You may not know it, but if you live in the UK and have contacted the NHS with any coronavirus-related health concerns, your data is now being used for research. This is regardless of whether you have previously tried to stop this happening by requesting to use the national data opt-out service.
Data being used may include your medical records or anything collected by healthcare providers in relation to your care. Researchers in universities, government and also private companies are using it to scrutinise the way the virus is transmitted, how the disease progresses, and to help analyse which treatment options are most effective.
Using this data during a time of public emergency may seem reasonable to many people. But this does not avoid the fact that most of us view our medical records as private. So people will rightly be concerned that their data is being shared without their knowledge or consent.
There are two main laws that dictate how healthcare data privacy in the UK is handled: the European-wide General Data Protection Regulation (GDPR), and an additional UK-specific protection called the Common Law Duty of Confidentiality.
Due to the coronavirus pandemic, this second legal duty has been quietly relaxed and the authority of an important review body suspended to allow researchers unprecedented access to patient data.
GDPR and your data
In the UK, the Data Protection Act 2018 turns the principles outlined in the EU’s GDPR into national law.
The legislation also provides details of how such data should be handled and safeguarded, including the importance of identifying the lawful basis under which the data is to be stored and processed. There are six possibilities for such a basis:
3.) Legal obligation
4.) Vital interests
5.) Public task
6.) Legitimate interests
One thing to note with GDPR is that all six legal bases are equal. As a result, although most of us think that we should be asked to provide consent for our data to be used, it is perfectly legal under GDPR to access personal data, including healthcare records, without consent so long as an alternative legal basis is declared.
Duty of confidentiality
Alongside GDPR, the UK has a second legal mechanism designed to protect confidential patient information. The origins of the Common Law Duty of Confidentiality are complex and relate to a number of different acts and regulations, but can be summed up by the phrase “no surprises”. In other words, patients should never be surprised by how their confidential information is being used.
Typically this means that regardless of the legal basis being used under GDPR, patients must still be asked to provide consent for their identifiable data to be used for research.
But, the law also recognises that sometimes it might be important to use confidential patient information without consent. Under a section of the Health Act 2006, the secretary of state for health and social care can provide approval for what might otherwise be a breach of the common law duty of confidentiality. Approval is based on advice from a special committee called the Confidentiality Advisory Group (CAG).
This is a committee that I usually sit on and which meets twice a month to consider applications from researchers who want to use identifiable patient data without consent. Although the committee itself does not approve applications, it does give detailed advice that normally must be followed for applications to be approved.
However, in emergency circumstances the regulations also allow the secretary of state to suspend even this safeguard, essentially bypassing CAG. This is precisely what was announced on March 20, 2020 allowing, in the wording of this control of patient information notice:
NHS Trusts, Local Authorities and others to process confidential patient information without consent for COVID-19 public health, surveillance and research purposes.
Additionally, and so long as the purpose is COVID-19 related, the notice allows the use of data from people who had previously opted out of their data being used for purposes beyond their direct clinical care.
Why is this a problem?
The relaxation of these rules has largely gone unnoticed by the public, but it does make a difference. While all projects involving NHS patients or facilities must still be reviewed by a research ethics committee, the parallel specialist CAG review has now been replaced by informal advice that does not necessarily need to be followed.
What’s more, as CAG review is no longer a legal requirement, coronavirus projects using healthcare data conducted by a variety of other organisations may no longer need to use the NHS review process at all.
As a research ethics committee chair, I have already been concerned by a couple of examples of researchers seemingly “covidising” their projects to take advantage of expedited review processes. Similarly, trying to justify rapidly constructed projects and their prioritisation with little more than “because of coronavirus” is not appropriate.
Patient data is an extremely valuable research resource which now, more than ever, must be handled appropriately. Prioritising research is the right thing to do in order to find answers to the coronavirus pandemic, but any relaxation of rules can lead to people taking advantage. While many researchers can be trusted, history shows there are good reasons for having robust ethics and governance processes in place, and these should not be removed lightly.