It is essential that patient data is kept safe and secure, to protect your confidential information. There are four main ways that privacy is protected:
Data protection is a balancing act
Do the benefits of using patient data outweigh the risks? Could something go wrong, and what would be the impact? Sharing patient data will never be totally risk-free, but there must be appropriate measures in place to make sure any risk is as low as reasonably possible. Data is de-identified wherever possible. There are audit processes to check who is accessing data, and robust penalties can be issued where data is misused.
Can I be identified from the data?
Personally identifiable data can only be used if you give your permission or where it is required by law, and even then only with robust safeguards. It cannot be used for insurance or marketing purposes without your consent. Some data will be used to produce statistics that are published monthly by your health care authority, for example hospital emergency waiting times or vaccination coverage. The information can only be openly published if the data is anonymised, so it is not possible to identify any individual.
Spectrum of identifiability
In practical terms there is a wide spectrum of identifiability. This ranges from fully identifiable personal data to data that has been through a robust anonymisation process. The bar for data to count as 'anonymous' under GDPR is very high, which means that much of the data used for these purposes is still personal data. The identifiability of data depends both on the features of the dataset and on the environment where it is held and used.
For example, data that is not identifiable on its own may become so if it is combined with other data. Some environments used to store data therefore include technical controls on what the data can be linked to and limitations on who can access it. The controls used to protect the data are just as important as the qualities of the data itself.
The key issue regarding health data use for purposes beyond your care is the balance that needs to be struck between maximising the potential benefits and protecting against possible harms. Generally, the utility of health data is highest when few safeguards are imposed, but this also increases the potential risks with regard to privacy protection and the security of the data.
There are two types of health data that are currently treated differently: identifiable and anonymised data.
When data is rendered completely anonymous, it is no longer considered personal data and therefore does not fall under the General Data Protection Regulation, which only applies to identifiable data. The anonymisation process itself protects individuals from potentially harmful outcomes. Anonymisation is a continuum: different techniques offer different levels of protection, such as those described below.
Data aggregation refers to the pooling of data, so that individuals can no longer be identified, such as in the example provided below.
Individual data: A is fully vaccinated against COVID-19, B is fully vaccinated against COVID-19 etc.
...and aggregate data: In this population, 80% of people are fully vaccinated against COVID-19.
Data swapping is where certain characteristics are rearranged between individuals. Researchers can still perform analysis on the entire dataset, but comparisons at the individual level become meaningless, as in the following example.
Same dataset, swapped:
Small cell risk analysis
A small cell risk analysis is a statistical analysis used to measure the risk of re-identification when only a small group of people is concerned, for example in the case of rare diseases or when many variables are combined.
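The three techniques described above (aggregation, data swapping and small cell risk analysis) can be illustrated on a small constructed dataset. The following Python script is an added example and not code from the original page or from any health authority; the records, the quasi-identifier columns (age band, area, condition) and the cell-size threshold are all assumptions chosen for illustration. It shows that aggregation and swapping preserve the population-level statistic while destroying individual-level meaning, and that combining more variables quickly produces small cells that carry re-identification risk.

```python
import random
from collections import Counter

# Constructed, hypothetical records (not real patient data).
# "vaccinated" is the analysis variable; the other fields are
# quasi-identifiers that could be combined with other data.
RECORDS = [
    {"id": "A", "age_band": "30-39", "area": "N1", "condition": "asthma",   "vaccinated": True},
    {"id": "B", "age_band": "30-39", "area": "N1", "condition": "diabetes", "vaccinated": True},
    {"id": "C", "age_band": "30-39", "area": "N1", "condition": "asthma",   "vaccinated": False},
    {"id": "D", "age_band": "40-49", "area": "N2", "condition": "asthma",   "vaccinated": True},
    {"id": "E", "age_band": "40-49", "area": "N2", "condition": "asthma",   "vaccinated": True},
    {"id": "F", "age_band": "40-49", "area": "N2", "condition": "diabetes", "vaccinated": True},
    {"id": "G", "age_band": "40-49", "area": "N2", "condition": "none",     "vaccinated": False},
    {"id": "H", "age_band": "30-39", "area": "N2", "condition": "asthma",   "vaccinated": True},
    {"id": "I", "age_band": "30-39", "area": "N2", "condition": "diabetes", "vaccinated": True},
    {"id": "J", "age_band": "50-59", "area": "N3", "condition": "none",     "vaccinated": True},
]


def vaccination_rate(records):
    """Aggregation: pool individual values into one population statistic."""
    return sum(1 for r in records if r["vaccinated"]) / len(records)


def swap_field(records, field, seed=0):
    """Data swapping: permute one field across individuals.

    The multiset of values is unchanged, so dataset-level statistics on
    that field survive, but a row no longer describes a real person.
    A fixed seed keeps the example reproducible.
    """
    values = [r[field] for r in records]
    random.Random(seed).shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def small_cells(records, quasi_identifiers, threshold=5):
    """Small cell risk analysis: count records per combination of
    quasi-identifiers and report cells below the threshold (assumed here;
    publishers choose their own).  A cell of one or two people is a
    re-identification risk if the cell is released or linked."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return {cell: n for cell, n in counts.items() if n < threshold}


if __name__ == "__main__":
    print("Aggregate vaccination rate:", vaccination_rate(RECORDS))
    swapped = swap_field(RECORDS, "vaccinated", seed=1)
    print("Rate after swapping (unchanged):", vaccination_rate(swapped))
    print("Record A after swapping (individual meaning lost):", swapped[0])
    print("Small cells on (age_band, area):",
          small_cells(RECORDS, ("age_band", "area"), threshold=3))
    print("Small cells when condition is added:",
          small_cells(RECORDS, ("age_band", "area", "condition"), threshold=3))
```

Running the script shows the 80% aggregate surviving both aggregation and swapping, two small cells when only age band and area are combined, and every cell falling below the threshold once a third variable is added, which is why a small cell check belongs before any release of tabulated data.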
Advantages and disadvantages related to anonymous data
Identifiable data are all types of data where it is possible to trace back to the individual person behind the data. This includes both:
All data that is considered identifiable is protected by the GDPR. This data can only be used if organisations can show they have a lawful reason for using it, known as a 'legal basis'. In the EU and the UK, organisations will usually use your data with your 'consent', or without your consent where the use can be considered 'a task in the public interest' or a 'legitimate interest'.
A task in the public interest
Examples of tasks in the public interest include surveillance of illness and disease, archiving for historical or scientific purposes, and supporting an institution while it performs a task defined by regulation. Identifiable data can be reused for any task in the public interest when proper oversight is guaranteed (see below).
Informed consent can be used as a legal basis to collect data in a clinical or research context. Asking for consent respects individual autonomy, but it can also be burdensome for researchers and citizens alike, who need to spend time, resources and energy confirming their preferences every time. Additionally, in some circumstances it may be nearly impossible to obtain consent from some individuals whose data is needed for a specific project, for example when data from years ago needs to be accessed to determine trends and evolutions.
Advantages and disadvantages related to identifiable data
Different types of bodies can ensure that uses of health data for purposes beyond individual care comply with the regulation and respect citizens' privacy.
Under which conditions should health data be used for purposes beyond individual care?