Data sharing has been vital for healthcare planning and research in tackling Covid-19. Looking beyond the pandemic, the wealth of data and insights our bodies offer can drive future drug discovery and the development of medical technologies.
But there’s a problem: a significant public reluctance to allow healthcare services to share personal health data. A June 2021 survey by the Information Commissioner’s Office (ICO) and Harris Interactive found that only 47% of people would allow the NHS to pass on their data to public sector companies if it were used to improve the delivery of healthcare. The figure is 42% for private companies.
It’s no surprise that a good proportion of the public have reservations. Everyone hopes their data is shared appropriately and responsibly, yet there were 2,431 data security incidents reported to the ICO in the three months to the end of September. Of these, 435 were in the healthcare sector. Many more will have gone unreported.
There’s already been backlash to NHS Digital’s new process for data held by GP practices – the General Practice Data for Planning and Research (GPDPR) data collection. Despite promises that anonymised data will only be used for healthcare purposes and not shared with marketing or insurance companies, more than 1 million people opted out of GPDPR over the summer. NHS Digital deferred the September roll-out of the scheme.
Data sharing reluctance
The dilemma of whether to share healthcare data isn’t isolated to the UK, of course. It’s an endemic issue. A report published in The Lancet in October argued that countries need to strengthen public safeguards on the use of digital health data to avoid growing inequalities in medical outcomes.
Any concerns the public may have had about data sharing will have been exacerbated by the pandemic. Take contact tracing apps, known more broadly as Contact Tracing and Advice Service (CTAS). While test, track and trace is now ubiquitous on smartphones, research from Finland’s Aalto University School of Business has found that income and education levels are often determining factors in downloading and using such apps.
Yanqing Lin, a doctoral candidate from the business school’s department of information and service management who helped lead the research, says: “We know that the effectiveness of CTAS depends highly on public acceptance and adoption, but it’s been less accepted among those who are at a social disadvantage and may have a low trust in authorities and surveillance.”
We have robust mechanisms to ensure anonymity and safety of patient data … There needs to be an education campaign to demonstrate this to the public
Unequal access to smartphones and varying degrees of digital literacy are other factors deemed to influence a person’s reluctance to share data. A common concern is that data will be used for more than just infection control.
“Those with greater access to technology and who have a higher education and income tend to be more accepting of digital contact tracing,” Lin adds.
The research concluded that acceptance is likely to be higher if CTAS uses privacy features or decentralised data storage.
Trust issues
Digital tracing apps can be designed in different ways. A centralised design means data is stored and processed by a central database; a decentralised design sees personal devices manage most of the data storing and processing, with the central database playing just a minor role, Lin explains.
Another issue in focus is identifying data: how it’s managed and stored securely and who can access it. NHS trusts have previously been investigated over staff accessing patient records without authorisation. Other trusts have accidentally leaked the names and dates of birth of diabetes patients and email addresses of HIV patients.
Given that people are worried about what happens to their data once it’s no longer in their hands, how best can the healthcare sector manage data, especially when it’s licensed to private medical technology or drug discovery companies?
Louise Fullwood is healthcare and data expert at law firm Pinsent Masons; she worked in medical research before retraining as a lawyer. According to Fullwood, one way to allay data worries is to use what’s known as a federated database model rather than a centralised database model.
When a centralised model is used, there’s a higher chance of data being misused or shared in a way that people wouldn’t be happy with, says Fullwood. However, a federated model brings the analysis to the data as opposed to moving big databases to licensees.
Fullwood gives the example of a drug company that wants to access a healthcare service database to get a better understanding of potential causes of cancer. Granting it access to a big, centralised database presents risks. Under the federated model, however, the database isn’t transferred, remaining with the healthcare service.
“The drug company can interrogate the database using software to run specific questions, such as what proportion of men who regularly take drug X go on to develop prostate cancer,” says Fullwood. “The drug company doesn’t get access to individual datasets, just aggregated answers.”
As drug development and medical innovation continues to advance, national healthcare services must get a better grasp on data sharing.
“We have robust mechanisms to ensure anonymity and safety of patient data,” says Dr Steve Arlington, president of the Pistoia Alliance. The group was set up by representatives from life sciences and pharmaceutical companies including AstraZeneca and Pfizer to break down healthcare research and development barriers.
“There needs to be an education campaign to demonstrate this to the public and to communicate the wider altruistic value of sharing their health data.”
The failure by healthcare services to reassure the public on data sharing could have an adverse impact on future treatment and patient outcomes.
What the UK can learn from other countries
According to the Open Data Institute, the UK tops the European rankings of the quality and implementation of policies on secondary use of health data. This is defined as the use of data to improve care planning and delivery, drug development, research and policymaking. However, the country is lagging behind when it comes to the ethics of its policies.
As the 2021 research states, “a successful ecosystem for secondary use of health data requires the trust of people and patients [and] ethical and accountability frameworks.”
Here’s what some other European countries that fare better on ethics are doing to improve access and control of health records.
Iceland
This was the first country to develop a patient-facing application programming interface for accessing health records, back in 2017. The Directorate of Health worked with UK firm Digi.me to enable citizens to download digital copies of their health records.
Finland
My Kanta Pages provides patients with access to their records, regardless of whether they use public or private healthcare services. They can also upload data from smartphone apps and wearables. The system is designed to improve transparency by allowing patients to see who’s viewed, processed or handled their data.
Netherlands
MedMij is a national standard for secure data exchange between healthcare users and providers. Citizens can register with accredited apps, websites or other digital tools to retrieve their medical data. It’s regarded as a move towards a more patient-centric approach to healthcare.
Data sharing has been vital for healthcare planning and research in tackling Covid-19. Looking beyond the pandemic, the wealth of data and insights our bodies offer can drive future drug discovery and the development of medical technologies.
But there’s a problem: a significant public reluctance to allow healthcare services to share personal health data. A June 2021 survey by the Information Commissioner’s Office (ICO) and Harris Interactive found that only 47% of people would allow the NHS to pass on their data to public sector companies if it were used to improve the delivery of healthcare. The figure is 42% for private companies.
It’s no surprise that a good proportion of the public have reservations. Everyone hopes their data is shared appropriately and responsibly, yet there were 2,431 data security incidents reported to the ICO in the three months to the end of September. Of these, 435 were in the healthcare sector. Many more will have gone unreported.
