With one million people treated every 36 hours, routinely collected UK National Health Service (NHS) health data has huge potential for medical research. Advances in data acquisition from electronic patient records (EPRs) mean such data are increasingly digital and can be anonymised for research purposes. NHS England’s care.data initiative recently sought to increase the amount and availability of such data. However, controversy and uncertainty following the care.data public awareness campaign led to a delay in rollout, indicating that the success of EPR data for medical research may be threatened by a loss of patient and public trust. The sharing of sensitive health care data can only be done through maintaining such trust in a constantly evolving ethicolegal and political landscape. We propose that a dynamic consent model, whereby patients can electronically control consent through time and receive information about the uses of their data, provides a transparent, flexible, and user-friendly means to maintain public trust. This could leverage the huge potential of the EPR for medical research and, ultimately, patient and societal benefit.
JMIR Med Inform 2015;3(1):e3
The United Kingdom National Health Service
The UK National Health Service (NHS) provides health care for over sixty million citizens throughout their lives. Around one million people are treated every 36 hours, with vast amounts of information about patients’ treatment and outcomes collected in their medical records. These “cradle to grave” records are increasingly captured within electronic patient record (EPR) systems rather than on paper. The United Kingdom has national EPR coverage in primary care, and coverage in secondary care (hospital) is increasing. While these records are primarily for health care delivery, such data have huge potential for medical research as well.
The reuse of NHS health care data, such as is routinely stored in these EPRs, has enabled medical research for decades. It has led to a huge expansion in our knowledge, with associated important public health impact, through observational research in areas such as epidemiology, drug safety, outcomes research, vaccines, and health services research. Examples of positive benefit range from how, in the 1940s and 50s, national statistics played a major part in identifying the rising incidence of lung cancer mortality and discovery of its link with smoking, to, more recently, disproving a suggested link between the measles, mumps, and rubella vaccine and autism.
Much research has been possible in England through initiatives such as the Clinical Practice Research Datalink (CPRD), The Health Improvement Network, and QResearch, whereby researchers can access anonymized primary care EPR datasets. Linkage of patient data to national cancer and mortality registers, and to Hospital Episode Statistics, has been available for researchers more recently [ ]. As an indication of volume, there are now over 900 peer-reviewed publications from CPRD alone. Linked datasets have also been made available for research in the devolved nations, drawing on the strengths of a unique, widely used Community Health Index number in Scotland [ ], and on linkage between health care and social care data in Wales [ ].
However, despite clear health care benefits from analysis of high quality data, the success of EPR data for research may be threatened by a loss of trust from patients. Sensitivities abound which need careful management, particularly with respect to the confidentiality of health data. Perception by the public that their personal health care data are being used inappropriately, either shared with organizations such as insurance companies or being sold for profit, leads to distrust. This loss has been exemplified by adverse public reaction to NHS England’s care.data program.
Public Concern and Confidence
Public and patient views about the confidence and trust in the use of EPRs cannot be considered homogeneous. Research has highlighted that the public are often broadly supportive of the use of EPR data for research, while concomitantly having little knowledge of how data held in EPRs are shared, and also articulating concerns about privacy of their data. For example, in a recent study, 80% of UK people supported confidential access to their medical records for research. Nicholson [ ] and Kass et al [ ] highlight that the public had little knowledge of how their EPR was accessed, used, and shared. Support for EPR data sharing is often grounded in safeguards to protect privacy [ - ]. Concerns expressed within studies [ ] and surveys [ ] mainly relate to the type of recipient (ie, anxieties are greater with respect to access by the pharmaceutical industry compared with university academics), anonymity, and types of information shared, with patients less willing to share information as it takes on more of a personal nature [ ]. The potential for privacy breaches and data misuse are of particular concern [ ]. Privacy invasion concerns were found to be greater among Scottish people, black and minority ethnic groups [ ], and among those with lower socioeconomic status or living in rented accommodations [ ]. These trends are repeated globally. A recent survey [ ] among adult social media users in the United States indicated a willingness to share health data (92% with a medical condition agreed with sharing their health data to help research) despite potential risks (76% worried that health data that they share may be used in detrimental ways).
These concerns about the potential misuse of health data in EPRs are examined in the next section, which focuses on the challenges faced by England’s care.data initiative. The dynamic consent approach, which manages patients’ consent preferences, is presented as a possible solution.
Concerns About Care.data
Much important UK population health research has successfully used anonymized primary care data. Although much progress has been made, the United Kingdom does not yet have national coverage of EPRs within secondary care. Research into medical conditions managed in hospitals has required bespoke research studies at significant cost and effort, for example, the establishment of national drug safety registers for medication prescribed only by hospital specialists. Access to routinely collected data from emergent hospital EPR systems could solve this problem. Linkage of EPR data across primary and secondary care would enable examination of health problems managed in both settings. Indeed, NHS England’s care.data program plans to collate general practitioner records and link to hospital records on a national scale, significantly increasing the volume and depth of data for research and other uses [ ]. In time, wider linkage to other information such as social care, dental records, and biobanks will progress [ ]. This paradigm shift in “big data” would expand research opportunities, but, as the public response to care.data revealed [ , ], it also raised important challenges in terms of patient confidence and trust in how EPRs are used in medical research. These challenges include anonymity and the role of consent. When more and more parts of an individual’s information are pieced together, even if anonymized, the chances of reidentification increase [ ]. As more datasets are linked and whole genome sequencing becomes part of standard clinical care, this problem will worsen [ ], and risk loss of public trust.
Personal data are routinely collected in the NHS with patients’ implicit consent, with data processing governed by the Data Protection Act (DPA). Access to personal health care data is permitted only for those directly involved in their care. Informed, explicit, and voluntary (opt-in) consent is required for access to identifiable patient-level data for research. However, consent is not required when anonymized data are used for research. Linkage of personal data from primary and secondary care by the care.data program does not require patient consent under the Health and Social Care Act (2012). This individual-level data is only subject to limited anonymization. Nevertheless, a fair processing obligation under the DPA requires that data subjects know what happens to their data. NHS England’s two main approaches to ensure fair processing are: (1) an opt-out process with the default assumption that routine NHS data can be used for approved research, and (2) a public awareness campaign to inform patients of data processing and use. There have been criticisms of both.
Opt-Out Versus Opt-In
Opt-out makes the moral assumption that people are content for their anonymized health data to be used to benefit public health. However, anyone who objects to sharing data outside the NHS, or to sharing certain types of data, will have to opt out of sharing any information with anyone. Mass opt-out, perhaps worsened by misunderstanding of the risks, could result in a marked reduction of potential participants and threaten research validity. It is worth noting that opt-in systems also have challenges of uptake and representativeness for population research. Furthermore, proposed amendments to the European Union Data Protection Directive (95/46/EC) may render opt-out unlawful [ ]. Opt-in relies on active patient participation. Some evidence shows that this is what people expect, despite not being legally required [ , ]. It avoids problems arising through patients feeling lack of control over the fate and flow of their electronic data [ ].
Knowledge of the Data Recipients
In early 2014, care.data ran a public awareness campaign including a national leaflet delivery, a patient telephone information line, and social media activities. These described how health data from primary and secondary care EPRs may be used, who might receive it, provided reassurance on the safeguards in place, and explained how to opt out. The campaign received criticism for not adequately conveying its benefits and safeguards. Although the campaign met the DPA fair processing requirements and Caldicott 2 review recommendations [ ], the population-level approach lacked reassurance of individual patient data flow. Advocates believe studying deidentified data in safe havens does not threaten confidentiality, but the public understanding of data safe havens is questionable, and needs proper explanation. Access by “other approved organizations” remains a grey area, raising concerns for potential participants [ ]. At the time of writing, care.data rollout had been deferred [ ]. The observed discourse between patients’ general support for reuse of routine data for research and concerns raised around care.data may be explained by the ambiguous nature of the information disseminated in its awareness campaign. Also, the positive attitudes revealed from research cannot be easily translated to the care.data campaign; caution should be heeded in doing so, and experience warrants independent research.
Dynamic Consent in Medical Research
A solution to the challenges described above is to move to a more effective, on-going model of patient information and consent. Using consent as the basis for sharing medical data stored in EPRs addresses the technological limitations associated with anonymization techniques, while also respecting the autonomy of patients. Making it dynamic could allow patients to more readily provide or withdraw their consent over time, while also providing information to patients about how their personal data are used. This could list data recipients, and demonstrate how EPR data sharing has contributed toward better health care by providing lay summaries of research results from the studies toward which their data have contributed.
The Dynamic Consent model is one solution that provides a participant-centered approach to consent ( ). It provides additional functionality by exploiting technology to allow on-going engagement and maintenance of research participants’ consent preferences (“expressions”). The UK Ensuring Consent and Revocation project [ ] developed a prototype comprising privacy-enhancing technologies, such as policy-driven privacy-aware access control and obligation management, within an overall Web 2.0 compatible technical architecture. State of the art enterprise information technology and cryptographic techniques wrap and bind patient information with consent expressions and enterprise policies. Novel techniques such as attribute-based encryption [ ], identity-based encryption [ ], and functional encryption [ , ] each provide suitable techniques for the binding of different classes of metadata with information, and the control of access to that information. Information can flow throughout and between health care information systems, while assuring patient information is handled in accordance with regulations. Patients could also track and audit their information usage, change privacy settings, and choose how and when they are contacted [ ]. It enhances confidence by passing control to patients, with data flow controlled at the level of consent, thereby avoiding the broad opt-out, which does not satisfy a patient’s wish to allow access to some groups/projects, but not others (ie, academic researchers, but not the pharmaceutical industry). It also avoids problems arising through patients feeling they have no control over the fate of their EPR, and because of this, may avoid seeking treatment through fear of insurance refusal, loss of employment, or stigmatization [ ].
The implementation of Dynamic Consent through a convenient computer-based interface allows for the possibility of using videos, animation, and other formats to increase the communication to the patients, including the presentation of lay summaries of research results.
A legitimate concern raised by Dynamic Consent is that it may present new ethical questions around user coresponsibility and social exclusion. Representative uptake might be problematic, as groups with lower socioeconomic status may be less likely to engage with opt-in models [ , , ].
At the institutional level, Dynamic Consent implies an e-infrastructure that is able to collect consent, to allow data permissions to direct the flow of data to recipients, to capture a complete audit trail of data recipients, and to receive comprehensive, up-to-date lay summaries of research findings to feed back to patients. Scalability is thus constrained by the provision and maintenance of such systems and infrastructure. We are currently exploring hospital patients’ perceptions of health information security, and the role of consent in health data use and EPR access, with positive early results.
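The consent-driven data flow and audit trail described above can be sketched as follows. This is an added example, not code from the article or from the EnCoRe prototype; the class and field names, the integer timestamps, and the hash-chained log (used here to make the audit trail tamper-evident) are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # anchor value for the first audit record (assumption)


@dataclass
class ConsentLedger:
    """Hypothetical policy decision point: consent expressions decide data flow."""
    # patient -> append-only list of (timestamp, recipient_class, allowed)
    expressions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def express(self, patient, recipient_class, allowed, ts):
        """Record a consent expression; withdrawal is a later expression, not a delete."""
        self.expressions.setdefault(patient, []).append((ts, recipient_class, allowed))
        self._log({"event": "consent", "patient": patient,
                   "recipient_class": recipient_class, "allowed": allowed, "ts": ts})

    def _current(self, patient, recipient_class, ts):
        """Latest expression for this recipient class at time ts; no expression means deny."""
        latest = None
        for when, cls, allowed in self.expressions.get(patient, []):
            if cls == recipient_class and when <= ts and (latest is None or when >= latest[0]):
                latest = (when, allowed)
        return latest[1] if latest else False  # opt-in: default deny

    def request(self, patient, recipient, recipient_class, study, ts):
        """Decide an access request and log it whether granted or refused."""
        granted = self._current(patient, recipient_class, ts)
        self._log({"event": "access", "patient": patient, "recipient": recipient,
                   "recipient_class": recipient_class, "study": study,
                   "granted": granted, "ts": ts})
        return granted

    def _log(self, entry):
        """Append a record whose hash covers the previous record's hash."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"prev": prev, "entry": entry, "hash": digest})

    def verify(self):
        """Recompute the chain; any edited or removed record breaks it."""
        prev = GENESIS
        for rec in self.audit:
            body = json.dumps(rec["entry"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

    def usage_report(self, patient):
        """What the patient would see: every request made against their record."""
        return [r["entry"] for r in self.audit
                if r["entry"]["patient"] == patient and r["entry"]["event"] == "access"]


def demo():
    """Constructed scenario: academic use allowed, pharmaceutical use refused, later withdrawal."""
    ledger = ConsentLedger()
    ledger.express("patient-1", "academic", True, ts=10)
    ledger.express("patient-1", "pharma", False, ts=10)
    results = [
        ledger.request("patient-1", "Univ A", "academic", "study-x", ts=20),
        ledger.request("patient-1", "Pharma B", "pharma", "study-y", ts=20),
    ]
    ledger.express("patient-1", "academic", False, ts=30)  # consent withdrawn
    results.append(ledger.request("patient-1", "Univ A", "academic", "study-z", ts=40))
    return ledger, results


if __name__ == "__main__":
    ledger, results = demo()
    print(results, ledger.verify(), len(ledger.usage_report("patient-1")))
```

Refused requests are logged alongside granted ones, so the patient-facing report shows who asked for the data as well as who received it.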
Dynamic Consent alone will not adequately provide a population of well informed, engaged, and e-Health literate research participants. However, it does provide a platform to develop the ethical and engagement framework to ensure respect for the rights, needs, and expectations of diverse participants. It may also play a role in widening participation in an age where health care is increasingly characterized by digital innovations. As the experience of care.data has shown, public trust is fundamental to the successful use of data held in EPRs. Dynamic Consent may provide a transparent, flexible, and user-friendly means to inform and maintain that trust.
Background work was partially supported by the Technology Strategy Board; the Engineering and Physical Sciences Research Council; and the Economic and Social Research Council (Grant number EP/G002541/1) for JK, EW, and DL. JK was supported under a Wellcome Trust Award (Grant number 096599/2/11/Z). An MRC Clinician Scientist Fellowship (Grant number G0902272) and the Arthritis Research UK Center for Epidemiology (Grant number 20380) supported WGD. KS was supported by Arthritis Research United Kingdom funding.
HW, KS, and WD wrote the first draft, with EW, DL, JK, and CS providing technical and ethicolegal advice.
Conflicts of Interest
- NHS Confederation. Key statistics on the NHS URL: http://www.nhsconfed.org/priorities/political-engagement/Pages/NHS-statistics.aspx [accessed 2014-05-08]
- Smeeth L, Hall AJ, Fombonne E, Rodrigues LC, Huang X, Smith PG. A case-control study of autism and mumps-measles-rubella vaccination using the general practice research database: Design and methodology. BMC Public Health 2001;1:2
- Wallace P, Delaney B, Sullivan F. Unlocking the research potential of the GP electronic care record. Br J Gen Pract 2013 Jun;63(611):284-285
- Health and social care data access request service. URL: http://www.hscic.gov.uk/dars [accessed 2014-09-04]
- ISD Scotland. Information services division URL: http://www.isdscotland.org/ [accessed 2014-09-04]
- Jones KH, Ford DV, Jones C, Dsilva R, Thompson S, Brooks CJ, et al. A case study of the secure anonymous information linkage (SAIL) gateway: A privacy-protecting remote access system for health-related research and evaluation. J Biomed Inform 2014 Aug;50:196-204
- Bell A. Guardian Comment Network. Why you should be angry about changes to NHS patient data policy URL: http://www.theguardian.com/commentisfree/2014/jan/20/nhs-patient-care-data-policy-medical-information? [accessed 2014-09-04]
- Ipsos Mori/AMRC. 2011 Jun 9. Public support for research in the NHS URL: http://www.ipsos-mori.com/researchpublications/researcharchive/2811/Public-support-for-research-in-the-NHS.aspx [accessed 2014-05-08]
- Nicholson L. Information governance: Exploring public attitudes to electronic health records. 2009. URL: http://www.scimp.scot.nhs.uk/wp-content/uploads/documents/ECS/CFS%20Focus%20Group%20Final%20report%20v3%20Aug%2008.pdf
- Kass NE, Natowicz MR, Hull SC, Faden RR, Plantinga L, Gostin LO, et al. The use of medical records in research: What do patients want? J Law Med Ethics 2003;31(3):429-433.
- Barrett G, Cassell JA, Peacock JL, Coleman MP, National Cancer Registry. National survey of British public's views on use of identifiable medical data by the National Cancer Registry. BMJ 2006 May 6;332(7549):1068-1072
- Luchenski SA, Reed JE, Marston C, Papoutsi C, Majeed A, Bell D. Patient and public views on electronic health records and their uses in the United kingdom: Cross-sectional survey. J Med Internet Res 2013;15(8):e160
- Consumers Health Forum of Australia. 2011. eHealth and electronic health records: Current consumer research URL: https://www.chf.org.au/pdfs/rep/rep-691-eHealthresearch-feb11.pdf [accessed 2014-11-10]
- Sciencewise/Ipsos MORI. 2014. What patients and the public think about health research URL: http://www.hra.nhs.uk/patients-and-the-public-2/how-the-hra-works-with-patients-and-the-public/what-patients-and-the-public-think-about-health-research/ [accessed 2014-05-08]
- Whiddett R, Hunter I, Engelbrecht J, Handy J. Patients' attitudes towards sharing their health information. Int J Med Inform 2006 Jul;75(7):530-541.
- Simon SR, Evans JS, Benjamin A, Delano D, Bates DW. Patients' attitudes toward electronic health information exchange: Qualitative study. J Med Internet Res 2009;11(3):e30
- Grajales F, Clifford D, Loupos P, Okun S, Quattrone S, Simon M. National Academy of Sciences. Feb. 2014. Social networking site and the continuously learning health system: A survey URL: http://www.iom.edu/Global/Perspectives/2014/~/media/Files/Perspectives-Files/2014/Discussion-Papers/VSRT-PatientDataSharing.pdf
- Zink A, Askling J, Dixon WG, Klareskog L, Silman AJ, Symmons DP. European biologicals registers: Methodology, selected results and perspectives. Ann Rheum Dis 2009 Aug;68(8):1240-1246.
- England NHS. NHS care data. The care.data programme – collecting information for the health of the nation URL: http://www.england.nhs.uk/ourwork/tsd/care-data/
- Lyons RA, Ford DV, Moore L, Rodgers SE. Use of data linkage to measure the population health effect of non-health-care interventions. Lancet 2014 Apr 26;383(9927):1517-1519.
- Taylor J. National Voices. Care.Data: picking up the pieces URL: http://www.nationalvoices.org.uk/caredata-picking-pieces [accessed 2014-09-05]
- Goldacre, B. The NHS plan to share our medical data can save lives – but must be done right URL: http://www.theguardian.com/society/2014/feb/21/nhs-plan-share-medical-data-save-lives [accessed 2014-09-04]
- Weber GM, Mandl KD, Kohane IS. Finding the missing link for big biomedical data. JAMA 2014 Jun 25;311(24):2479-2480.
- Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science 2013 Jan 18;339(6117):321-324
- Shaw D. Care.data, consent, and confidentiality. Lancet 2014 Apr 5;383(9924):1205.
- Donnelly L. The Telegraph. EU proposals could outlaw giant NHS database URL: http://www.telegraph.co.uk/health/healthnews/10585305/EU-proposals-could-outlaw-giant-NHS-database.html [accessed 2014-05-08]
- Robling MR, Hood K, Houston H, Pill R, Fay J, Evans HM. Public attitudes towards the use of primary care patient record data in medical research without consent: A qualitative study. J Med Ethics 2004 Feb;30(1):104-109
- Mandl KD, Szolovits P, Kohane IS. Public standards and patients' control: How to keep electronic medical records accessible but private. BMJ 2001 Feb 3;322(7281):283-287
- Royal College of General Practitioners. RCGP. RCGP voices concerns about care.data URL: http://www.rcgp.org.uk/news/2014/february/rcgp-voices-concerns-about-care-data.aspx [accessed 2014-05-08]
- Department of Health. Apr 24. 2013. Caldicott review: Information governance in the health and care system URL: https://www.gov.uk/government/publications/the-information-governance-review [accessed 2014-05-08]
- Kirby T. Controversy surrounds England's new NHS database. Lancet 2014 Feb 22;383(9918):681.
- Triggle N. BBC News Health. Giant NHS database rollout delayed URL: http://www.bbc.co.uk/news/health-26239532 [accessed 2014-05-08]
- Dixon WG, Spencer K, Williams H, Sanders C, Lund D, Whitley EA, et al. A dynamic model of patient consent to sharing of medical record data. BMJ 2014;348:g1294.
- Kaye J, Whitley EA, Lund D, Morrison M, Teare H, Melham K. Dynamic consent: A patient interface for twenty-first century research networks. Eur J Hum Genet 2014 May 7.
- EnCoRe Project. 2014. EnCoRe: Ensuring consent & revocation URL: http://www.hpl.hp.com/breweb/encoreproject/index.html [accessed 2014-05-07]
- Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data ACM CCS (2006). URL: https://eprint.iacr.org/2006/309.pdf [accessed 2014-09-04]
- Shamir A. Identity-based cryptosystems and signature schemes. In: Blakely GR, Chaum D, editors. Advances in cryptology: Proceedings of CRYPTO 84. Berlin: Springer-Verlag; 1985:47-53.
- Dan B, Sahai A, Waters B. Functional encryption: Definitions and challenges. In: Theory of cryptography: 8th theory of cryptography conference, TCC 2011, Providence, RI, USA, March 28-30, 2011, Proceedings (Lecture Notes in Computer Science / Security and Cryptology). USA: Springer; 2011.
- Goldwasser S, Kalai Y, Popa RA, Vaikuntanathan V. How to run Turing machines on encrypted data. Zeldovich N (2013) URL: http://eprint.iacr.org/2013/229.pdf [accessed 2014-09-04]
- Bratan T, Stramer K, Greenhalgh T. 'Never heard of it'- understanding the public's lack of awareness of a new electronic patient record. Health Expect 2010 Dec;13(4):379-391.
CPRD: Clinical Practice Research Datalink
DPA: Data Protection Act
EPR: electronic patient record
NHS: National Health Service
Edited by G Eysenbach; submitted 08.05.14; peer-reviewed by S Cunningham-Burley, S Denaxas; comments to author 17.07.14; revised version received 09.09.14; accepted 07.10.14; published 13.01.15
Copyright ©Hawys Williams, Karen Spencer, Caroline Sanders, David Lund, Edgar A Whitley, Jane Kaye, William G Dixon. Originally published in JMIR Medical Informatics (http://medinform.jmir.org), 13.01.2015.
This is an open-access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR Medical Informatics, is properly cited. The complete bibliographic information, a link to the original publication on http://medinform.jmir.org/, as well as this copyright and license information must be included.