Abstract
For decades, medical researchers in the UK have highlighted difficulties accessing patient data for research. 1 They have described multiple challenges: the parallel regulatory frameworks protecting personal data through data protection law (the ‘UK GDPR’) and common law protecting the disclosure of confidential information; the ethical principles enshrined in professional medical practice reinforcing the importance of medical confidentiality; and an undercurrent of public concern about potential for confidential patient information (CPI) to be exploited or abused. In March 2020, this complex landscape was disrupted through the publication of control of patient information or ‘COPI’ notices by the Secretary of State for Health and Social Care to mandate the sharing of CPI for COVID-19 purposes. After two years and four extensions, most of these notices have now been withdrawn. This experience provides a useful natural experiment for those who have been calling for streamlined governance of patient data for research purposes and suggests a number of lessons for future regulatory directions.
The regulatory framework and the COPI notice experience
The regulation of data relating to individuals and their health is highly complex and fragmented. In England, the same patient information may be governed by data protection law (i.e. the UK GDPR), the common law of confidentiality and myriad principles, guidelines and policies. Overlaying these are different decision-making, advisory or regulatory bodies who have oversight of health and patient data. Indeed researchers have been voicing frustration at this complicated and bureaucratic framework for many years. When the COVID-19 pandemic struck, a range of emergency measures were taken to facilitate the rapid sharing of data for a range of relevant purposes, including for COVID-19 research. Fast track ethics review systems were developed, 2 and crucially, the normal rules and processes governing disclosure of CPI were suspended by the introduction of ‘COPI notices’.
Ordinarily, disclosure of CPI for research requires either the patient’s consent or approval from the National Health Service (NHS) Health Research Authority following an application to the Confidentiality Advisory Group for ‘section 251 support’. But in order to combat the COVID-19 pandemic, the Secretary of State for Health and Social Care used existing powers under the COPI Regulations to issue notices that set aside the duty of confidentiality where disclosure of patient information was necessary for COVID-19 purposes. 3 The notices went further in mandating the targeted range of individuals and institutions (including general practitioners [GPs] and NHS Digital) to disclose information if a legitimate request was made.
Over the last two years, the notices have been reviewed and extended on four occasions. The notices have now been withdrawn with one new notice introduced which provides for specific continued sharing and processing of data via the OpenSafely platform (see further below). This will expire on 30 April 2023.
What was the impact of the COPI notices on research?
Many researchers reported that the COPI notices had a significant impact in improving access to patient information. 4 This view was confirmed in our own research, which documented an unprecedented surge of data activity. 5 This included public health surveillance and research to monitor, understand, evaluate and mitigate the threat from the SARS-CoV-2 virus. Our analysis of the impact of the COPI notices on genetic/genomic research in England and Wales identified an unparalleled breadth, scale and quality of research citing reliance on the COPI notices (Table 1).
Selected research studies which relied on COPI notices.
GenOMICC. https://genomicc.org/ (accessed 23 November 2022).
COVID-19 Genomics UK (COG-UK) consortium. Explainer. https://www.cogconsortium.uk/the-cog-uk-project-hospital-onset-covid-19-infections-hoci-study/ (accessed 23 November 2022).
University of Portsmouth. Sequencing and Tracking of Phylogeny in COVID-19. https://researchportal.port.ac.uk/en/projects/sequencing-and-tracking-of-phylogeny-in-covid-19 (accessed 23 November 2022).
UK Health Security Agency. The SIREN study: answering the big questions. https://ukhsa.blog.gov.uk/2021/03/11/the-siren-study-answering-the-big-questions/ (accessed 23 November 2022).
UK Health Security Agency. SIREN: One year on. https://ukhsa.blog.gov.uk/2021/06/18/siren-one-year-on/ (accessed 23 November 2022).
UK Biobank.COVID-19 data. https://www.ukbiobank.ac.uk/enable-your-research/about-our-data/covid-19-data (accessed 23 November 2022).
What lessons should we draw from this experience?
A radical response to this experience would be to argue that it has demonstrated that data sharing and processing for public interest research purposes can be de-regulated, perhaps even to mandate disclosure of data for all health research. However, there are important reasons this would be a profound mistake.
First, although there is evidence of a high level of public support for use of data for research into COVID-19, this support is not unqualified.A series of citizens’ juries which explored views relating to the use of patient data during the pandemic in England found that a majority were in favour of data sharing initiatives continuing for as long as they were valuable. However, many jurors were also concerned that there was a lack of transparency. 6 Transparency and good governance were felt to be important, even in the middle of the pandemic.
Second, the example of the General Practice Data for Planning and Research (GPDPR) initiative in England demonstrates that streamlining of data sharing for research with significant potential health benefits cannot be assumed to have public support. 7 In response to NHS Digital’s plans to automatically collect GP data for planning and research purposes without the need for individual or GP consent, many patients acted with their feet and exercised their national data opt-out. 8 In part, this may have been due to a lack of publicity about the rationale for the GPDPR scheme and what it intended to achieve; polling by Which found that 55% of adults in England were unaware of the plans even two months after it was launched. 9 However, this explanation diminishes the very real concerns of patients and stakeholders 10 about how patient data will be used. The GPDPR experience reiterates that public trust and confidence in data-sharing are key. While hard-won, they can be easily destroyed, and they require comprehensive and systematic efforts to sustain them.
The importance of secure and privacy-preserving data processing
Alongside the COPI notices, there has been a shift from dissemination of copies of patient information to researchers, to enabling access to data within secure and controlled research environments (bringing researchers to the data). Technical advances have enabled organisations (such as Genomics England) to develop secure research environments where researchers are able to carry out analyses without being able to extract identifying patient-level data and confidential information. These have been referred to as trusted research environments (or TREs). The aforementioned citizens’ juries found the greatest support for this form of research data processing using the platform OpenSAFELY. Ben Goldacre, who led the development of OpenSAFELY, published a Government-commissioned review into the use of health data for research and analysis in April 2022, making the complete transition from dissemination to TRE-based processing the central part of his recommendations for reform of the system. 11 The Government has welcomed this recommendation and, in its strategy for health and social care data in England ‘Data Saves Lives’, 12 committed to exploring and investing in secure data environments at national and regional levels. It is also notable that the only remaining COPI notice enshrines the use of OpenSAFELY for the analysis of electronic health data. 13
Transparency and engagement with the public is crucial
In themselves, technical safeguards and secure environments are unlikely to be enough to secure popular support for research using CPI without consent. Transparency has been emphasised as crucial many times over and it is a consistent message that patients and the public would like more information about how data are used and the rights, obligations and limits that apply. However, as we found in our review of evidence on public attitudes to data sharing for COVID-19 research, even transparency will not be a sufficient condition for securing popular support if other features that work together to reinforce trust and confidence are missing. 5 Chief among these is meaningful public engagement and involvement in discussions about data governance and use. For example, discussions of what amounts to public benefit, the trade-offs that may be involved and, if consent is not being used as a mechanism to enable choice, the extra effort required to fulfil ethical responsibilities and secure support. Moreover, not all research can be carried out within TREs and, in future, capturing novel data through unconventional methods (such as the voluntary integration of citizen-generated data) 14 may require new forms of data governance, such as data trusts and data intermediaries. As Natalie Banner, former lead for Understanding Patient Data suggests, ‘[i]nvestments in data infrastructure need to be accompanied by investments in engagement and public participation in decision making’, 15 and the establishment of large-scale secure data environments must not become ‘black boxes’ that risk undermining public support all over again.
The way ahead
There are some very positive signs that the recommendations of the Goldacre review will be adopted and that the Government is committed not only to ensure secure data processing but also to genuine and meaningful dialogue with the public as a prerequisite to establishing new data collections and enabling research analysis without specific consent. Arguably, with COVID-19 at the top of our minds, the time is right for a broad public dialogue about the uses of health data and the social contract or licence that underpins it, with the potential that this can finally unlock the power of patient data for all research in the public interest.
Key messages
Regulatory changes facilitating research access to CPI for COVID-19 purposes (the ‘COPI notices’) have had a positive impact on research. This does not imply that all the existing law and governance around secondary use of patient data should be removed. The future is in the use of TREs to securely and transparently process most patient data for research alongside deep and genuine patient engagement about who is allowed to analyse the data and for what purposes. Only after this has been put in place can longer-term adjustments to the legal and governance arrangements be made without jeopardising public support.
