Using personal health information in medical research

Recent growth in the regulation of research involving patients or their personal data in the United Kingdom—such as research governance, the European clinical trials directive, the Data Protection Act 1998, the Human Tissue Act 2004, the Mental Capacity Act 2005, and guidance from the General Medical Council—has caused delays, higher costs, and sometimes cessation of research projects.¹² Rules around privacy, confidentiality, and consent have become particularly complex and confusing.

The people appointed to protect personal health data sometimes seem to feel no need to facilitate research. These include Caldicott guardians (board members and senior health professionals appointed by each health authority, NHS trust, and primary care group to safeguard the confidentiality of patient information) and data protection officers who often work with medical records departments. These guardians and officers and their organisations are averse to risk and often restrict or deny access to personal medical data, interpreting the Data Protection Act as insisting that patients must consent directly to participate in research or that patients' data must be completely anonymised.

This causes particular problems for epidemiological research,3 which often requires access to routinely collected identifiable personal data, or requires identification of research participants from such data. Obtaining individual consent from large numbers of patients may be onerous or simply impossible, for example if patients have died or moved away, and participation bias may undermine the data. Anonymising data is difficult and expensive and greatly limits their future value.

The information commissioner—an independent official appointed by the Crown to oversee the Data Protection Act 1998, the Freedom of Information Act 2000, and the Environmental Information Regulations 2004—takes a more liberal view. The commissioner has decided that, while obtaining consent for medical research involving identifiable personal health data is the default position, consent is not required where such access to the data is necessary (for example in a research protocol approved by an ethics committee), is considered proportionate and no more with respect to privacy and public interest, and where there is “fair processing” (meaning that the patient should be informed of the data collection and have the right to opt out).4 Even informing the patient may be waived if the effort to do so is disproportionate, especially if the research is “historical or statistical.” Transparency and proportionality are also emphasised in the NHS research governance framework.5 Many data controllers responsible for the implementation of the Data Protection Act seem unaware that there are reasonable exceptions to the general rule of consent.

The risks to the individual patient from epidemiological research, subject to high standards of data handling and preservation of confidentiality, are minimal when compared with the risks in interventional research.6 The potential benefits to the public are great but many people have misinterpreted the regulations to imply that both types of research have similar standards for informing patients and obtaining consent. But proportionality of risk is a judgment, not an absolute, and needs to be considered impartially by an appropriate body independent of the researchers, probably an ethics committee in most cases.

These issues are considered comprehensively in an excellent new report from the UK Academy of Medical Sciences, which argues strongly for a clearer framework for using personal health data in research.7 Furthermore, a paper in this issue by Iversen and colleagues (p 165) supports the arguments of the academy, and might almost have been written to illustrate the worst excess of over-regulation identified by the academy, specifically misinterpretation of the Data Protection Act.8 The contentious issue is less the law than its overly conservative interpretation—although if the Office for National Statistics can't get it right, who can?

One study suggests, however, that the public do not uncritically support free access to their records by medical researchers, though the participants in this work seemed to have only limited understanding of the purposes and conduct of medical research.9 The academy reports consultations with well informed patient groups which have more palatable findings for researchers.7 And Iversen suggests that poor response rates in research are related more to patients' apathy rather than antipathy.8 Both reports argue for greater engagement of the public and more empirical research on these issues.

Are there legal risks for researchers? No researchers in the United Kingdom have been prosecuted for misusing data in properly conducted and approved research, but there is no case law to support the use of data in this way. The General Medical Council's advice, however, seems to lack any consideration of proportionality, and goes beyond the Data Protection Act in requiring express consent for the use of personal data in research (but not in disease registries—a fine distinction) in all but the most exceptional circumstances, where patients are unable to consent or when they cannot be traced.10

There are encouraging signs that some thought is going into containment of bureaucracy, better coordination of research ethics committees, and unified documentation for ethics applications and use of NHS data for other purposes. Recent consultation on the NHS research and development strategy acknowledges the risks inherent in research and promises “not to over-react in ways that stifle potentially valuable research in complex bureaucracy.”11 These matters need urgent resolution, not least so that researchers can mine opportunities presented by the development of electronic data systems in the NHS information technology programme.