How does the public view use of personal health and care data for research and what controls need to be in place to protect privacy and establish trustworthiness? These questions have been a constant theme of HDRUK’s Public Advisory Board meetings since we were first recruited about eighteen months ago to provide advice on its mission to unite the UK’s health data.

We’re not the only group grappling with this issue, of course. It’s been a perennial concern of regulators, data custodians, research ethics committees, cyber security experts and privacy campaigners for many years. But with no central coordination in place, those who hold data have tended to set their own rules, resulting in a confusing plethora of access arrangements that are anything but united.

HDR UK is working hard to remedy the problem, building infrastructure to enhance the discoverability and accessibility of the datasets, but the key issue for us is what should be done to ensure the new system earns the support and trust of the public. As a small group of only eleven members, we’re acutely aware that we cannot hope to represent the great diversity of British public opinion. Instead we have to rely on our personal experiences of patient and public engagement, our connections with other groups, and our reading of relevant studies to inform our response.

So we were delighted to see the publication this month of Public Deliberation in the Use of Health and Care Data. Based on a four-day citizen’s summit organised by the OneLondon Local Health and Care Record Exemplar, Ipsos MORI and the Kings’s Fund, with support from the London Councils, the Mayor of London and the NHS in London, the report outlines the collective recommendations of a representative sample of 100 London residents. Their deliberations spanned a wide range of issues to do with health and care data, including the use of de-personalised data for research and development.

Participants were asked to consider the importance of research and development in health and care, the safeguards that should be in place, charging for data access and distribution of returns, and information for the public on how the data have been used. They were positive about the use of de-personalised data in research, seeing it as necessary to improve healthcare and welcoming its potential to improve health and people’s lives.

After listening to inputs from various experts and discussing amongst themselves, they came to the conclusion that a fair and productive partnership between NHS data controllers and those using the data for research and development should meet the following conditions:

  • Benefits (intellectual property, royalties, stake in companies, profits, outputs) to be shared with the NHS equitably
  • Data processing costs to be recoverable through differential charges based on turnover and profit-making
  • Annual reporting on who has accessed the data, how and why it has been used, outputs and impact of the research, and any benefits to the NHS
  • Accountability based on the ‘five safes’
  • No access for insurance companies
  • Clear demonstration of public benefit
  • Public participation in governance and oversight.

The report is ample demonstration, if that were needed, that a randomly selected group of ordinary citizens is more than capable of grasping the complexities of this issue and coming to sensible conclusions when they’re given a chance to quiz the experts and debate amongst themselves. If you’re not familiar with deliberative methods, or even if you are, I strongly recommend you read the report to see how these recommendations were arrived at.

It’s important to bear in mind, however, that the citizen’s summit took place in February 2020, i.e. just before the COVID-19 pandemic became a feature of all our lives. Since then of course, the public has been made even more aware of the potential strengths and limitations of health data for research. It remains to be seen whether this will have a lasting impact on how they weigh up the trade-offs between protecting privacy and enabling data access. We’ll need another citizen’s summit in a year’s time to find out.