UK, 31/01/2022.
iToBoS partner, Trilateral Research, recently contributed to a UK government call for policy advice pertaining to the risks, benefits, and ethical and legal considerations of medical data sharing.
The response covers four topic areas, and was heavily informed by Trilateral’s involvement in assessing the impact of data sharing in the iToBoS project.
1. The benefits of sharing data between governments, public bodies, research institutions, and commercial enterprises, as well as the barriers to such sharing
The authors of the report emphasize the value of data sharing in healthcare for multiple uses, including research, diagnosis and treatment, and public health management. The authors take as an example the COVID-19 pandemic, throughout which medical data was used to track the spread of the disease and its variants within and between countries and inform policy responses such as quarantines, school closures, and travel restrictions.
The authors also highlight potential benefits of data sharing that have yet to be fully realized. They note that more efficient data sharing could have enabled faster responses to the COVID-19 pandemic, potentially mitigating its impact. They also argue that cross-sectoral data sharing could streamline healthcare and other social services, which would be beneficial during public health crises and other contexts, providing insights on the impacts of economic and environmental policies on public health, for example. They argue that increased sharing of routinely collected data between hospitals could have impact research, as data from individual hospitals is too regionally concentrated to provide national insights, and sharing could create larger datasets. Finally, they acknowledge the complexities associated with the commodification of data; sharing health data with tech companies is lucrative and could lead to the development of new medical tools, but may undermine public trust in healthcare. The authors stress the importance of using data ethically and legally in such initiatives, and prioritising patient needs and privacy over financial gain.
2. The ethics of sharing individuals’ data in healthcare
The authors emphasise that data sharing should not only be governed by legal and regulatory measures, but also by the principles of data and medical ethics. The central component of data ethics is informed consent, which mandates that individuals are given all relevant information about the collection, storage, processing, and use of their data, understand the risks and benefits of such activities, and can object to the use of their data.
The main principles of medical ethics are autonomy, beneficence, non-maleficence, and justice. Autonomy refers to patients’ right to make independent decisions about their care; in the context of data sharing, patients must not be pressured to share their data to access treatment. Beneficence mandates that medical decisions must maximise the benefit to patients, meaning providers must understand and adequately process data. Non-maleficence means practitioners must avoid committing harm by balancing the risks and benefits of certain actions, including data sharing. Finally, the principle of justice is relevant to the question of equitable resource allocation, which can be facilitated by the analysis of data collected and shared in healthcare settings.
The authors present iToBoS as a case study of ethically and legally compliant data management in medical technology. The project aims to create a tool for early diagnosis of melanoma using Artificial Intelligence (AI) which incorporates data sources including medical records, family history, and genomic data. The project includes a Privacy Impact Assessment to assess legal compliance, and analyses the tool’s ethical and societal impacts. The project provides guidelines about AI and data collection in healthcare for patients and practitioners and includes impact assessments and evaluations of the tool’s algorithms and data management systems to counter common pitfalls of AI technology, including lack of transparency, interpretability, and bias.
3. The application of safeguards and privacy protection to sharing individuals’ data
The authors emphasise the importance of safeguarding personal (identifiable) data, the protection of which falls under the more general right to privacy outlined in agreements such as the European Convention on Human Rights. They detail a number of approaches to safeguarding personal data, beginning by encouraging public authorities like the NHS to adhere to data protection legislation and introduce safety measures to protect personal data. Here, the authors argue pseudonymisation is a more effective safeguard than anonymisation. Pseudonymised data is subject to less strict controls under the GDPR, making it easier to work with. It’s also more secure from a privacy perspective; because direct identifiers are removed, patients’ privacy is protected even in a data breach. These techniques are approaches to data minimisation, which ensures that only the minimum amount of data needed to fulfil objectives is collected, in order to protect patient privacy.
The authors also emphasise the importance of defining the relationship between data controllers and processors, which should be accompanied by legal agreements outlining responsibility for data processing and ensuring data is managed according to ethical and legal values. These documents should be continuously updated according to legal developments and parties’ needs. The authors recommend consulting experts when drafting these agreements in an effort to build confidence in the security of data management and counter the uncertainties currently undermining cross-border data sharing.
4. The extent to which the UK’s National Data Strategy, as well as corresponding drafts and consultations, address data issues
Finally, the authors address the UK’s legislative strategies to govern data sharing. They support the government’s decision to create separate provisions for data processing in research, which define the lawful basis for research and the reuse of personal data. However, the authors argue there remains a need for transparency in privacy policies and procedures, a greater emphasis on valid consent and data subjects’ rights, and implementation of technical and organisational initiatives to protect special categories of personal data. They also raise concerns about the risks created by the government’s relative approach for the re-identification of anonymised and pseudonymised personal data.
Overall, the authors recognise that data sharing can have a significant beneficial impact on the health sector, and encourage the UK government to implement comprehensive technical and organisational measures to protect personal data subjects and enable technological innovation relying on data sharing to progress safely and with respect to privacy rights.