Leslie is currently working as a Research Fellow for the Administrative Data Research Centre (ADRC) under the direction of Professor Graeme Laurie. In 2013, the ESRC provided £34 million of funding for four new innovative administrative data research centres and a data service to strengthen the UK's competitive advantage in Big Data. The centres and service together form the Administrative Data Research Network (ADRN) which will enable research based on linked data between government departments to be overseen by a single governance structure that will allow for consistent and robust decision-making. Leslie’s research interests lie primarily within data protection and privacy law, as well as the interface between medicine, technology, ethics and the law.
Before coming to Edinburgh, Leslie graduated with her Bachelor in Arts (History) from the University of California, Los Angeles in 2006 and went on to attend Santa Clara University’s Law School in 2007. In 2011, Leslie graduated with her Juris Doctor from Santa Clara and passed the California State Bar Exam to become a licensed attorney in November 2011.
Current Research Interests
In 2011, Leslie commenced an LLM in Commercial Law at the University of Edinburgh, after which she commenced her doctoral studies under the supervision of Dr Gillian Black and Dr Daithí Mac Síthigh. In 2013, Leslie was awarded the inaugural Maclagan Prize Scholarship from the Mason Institute for Medicine, Life Sciences and the Law for her doctoral studies and now sits on the Executive Committee as PhD Convener. Leslie’s doctoral work focuses on the research governance of social sciences and humanities based research, which explores the public interest justifications for research under legal governance regimes within the UK and Europe.
Leslie is currently a Copy-Editor for SCRIPTed: A Journal of Law, Technology and Society. She also serves as co-convener for the Law School’s IP, IT and Media Law Discussion Group and is part of the organising committee for the 2014 Postgraduate Law Conference in Edinburgh. Leslie is a member of the Society of Legal Scholars and International Association of Privacy Professionals.
Books and Reports
Graeme Laurie, Leslie Stevens, Kerina H. Jones, Christine Dobbs, A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data, (Nuffield Council on Bioethics, 2015)
Abstract: Prepared for the Nuffield Council on Bioethics Working Party on Biological and Health Data and the Expert Advisory Group on Data Access.
Graeme Laurie, Kerina Jones, Leslie Stevens, Christine Dobbs, Nathan Lea, David V Ford, 'The other side of the coin: Harm due to the non-use of health-related data', (2016), International Journal of Medical Informatics, Vol 97, pp 43-51
Abstract: This article uses an international case study approach to explore why data non-use is difficult to ascertain, the sources and types of health-related data non-use, its implications for citizens and society and some of the reasons it occurs. It does this by focussing on issues with clinical care records, research data and governance frameworks and associated examples of non-use.
Graeme Laurie, Leslie Stevens, 'Developing a Public Interest Mandate for the Governance and Use of Administrative Data in the United Kingdom', (2016), Journal of Law and Society, Vol 43, pp 360–392
Abstract: This article addresses the legal and ethical uncertainties surrounding the use of administrative data for research. Drawing upon best practices developed by the authors in previous data initiatives and engagement with research communities, the article suggests a problematic organisational culture as the most significant barrier to proportionate and good governance of administrative data. Accordingly, the article offers a novel means for data custodians to identify key considerations by introducing a decision-making template that supports public authorities’ assessment of preparedness for data reuse through identification of challenges faced, related to sector-specific practices. As a catalyst for change, the authors advocate a public interest mandate - commitment to safely and ethically use administrative data when it is in the public interest to do so. This is delivered through implementation of the decision-making template, overt commitment to principles of public interest and proportionality, and engagement with stakeholders to address remaining areas of uncertainty.
Leslie Stevens, 'The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK', (2015), European Data Protection Law Review, Vol 1, pp 97-112
Abstract: This article critically assesses the potential impact of the proposed Data Protection Regulation on the undertaking of social sciences research in the UK, providing practical analysis from the perspective of research involving administrative data. This assessment reveals how changes to the key concepts of anonymisation, personal data and lawfulness may impact upon social sciences research. The approach taken to the regulation of personal versus anonymised data in the proposed Regulation represents a disproportionate and de-contextualised response to the risks involved in undertaking social sciences research that may create disincentives for investing in privacy protective mechanisms. It is positive that there is explicit recognition of research as a legitimate form of data processing. However, negative implications will arise from the introduction of pseudonymous data as a subset of personal data, without proportionate consideration of varying processing contexts and factors surrounding de-identification and specifically, the strict security measures taken to prohibit de-identification in the research context.
Leslie Stevens, '"Innovation in the Law": The Second Annual Edinburgh Postgraduate Law Conference', (2014), SCRIPTed, Vol 11, pp 137-139
Gillian Black, Leslie Stevens, 'Enhancing Data Protection and Data Processing in the Public Sector: The Critical Role of Proportionality and the Public Interest', (2013), SCRIPTed, Vol 10, pp 93-122
Abstract: Data protection in the public sector has suffered from a number of high profile breaches over the last decade, revealing a culture of weak compliance, especially in comparison with that in the private sector. This article examines certain factors which make public sector data processing distinct, and how the lack of clarity regarding the routes to legitimate processing may be exacerbating these problems. By closely examining the jurisprudence regarding Schedule 2 of the Data Protection Act 1998, which provides the legitimate bases for data processing, we reveal the current problems public sector data controllers face in determining whether their processing is “necessary” and therefore legitimate. We determine that the test of necessity is reliant on proportionality, requiring the interest in processing the personal data to be balanced against the data subjects’ data protection and privacy interests. This in turn requires a detailed consideration of the public interests at stake, in providing the public services and respecting the personal data involved. We conclude by providing a structured and coherent three-step test for data controllers to apply in reaching their decision. This test focuses on the critical issues in balancing the competing interests, enabling data controllers to take a principle-based decision as to whether or not their processing is indeed in the public interest, proportionate and necessary – and therefore ultimately legitimate. This three-step test offers greater clarity for data controllers, which in turn should enhance the rigour of their data processing, thereby strengthening the data protection culture and benefiting data controllers, data subjects, and the public at large.
Leslie Stevens, Christine Dobbs, Kerina H. Jones, Graeme Laurie, 'Dangers from within? Looking inwards at the role of maladministration as the leading cause of health data breaches in the UK' in Data Protection and Privacy (Springer 2017) 1-29
Abstract: Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.
, Edward Dove, Leslie Stevens, Mark Taylor, 'Analysis: Research and the General Data Protection Regulation - 2012/0011(COD)' 2016
Graeme Laurie, Leslie Stevens, Kerina H. Jones, Christine Dobbs, 'Better use of data in government consultation' 2016
Leslie Stevens, Graeme Laurie, 'The Administrative Data Research Centre Scotland: A Scoping Report on the Legal & Ethical Issues Arising from Access & Linkage of Administrative Data' 2014
Abstract: This initial scoping report outlines the original research to be undertaken for the legal work package of the Economic and Social Research Council (ESRC) funded Administrative Data Research Centre-Scotland (ADRC-S), by Professor Graeme Laurie and Ms Leslie Stevens based at the University of Edinburgh, School of Law and J Kenyon Mason Institute for Medicine, Life Sciences and the Law. The report provides an overview of the regulatory context in which administrative data linkages currently operate in Scotland, highlighting the crucial legal and ethical issues which arise from the current mixed legal landscape under which administrative data linkages operate. Adopting an approach that takes into account both the risks and the benefits that can be achieved through administrative data linkage research in the public interest, Laurie and Stevens argue for a principles-based approach to the governance of administrative data used for research purposes. By looking to established best practice in the field of data linkages in the health sector, and most notably the Good Governance Framework developed for the Scottish Health Informatics Programme (SHIP), the paper argues for an approach that will determine which principles can operate in a framework of robust and proportionate governance of administrative data linkages in Scotland. This is the first in a series of papers for the legal work package of the ESRC-funded ADRC-S. Subsequent papers will focus on particular research questions of the legal work package, notably the adaption of a principles based approach to the governance of administrative data; use of historical administrative data and the risks and benefits of commercial involvement in research.