Confidentiality of personal health information used for researchBMJ 2006; 333 doi: https://doi.org/10.1136/bmj.333.7560.196 (Published 20 July 2006) Cite this as: BMJ 2006;333:196
- Dipak Kalra (firstname.lastname@example.org), senior lecturer in health informatics1,
- Renate Gertz, research fellow2,
- Peter Singleton, principal research fellow1,
- Hazel M Inskip, deputy director3
- 1 Centre for Health Informatics and Multi-Professional Education, University College London, London N19 5LW,
- 2 Research Centre for Studies in Intellectual Property and Technology Law, School of Law, University of Edinburgh, Edinburgh EH8 9YL,
- 3 MRC Epidemiology Resource Centre, University of Southampton, Southampton General Hospital, Southampton SO16 6YD
- Correspondence to: D Kalra
Medical research has a long history in the United Kingdom and has generally enjoyed good public support. Researchers take confidentiality seriously and few breaches have been recorded. Concerns over research practices at Alder Hey hospital related to consent rather than confidentiality,1 but they tarnished the overall reputation of research. At much the same time, the Data Protection Act 1998 defined stricter criteria for handling personal data,2 supplementing the provisions in the UK common law of confidentiality. There is thus a legal and a moral impetus to ensure that research is conducted with the maximum respect for participants and their privacy, even if the research is not linked to clinical care. Many questions can be answered without the active participation of individuals, but researchers must strike a careful balance between their pursuit of health improvements for all and their obligation to maintain the privacy of individuals participating in research.
Regulatory framework and legal issues
When patients seek health care they are assumed to give implied consent for the carers to access their health records. The Data Protection Act also permits the use of “sensitive personal data” for medical purposes (including medical research) without consent, provided the user is subject to the same duty of confidentiality as a healthcare professional.
Despite these provisions, it is generally held that explicit consent should be obtained to use identifiable personal data for medical research, particularly for multicentre or secondary research when people who are not part of the original clinical team need access to the data. However, explicit consent cannot always be gained for new research uses of pre-existing data: the participants might no longer be contactable or might …