Legal, ethical, privacy, and security issues
Your country, your requirements
Registries provide valuable data for delivering healthcare and generating new knowledge through research, but the privacy of the individual – the data subject – must always be respected.
Regulatory requirements for establishing and maintaining a registry will vary between, and sometimes even within, countries, so it is essential to take advice from appropriate regional or national data protection authorities or institutional research ethics committees at an early stage. Local experts in data protection and privacy laws and ethics will need to consider the purpose of your registry (e.g., healthcare operation, public health, surveillance, or research), the status of the ‘owner’ or ‘controller,’ and the nature and source of the data.
An early, careful decision will need to be made about ownership or custodianship of your registry dataset. Although there is no agreement concerning the ownership of health information – should it be the patient, the healthcare provider, the insurance fund, other stakeholders, or the registry? – from
a practical perspective, an ‘owner’ or ‘controller’ needs to be designated to take responsibility for the registry’s operation within the law and other regulatory frameworks.
Broadly speaking, two lawful bases can be used to protect the rights of privacy and data protection:
- Consent – this must be given freely by the data subject and be specific and informed about how and why their identifiable and clinical data will be collected and used, and how, why, and for how long their identifiable and clinical data will be stored. Any associated risks and benefits should be clearly explained. It should also ideally address any potential future use of the registry for the same or different purposes. The consent process
often includes instructions on the procedures for withdrawal from the registry and retention or destruction of data collected on the subject prior to their instruction to withdraw. Information about how data will be processed must be accessible to data subjects according to literacy levels and language. There are two variations on the consent approach:
-
- Opt-in – this relates to a model in which the default position is that a patient is not in the registry unless they take action and give consent. If participation is all or nothing, it is called broad consent, but an individual’s autonomy can be further respected in this approach by allowing them to choose their level of participation, i.e., participate in some aspects of registry activity according to their assessment of the risks. Such a multiple-option approach is called tiered consent.
- Opt-out – this relates to a model where a patient is in the registry by default unless they take action and request removal. In this situation, if explicit consent is deemed necessary, the ‘respect of persons’ principle is considered subordinate to other ethical principles and values.
- Law – the need to obtain the explicit consent of the data subject can also be ‘waived’ (deemed not required) by an authorized body in certain circumstances and given specific conditions. For example, in some countries and in some situations, health insurance providers or government
insurance agencies have legal authority to use information derived from the patients. However, use of such data is subject to strict privacy agreements that cover its appropriate use. When a registry uses a waiver, it must usually provide readily accessible, publicly available information about its activities as an alternative to individual informed consent.
Under both lawful bases, whether data are being processed for clinical purposes, quality improvement, or research, three general ethical principles need to be applied:
- Respect for persons, including respect for autonomy (self-determination) and protection for persons with impaired or diminished autonomy.
- Beneficence, in other words, maximizing benefits while minimizing harms.
- Justice requires us to treat each person fairly, in keeping with what is morally right or proper.
One important consideration is the nature of the data. Personal data relating to health is generally considered sensitive and, therefore, requires special protection. Of course, a renal registry must collect such data, but some data may be more sensitive than others (e.g., race or ethnicity). The need for each item must be critically assessed and justified.
Another way that the risk of processing personal health information can be lessened is by protecting the individual from being identified in the data, either directly or indirectly. There are several ways to do this:
- Pseudonymization – personal data cannot be linked back to a specific data subject without the use of additional information, a ‘key,’ which must be stored separately with restricted access.
- Encryption – technological measures that make the data unintelligible to anyone without authorized access. This can be applied to data during transmission and storage
- Anonymization – all identifiers are removed so that there is no reasonable possibility of linking the data back to an individual. If data are fully anonymized so that there is no possibility of direct or indirect identification, and any ‘key’ to re-identify is destroyed, data are no longer considered personal data in many jurisdictions. However, anonymization reduces options for longitudinal follow-up and linkage of subjects and considerably limits the data’s value to a registry.
- Aggregation – data are presented at the group level. However, care must still be taken to minimize the risk of re-identification of patients in aggregate data when numbers in sub-groups are small, for example, in tables or when reporting rare events.
In addition, physical, technical, and administrative safeguards will need to be used during data collection, storage, transmission and processing. These security measures must be documented and undergo regular review and revision.
Ethical considerations arise in many of the key aspects of planning and operating a registry. These considerations can affect the scientific, logistical, and regulatory aspects of registry development, as well as claims of property rights.
Based on the three basic ethical principles above, several factors must be included in any consent process. Some of these require special consideration for registry work, such as the subject’s right to withdraw their participation.
At many institutions, an ethics committee (sometimes termed an institutional review board or similar) interprets the regulations to determine what activities require ethical review. Different approvals may be needed for the disclosure of personal information and the participation of patients in a registry.
Where possible, broad permissions should be requested for the analyses undertaken, with minimal restrictions on future use and options for use beyond the primary purpose. You are therefore strongly encouraged to consult your ethics committee early in the planning process to avoid delays, not least to agree on which activities are considered research and which are deemed non-research – public health practice and quality assurance/ improvement projects can have much in common with research projects.
Information about registry operations should be transparent – readily accessible to the public to educate patients and professionals – to build confidence in how privacy is being protected. Indeed, transparency is likely to be a requirement of any approvals.
Close attention to legal, ethical, privacy, security, and other governance matters will ensure wider participation in your registry, building public trust and confidence and ultimately improving patients’ safety and quality of care and generating new knowledge through medical research. The benefits from of including patients at all stages of the governance process are increasingly being recognized.