Medical researchers and health care providers must consider moral as well as legal questions on data use, says bioethics body

In a new report on the collection, linking and use of data in biomedical research and health care (225-page / 2MB PDF), the Nuffield Council on Bioethics (NCoB) said organisations wishing to use health data must address moral questions as well as legal issues before proceeding with their data initiatives.

Its report comes as there is an increasing digitisation of data and availability of 'big data' analytics and technologies that can help medical researchers and health care providers gain useful insights into the effectiveness of treatments and members of the public at particular risk from certain diseases, for example. Its publication also comes after privacy issues delayed NHS England's 'care.data' scheme, and as a major UK genome data project gathers pace.

"Consent provides a mechanism to make controlled exceptions to an existing privacy norm for specific purposes (for example, to permit a medical diagnosis or referral) without abolishing the underlying norm," the NCoB said in its report. "However, consent does not itself ensure that all of the interests of the person giving consent are protected nor does it set aside the moral duty of care owed to that person by others who are given access to the information. On its own, consent is neither necessary nor sufficient for ethical extensions of data access."

The NCoB said that anonymising personal data and using it to advance medical science or health care was also not, on its own, sufficient to "guarantee" that the use of the data "is morally acceptable". It said there was a need for "effective governance of the use of data", after highlighting the potential clash between the public interest in using health data to further medical research and the sometimes competing public interest in protecting "individual privacy".

To address the issue, the NCoB said the use of data in biomedical research and health care "should be in accordance with a publicly statable set of morally reasonable expectations and subject to appropriate governance".

The NCoB said that stated expectations must recognise "a person’s profound moral interest in controlling others’ access to and disclosure of information relating to them held in circumstances they regard as confidential" as well as their human rights. Expectations on health data use and re-use should only be set following consultation with "people with morally relevant interests" and the governance and accountability procedures put in place for data initiatives should also be "morally justified", it said.

The NCoB said further research is required to better understand the "potential harms" of the misuse of biological and health data, as well as "the benefits of responsible data use". It said all health data research initiatives in the UK should be "mapped" and that the details used to "actively support both prospective and continuing evaluation of the risks or benefits of any policies, standards, or laws governing data used in biomedical research and health care".

Individuals should be notified about any breach of their privacy in a medical research or health care context and there should be better legal protections to stop people 'blagging' health data, the NCoB said. It also called for new criminal penalties to be introduced into UK law to address the deliberate misuse of data.

"The UK government should legislate to introduce criminal penalties, comparable to those applicable for offences under the Computer Misuse Act 1990, for deliberate misuse of data whether or not it results in demonstrable harm to individuals," the NCoB said in its report.

Among its other recommendations, the NCoB called for greater transparency over the use of cloud services by national health bodies, and said those behind each medical research or health care data initiative should be required to issue a "a public statement of expectations about who may be given access to health data and for what purposes".

The NCoB said there should be a review into the "appropriateness" of partnership initiatives between public health bodies and businesses so to make sure that there is "public benefit" from the use of NHS patient records in research projects. It also said researchers, including those based overseas, should not have access to UK health data unless they are "subject to institutional oversight and effective sanction".