The use of patient information in research
Organisations that undertake significant amounts of research involving patients or service users will generally have a research governance function or research office dealing with the mechanics of grant application, consent requirements, research ethics committee approval, etc. Those participating in research will normally give informed consent for participation in the research, but should also be informed about and give consent for the uses to which the information collected about them during the research will be put. Caldicott Guardians should ensure that this happens automatically. They may also be asked to advise in situations where a research may involve the use of personal information without consent, for example where consent is impracticable to obtain.
Personal data used for research must comply with the provisions of the Data Protection Act 2018—specifically the second principle:the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and the personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.
Whenever possible, person-identifiable information should not be used for research or audit purposes. Research ethics committees now routinely require patient information to be anonymised or pseudonymised. However, particular care should be taken with ‘small number data’ when even with anonymisation or de-identification it may still be possible to identify individuals.
If identifiable information must be used, and consent is genuinely not practicable, then in England and Wales, approval may be obtained from the Secretary of State for Health under Section 251 of the National Health Service Act 2006, on the recommendation of the Confidentiality Advisory Group (CAG) of the Health Research Authority (HRA). CAG provides independent expert advice on the appropriate use of confidential information. It reviews applications for the use of person-identifiable information for research and other secondary purposes, and advises the HRA on whether the use is sufficiently justified. Its key purpose is to protect and promote the interests of patients and the public whilst at the same time facilitating appropriate use of confidential information for purposes beyond direct care.
In Scotland, a Public Benefit and Privacy Panel for Health and Social Care, which fulfils a similar function to CAG. In Northern Ireland the legislation equivalent to Section 251 is the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016.