In early April this year, Prime Minister Starmer announced the UK government's plans to boost biomedical research by ensuring access to large sets of health data. A Health Data Research Service will be set up and host data from various divisions of the National Health Service (the “NHS”). The Health Data Research Service will provide “a secure single access point to national-scale data sets” and help expedite biomedical research.
The establishment of the Health Data Research Service appears to be a response to the Sudlow Review, a recent independent evaluation by Professor Cathie Sudlow of the UK's health data landscape which found that although the UK possesses a wealth of health data, the current systems for accessing, sharing and linking this data are often “difficult, slow or impossible”, hindering research and the potential to improve patient care and public health. The Sudlow Review recommends, among other measures, the establishment of “a national health data service in England with accountable senior leadership”.
Health data is – by its very nature and by legal definition – personal data. Access to that data comes, therefore, with inherent privacy concerns and data protection requirements attached. While the Health Data Research Service is being set up and its ethics and governance frameworks are to be announced, members of the UK government and other senior officials have already recognised the possible privacy and data protection implications of the access to health data through the Service. As similar public and private data-sharing initiatives in the United Kingdom, the United States and Europe suggest, these privacy implications have both ethical and legal dimensions.
Privacy, ethical and legal requirements
These requirements typically revolve around:
Anonymisation: Health data stored in databanks is typically anonymised, i.e. data points that directly or indirectly identify a patient or a research participant are removed. Anonymisation, however, operates on a spectrum. Irreversibly anonymised data in principle does not qualify as personal data. If, however, anonymised data can be re-identified through reasonable technical means (e.g., advanced data analytics), it still constitutes personal data. That means its further processing for biomedical research must still meet the applicable ethical standards and requirements of the privacy and data protection legislation.
The basis for ethical and lawful secondary use of health data: Health databanks typically rely on a combination of lawful bases when initially collecting and processing health data from patients and research participants. These bases often include patients’ or participants’ explicit consent, public health interest, scientific research, and legitimate interests. Whether research organisations could draw on these initial bases for their subsequent data processing depends on a number of factors. They habitually involve the purpose of biomedical research (public or private), the compatibility of subsequent data processing with the original purposes of data collection, and the proportionality of such processing.
Transparency and disclosure: Patients and research participants must be notified of the subsequent processing of their data for biomedical research unless such notification involves disproportionate efforts. Research organisations must comply with this legal obligation within a reasonable period after obtaining the personal data, but at the latest within one month.
Data minimisation: Research organisations must access and process volumes and types of health data only to the extent necessary for the specific purposes of their research project.
Appropriate privacy safeguards for harm prevention: Prior to data processing, research organisations must put in place adequate technical and organisational measures for privacy and data protection, such as pseudonymisation or other privacy-preserving techniques (e.g., differential learning, differential privacy), cybersecurity safeguards and data breach reporting protocols. Such measures must shield patients and research participants from the risks of substantial damage or substantial distress resulting from data processing.
Use of advanced data analytics tools, such as predictive analytics and artificial intelligence: These technologies are considered to heighten privacy risks. Their use for processing health data likely necessitates AI and data protection impact assessments, especially if the health data could potentially be de-anonymised or research participants could otherwise be re-identified.
Data transfer and processing terms: These terms govern researchers’ rights and obligations while accessing and processing health data in the respective databank. As with any contract, breach of these arrangements may trigger contractual and financial liability.
To successfully navigate these privacy and data protection implications, research organisations must:
Adopt and operationalize their own data management policies and procedures;
Proactively manage privacy risks through data protection and AI risk assessments, their regular reviews and updates, and state-of-the-art privacy and cybersecurity safeguards;
Cooperate with databanks and hospitals to meet, as needed, the transparency and disclosure requirements highlighted above;
Be prepared to enter into data processing agreements with the databanks, attend to their requirements and manage contractual liability;
Appoint an independent data protection officer (DPO) to guide and steer these processes.
Do you want to learn more about how to set up your privacy and data protection protocols with regard to biomedical research with health data? Join us for our upcoming webinar Innovating with Health Data: Regulatory Opportunities and Key Requirements in the UK and the EU! Email Kate Collocott at kate@datadrivenlegal.com or register here.