Data Protection and Medical Data Posted by John on 27 May 2015

The recent news that a set of medical records, some dating back as far as 1984, were soon to be destroyed, raised some eyebrows recently. As is often the case, there is a ‘story within the story’, and this time, it was a veritable tour through the Irish Data Protection legislation. 

The records in question are ‘Heel Prick’ test cards, each holding a minute blood sample taken from an infant within hours of birth. These samples are used to screen each newborn baby for a range of conditions, in order to begin appropriate treatment and care as early as possible in the child’s life. 

About three years ago, it emerged that Temple St Children’s Hospital, which co-ordinates the blood analysis for the Irish hospitals, had kept all such cards going back 28 years. In fact, the hospital had even more in storage up until the previous year, when a flood reduced a further 15 years’ worth of these records to a soggy mess. Once it became known that this data was still extant, an eclectic mixture of interested parties began to set out their arguments, either for further retention or immediate destruction of the records. 

Naturally, some members of the medical and clinical research sectors recognised the value of the data as a unique source of information on the health of a sizeable proportion of the Irish population. Also interested in the retention of the data were members of the criminal justice fraternity, who realised that the samples offered a de facto starter kit for a national DNA database, containing as they do the genetic identifiers of most Irish citizens aged between 0 (low risk of offending) and 28 (slightly older than the average occupant of our state prisons). Weighing in on the other side of the debate came the learned guardians of our Civil Liberties, citing Data Protection legislation as a primary basis for the immediate destruction of these records. 

Their primary argument for destruction was based on Rules 1 and 2 of the legislation – namely that the data was a) not being processed fairly in that it was being stored for unspecified future use, and b) that having been acquired for a specific purpose, the initial testing for certain illnesses, that function had long ago been satisfied, and there was no justification for retaining the data. 

Since the story came to light a couple of years ago, there has been considerable lobbying by these various groups with the HSE, the Department of Justice, and the Office of the Data Protection Commissioner. This ended recently with the publication in the national press of a formal notice to the readers – not quite accompanied with fanfare, colours and bright lights, it nestled unobtrusively in the bottom corner of an inside page, and was easily overlooked. In brief, the statement, issued by the HSE but with clear reference to Data Protection legislation, explained the background to the case, and set out the following approach, which appears to have been agreed by the above-named organisations: All blood samples from infants born between 1984 and 2002 (i.e. ten or more years old) will be ‘disposed of’ during 2013. 
Thereafter, on a rolling basis, cards will be destroyed once they are more than ten years old. The story doesn’t quite finish there, however. The HSE offers individuals the right to determine the use and processing of their own personal data, where records still exist. Therefore, people born between 1984 and 2002 have until March 31st 2013 to request the return of their sample card (those still underage can have the data requested on their behalf by a parent or guardian). 

Anyone born after 2002 can also request that their blood card be disposed of during the coming months, i.e. before it reaches its new, ten-year ‘shelf life’. Conclusion It has been an interesting case, demonstrating a range of data management challenges, including fair processing, establishing specific purpose(s), parental consent for processing, excessive and incompatible processing, safe and secure (and waterproof) storage, the challenge to preserve the currency and accuracy of data, the appropriate retention schedule for such sensitive data, and last but not least, the right of the individual to a copy (or in this case, the original) of their data on request. 
It isn’t often that one case study encapsulates such an extensive range of Data Protection considerations. And it looks like it will rumble on for a while longer – under the headline “Unique Irish DNA database could be used for life-saving medical research” the Royal College of Physicians of Ireland issued a press release on its web-site on January 18th, pleading for the retention of at least a meaningful sample of the blood data, even in anonymised format, for research purposes. 

Destruction of this “priceless national asset”, which offers “a unique bio-historical archive of pre-immigration Ireland” they claim, “is the easy but wrong option”. 

Anonymisation would certainly take the data beyond the reach of the DP legislation, but the sense is that to allow this point would be to open the gates to the possibility of further requests for retention, prolonging the original failure. 

Perhaps we are already learning from this experience – in the same week as the notice of the proposed ‘disposal’ appeared in the national papers, another story appeared proposing to make DNA profiling mandatory for prisoners convicted in Ireland for particularly serious crimes. 
So while the Heel Prick cards may be shredded in due course, a DP compliant DNA database could well be part of our future. Hugh Jones is a consultant tutor delivering the ICS’s Data Protection certification programme.