The use of patient information in research
Organisations that undertake significant amounts of research involving patients or service users will generally have a research governance function or research office dealing with the mechanics of grant application, consent requirements, research ethics committee approval, etc. Those participating in research will normally give informed consent for participation in the research, but should also be informed about and give consent for the uses to which the information collected about them during the research will be put. Caldicott Guardians should ensure that this happens automatically. They may also be asked to advise in situations where research may involve the use of personal information without consent, for example where consent is impracticable to obtain.
Person-identifiable information used for research must comply with the provisions of the Data Protection Act—specifically the second principle: personal data must be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes, and should only be used with consent.
Whenever possible, person-identifiable information should not be used for research or audit purposes. Research ethics committees now routinely require patient information to be anonymised or pseudonymised. However, particular care should be taken with ‘small number data’, where even with anonymisation or de-identification it may still be possible to identify individuals.
If identifiable information must be used, and consent is genuinely not practicable, then in England and Wales, approval may be obtained from the Secretary of State for Health under Section 251 of the National Health Service Act 2006, on the recommendation of the Confidentiality Advisory Group (CAG) of the Health Research Authority (HRA). CAG provides independent expert advice on the appropriate use of confidential information. It reviews applications for the use of person-identifiable information for research and other secondary purposes, and advises the HRA on whether the use is sufficiently justified. Its key purpose is to protect and promote the interests of patients and the public whilst at the same time facilitating appropriate use of confidential information for purposes beyond direct care.
In Scotland, a Public Benefit and Privacy Panel for Health and Social Care fulfils a similar function to CAG. In Northern Ireland the legislation equivalent to Section 251 is the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (see Annex B). However, as the Act only received Royal Assent in April 2016, at the time of writing none of the sections have yet been commenced, and consequently, in NI there remains no equivalent legal basis to set aside the common law duty of confidence for the time being.