Safeguarding the Status Quo: Privacy and Possibility in Research

Individuals’ health data is vital resource for health research and researchers have used this data for decades to understand more about the factors underpinning health and disease. Using large data sets has enabled us to find new ways to treat and prevent ill health. Without this data, we wouldn’t have made major advances in public health such as understanding the link between smoking and lung cancer, and finding out that people with high blood pressure have a higher chance of having heart disease or a stroke. New data regulations put forward by the EU risk damaging health research and progress by preventing researchers from being able to use data that is essential for their work. Beth Thompson, from the Wellcome Trust policy team, explains the importance of striking a balance between personal privacy and the collective good – and why these regulations could be a step backwards for health research…

All of us benefit from the knowledge derived from research involving personal data.

Studies involving personal data are essential to deliver further improvements in healthcare and public health. For many, this raises concerns about who has access to their data, how the data might be used, and whether their data could fall into the wrong hands. Data Protection law must find a way to protect individuals and respect these concerns, while ensuring that live-saving research can go ahead.

All privacy laws across Europe are based on the EU Data Protection Directive, which has achieved a widely accepted balance between protecting individual rights while permitting research. The directive does this by allowing EU member states to set up mechanisms so that sensitive personal data, such as data concerning health, can be used in scientific research. This data can only be used if strong safeguards have been put in place. (More on these below.)

The existing system works on this basis, and so long as the safeguards are followed, scientific researchers may access these large data sets without the need to trace each individual to obtain consent.

This approach has worked well since the directive was introduced over ten years ago and the rules have allowed important research to take place. Individuals’ data has been kept safe and there are no known cases of data breaches or misuse. We want this approach to continue in the new regulation and we oppose the EU Parliament’s suggested amendments, which would undermine this status quo.

Currently the law includes special rules for research because of the proven value of these studies to society. These special rules only apply to genuine scientific research and not for other purposes, such as market research or insurance decisions – and we want to keep it that way. It is very important to us that the research rules included in the new regulation are limited to genuine scientific research, in the same way as the current law. We don’t know of any examples of the research exemptions being misused for other purposes.

Consent is an important principle in health research, but the exemption in the current law is really important because there are instances where the requirement to seek individual consent would undermine the study. (You can read more about consent here.)

Where individual consent is not sought, the law and international guidelines require safeguards to be place, such as review of the research proposal by an independent ethics committee, to ensure that personal data is used appropriately. It is not – and should not be – easy for researchers to use personal health data without consent and many member states already have additional checks in place, carried out by the national data protection authority or a special confidentiality committee.

It is essential that researchers look after individuals’ data. Member states define these safeguards in their own laws and guidance, and typically a combination of technical, legal and organisational measures are used to protect individuals and their data from harm. For example, where possible, researchers use anonymised data or pseudonymised data (where the identity of the individual is masked), rather than fully identifiable data. Data is often encrypted, so that it can’t be read in the event of a data breach. Only genuine researchers who are trained in the safe use of data are allowed to access the data, and even then, they are only able to use the data in a secure environment. Researchers and organisations have contractual obligations to look after data and use it appropriately.

Personal data has made a vital contribution to improving health in the past and can continue to do for years to come. To make sure we all benefit from health research, we need to maintain the special research rules included in our current laws. In turn, researchers must continue to implement robust safeguards and keep up their strong track record of looking after data.

Protecting the future of health research doesn’t mean we have to compromise on the safety of our precious personal data.

Find out more about our new campaign on the EU Data Protection Regulation at www.datasaveslives.eu. We also continue to work on UK issues around the use of information from patient records for research. Read more about the Trust’s work on the use of personal information in research.

Image credits: Nurse in a hospital ward examining notes and Patient Notes both by Justine Desmond, Wellcome Images; Two scientists examining the patterns in data, Wellcome Library