Handling personal information
Often, researchers use personal registers, which can be an indespensable part of a research project. In longitudinal studies, the research is conducted over a longer time - up to thirty years is not uncommon - and aims at following things such as changes in health and social situation for certain population groups to, for example, learn about how certain work conditions affect us in the long term. Such research is essential but the personal information used therein can be sensitive in nature. As the handling of personal information entails risks of infringing on the integrity of the person in question, and moreover can be rather costly, a research project's benefit must be weighed carefully against the costs and risks associated with the handling of personal information.
Personal information refers to all kinds of information that directly or indirectly can be attributed to a living, individual physical person. It can be information on the person's name, personal number, birthdate, nationality, education, family or employment conditions. Other types of information of a less personal character can also be considered personal data. Note that coded information is considered personal data as long as a code key exists.
The EU
In Europe, the European Parliament and the Council of Europe's Directive 95/46/EC on protection of individuals with reference to the handling of personal information and on the free flow of such information has guided development within this area. The directive has enabled the flow of personal information between EU countries, but it is also necessary that member states transmit personal information to a third country only if that country guarantees an "adequate" protection level for the information. The first four countries considered to have attained such a level of protection were Switzerland, Canada, Hungary and the US. A few others have since been added. It is also allowed, among other things, to transmit personal information that is to be used only in a country that has entered the Council of Europe's Convention for the protection of individuals with regard to automatic processing of personal data (see below). The Directive allows EU countries to transmit personal information to another country even if that country does not have an adequate protection level, if the personal information officer (see below) can guarantee the integrity level. In the directive's wake, a number of recommendations and interpretations have been presented by the EU's Data Protection Working Party.
Personal Data Regulation
While rules on official secrets typically govern when data may be released, various Personal Data Acts - they are harmonized over the EU - governs how data are used. According to them, the person in question is to be informed as to which information will be used. A person who submits information to a personal register established for research purposes has a further right to resulting information regarding him or herself. If a person can be identified - registers can also be anonymous - he or she also has the right to demand that incorrect or incomplete information be corrected or completed. The researcher should inform the subject on this issue. It is common that the responsibility to uphold good register practice lies with the research department's chairperson or president.
The principal rule is that the handling of personal information requires consent from the person in question, with an exception for certain handling that is considered necessary. For example, handling of information can be seen as necessary if it concerns a task of public interest. However, if sensitive information is involved, such as information on race or ethnic origin, political opinion, religious or philosophical conviction, membership in a union, or health or sex life, stricter demands apply. According to most of the regulations, handling such information for research requires approval from a research ethics board or the like. The main principles are that the use of sensitive information for statistical purposes must be necessary and that the interest to society must clearly outweigh the risk to an individual's integrity that handling of information can involve. As noted, a condition to be met for personal information from, e.g., patient journals to be released for research purposes is that the release be consistent with relevant provisions regarding secrecy, etc.
USA & International
In research done in collaboration with US researchers, a question of Certificates of Confidentiality might come up. These certifficates are intended to help meet the obligations of confidentiality by preventing forced disclosure of identifiable data during legal proceedings. They are authorized by federal law and granted the U.S. Department of Health and Human Services for information that, if disclosed, "could have adverse consequences or damage subjects' financial standing, employability, insurability, or reputation." The current federal law states that with a Certificate, "persons engaged in biomedical, behavioral, clinical, or other research … may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals."
The first important international guidelines regarding personal information were OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe's Convention for the protection of individuals with regard to automatic processing of personal data. The two were rather similar and were both grounded in the idea of "fair information practices", something that has characterized policy documents the world over since then due to the overwhelming support the two guidelines have received. As opposed to the Guidelines, the Convention - more narrow in content (only ADP, or automatic data processing) - is binding only for the states that have ratified it. OECD has also published Guidelines on Security of Information Systems. The UN's Guidelines Concerning Computerized Personal Data Files can also be mentioned here.
Last updated: 2010-01-04