Data privacy and consent management are critical aspects of ensuring that individuals' personal information is handled responsibly and ethically, particularly in healthcare settings where sensitive medical data is involved. Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure, while consent management involves obtaining and managing individuals' permissions for the collection, storage, and processing of their data.
In healthcare, patients entrust providers with their sensitive medical information, expecting that it will be kept confidential and used only for legitimate purposes related to their care. Robust data privacy measures include encryption, access controls, and anonymization techniques to safeguard patient data from unauthorized access or breaches. Additionally, healthcare organizations must adhere to regulatory standards such as HIPAA in the United States or GDPR in the European Union, which outline specific requirements for the protection of patient information and impose penalties for non-compliance.
Consent management plays a crucial role in ensuring that individuals have control over how their data is used. Patients should be informed about the purposes for which their data will be collected and processed, as well as any potential risks or benefits associated with its use. Obtaining informed consent involves providing individuals with clear and transparent information about their privacy rights and giving them the opportunity to consent to or decline the use of their data for specific purposes. Consent management systems help healthcare organizations track and manage patients' consent preferences, ensuring that data is used in accordance with their wishes and legal requirements.
Effective data privacy and consent management practices not only protect individuals' privacy rights but also foster trust and transparency in healthcare relationships. By implementing robust security measures, respecting patients' autonomy, and promoting informed decision-making, healthcare organizations can uphold the principles of data privacy and consent while leveraging data responsibly to improve patient care and outcomes.
1. Welcome
“Data Privacy and consent management in Clinical
Research”
Student’s Name :- K. Sailaja
Student’s Qualification :- Pharm. D
Student ID :- 022/022024
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
1
2. Overview
Data Privacy ( What and Why ).
• Regulatory Framework
• GDPR(principles ,Rights, Terminology),
• HIPAA(Rules, Types of safeguards)
• DPDPA-2023
• Difference between GDPR and DPDPA
• Informed Consent Process
• Consent Management Strategies.
• Emerging Trends in Data Privacy & Consent
Management
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
2
3. Data Privacy VS Data Security VS Data protection
What is Data Privacy?
“Data Privacy” is an area of data protection that concerns the proper handling, processing, storage
and usage of sensitive data including personal data, confidential data. The main aim is to meet the
regulatory requirements and data protection laws as well as protecting the confidentiality of the data.
What is Data Security ?
“Data Security ” is focused on protecting personal data from any unauthorized third-party access or
malicious attacks and exploitation of data. It is set up to protect personal data using different methods
and techniques like network security, access control, breach response, encryption and multi-factor
authentication.
What is Data Protection?
Roughly speaking data protection falls under three broad categories, namely traditional data protection
such as back up and restore copies, data security, and data privacy.
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
3
4. Regulatory Frameworks
1950 - European Convention on Human Rights
2003-2005 - Healthcare Insurance Portability and Accountability
Act (HIPAA) – Privacy and Security Rules (USA)
2016-18 - General Data Protection Regulation (GDPR)(Europe)
2023 - Digital Personal Data Protection Act
(DPDPA) (INDIA)
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
4
5. General Data Protection Regulation (GDPR) ACT- 2018:
What is GDPR?
GDPR is a comprehensive data protection law in the European
Union (EU) that regulates the processing of personal data. It
aims to strengthen individuals' rights regarding their personal
information and imposes obligations on organizations handling
such data to ensure transparency, accountability and the lawful
processing of data.
GDPR Data Protection Principles ( Article 5.1-2)
1.”Lawfullness ,fairness and transparency
2. Data Minimization
3. Confidentiality and integrity
4. Accuracy
5. Accountability
6. Storage limitations
7. Purpose Limitations
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
5
6. GDPR Terminology
Personal Data: Any information related to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers,
or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Data Subject: An identifiable natural person whose personal data is processed by a controller or processor.
Data Controller: The entity that determines the purposes, conditions, and means of the processing of personal data. This could be an organization,
business, or individual.
Data Processor: An entity that processes personal data on behalf of the data controller. This could be a service provider or another organization.
Processing: Any operation or set of operations performed on personal data, whether by automated means or not. This includes collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure, or destruction of data.
Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative
action, signify agreement to the processing of their personal data.
Data Protection Officer (DPO): An individual or organization appointed by a data controller or processor to oversee GDPR compliance and data protection
strategy.
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
6
7. GDPR Data Subjects Privacy Rights
GDPR
2018
Right to
Access
Right to
Rectification
Right to
Erasure
(Right to be
Forgotten)
Right to
Restrict
Processing
Right to
Data
Portability
Right to
Object
Rights in
Relation to
Automated
Decision
Making and
Profiling
Right to
Withdraw
Consent
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
7
The General Data Protection Regulation (GDPR) grants several rights to
individuals (subjects) regarding their personal data. Here is a list of the
main rights granted to individuals under GDPR:
8. Health Insurance Portability and Accountability Act,(HIPAA)
2003-2005
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
Privacy rule
Security rule
Breach notification rule
Enforcement rule
Healthcare Providers:
This includes healthcare professionals
such as doctors, nurses,
psychologists, chiropractors, clinics,
hospitals, nursing homes, and
pharmacies, among others, who
transmit any health information
electronically in connection with
transactions for which HHS has
adopted standards.
Health Plans:
Health plans include health insurance
companies, HMOs (Health
Maintenance Organizations), company
health plans, government programs
such as Medicare and Medicaid, and
other types of health insurance
issuers.
Healthcare Clearinghouses:
These are entities that process
nonstandard health information they
receive from another entity into a
standard (i.e., standard electronic
format or data content), or vice versa.
This can include billing services,
repricing companies, and community
health management information
systems.
Health care /Business associates,
which are persons or entities (other
than members of the covered entity's
workforce) who perform functions or
activities on behalf of, or provide
certain services to, a covered entity
that involves the use or disclosure of
protected health information (PHI).
Examples of business associates
include third-party administrators,
billing companies, and legal services
9. Rules of HIPAA
PRIVACY RULE 2003
• The Privacy Rule of HIPAA, officially known as the Standards for Privacy of Individually Identifiable Health Information, sets
national standards to protect individuals' medical records and personal health information (PHI). It regulates how covered
entities use and disclose PHI, granting individuals rights over their health information and ensuring its confidentiality and
security. The Privacy Rule applies to healthcare providers, health plans, and healthcare clearinghouses that transmit health
information electronically.
SECURITY RULE 2005
• The Security Rule of HIPAA establishes standards to safeguard electronic protected health information (ePHI). It requires
covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and
availability of ePHI. The Security Rule aims to protect healthcare data from unauthorized access, use, or disclosure, thereby
enhancing the overall security of electronic health information.
Breach Notification Rule:
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the U.S. Department of Health
and Human Services (HHS), and, in some cases, the media, following a breach of unsecured PHI. Covered entities must also
notify HHS annually of breaches affecting fewer than 500 individuals and maintain documentation of breaches.
Enforcement Rule: The HIPAA Enforcement Rule outlines the procedures and requirements for
investigations and penalties related to HIPAA violations. It establishes the authority of the HHS Office
or Civil Rights (OCR) to enforce HIPAA and impose civil monetary penalties for non-compliance)
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
9
10. TYPES OF SAFEGUARDS
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
10
Organizations must document their security management
process, analyze risks to ePHI and implement security
measures to mitigate them
EX: risk assessment , assigning a privacy official, staff training.
Administrative
Safeguards
Organizations must control access to the physical facilities
where ePHI and is stored and secure all workstations and
devices that store or transmit ePHI
EX:Alarm systems, Security systems, Locking areas where PHI
is stored
Physical
safeguard
Organizations must implement the technical safeguards that
include hardware , software, and other technology to limit
access to ePHI
EX: Data encryption, antivirus software, automatic logoff and
audit control.
Technical
safeguards
11. Digital Personal Data Protection Act (DPDPA)
The Digital Personal Data Protection Act (DPDP Act) of 2023 is a significant legislation enacted in India to regulate the processing,
storage, and protection of personal data.
SCOPE:. It aims to enhance data privacy and security standards within the country's digital ecosystem
Consent: It emphasizes the importance of obtaining explicit and informed consent from data subjects before collecting, processing or
sharing their personal data
REQUIREMENTS:-
• Obtain consent from individuals before processing their personal data
• Use personal data only for the purposes for which it is collected
• Protect personal data from unauthorized access, use, disclosure, alteration , or destruction
• Respond to individual’s requests for access, correction , deletion and objection .
• Report data breaches to the DPA
• KEY DATES: Effective from 1/01/2024,complained to be determined but could be as soon as June 2024
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
11
12. Differences between GDPR and DPDP
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
12
PROPERTY GDPR –EUROPEAN UNION DPDPA -INDIA
Jurisdiction
applies to all member states of the
European Union and also governs the
processing of personal data of EU
citizens wherever it occurs globally.
applies solely to India,
Scope:
GDPR covers a broader range of data
including personal data, sensitive
personal data, and data related to
criminal convictions and offenses.
DPDPA regulates the
processing of
personal data within
India
Definitions and
Categories:
PII(Personal identifiable information)
It applies to a broader range of personal
data ,including data that is not stored
/processed electronically
PII:-This act only
applies to digital
personal data
Penalties
€20 million or 4% of the company's
global annual revenue,
150 crore INR-
250crore INR
DPDP -INDIA GDPR-EU WHAT IS IT
Data Principal Data Subject
Person whose data
is being referred to
Data Fiduciary Data Controller
Decision maker of
how data is to be
processed
Data Processor Data Processor
Entity that
performs the
processing of data
Data Protection
Officer(DPO)
Data Protection
Officer(DPO)
13. INFORMED CONSENT PROCESS
Record Keeping.
Method of Consent
Withdrawal of Consent
Consequences of Consent:
Rights of the Data Subject
Legal Basis for Processing
Purpose of Data Processing
Description of Data
Identity of the Data Controller
Provide Clear Information
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
13
14. CONSENT MANAGEMENT STRATEGIES
Clear Documentation:
Provide clear and comprehensive consent forms that outline the purpose of the research, procedures involved, potential risks and
benefits, confidentiality measures and participant rights. Use simple language understandable to the target population.
Informed Consent Process:
Conduct face-to-face meetings between researchers and participants to explain the research study thoroughly. Allow ample time for
participants to ask questions and make an informed decision. Ensure that participants understand the information provided before
obtaining their consent.
Consent Training for Researchers:
Train researchers and staff involved in obtaining consent to ensure they understand the importance of informed consent and how to
communicate effectively with participants. This training should include ethical considerations, communication skills, and protocols for
obtaining and documenting consent.
Respect for Autonomy:
Respect participants' autonomy by allowing them to make voluntary and informed decisions about participating in the research study.
Avoid coercion or undue influence and ensure participants have the freedom to withdraw from the study at any time without
consequences.
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
14
15. CONSENT MANAGEMENT STRATEGIES
Consent Reiteration:
Reinforce consent throughout the research process, reminding participants of their rights and the study's procedures.
Provide ongoing opportunities for participants to ask questions and seek clarification as needed.
Consent Tracking and Documentation:
Maintain accurate records of the consent process, including signed consent forms, documentation of discussions with
participants, and any amendments to the consent documents. Ensure confidentiality and secure storage of consent-
related information.
Adaptation to Participants' Needs:
Tailor the consent process to accommodate participants' cultural, linguistic, and cognitive needs. Use interpreters or
translated materials when necessary, and provide additional support for participants with limited literacy or
comprehension skills.
Regular Review and Updates:
Regularly review consent procedures to ensure they comply with current ethical guidelines and regulatory
requirements. Update consent forms and processes as needed based on feedback from participants, researchers,
and ethical review boards.
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
15
16. Emerging Trends in Data Privacy &Consent
management
• Block chain technology
• Decentralized identifiers
• Artificial Intelligence(AI) consent process
• Consent Management Platforms
• Enhanced participant Education Tools
• Consent for Digital Health Ecosystems
• Biometric Authentication for Consent
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
16
17. Thank You!
www.clinosol.com
(India | Canada)
9121151622/623/624
info@clinosol.com
10/18/2022
www.clinosol.com | follow us on social media
@clinosolresearch
17