Confidentiality of personal health information used for research

Abstract

Regulatory framework and legal issues When patients seek health care they are assumed to give implied consent for the carers to access their health records. The Data Protection Act also permits the use of “sensitive personal data” for medical purposes (including medical research) without consent, provided the user is subject to the same duty of confidentiality as a healthcare professional. Despite these provisions, it is generally held that explicit consent should be obtained to use identifiable personal data for medical research, particularly for multicentre or secondary research when people who are not part of the original clinical team need access to the data. However, explicit consent cannot always be gained for new research uses of pre-existing data: the participants might no longer be contactable or might have died. Re-contacting participants might cause distress or result in inadvertent disclosure. Wherever possible, the alternative to seeking this consent is to preserve the confidentiality of the data subjects through anonymisation. Given the need to balance public concerns about inappropriate disclosure of data (and their expression in legislation) with the need for access to data for research, an acceptable and achievable model of confidentiality practice now needs to be defined. A recent report from the Academy of Medical Sciences on the use of personal data in medical research suggests some ways forward (see bmj.com).3