de données n'ont pas suffisamment de balises pour déterminer quand il leur est loisible de divulguer des données aux chercheurs sans consentement. Résultat : des politiques institutionnelles particulières qui créent des défis majeurs pour les chercheurs qui mènent des études réparties dans plusieurs centres. Les Pratiques exemplaires des IRSC en matière de protection de la vie privée dans la recherche en santé (2005) constituent une première étape importante vers une plus grande clarté, mais encore faut-il transformer ces pratiques exemplaires en des politiques harmonisées. Cela devrait être perçu comme une occasion plutôt qu'une menace. Des règles claires en matière de protection des données contribueront à renforcer la confiance du public, un élément essentiel pour assurer un accès continu aux renseignements personnels à des fins de recherche.
About the Author(s)
Donald J. Willison, ScD
Centre for Evaluation of Medicines, St. Joseph's Healthcare
Department of Clinical Epidemiology & Biostatistics,
McMaster University, Hamilton, ON
Correspondence may be directed to Don Willison, Centre for Evaluation of Medicines, St. Joseph's Healthcare, 105 Main Street East, P1, Hamilton, ON L8N 1G8; tel.: 905-522-1155 Ext. 4911; fax: 905-528-7386; e-mail: firstname.lastname@example.org.
Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Human Research Council of Canada. 1998 (with 2000, 2002 updates). Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans. Ottawa: Authors. Retrieved September 8, 2006. http://www.pre.ethics.gc.ca/english/ policystatement/policystatement.cfm.
Canadian Institutes of Health Research Privacy Advisory Committee. 2005 (September). CIHR Best Practices for Protecting Privacy in Health Research. Retrieved September 8, 2006. http://www.cihr-irsc.gc.ca/e/documents/pbp_sept2005_e.pdf.
Caulfield, T., R.E.G. Upshur and A. Daar. 2003. "DNA Databanks and Consent: A Suggested Policy Option Involving an Authorization Model." BMC Medical Ethics 4: 1-4.
Eurostat. 1996. Manual of Disclosure Control Methods. Luxembourg: Office for Official Publications of the European Communities.
O'Neil, O. 2001. "Informed Consent and Genetic Information." Studies in History, Philosophy, Biology & Biomedical Science 32(4): 689-704.
Statistical Policy Office, Office of Information and Regulatory Affairs, and Office of Management and Budget. 1994 (May). Report on Statistical Disclosure Limitation Methodology. Statistical Policy Working Paper 22. Retrieved September 8, 2006. http://www.fcsm.gov/working-papers/wp22.html;.
Sweeney, L. 1997. "Weaving Technology and Policy Together to Maintain Confidentiality." Journal of Law, Medicine & Ethics 25(2&3): 98-110.
Sweeney, L. 2002. "k-anonymity: A Model for Protecting Privacy." International Journal on Uncertainty, Fuzziness and Knowledge-based Systems 10(5): 557-70.
Willison, D.J. 2003. "Privacy and Secondary Use of Data for Health Research. Experience in Canada and Suggested Directions Forward." Journal of Health Services Research and Policy 8(3 Supp. 1): 17-23.
Be the first to comment on this!
Personal Subscriber? Sign In
Note: Please enter a display name. Your email address will not be publically displayed