Abstract
With one million people treated every 36 hours, routinely collected UK National Health Service (NHS) health data has huge potential for medical research. Advances in data acquisition from electronic patient records (EPRs) means such data are increasingly digital and can be anonymised for research purposes. NHS England’s care.data initiative recently sought to increase the amount and availability of such data. However, controversy and uncertainty following the care.data public awareness campaign led to a delay in rollout, indicating that the success of EPR data for medical research may be threatened by a loss of patient and public trust. The sharing of sensitive health care data can only be done through maintaining such trust in a constantly evolving ethicolegal and political landscape. We propose that a dynamic consent model, whereby patients can electronically control consent through time and receive information about the uses of their data, provides a transparent, flexible, and user-friendly means to maintain public trust. This could leverage the huge potential of the EPR for medical research and, ultimately, patient and societal benefit.
Keywords: dynamic consent, electronic patient record (EPR), medical research, confidentiality, privacy, governance, NHS, data linkage, care.data
The United Kingdom National Health Service
The UK National Health Service (NHS) provides health care for over sixty million citizens throughout their lives. Around one million people are treated every 36 hours [1], with vast amounts of information about patients’ treatment and outcomes collected in their medical records. These “cradle to grave” records are increasingly captured within electronic patient record (EPR) systems rather than on paper. The United Kingdom has national EPR coverage in primary care, and coverage in secondary care (hospital) is increasing. While these records are primarily for health care delivery, such data have huge potential for medical research as well.
The reuse of NHS health care data, such as is routinely stored in these EPRs, has enabled medical research for decades. It has led to a huge expansion in our knowledge, with associated important public health impact, through observational research in areas such as epidemiology, drug safety, outcomes research, vaccines, and health services research. Examples of positive benefit range from how, in the 1940s and 50s, national statistics played a major part in identifying the rising incidence of lung cancer mortality and discovery of its link with smoking, more recently, disproving a suggested link between the measles, mumps, and rubella vaccine and autism [2].
Much research has been possible in England through initiatives such as the Clinical Practice Research Datalink (CPRD), The Health Improvement Network, and QResearch, whereby researchers can access anonymized primary care EPR datasets [3]. Linkage of patient data to national cancer and mortality registers, and to Hospital Episode Statistics, has been available for researchers more recently [4]. As an indication of volume, there are now over 900 peer-reviewed publications from CPRD alone. Linked datasets have also been made available for research in the devolved nations, drawing on the strengths of a unique, widely used Community Health Index number in Scotland [5], and on linkage between health care and social care data in Wales [6].
However, despite clear health care benefits from analysis of high quality data, the success of EPR data for research may be threatened by a loss of trust from patients. Sensitivities abound which need careful management, particularly with respect to the confidentiality of health data. Perception by the public that their personal health care data are being used inappropriately, either shared with organizations such as insurance companies or being sold for profit, leads to distrust. This loss has been exemplified by adverse public reaction to NHS England’s care.data program [7].
Public Concern and Confidence
Public and patient views about the confidence and trust in the use of EPRs cannot be considered homogeneous. Research has highlighted that the public are often broadly supportive of the use of EPR data for research, while concomitantly having little knowledge of how data held in EPRs are shared, and also articulating concerns about privacy of their data. For example, in a recent study, 80% of UK people supported confidential access to their medical records for research [8]. Nicolson [9] and Kass et al [10] highlight that the public had little knowledge of how their EPR was accessed, used, and shared. Support for EPR data sharing is often grounded in safeguards to protect privacy [8-12]. Concerns expressed within studies [13] and surveys [14] mainly relate to the type of recipient, (ie, anxieties are greater with respect to access by the pharmaceutical industry compared with university academics) anonymity, and types of information shared, with patients less willing to share information as it takes on more of a personal nature [15]. The potential for privacy breaches and data misuse are of particular concern [16]. Privacy invasion concerns were found to be greater among Scottish people, black and minority ethnic groups [12], and among those with lower socioeconomic status or living in rented accommodations [11]. These trends are repeated globally. A recent survey [17] among adult social media users in the United States indicated a willingness to share health data (92% with a medical condition agreed with sharing their health data to help research) despite potential risks (76% worried that health data that they share may be used in detrimental ways).
These concerns about the potential misuse of health data in EPRs are examined in the next section, which focuses on the challenges faced by England’s care.data initiative. The dynamic consent approach, which manages patients’ consent preferences, is presented as a possible solution.
Concerns About Care.data
Much important UK population health research has successfully used anonymized primary care data. Although much progress has been made, the United Kingdom does not yet have national coverage of EPRs within secondary care. Research into medical conditions managed in hospitals has required bespoke research studies at significant cost and effort, for example, the establishment of national drug safety registers for medication prescribed only by hospital specialists [18]. Access to routinely collected data from emergent hospital EPR systems could solve this problem. Linkage of EPR data across primary and secondary care would enable examination of health problems managed in both settings. Indeed, NHS England’s care.data program plans to collate general practitioner records and link to hospital records on a national scale, significantly increasing the volume and depth of data for research and other uses [19]. In time, wider linkage to other information such as social care, dental records, and biobanks will progress [20]. This paradigm shift in “big data” would expand research opportunities, but, as the public response to care.data revealed [21,22], it also raised important challenges in terms of patient confidence and trust in how EPRs are used in medical research. These challenges include anonymity and the role of consent. When more and more parts of an individual’s information are pieced together, even if anonymized, the chances of reidentification increase [23]. As more datasets are linked and whole genome sequencing becomes part of standard clinical care, this problem will worsen [24], and risk loss of public trust.
Personal data are routinely collected in the NHS with patients’ implicit consent, with data processing governed by the Data Protection Act (DPA). Access to personal health care data is permitted only for those directly involved in their care. Informed, explicit, and voluntary (opt-in) consent is required for access to identifiable patient-level data for research. However, consent is not required when anonymized data are used for research. Linkage of personal data from primary and secondary care by the care.data program does not require patient consent under the Health and Social Care Act (2012). This individual-level data is only subject to limited anonymization [22]. Nevertheless, a fair processing obligation under the DPA requires that data subjects know what happens to their data. NHS England’s two main approaches to ensure fair processing are: (1) an opt-out process with the default assumption that routine NHS data can be used for approved research, and (2) a public awareness campaign to inform patients of data processing and use. There have been criticisms of both.
Opt-Out Versus Opt-In
Opt-out makes the moral assumption that people are content for their anonymized health data to be used to benefit public health. However, anyone who objects to sharing data outside the NHS, or to sharing certain types of data, will have to opt-out of sharing any information with anyone [25]. Mass opt-out, perhaps worsened by misunderstanding of the risks, could result in a marked reduction of potential participants and threaten research validity. It is worth noting that opt-in systems also have challenges of uptake and representativeness for population research. Furthermore, proposed amendments to the European Union Data Protection Directive (95/46/EC) may render opt-out unlawful [26]. Opt-in relies on active patient participation. Some evidence shows that this is what people expect, despite not being legally required [15,27]. It avoids problems arising through patients feeling lack of control over the fate and flow of their electronic data [28].
Knowledge of the Data Recipients
In early 2014, care.data ran a public awareness campaign including a national leaflet delivery, a patient telephone information line, and social media activities. These described how health data from primary and secondary care EPRs may be used, who might receive it, provided reassurance on the safeguards in place, and explained how to opt-out. The campaign received criticism for not adequately conveying its benefits and safeguards [29]. Although the campaign met the DPA fair processing requirements and Caldicott 2 review recommendations [30], the population-level approach lacked reassurance of individual patient data flow. Advocates believe studying deidentified data in safe havens does not threaten confidentiality, but the public understanding of data safe havens is questionable, and needs proper explanation. Access by “other approved organizations” remains a grey area, raising concerns for potential participants [31]. At the time of writing, care.data rollout had been deferred [32]. The observed discourse between patients’ general support for reuse of routine data for research and concerns raised around care.data may be explained by the ambiguous nature of the information disseminated in its awareness campaign. Also, the positive attitudes revealed from research cannot be easily translated to the care.data campaign; caution should be heeded in doing so, and experience warrants independent research.
Dynamic Consent in Medical Research
A solution to the challenges described above is to move to a more effective, on-going model of patient information and consent [33]. Using consent as the basis for sharing medical data stored in EPRs addresses the technological limitations associated with anonymization techniques, while also respecting the autonomy of patients. Making it dynamic could allow patients to more readily provide or withdraw their consent over time, while also providing information to patients about how their personal data are used. This could list data recipients, and demonstrate how EPR data sharing has contributed toward better health care by providing lay summaries of research results from the studies toward which their data have contributed.
The Dynamic Consent model [34] is one solution that provides a participant centered approach to consent (Figure 1). It provides additional functionality by exploiting technology to allow on-going engagement and maintenance of research participants’ consent preferences (“expressions”). The UK Ensuring Consent and Revocation project [35] developed a prototype comprising privacy-enhancing technologies, such as policy-driven privacy-aware access control and obligation management, within an overall Web 2.0 compatible technical architecture. State of the art enterprise information technology and cryptographic techniques wrap and bind patient information with consent expressions and enterprise policies. Novel techniques such as attribute-based encryption [36], identity-based encryption [37], and functional encryption [38,39] each provide suitable techniques for the binding of different classes of metadata with information, and the control of access to that information. Information can flow throughout and between health care information systems, while assuring patient information is handled in accordance with regulations. Patients could also track and audit their information usage, change privacy settings, and choose how and when they are contacted [34]. It enhances confidence by passing control to patients, with data flow controlled at the level of consent, thereby avoiding the broad opt-out, which does not satisfy a patient’s wish to allow access to some groups/projects, but not others (ie, academic researchers, but not the pharmaceutical industry). It also avoids problems arising through patients feeling they have no control over the fate of their EPR, and because of this, may avoid seeking treatment through fear of insurance refusal, loss of employment, or stigmatization [28]. The implementation of Dynamic Consent through a convenient computer-based interface allows for the possibility of using videos, animation, and other formats to increase the communication to the patients, including the presentation of lay summaries of research results.
Figure 1.
Dynamic consent interface. The origin of the image is from HW Communications and the University of Oxford.
A legitimate concern raised by Dynamic Consent is that it may present new ethical questions around user coresponsibility and social exclusion [13]. Representative uptake might be problematic, as groups with lower socioeconomic status may be less likely to engage with opt-in models [21,22,40].
At the institutional level, Dynamic Consent implies an e-infrastructure that is able to collect consent, to allow data permissions to direct the flow of data to recipients, to capture a complete audit trail of data recipients, and to receive comprehensive, up-to-date lay summaries of research findings to feed back to patients. Scalability is thus constrained by the provision, maintenance of such systems, and infrastructure. We are currently exploring hospital patients’ perceptions of health information security, and the role of consent in health data use and EPR access, with positive early results.
Conclusions
Dynamic Consent alone will not adequately provide a population of well informed, engaged, and e-Health literate research participants. However, it does provide a platform to develop the ethical and engagement framework to ensure respect for the rights, needs, and expectations of diverse participants. It may also play a role in widening participation in an age where health care is increasingly characterized by digital innovations. As the experience of care.data has shown, public trust is fundamental to the successful use of data held in EPRs. Dynamic Consent may provide a transparent, flexible, and user-friendly means to inform and maintain that trust.
Acknowledgments
Background work was partially supported by the Technology Strategy Board; the Engineering and Physical Sciences Research Council; and the Economic and Social Research Council (Grant number EP/G002541/1) for JK, EW, and DL. JK was supported under a Wellcome Trust Award (Grant number 096599/2/11/Z). An MRC Clinician Scientist Fellowship (Grant number G0902272) and the Arthritis Research UK Center for Epidemiology (Grant number 20380) supported WGD. KS was supported by Arthritis Research United Kingdom funding.
Abbreviations
- CPRD
Clinical Practice Research Datalink
- DPA
Data Protection Act
- EPR
electronic patient record
- NHS
National Health Service
Footnotes
Authors' Contributions: HW, KS, and WD wrote the first draft, with EW, DL, JK, and CS providing technical and ethicolegal advice.
Conflicts of Interest: None declared.
References
- 1.NHS Confederation. [2014-05-08]. Key statistics on the NHS http://www.nhsconfed.org/priorities/political-engagement/Pages/NHS-statistics.aspx.
- 2.Smeeth L, Hall AJ, Fombonne E, Rodrigues LC, Huang X, Smith PG. A case-control study of autism and mumps-measles-rubella vaccination using the general practice research database: Design and methodology. BMC Public Health. 2001;1:2. doi: 10.1186/1471-2458-1-2. http://www.biomedcentral.com/1471-2458/1/2. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 3.Wallace P, Delaney B, Sullivan F. Unlocking the research potential of the GP electronic care record. Br J Gen Pract. 2013 Jun;63(611):284–285. doi: 10.3399/bjgp13X668023. http://bjgp.org/cgi/pmidlookup?view=long&pmid=23735377. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 4.Health and social care data access request service. [2014-09-04]. http://www.hscic.gov.uk/dars.
- 5.ISD Scotland. [2014-09-04]. Information services division http://www.isdscotland.org/
- 6.Jones KH, Ford DV, Jones C, Dsilva R, Thompson S, Brooks CJ, Heaven ML, Thayer DS, McNerney CL, Lyons RA. A case study of the secure anonymous information linkage (SAIL) gateway: A privacy-protecting remote access system for health-related research and evaluation. J Biomed Inform. 2014 Aug;50:196–204. doi: 10.1016/j.jbi.2014.01.003. http://linkinghub.elsevier.com/retrieve/pii/S1532-0464(14)00004-5. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 7.Bell A. Guardian Comment Network. [2014-09-04]. Why you should be angry about changes to NHS patient data policy http://www.theguardian.com/commentisfree/2014/jan/20/nhs-patient-care-data-policy-medical-information?
- 8.Ipsos Mori/AMRC. 2011. Jun 9, [2014-05-08]. Public support for research in the NHS http://www.ipsos-mori.com/researchpublications/researcharchive/2811/Public-support-for-research-in-the-NHS.aspx.
- 9.Nicholson L. Information governance: Exploring public attitudes to electronic health records. 2009. Information governance: Exploring public attitudes to electronic health records http://www.scimp.scot.nhs.uk/wp-content/uploads/documents/ECS/CFS%20Focus%20Group%20Final%20report%20v3%20Aug%2008.pdf.
- 10.Kass NE, Natowicz MR, Hull SC, Faden RR, Plantinga L, Gostin LO, Slutsman J. The use of medical records in research: What do patients want? J Law Med Ethics. 2003;31(3):429–433. doi: 10.1111/j.1748-720x.2003.tb00105.x. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 11.Barrett G, Cassell JA, Peacock JL, Coleman MP, National Cancer Registry National survey of British public's views on use of identifiable medical data by the National Cancer Registry. BMJ. 2006 May 6;332(7549):1068–1072. doi: 10.1136/bmj.38805.473738.7C. http://www.bmj.com/cgi/pmidlookup?view=long&pmid=16648132. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 12.Luchenski SA, Reed JE, Marston C, Papoutsi C, Majeed A, Bell D. Patient and public views on electronic health records and their uses in the United kingdom: Cross-sectional survey. J Med Internet Res. 2013;15(8):e160. doi: 10.2196/jmir.2701. http://www.jmir.org/2013/8/e160/ [DOI] [PMC free article] [PubMed] [Google Scholar]
- 13.Consumers Health Forum of Australia. 2011. [2014-11-10]. eHealth and electronic health records: Current consumer research https://www.chf.org.au/pdfs/rep/rep-691-eHealthresearch-feb11.pdf.
- 14.Sciencewise/Ipsos MORI. 2014. [2014-05-08]. What patients and the public think about health research http://www.hra.nhs.uk/patients-and-the-public-2/how-the-hra-works-with-patients-and-the-public/what-patients-and-the-public-think-about-health-research/
- 15.Whiddett R, Hunter I, Engelbrecht J, Handy J. Patients' attitudes towards sharing their health information. Int J Med Inform. 2006 Jul;75(7):530–541. doi: 10.1016/j.ijmedinf.2005.08.009. [DOI] [PubMed] [Google Scholar]
- 16.Simon SR, Evans JS, Benjamin A, Delano D, Bates DW. Patients' attitudes toward electronic health information exchange: Qualitative study. J Med Internet Res. 2009;11(3):e30. doi: 10.2196/jmir.1164. http://www.jmir.org/2009/3/e30/ [DOI] [PMC free article] [PubMed] [Google Scholar]
- 17.Grajales F, Clifford D, Loupos P, Okun S, Quattrone S, Simon M. National Academy of Sciences. Feb. 2014. Social networking site and the continuously learning health system: A survey http://www.iom.edu/Global/Perspectives/2014/~/media/Files/Perspectives-Files/2014/Discussion-Papers/VSRT-PatientDataSharing.pdf.
- 18.Zink A, Askling J, Dixon WG, Klareskog L, Silman AJ, Symmons DP. European biologicals registers: Methodology, selected results and perspectives. Ann Rheum Dis. 2009 Aug;68(8):1240–1246. doi: 10.1136/ard.2008.091926. [DOI] [PubMed] [Google Scholar]
- 19.England NHS. NHS care data. The care.data programme – collecting information for the health of the nation http://www.england.nhs.uk/ourwork/tsd/care-data/
- 20.Lyons RA, Ford DV, Moore L, Rodgers SE. Use of data linkage to measure the population health effect of non-health-care interventions. Lancet. 2014 Apr 26;383(9927):1517–1519. doi: 10.1016/S0140-6736(13)61750-X. [DOI] [PubMed] [Google Scholar]
- 21.Taylor J. National Voices. [2014-09-05]. Care.Data: picking up the pieces http://www.nationalvoices.org.uk/caredata-picking-pieces.
- 22.Goldacre, B. [2014-09-04]. The NHS plan to share our medical data can save lives – but must be done right http://www.theguardian.com/society/2014/feb/21/nhs-plan-share-medical-data-save-lives.
- 23.Weber GM, Mandl KD, Kohane IS. Finding the missing link for big biomedical data. JAMA. 2014 Jun 25;311(24):2479–2480. doi: 10.1001/jama.2014.4228. [DOI] [PubMed] [Google Scholar]
- 24.Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. 2013 Jan 18;339(6117):321–324. doi: 10.1126/science.1229566. http://www.sciencemag.org/cgi/pmidlookup?view=long&pmid=23329047. [DOI] [PubMed] [Google Scholar]
- 25.Shaw D. Care.data, consent, and confidentiality. Lancet. 2014 Apr 5;383(9924):1205. doi: 10.1016/S0140-6736(14)60594-8. [DOI] [PubMed] [Google Scholar]
- 26.Donnelly L. The Telegraph. [2014-05-08]. EU proposals could outlaw giant NHS database http://www.telegraph.co.uk/health/healthnews/10585305/EU-proposals-could-outlaw-giant-NHS-database.html.
- 27.Robling MR, Hood K, Houston H, Pill R, Fay J, Evans HM. Public attitudes towards the use of primary care patient record data in medical research without consent: A qualitative study. J Med Ethics. 2004 Feb;30(1):104–109. doi: 10.1136/jme.2003.005157. http://europepmc.org/abstract/MED/14872086. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 28.Mandl KD, Szolovits P, Kohane IS. Public standards and patients' control: How to keep electronic medical records accessible but private. BMJ. 2001 Feb 3;322(7281):283–287. doi: 10.1136/bmj.322.7281.283. http://europepmc.org/abstract/MED/11157533. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 29.Royal College of General Practitioners RCGP. [2014-05-08]. RCGP voices concerns about care.data http://www.rcgp.org.uk/news/2014/february/rcgp-voices-concerns-about-care-data.aspx.
- 30.Department of Health Apr 24. 2013. [2014-05-08]. Caldicott review: Information governance in the health and care system https://www.gov.uk/government/publications/the-information-governance-review.
- 31.Kirby T. Controversy surrounds England's new NHS database. Lancet. 2014 Feb 22;383(9918):681. doi: 10.1016/s0140-6736(14)60230-0. [DOI] [PubMed] [Google Scholar]
- 32.Triggle N. BBC News Health. [2014-05-08]. Giant NHS database rollout delayed http://www.bbc.co.uk/news/health-26239532.
- 33.Dixon WG, Spencer K, Williams H, Sanders C, Lund D, Whitley EA, Kaye J. A dynamic model of patient consent to sharing of medical record data. BMJ. 2014;348:g1294. doi: 10.1136/bmj.g1294. [DOI] [PubMed] [Google Scholar]
- 34.Kaye J, Whitley EA, Lund D, Morrison M, Teare H, Melham K. Dynamic consent: A patient interface for twenty-first century research networks. Eur J Hum Genet. 2014 May 7; doi: 10.1038/ejhg.2014.71. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 35.EnCoRe Project. 2014. [2014-05-07]. EnCoRe: Ensuring consent & revocation http://www.hpl.hp.com/breweb/encoreproject/index.html.
- 36.Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data ACM CCS (2006) [2014-09-04]. https://eprint.iacr.org/2006/309.pdf.
- 37.Shamir A. Identity-based cryptosystems and signature schemes. In: Blakely GR, Chaum D, editors. Advances in cryptology: Proceedings of CRYPTO 84. Berlin: Springer-Verlag; 1985. pp. 47–53. [Google Scholar]
- 38.Dan B, Sahai A, Waters B. Theory of cryptography: 8th theory of cryptography conference, TCC 2011, Providence, RI, USA, March 28-30, 2011, Proceedings (Lecture Notes in Computer Science / Security and Cryptology) USA: Springer; 2011. Functional encryption: Definitions and challenges. [Google Scholar]
- 39.Goldwasser S, Kalai Y, Popa RA, Vaikuntanathan V. How to run Turing machines on encrypted data. [2014-09-04]. Zeldovich N (2013) http://eprint.iacr.org/2013/229.pdf.
- 40.Bratan T, Stramer K, Greenhalgh T. 'Never heard of it'- understanding the public's lack of awareness of a new electronic patient record. Health Expect. 2010 Dec;13(4):379–391. doi: 10.1111/j.1369-7625.2010.00608.x. [DOI] [PMC free article] [PubMed] [Google Scholar]