

  All Discussions  |  

  Welcome Post  |  

  SIG's Charter  |  

  Direct Messages  |   

  Categories  |  

  How-To(Forum)

Considering GDPR etc

Simon

An AI prompt (breaks some!)

It is my suspicion and feeling that the ramifications of ethics, governance and privacy laws etc has created a situation where people in organisations do not currently understand where the boundary between inappropriate and permissible activity within therapies and research lie. The whole topic is treated as if it was a _bogeyman_ to the detriment of those trying to make progress. There are perceptions that are wrong including in the general public's belief that default statement is always "you can't". Consider the restrictions and cautions and freedoms on action created by UK DPA, UK GDPR and PERC and similar legislation, the online safety act etc. Consider the aggregation of conversation and/or data that occurs on online community platforms and in recording progress during physical rehabilitation exercises following recovery from a traumatic event. Consider the need to be ethical and legal in operations of services and research. Summarise what is: Acceptable without further caveat or explicit arrangement, What is acceptable with appropriate arrangements and What would arrangements be and state the boundaries or limits. Assume all involved desire to behave 'correctly' in good faith for the good of individuals, the professions and society

It sounds like you’re encountering a significant challenge in navigating the complex landscape of ethics, governance, and privacy laws within therapy and research. The perception of a restrictive environment, even when unintended by the legislation, can indeed hinder progress. Let’s break down what is generally acceptable, what requires specific arrangements, and the boundaries involved, assuming good faith and a desire to act correctly.
Here’s a summary of the landscape, followed by a more detailed explanation:
Conclusions:

Generally Acceptable (Without Further Caveat or Explicit Arrangement):
- Direct, anonymized observation and analysis for service improvement or research methodology refinement, where no individual’s personal data or identifiable characteristics are recorded or used.
- Using publicly available information that individuals have intentionally and openly shared without any expectation of privacy.
- General discussions about non-identifiable trends or aggregated, anonymized data that doesn’t allow for the re-identification of individuals.
- Adherence to professional codes of conduct and ethical guidelines within the bounds of the law, such as maintaining confidentiality in individual therapy sessions (though data use beyond this often requires further arrangements).
Acceptable with Appropriate Arrangements:
- Collection, processing, and sharing of personal data for direct care or research purposes with explicit, informed consent that meets the stringent requirements of UK GDPR and DPA.
- Aggregation and analysis of pseudonymized or de-identified data for research, service evaluation, or quality improvement, provided robust anonymization/pseudonymization techniques are employed and the risk of re-identification is minimised.
- Recording and sharing of progress during physical rehabilitation with explicit consent, clear articulation of the purpose, who will have access, how it will be stored, and for how long.
- Moderated online community platforms where clear terms of service, privacy policies, and community guidelines are in place, and users are informed about how their contributions and data will be used.
- Utilizing online safety measures as mandated by the Online Safety Act, including age verification where necessary and mechanisms for reporting harmful content.
Boundaries and Limits:
- Processing personal data without a lawful basis as defined by UK GDPR (e.g., consent, legitimate interest where it doesn’t override individual rights, legal obligation).
- Failing to provide clear, transparent, and easily understandable information to individuals about how their data will be used.
- Sharing personal data with third parties without a legal basis or explicit consent (where required).
- Re-identifying anonymized or pseudonymized data without a lawful basis.
- Using aggregated online community data in a way that could inadvertently identify individuals or for purposes beyond what was disclosed in the terms of service and privacy policy.
- Lack of adequate security measures to protect personal data from unauthorized access, loss, or destruction.
- Ignoring individuals’ rights under UK GDPR and DPA, such as the right to access, rectification, erasure, and restriction of processing.
- Processing special category data (e.g., health data) without meeting the specific, more stringent conditions outlined in UK GDPR and DPA.
- Failing to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Activities deemed harmful or illegal under the Online Safety Act, such as the dissemination of illegal content or failing to protect children from harmful material.
  Explanation and Expansion:
  The core principle underpinning UK data protection legislation (DPA 2018, incorporating UK GDPR), the Privacy and Electronic Communications Regulations (PECR), and related laws like the Online Safety Act is the protection of individuals’ rights and freedoms with regard to their personal data and online interactions. This doesn’t inherently mean “you can’t” do things, but rather that you must do them lawfully, fairly, and transparently, with appropriate safeguards in place.
  Generally Acceptable (Without Further Caveat):
  This category is quite limited when dealing directly with individuals or their data. True “no strings attached” acceptability usually involves activities that don’t touch personal data or are based on genuinely public information.
Observing general patterns or refining methodologies: If you’re looking at aggregate trends in how a service is used or evaluating the effectiveness of a research approach without collecting any identifying information about individuals, this is generally acceptable. For example, noting that a particular type of exercise is frequently modified by participants might inform how you design future programs.
Using genuinely public information: If someone has explicitly made information about themselves publicly available online without any expectation of privacy (e.g., a professional profile on a public platform), using this information within the bounds of its public nature is generally acceptable. However, even with public data, aggregation and drawing inferences can sometimes lead to identifiability, so caution is still needed.
High-level anonymized data: Working with data that has been rigorously anonymized to the point where individuals can no longer be identified, directly or indirectly, falls into this category. The key here is the robustness of the anonymization process.
Acceptable with Appropriate Arrangements:
This is where most activities involving individuals and their data will fall. The “appropriate arrangements” are crucial and are largely dictated by the principles and requirements of the relevant legislation.
Explicit, Informed Consent: For collecting, processing, and sharing personal data, especially special category data like health information, explicit consent is often required. This consent must be freely given, specific, informed, and unambiguous. Individuals must understand what data will be collected, for what purposes, who will have access, their rights (e.g., to withdraw consent), and the potential risks. Consent should be documented and easily withdrawable.
Pseudonymization and De-identification: When using data for research or service improvement, pseudonymization (replacing direct identifiers with pseudonyms) and de-identification (removing or masking identifiers) can reduce the risk of identifying individuals. However, it’s crucial to understand that pseudonymized data is still personal data under UK GDPR, and additional safeguards are needed to prevent re-identification. Robust anonymization aims to go further, making re-identification impossible.
Clear Policies and Terms: For online community platforms, clear terms of service, privacy policies, and community guidelines are essential. Users need to understand how their contributions and any associated data will be used, who will have access, and the rules of engagement. Moderation policies are also important to ensure a safe and ethical environment, as required by the Online Safety Act.
Data Processing Agreements: When sharing personal data with third-party processors (e.g., a platform hosting rehabilitation exercise data), a data processing agreement is legally required. This agreement outlines the responsibilities of both the controller (the organization collecting the data) and the processor.
Security Measures: Implementing appropriate technical and organizational measures to ensure the security of personal data is paramount. This includes measures to prevent unauthorized access, data breaches, loss, or destruction.
Data Protection Impact Assessments (DPIAs): For high-risk processing activities, such as large-scale processing of special category data or the use of new technologies, a DPIA is mandatory. This process helps identify and mitigate potential risks to individuals’ privacy.
Boundaries and Limits:
These are the “you absolutely can’t” areas without significant legal and ethical ramifications.
Lack of Lawful Basis: Processing personal data without a valid lawful basis under UK GDPR (e.g., consent, contract, legal obligation, vital interests, public task, legitimate interests) is illegal. For special category data, an additional condition for processing must also be met.
Transparency and Information Deficiencies: Failing to provide clear and comprehensive information to individuals about how their data is being used undermines their rights and the principle of fair processing. Privacy notices must be easily accessible and understandable.
Unlawful Sharing: Sharing personal data with third parties without a legal basis or appropriate consent (where required) is a breach of data protection law.
Re-identification of Anonymized Data: Attempting to re-identify genuinely anonymized data without a lawful reason can be problematic, especially if successful. For pseudonymized data, re-identification without a clear need and legal basis is generally prohibited.
Misuse of Aggregated Data: Even with aggregated data from online communities, using it in a way that could inadvertently reveal individual identities or for purposes beyond what users were informed about is unethical and potentially illegal.
Inadequate Security: Failing to implement appropriate security measures leaves personal data vulnerable and can lead to significant penalties under data protection law.
Ignoring Data Subject Rights: Individuals have several rights under UK GDPR, including the right to access their data, rectify inaccuracies, erase data in certain circumstances, restrict processing, and object to processing. Organizations must have processes in place to respect and facilitate these rights.
Processing Special Category Data Without Strong Justification: Health data, being a special category, requires more stringent conditions for processing. Legitimate interest arguments are often more difficult to justify for this type of data, and explicit consent or processing for health or social care purposes under the control of a health professional are common lawful bases.
Failure to Conduct DPIAs for High-Risk Activities: This is a legal requirement and a failure to do so can result in penalties.
Harmful or Illegal Online Content: The Online Safety Act places duties on online platforms to address illegal and harmful content, particularly concerning children. Failure to implement appropriate measures can lead to significant liabilities.
Moving Forward:
To foster progress while remaining ethical and legal, organizations need to:
Invest in training and education: Ensure that all staff involved in therapy and research have a solid understanding of the relevant legislation and ethical guidelines.
Adopt a “privacy by design and default” approach: Integrate data protection considerations into the design of systems and processes from the outset. Default settings should be the most privacy-protective.
Prioritize transparency: Be clear and open with individuals about how their data will be used.
Implement robust consent mechanisms: Ensure consent is freely given, specific, informed, and unambiguous.
Develop clear policies and procedures: Document your data handling practices, including data collection, processing, storage, and sharing.
Conduct regular DPIAs: Proactively assess and mitigate privacy risks.
Foster a culture of ethical awareness: Encourage open discussion and reflection on ethical considerations in all activities.
By focusing on these principles and implementing appropriate arrangements, organizations can navigate the legal and ethical landscape effectively, enabling valuable progress in therapy and research while upholding the rights and privacy of individuals. The key is to move away from a fear-based “you can’t” mentality towards a framework of “how can we do this safely, ethically, and legally?”

Scroll-Me :)\<-&->


  All Discussions  |  

  Welcome Post  |  

  SIG's Charter  |  

  Direct Messages  |   

  Categories  |  

  How-To(Forum)