Published online by Cambridge University Press: 20 January 2017
Technological advances in the quality, availability and linkage potential of health data for research make the need to develop robust and effective information governance mechanisms more pressing than ever before; they also lead us to question the utility of governance devices used hitherto such as consent and anonymisation. This article assesses and advocates a principles–based approach, contrasting this with traditional rule–based approaches, and proposes a model of principled proportionate governance. It is suggested that the approach not only serves as the basis for good governance in contemporary data linkage but also that it provides a platform to assess legal reforms such as the draft Data Protection Regulation.
1 See for example; Communication from the Commission for a Digital Agenda for Europe, COM(2010) 245 final/2, at p. 29; Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross–border healthcare (OJ L 88, 4.4.2011, p. 45) and Commission Decision 2008/49/EC of 12 December 2007 concerning the implementation of the Internal Market Information System as regards the protection of personal data, (OJ L 13, 16.1.2008, p. 18); Karl A. Stroetmann, Jörg Artmann, Veli N. Stroetmann et al, European Countries on their journey towards national eHealth infrastructures: Final European Progress Report,(2011); Williams, James and Kuziemsky, Craig, “Institutional Liability in the E–Health Era”, 9 Canadian Journal of Law and Technology (2011), pp. 185 et sqq., at p. 192.Google Scholar
2 Lowrance, William, Privacy, confidentiality and health research, (Cambridge: Cambridge University Press 2012)CrossRefGoogle Scholar, Lowrance, William, “Learning from experience : privacy and the secondary use of health data in research”, 8 J Health Serv Res Policy (2003), pp. 2–7;CrossRefGoogle ScholarPubMed Willison, Don, “Privacy and the secondary use of data for health research : experience in Canada and suggested directions forward” 8 J Health Serv Res Policy (2003), pp. 17–23;CrossRefGoogle ScholarPubMed Law, Margaret, “Reduce Reuse, Recycle : Issues in the Secondary Use of Research Data”, Spring IASSIST Quarterly (2005), pp. 5 et sqq., at p. 7;Google Scholar Brown, Julia and Semradek, Joyce, “Secondary Data on Health–Related Subjects: Major Sources, Uses and Limitations”, 9 Public Health Nursing (1992), p. 162;CrossRefGoogle ScholarPubMed Lelliot, Paul, “Secondary Uses of Patient Information”, 9 Advances in Psychiatric Treatment ((2003), pp. 221 et sqq., p. 226.Google Scholar
3 Thomas, Richard and Walport, Mark, Data Sharing Review Report, (2008); Academy of Medical Sciences, A new pathway for the regulation and governance of health research, (2011);Google Scholar Fortin, Sabrina and Knoppers, Bartha, “Secondary uses of personal data for population research”, 5 Genomics, Society and Policy (2009), pp. 80;CrossRefGoogle ScholarOrganisation for Economic Co–operation and Development, Report on the cross–border enforcement of privacy laws, (2006); Organisation for Economic Co–operation and Development , The Evolving PrivacyLandscape; 30 Years After the OECD Privacy Guidelines, OECD Digital Economy Papers, No.176 (OECD Publishing: 2011); Bloomrosen, Meryl and Detmer, Don, “Advancing the Framework: Use of Health Data – A Report of a Working Conference of the American Medical Informatics Association”, 15 Journal of the AmericanInformatics Association (2008), pp. 715–722;CrossRefGoogle Scholar Laurie, Graeme and Sethi, Nayha, Information Governance of Use of Health–RelatedData in Medical Research in Scotland: Current Practices and FutureScenarios, (University of Edinburgh School of Law Working Paper No 2011/26, 2011).Google Scholar
4 The House of Lords Report on Genomic Medicine offers an account of the regulatory hurdles which must be surpassed by researchers in order to gain approval. See House of Lords Science and Technology Committee, Genomic Medicine, Volume 1: Report, (HL Paper 17-I 2009).
5 For example, in contrast to the Privacy Advisory Committee for Scotland, which advises on health data linkages despite a lack of statutory authority, in England and Wales, by virtue of section 251 of the NHS Act 2006,the Ethics and Confidentiality Committee (under the auspices of the National Information Governance Board) enjoys the statutory authority to take such decisions. Additional decision makers charged with overseeing the appropriate sharing of health data include Caldicott Guardians and Research Ethics Committees. This is all in addition to the legal responsibilities to which Data Controllers are subject under the European Data Protection Directive.
6 The Academy of Medical Science, Personal data for public good: using health information in medical research, (2006), at p. 3.
7 For further discussion, Laurie and Sethi, Information Governance of Use of Health–Related Data, supra note 3
8 The Academy of Medical Sciences, Personal data for public good:supra note 6, at p. 29.
9 Kern, Alexander and Maoloney, Niamh, Law Reform and Financial Markets, (Cheltenham: Edward Elgar Publishing: 2011) at p. 8.Google Scholar
10 Julia Black, The Rise, Fall and Fate of Principles Based Regulation, (LSE Law Society and Economy Working Papers 17/2010 2010).
11 Black, Julia, Hopper, Martyn and Band, Christa, “Making a success of Principles–based regulation”, 13 Law and Financial Markets Review (2007), at p. 191.Google Scholar
12 Arjoon, Surendra, “Striking a Balance Between Rules and Principles–based Approaches for Effective Governance: A Risk-based Approach” 68 Journal of Business Ethics (2006), pp. 53 et sqq., at p. 65.CrossRefGoogle Scholar
13 See for example Kaye, Jane et al, “From patients to partners: participant–centric initiatives in biomedical research”, 13 Nature Review Genetics (2012), p. 371.CrossRefGoogle ScholarPubMed
14 UK Data Protection Act 1998 (section 33).
15 The Academy of Medical Sciences, Personal data for public good:supra note 6, at p. 4.Google Scholar
16 We recognise the limitations of anonymisation. For further discussion, see in particular: Ohm, Paul, “Broken Promises of Privacy : Responding to the Surprising Failure of Anonymization” 57 UCLA Review (2010), p. 1701 Google Scholar and Lowrance, William, Privacy, Confidentiality and Health Research, (Cambridge University Press 2012), p. 93–99.CrossRefGoogle ScholarPubMed
17 Arjoon, “Striking a Balance”, supra note 12, at p. 55.
18 See Honderich, Ted (ed.), The Oxford Companion to Philosophy, (Oxford: Oxford University Press, 1995) p. 719 Google Scholar.
19 Braithwaite, John, “Rules and Principles: A Theory of Legal Certainty”, 27 Australian Journal of Legal Philosophy (2002), pp. 47 et sqq., at p. 51 Google Scholar
20 Raz, Joseph, “Legal Principles and the Limits of Law”, 81 Yale Law Journal (1972), pp. 823 et sqq.,, at p. 838.CrossRefGoogle Scholar
21 Larry Alexander and Emily Sherwin, Demystifying Legal Reasoning, (Cambridge University Press: 2008), at p. 11.Google Scholar
22 On the guiding principles of good governance itself, see Independent Commission on Good Governance, The Good Governance Standard for Public Services, (2004), at p. 4.Google Scholar
23 Beauchamp, Tom and Childress, James, Principles of Biomedical Ethics, Fifth Edition, (Oxford University Press 2001) at p. 13.Google ScholarPubMed
24 For a worked example of principles in action and more commentary on ‘specification’, see Gordon, John–Stewart, Rauprich, Oliver and Vollman, Jochen,”Applying the four–principle approach” 25 Bioethics (2011), pp. 293–300;CrossRefGoogle ScholarPubMed Beauchamp, Tom, “Making Principlism practical: a commentary on Gordon, Rauprich and Vollman”, 25 Bioethics (2011), pp. 301–303.CrossRefGoogle Scholar
25 Julia Black, The Rise Fall and Fate, supra note 10, at p. 7 ; Korobkin, Russell, “Behavioral Analysis and Legal Form: Rules vs. Standards Revisited” 79 Oregon Law Review (2000), pp. 23 et sqq., at p. 26.;Google Scholar Frederick Schauer, “The Convergence of Rules and Standards”, 79 New Zealand Law Review (2003), pp. 303 et sqq. at p. 305; MacCormick, Neil, “Reconstruction after Deconstruction: A Response to CLS”, 10 Oxford J. Legal Stud. (1990), pp. 539 et sqq., at p. 545.CrossRefGoogle Scholar
26 Alexy, Robert, A Theory of Constitutional Rights, Translated by Julien Rivers, (Oxford 2002), p. 44 Google Scholar
27 Lyall, Catherine, Papaioannou, Theo and Smith, James (eds), The Limits to Governance: The Challenge of Policy–making for the New Life Sciences, (Ashgate, 2009), pp. 1–17.Google Scholar
28 Beauchamp and Childress, Principles in Biomedical Ethics, supra note 21, particularly at p. 15–19 ; Richardson, Henry, “Specifying, Balancing, and Interpreting Bioethical Principles”, 25 Journal of Medicine and Philosophy (2000), pp. 285 et sqq., at p. 287.CrossRefGoogle ScholarPubMed
29 Gert, Bernard, Culver, Charles and Clouser, Danner, Bioethics: A Return to Fundamentals, (Oxford: Oxford University Press 1997), p. 89.Google Scholar
30 Daniels, Norman, “Accountability for Reasonableness”, 321 British Medical Journal (2000), p. 1300.CrossRefGoogle ScholarPubMed
31 See House of Lords Science and Technology Committee, Genomic Medicine, supra note 4 and text above.
32 Rawls, John, A Theory of Justice, (Clarendon Press:1971)Google Scholar and Rawls, John, Political Liberalism, (New York: Columbia University Press:1993).Google Scholar
33 See further Daniels, “Accountability for Reasonableness”, supra note 28.
34 Beauchamp and Childress, Principles in Biomedical Ethics, supra note 21; Chambers, Tod, The Fiction of Bioethics: cases as literary texts, (York: Routledge 1999), p. 30.Google Scholar
35 Selgelid, Michael, “Universal Norms and Conflicting Values”, 5 Developing World Bioethics (2005), pp. 267 et sqq., at p. 269.CrossRefGoogle ScholarPubMed
36 See in particular – Pulido, Carlos Bernal, “The Rationality of Balancing”, 92 Archiv für Rechts– und Sozial Philosophie (2006), p. 195 Google Scholar and Richardson, “Specifying, Balancing and Interpreting”, supra note 26.
37 Beauchamp and Childress, Principles of Biomedical Ethics, supra note 21.; Aleinikoff, Thomas Alexander, “Constitutional Law in the Age of Balancing”, 96 Yale Law Journal (1987), p. 983.CrossRefGoogle Scholar
38 Harris, John, “In praise of unprincipled ethics”, 29 J Med Ethics (2003), p. 303.Google ScholarPubMed
39 Pulido, “The Rationality of Balancing”, supra note 34.
40 Richardson, “Specifying, Balancing and Interpreting”, supra note 26, at p. 288. ; Dan Callahan, “Principlism and Communitarianism”, 29 J Med Ethics (2003), pp. 287 et sqq., at p. 289 ; Campbell, Alistair, “The virtues (and vices) of the Four Principles”, 29 J Med Ethics (2003), pp. 292 et sqq., at p. 294.CrossRefGoogle ScholarPubMed
41 Black notes that the rhetoric of PBR ‘invokes, not deregulation but a re–framing of the regulatory relationship from one of directing control to one based on responsibility, mutuality and trust’. She continues that the relationship between regulator and regulatee evolves; regulatees ‘adopt a self–reflective approach’ and regulators ‘apply principles’ predictably. See Julia Black, Forms and Paradoxes of principles–based regulation, (LSE Law Society and Economy Working PapersWorking Papers 13/2008 2008), pp. 1 et sqq., at p. 8.
42 Schwarcz, Steven, “The “Principles” Paradox”, 10 European Business Organization Law Review (2009), pp. 175 et sqq., at p. 176.Google Scholar
43 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, Nov. 23, 1995.
44 UK Data Protection Act Part 1 s4(4).
45 Section 55(A) Data Protection Act 1998.
46 UK Data Protection Act Schedule 1 – The Data Protection Principles.
47 Ministry of Justice, “Call for Evidence on EU Data Protection Proposals”, (2012), available on the Internet at <https://consult.justice.gov.uk/digital-communications/data-protectionproposalscfe/supporting_documents/eudataprotectionproposalscallforevidence.pdf> (last accessed on 12 April 2012).; Wong, Rebecca, “Assessing the Status of Medical Information in the light of the UK Data Protection Act 1998”, 5 Web Journal of Current Legal Issues (2008);Google Scholar Hazel Grant, “United Kingdom”, in Catrien Noorda and Stefan Hanloser (eds), E–Discovery and Data Privacy : A Practical Guide (The Netherlands: Kluwer Law International BV 2011), pp. 295 et sqq., at p. 297.
48 Rynning, Elisabeth, “Processing of Personal Data in Swedish Health Care and Biomedical Research”, in Deryck Beyleveld, David Townend, Segolene Rouille–Mirza et al (eds), Implementation of the Data Protection Directive in Relation to Medical Research in Europe (England : Ashgate Publishing 2004), pp. 381 et sqq., at p. 402 Google Scholar.
49 Laurie, Graeme, “Evidence of support for biobanking practices”, 337 British Medical Journal (2008): p. 337.CrossRefGoogle ScholarPubMed
50 It is important to remember, and often forgotten, that consent is but one lawful basis for processing, even when data are sensitive and require both schedule 2 and schedule 3 of the Data Protection Act (1998) must be satisfied.
51 Proposal for a new Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) Brussels, 25.1.2012 COM(2012) 11 final.
52 Draft Recital 7, supra note 46.
53 In fact, proportionality is emerging as a key concept within the regulatory landscape and features in the proposal for a new EU Data Protection Regulation, supra note 46. Note mention of proportionality also appears in draft recitals 133 and 139 and also draft Article 22(4).
54 See draft Recitals 22, 53, 123, 125 and 126.
55 Pursuant to Article 290 TFEU.
56 The following publications offer examples of the research which SHIP has facilitated: Logue, Jennifer et al, “Do men develop type 2 diabetes at lower body mass indices than women?” 54 Diabetologia (2011), pp. 3003–3006; CrossRefGoogle ScholarPubMed Walker, Jeremy et al, “Effect of Socioeconomic Status on Mortality Among People with Type 2 Diabetes; A study from the Scottish Diabetes Research Network Epidemiology Group”, 34 Diabetes Care (2011), pp. 1127–1132.CrossRefGoogle ScholarPubMed
57 SHIP, “A Blueprint for Health Records Research in Scotland”, December 2011, available on the Internet at: <http://www.scot-ship.ac.uk/publications> (last accessed on 04 January 2013).
58 Graeme Laurie and Nayha Sethi, ‘SHIP Working Paper 1: Information governance of use of health-related data in medical research in Scotland: current practices and future scenarios’, 26 U. of Edinburgh School of Law Working Paper (2011), available via SSRN at <http://ssrn.com/abstract=1946258> (last accessed on 04 January 2013). Graeme Laurie and Nayha Sethi, ‘SHIP Working Paper 2: Information governance of use of health-related data in medical research in Scotland: Towards a Good Governance Framework’, 13 Edinburgh School of Law Research Paper (2012), available via SSRN at <http://ssrn.com/abstract=2037117> (last accessed on 04 January 2013).
59 See all, supra note 42.
60 SHIP demonstrates how it complies with the Data Protection “Principles” in its Privacy Impact Assessment. See SHIP, “SHIP Privacy Impact Assessment”, January 2012, available on the Internet at : <http://www.scot-ship.ac.uk/sites/default/files/Reports/SHIP_PIA_v1_040112.pdf> (last accessed on 04 January 2013).
61 Sama, Linda and Shoaf, Victoria, “Reconciling Rules and Principles: An Ethics-Based Approach to Corporate Governance”, 58 Journal of Business Ethics (2005), pp. 1.CrossRefGoogle Scholar
62 Beauchamp, Tom, “The ‘Four Principles’ approach to health care ethics”, in Richard Ashcroft, Angus Dawson and Heather Draper (eds), Principles of health care ethics, 2nd ed. (Chichester: John Wiley and Sons 2007), at pp. 1. et sqq., at p. 8.Google Scholar