Heel Pricks. A short thought

Yes. It is a pity that Guthrie cards will be destroyed. Yes, there is potentially valuable data held on them. But there is also a fundamental right to Personal Data Privacy under EU Treaties and there is that pesky thing called the Data Protection Acts/Data Protection Directive.

The DPC investigated the issue of heel prick cards. They negotiated with the HSE to determine a “best fit” solution that struck an uneasy and far from ideal balance between the desire to have a genetic databank and the need to have specific explicit informed consent for the processing of sensitive personal data in that way.

Comments today from Minister Kathleen Lynch that this needs to be looked at again and efforts are underway to prevent the destruction are baffling. “Efforts are underway”? So the Department is actively working to undermine the role and independence of the DPC? Is new legislation being prepared with retrospective effect that will be passed by the end of next week? Is data being anonymised (tricky with genetic data)? Is the HSE going to do a big push to get people to request the cards relating to them and/or their children from the HSE?

What needs to be looked at in my view is the culture and ethos around managing personal data that pervades in some areas of political and civil society. For that is where the root and origin of this dismal scenario lies. (A scenario, as an aside, that has faced private sector organisations with their customer databases on a number of occasions: not obtained lawfully, not obtained for that purpose, destroy it.)

The reason the issue arises with the heel prick tests is that consent was obtained for the processing of blood samples for a very specific purpose – testing for metabolic disorders in neonatal contexts. The consent obtained was for that purpose. No other. Sensitive personal data must be processed on the basis of specific, explicit informed consent. There appears to have been no plan for maintaining the data associated with those samples or for managing the process of obtaining consent for future purposes (or enacting legislation to allow for future purposes without requiring consent). There appears to have been an assumption that these samples could be retained ad infinitum and used for purposes undisclosed, unimagined, or unavailable at the time the samples were originally taken. This was, and is, not the case under Data Protection law.

As an Information Quality practitioner, I am bemused by the optimism that is expressed that the heel prick data would be useable in all cases. What processes are in place to link the data on the Guthrie card to an identifiable individual? Do those processes take account of the person moving house, their parents marrying, divorcing, remarrying (and the name changes that ensue), or the family emigrating? If the Information Governance in the HSE is such that this is rock solid data then great. I’m running a conference and want good case studies… call me!

The quality of information angle is important as it raises a second Data Protection headache – adequacy of information. If the information associated with the actual blood tests is not accurate, up to date, and adequate then a further two principles of the Data Protection Acts come into play.

Yes the destruction of Guthrie cards is a problem (but as Ireland has been doing Guthrie tests since 1966 it has happened before. Yes it is an unsatisfactory situation (but one that appears unavoidable given the legal situation). But the root cause is not the Data Protection Acts or the DPC. The root cause is a failure in how we (as a society) think about information and its life cycle, particularly in Government and Public sector organisations. A root cause is a failure of governance and government to understand the legal, ethical, and practical trade offs that are required when processing personal data, particularly sensitive personal data. A root cause is the failure to anticipate the issues and identify potential solutions before a crisis.

RTE reports that the Minister describes the 12% awareness level of the right to have cards returned to families rather than destroyed as “telling”. But what does it tell us? Does it tell us people don’t care? Or does it tell us that the HSE awareness campaign was ineffective? I would go with the latter. Frankly the lack of information has been stunning and, as always in Irish life, there is now a moral panic in the fortnight before the deadline. And again, the governance of how we communicate about information and information rights is called into question here.

I haven’t seen any data on how often the Guthrie card data was being used for research purposes. I’m sure some exists somewhere. Those arguing for the records to be saved should go beyond anecdote and rhetoric and present some evidence of just how useful this resource has been. We need to move beyond sound-bite and get down to some evidence based data science and evidence driven policy making.

Storing the samples takes physical and economic resource, two things in short supply in the HSE. Storing them ad infinitum without purpose “just in case” creates legal issues. Legally the purpose for which the samples was originally taken has expired. By giving families the option of having the cards returned to them the HSE creates the opportunity for specific informed consent to future testing, while removing the other data protection compliance duties for those records from themselves.

The choice is not an easy one but the Data Protection mantra is “just because you can doesn’t mean you should”. And just because you have to doesn’t mean it is easy or without pain. But by clearly drawing a line in the sand between non-compliant and compliant practices the HSE avoids the risk of future processing being challenged either to the DPC or the ECJ (after all, this is a fundamental human right to data privacy we are dealing with).

Hard cases make bad laws is the old saying. However the corollary is that often good laws lead to hard cases where society needs to accept errors of the past, take short term pain, identify medium and long term solutions, and move on in a compliant and valid manner.

Rather than weeping and gnashing teeth over a decision that is done and past it would behove the Minister and our elected representatives more to focus their efforts on ensuring that the correct governance structures, mind-sets, knowledge, training, and philosophy are developed and put in place to ensure we never find ourselves faced with an unsatisfactory choice arising from a failure to govern an information asset.

Posted in Dad Thoughts, Data Protection, Ethics & Law of Information, Philosophical Musings, Politics & Culture and tagged , , .