The importance of building trust with health data

In the UK, both north and south of the Border, there are currently plans to create more sophisticated and comprehensive central repositories of health and social care data. Major projects like these have legal and ethical implications, and public trust is essential.

UK GDPR and the processing of personal data

Personal data, including health data, are protected by data protection law, and many people will be aware that data protection laws were enhanced in 2018 by the implementation of the European General Data Protection Regulation (EU GDPR). Following the UK’s exit from the EU, the UK General Data Protection Regulation (UK GDPR) governs the protection of personal data in the UK, alongside the Data Protection Act 2018. The UK GDPR and the EU GDPR are broadly consistent although data protection policy in the UK may diverge from the EU GDPR in the future. The UK GDPR provides a legal framework to embed trust, security and accountability in the processing of personal data.

In some cases, personal data are fully anonymised – ie, it is not possible to identify an individual from the information. If that is the case, then the data will not be classified as being “personal” and the UK GDPR will not apply.

It is becoming less common for data to be truly anonymised, as it is often possible to identify an individual indirectly, if additional information is also made available. This kind of data is referred to as “pseudonymised” and generally involves the replacement of identifiers with reference numbers or unique codes. Pseudonymisation is essentially a method of enhancing security and does not change the status of the data as personal data.

Under the UK GDPR, there must be a lawful basis for all processing of personal data. Many people believe they have a right to consent to any use of their personal data but that is not always the case because Article 6 of the UK GDPR identifies other legal bases for processing personal data as alternatives to the consent option. The UK GDPR recognises that some categories of personal data, including health data, require an enhanced level of protection due to their sensitivity. Therefore, in addition to identifying a proper legal basis for processing health data, one of the specified conditions for processing in Article 9 of the UK GDPR must also be met – for example, that processing is necessary for the provision of health or social care treatment or the management of health and social care systems.

Scotland is widely recognised as being a valuable source of health-related data assets, derived from its population of about 5 million people. Each individual is given their own Community Health Index (CHI) number at birth, which is used whenever the individual interacts with the NHS. With a relatively low rate of migration and an urban, rural and ethnically diverse population mix, the NHS Scotland data sets are attractive sources of information.

For example, the Information Services Division of NHS National Services Scotland holds information on disease incidence by sex, age and geographical location; this can be invaluable to companies looking to assess the initial number of potential candidates for clinical trials.

There are other sources of personal data in Scotland that are used for research purposes, one example of which is the Generation Scotland project. Funded by the Wellcome Trust and based at the University of Edinburgh, Generation Scotland has recruited more than 24,000 people from about 7,000 families who have agreed to be involved in creating an evidence base for researching and understanding health issues.

By combining health data with detailed information on where people live, their occupations and lifestyle, researchers can improve their understanding of the respective influence of nature (genes) and nurture (environment), which could have important implications for how the NHS in Scotland plans and delivers services, and for preventative interventions in relation to conditions such as obesity.

Participation in voluntary projects such as Generation Scotland requires affirmative action but this is not “consent” as a legal basis under Article 6(1)(a) of the GDPR. Instead, Generation Scotland uses two legal bases under Articles 6 and 9 of the GDPR. Its privacy policy states that these are: “1. Performance of a task carried out in the public interest (Article 6(1)(e) in the GDPR); and, where sensitive personal information is involved; 2. Scientific or historical research purposes or statistical purposes (Article 9(2)(j) in accordance with Article 89(1))”.

In cases where data is held by the NHS and shared with third parties for research purposes, the NHS relies on similar legal basis grounds to those used by Generation Scotland. While this is perfectly legitimate, it comes as a surprise to many individuals that the NHS can share personal data, albeit de-identified, with third parties without obtaining individuals’ consent.

In many cases, this may be aimed at benefitting the Scottish population – for instance, sharing data between NHS and social care agencies. However, public interest in personal data sharing is such that any initiatives will need to address transparency of process and decision making in order to retain public trust.

A reminder from south of the Border

On 12 May, the UK Government announced plans to overhaul the current scheme for collecting and sharing data from across the health and social care system.

General Practice Data for Planning and Research (GPDPR) provides for the daily collection of pseudonymised patient data held in GP records, such as information regarding diagnoses, symptoms, test results – including information about physical, mental and sexual health– and other non-health related data, such as ethnicity or sexual orientation.

NHS Digital, which collects data from GP practices to help support care and research, relies on specific public interest grounds as the basis for the collection and sharing of patient data. Therefore, it is not legally obliged to ensure patients provide express consent for the processing of data.

NHS Digital has not published a list of third parties that would be granted access to this data, but has made clear in its transparency notice that all access requests will be assessed to ensure organisations have a legal basis to process the data. This will be overseen by a separate independent body. Details of who NHS Digital has shared data with, in what form and for what purpose should also be published in its data release register.

Patients were originally given until 23 June to opt out of the scheme by printing a paper form and delivering it to their GP. A group of five privacy campaigners threatened legal action in response to these proposals with three main concerns – the opt-out scheme, access for third parties, and security of the data collected.

This resulted in an extension of time for patients to opt-out, with data collection then proposed to commence on 1 September. Over the summer, more than a million people opted out and NHS Digital will now begin a consultation process. It has also agreed that patients can opt out at any time.

Striking a balance

On the face of it, the benefits in bringing together health and social care data to create cohesive portraits of health in the UK seem to be clear but this must be balanced against individuals’ right to privacy, especially given the breadth, depth and sensitivity of the personal data that is to be used for these projects.

The UK GDPR offers a framework to navigate this, however public participation in the design of these projects and trust in the underlying data ethics that underpin them will be key to their success.

Joanna Boag-Thomson is a partner in Shepherd and Wedderburn’s media and technology team. For more information, email: [email protected] or call her on 0141-566 8570.