Recognising patient's ultimate interests could help address trust issues over use of health data, expert says

Out-Law Analysis | 04 Sep 2015 | 10:37 am | 3 min. read

OPINION: In healthcare the 'fair and lawful' principle of the Data Protection Act should take precedence over the Act's other principles to make sure that patient data is only used in patients' interests. 

This should be the approach even where bodies have consent to use the data in other ways, and would help to address some of the trust issues people have with digital health initiatives.

The lifeblood of any digital initiative is data. Exponential expansion in the volume of patient data should lead to higher quality analysis and a database that is of ever-increasing value. It is therefore no surprise that the NHS views its data as a three tiered asset, essential to the treatment of patients, vital as a resource for research and increasingly important as a potential source of commercial licensing revenue.

However, the problems with the care.data initiative highlight how public trust in digital health projects can be undermined if privacy rights are not adequately provided for. Even addressing privacy in the context of existing data protection laws may not be enough for health bodies to get the public to buy into what they are doing.

People want a comprehensive health record to be instantly available when they require treatment, but they are also concerned about the same data being made available for scrutiny by a prospective employer, or by a financial institution calculating health and life insurance premiums.

Patients' interests are not fully recognised under existing data protection laws. The relationship between data subject and data controller needs rebalanced. That relationship currently provides a data controller with a large degree of autonomy over how personal data can be used where it holds valid processing consents.

However, because people sometimes fail to check or fully understand how their data might be used when giving consent, or grudgingly accept certain uses of their data whilst supporting the use of their data in other ways, the consent regime alone does not protect patients' interests.

To reset the data subject/controller relationship, the fair and lawful processing requirements of the Data Protection Act should have overriding priority over other aspects of data protection law which might otherwise enable use of patient data in ways that are not in those patients' interest.. Reinforcing those principles would provide a further check on the use of patient data by health bodies or third party organisations beyond the sphere of health care, where it is clearly in the interests of patients for their data to be used to influence how they are treated.

By giving recognition to patient interests in this way, law makers would also avoid having to grapple with the complex issue of data ownership. It remains unclear as to whether people own the personal data about them that organisations hold, even though they have certain rights relating to the data under data protection laws.

The Court of Appeal in London ruled last year that information stored electronically cannot be classed as property that someone can exercise possession, except where copyright or database rights subsist in that information.

For health bodies to develop a workable digital health strategy, other steps to promote data privacy are necessary. This means they should obtain the fully informed consent of patients if intending to share their data with third parties or use the data in new ways. This, together with the development of a new global standard governing the anonymisation of personal data, would help grow public trust.

The care.data initiative is a laudable attempt to create a primary source of health care data. However, it falls down because of the flawed belief that an opt-out consent regime would provide sufficient safeguards against misuse.

The high degree of trust that the NHS enjoys as both an organisation and a brand means that it is uniquely well placed to implement a single opt-in arrangement, through which it is empowered to hold and process patient data in a way that demonstrates that the interest of the patient is given absolute primacy.

While the number of patients who sign up to such an opt-in regime would certainly be lower than under an opt-out regime, the clarity in relation to processing rights and hence the increased value of the resulting database should more than compensate for the loss of volumes.

Perhaps more importantly, a strategy which is fully patient focused is surely the best way of both discouraging data misuse while also allowing those who have decided that open data is a fundamental part of modern life, to gain the benefits associated with the unconstrained analysis of big data and product personalisation.

Matthew Godfrey-Faussett is a digital health and data privacy expert at Pinsent Masons, the law firm behind Out-Law.com. A version of this article first appeared in the Guardian.