PDF - MRC Ethics Series: Personal Information in Medical Research

MR

C E

thics Series

Personal Informationin MedicalResearch

Personal Informationin MedicalResearch

Health and Social Care Act 2001: "Section 60"new guidance added - January 2003

Guidance for recipients of MRC support and for potential applicants

This guidance sets out newprocedures that need to befollowed by those undertakingor planning research thatinvolves the use of individualpatient data where consentfrom the individual patientsconcerned has not or will notbe obtained.

1. Background“Section 60 of the Health and SocialCare Act 2001 enables the Secretaryof State to support and regulate theuse of confidential patient informationin the interest of patients or thewider public good. Parliament agreedto the creation of this power toensure that patient identifiableinformation currently needed tosupport essential NHS activity canbe used, without the consent thatshould normally be obtained,where there is no reasonablypracticable alternative.

Regulations made under Section 60can provide a basis in law for patientidentifiable information to bedisclosed to specified bodies, (eg

cancer registries), for specificpurposes.This type of 'specificsupport' is required if the intendedpurposes for obtaining theinformation are controversial orcomplex and need detaileddescription within the regulations.The approval of Parliament, advisedby the independent statutoryPatient Information Advisory Group(PIAG), is required before suchregulations may be brought into force.

Parliament has also agreed to theestablishment of 'class support'that will provide a lawful basis forusing and disclosing patientidentifiable information to supportrelatively uncontroversial processing,for limited and defined purposes,without the need for dedicatedparliamentary consideration.Theapproval of the Secretary of State,advised where appropriate by PIAG,is required in these circumstances."

(The above text is taken from the Guidance

Notes on the DH website:

www.doh.gov.uk/ipu/confiden, from where more

information can be obtained).

2. GuidanceThis Guidance should be read inconjunction with the Council'sbroader Guidance: "PersonalInformation in Medical Research"(PIMR)1.

2.1 When does Section 60apply?The conditions under Section 60only apply:

For current research, whereidentifiable NHS patient data arebeing used and where individualconsent has not been obtained; orFor proposed research, where theresearchers plan to use identifiableNHS patient data withoutobtaining individual consent.

For newly designed studies, DHexpects that for the large majorityof proposals, it will be possibleeither for the researchers toreceive anonymised data2, or toobtain individual consent. If theresearcher plans to use linkedanonymised data (ie where theindividuals can be identified by theprovider of the data), the provider

will need to obtain approval fromPIAG.This should fall into thecategory of "Class support".

2.2 Existing StudiesThose currently undertakingrelevant studies will need to applyto PIAG as soon as possible. Ifyou are not sure whether you needto apply, you should contact thePIAG Secretariat3 to seek advice. Itis possible that existing studies maybe covered by one of the "Classsupport" approvals that has beenobtained or is currently underconsideration. (Flagging at the NHSCentral Register is one of these,but if you are planning to use thisservice, you are advised to seekconfirmation in writing from thePIAG3 Secretariat that you do notneed to submit your own application).

Even at this stage, the expectation isthat you will go back to theparticipants and seek consent wherepossible. If this is not possible, youwill be asked to explain why. If it ispossible, and you propose to do this,

1 PIMR - available on request from MRC Head Office or on the MRC Website at:http://www.mrc.ac.uk/pdf-pimr.pdf

2 See "PIMR" for definitions3 PIAG Secretariat, Room 1N35A, Quarry House, Leeds LS2 7U. Tel: 0113 254 6019.

Email: [email protected]

you may need to obtain renewedResearch Ethics Committee approval,and should therefore also contactthe relevant REC Secretariats/Chairmen to check whether this isthe case.

2.3 Proposed studiesFor proposed studies in whichindividual consent would not beobtained, approval will need to beobtained according to the processdescribed below:

2.4 How to apply for approval under Section 60

i) First, the applicant should obtain a‘sponsor’ (usually the applicant'semploying organisation).Sponsors should provide a writtenrecommendation, a copy of whichmust be retained by the applicant.

ii) Applicants undertaking medicalresearch must first obtain researchethics committee (REC) approval.Medical researchers are stronglyadvised to read the guidance notescarefully before approaching theREC, and should ensure that allthe required information isincluded in their application tothe REC. Copies of the research

protocol and L/MREC approvalmust be included with theapplication for Section 60 support.

iii)There is a standard applicationform for support under Section60 available on the DH website(www.doh.gov.uk/ipu/confiden/genguide.doc). It can be completedeither online or on a printedpaper copy.

MRC expects applicants, at the timethey submit applications to MRC,either to have obtained RECapproval, or to have submitted theirapplications. It is a requirement thatwork should not start until RECapproval has been obtained.This willbe the case also for Section 60approval. In planning their research,applicants must be sure to allowsufficient time to obtain all thenecessary approvals and fundingbefore they wish to start theirresearch. Further advice on MRCfunding processes may be obtainedfrom the relevant ProgrammeManager, and on Section 60 fromTony Peatfield([email protected])

January 2003

Updates to this guidance are available on MRC’s website: www.mrc.ac.uk

©2000 Medical Research Council. October 2000.Copies available from MRC External Communications 020 7636 5422

The MRC working group which prepared this guidance comprised:

Professor Andy Haines (Chair, Dept of Primary Care & Population Sciences, Royal Free &University College Medical School)Dr Richard Ashcroft (University of Bristol / Imperial College School of Medicine)Dr David Coggon (MRC Environmental Epidemiology Unit)Dr Angela Coulter (The King’s Fund / Picker Institute Europe)Professor Len Doyal (Queen Mary & Westfield College) Dr Elaine Gadd (Dept of Health)Professor Charles Gillis (Dept of Public Health, University of Glasgow)Dr Naomi Pfeffer (Consumers for Ethics in Research / University of North London)Professor Michael Wadsworth (MRC National Survey of Health & Development)Mr Philip Walker (NHS Executive)Mrs Madeleine Wang (Northern & Yorkshire Multi-Centre Research Ethics Committee)Professor Simon Wessely (Dept of Psychological Medicine, Institute of Psychiatry)

Office staffDr Declan MulkeenDr Imogen EvansDr Jenny Baverstock (2000)Mr Stéphane Goldstein (1999)

PERSONAL INFORMATION IN MEDICAL RESEARCH

Personal Information in Medical Research Medical Research Council Ethics Series 3

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Principles for ethical medical research using personal information . . . . . . . . . . . . . 9

2.1 General Principles2.2 Information disclosed without consent2.3 Decision tree for using personal information

3 Legal principles relevant to research using personal information . . . . . . . . . . . . . . 13

3.1 Confidentiality in law3.2 The Data Protection Act and Human Rights Act3.3 Ethics and the law3.4 Providing advance information3.5 Reducing the need to disclose personal information without consent3.6 Conclusions and implications for current practice

4 Scenarios: using information with and without consent . . . . . . . . . . . . . . . . . . . . . . . 21

4.1 Approaching patients during medical care4.2 Approaching patients from medical records4.3 Research based on existing records and samples only4.4 Using non-medical information to contact people

5 Safeguarding confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

5.1 Anonymisation and coding5.2 The research team5.3 Data security

6 Safeguarding other interests of the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

6.1 Avoiding harm or distress6.2 Feedback and publication

7 Storage and re-use of data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.1 Storage7.2 Re-use of data by third parties

8 Information and consent forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

8.1 Patient leaflets and notices8.2 Consent procedures

Annex 1 Checklist for reviewing proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Annex 2 The health professional’s responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Annex 3 The Data Protection Act 1998 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Annex 4 The Human Rights Act 1998 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Annex 5 Other statutory regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Personal information, as used in this guide,refers to all information about individuals,living or dead. This includes written andelectronic records, opinions, images,recordings, and information obtained fromsamples. Although anonymised data is not,strictly speaking, personal information, its useis also covered in this guide.

Personal data, in the context of the 1998Data Protection Act (Section 3.2, and Annex3), comprise information about living peoplewho can be identified from the data, or fromcombinations of the data and otherinformation which the person in control ofthe data has, or is likely to have in future.

Anonymised data are data prepared frompersonal information, but from which theperson cannot be identified by the recipient ofthe information (see Sections 5.1 - 5.7). Theterm is used in the guide when referring tolinked and unlinked anonymised data together.

• Linked Anonymised data isanonymous to the people who receiveand hold it (e.g. a research team), butcontains information or codes thatwould allow others (e.g. thoseresponsible for the individual’s care) toidentify people from it.

• Unlinked Anonymised data containsno information that could reasonably beused, by anyone, to identify people.

Coded data is identifiable personalinformation in which the details that couldidentify people are concealed in a code, butwhich can be readily decoded by those usingit. It is not “anonymised data” (see Section5.2).

Confidential information is any informationobtained by a person on the understandingthat they will not disclose it to others, orobtained in circumstances where it is expectedthat they will not disclose it. The law assumesthat whenever people give personal

information to health professionals caring forthem, it is confidential as long as it remainspersonally identifiable.

Sensitive information. The term “sensitive”is used in this guide to highlight the need forextra care in using information about mentalhealth, sexuality and other areas whererevealing confidential information is especiallylikely to cause embarrassment ordiscrimination. Note that “sensitive personaldata” is defined in the 1998 Data ProtectionAct as including all information about physicalor mental health or condition, or sexual life(Annex 3(B)).

Glossary

4 Medical Research Council Ethics Series Personal Information in Medical Research

Much medical research revolves aroundinformation about people - their age, lifestyle,work, and health - drawn from medicalrecords, scientific tests, surveys andinterviews. Sometimes, the information alsoreveals facts about relatives and relationships.These types of information are sensitive andprivate for many people, although attitudesand expectations vary widely.

Respect for private life is a human right, andthe ability to discuss information inconfidence with others is rightly valued.Keeping control over facts about one’s selfcan have an important role in a person’s senseof security, freedom of action, and selfrespect. It can also protect against unfairdiscrimination.

The confidentiality of information patients giveto doctors is central to the doctor-patientrelationship, and to the public’s trust in healthcare professions. There is little researchevidence on how people view the use of thisconfidential information. The limited evidenceavailable suggests that when asked, the vastmajority are willing for information about themto be passed to others, under tight controls, ifit will advance medical practice. But manypeople will not know how information aboutthem might be used, and many others may noteven know the sort of information that iscontained in their medical records.

Although caution is therefore needed in usingany personal medical information, this mustbe balanced against the potential forimproving the quality of care by improvingthe flows of information within the healthcare system. At present, compared with whatmight be achieved:

• information is fragmented, and toodifficult to share. It is always difficult tobuild up a complete picture of the careand treatment people receive - fromtheir GP and in hospital - in order toquestion whether this could beimproved.

• information is often incomplete, andsome activities are better documentedthan others. The results of hospital caretend to be well recorded, while theresults of home care or preventivemedicine are more difficult to measureand record.

• the information that is available is notanalysed fully. Research into theeffectiveness of the health services, andinto factors affecting the health ofpeople in the UK needs to bestrengthened if we are to continueimproving the health ofthe nation.

Medical Research Council staff and grant-holders make widespread use of personal datain clinical research, in clinical trials,epidemiology, and other public healthresearch. In 1972, the MRC set out its viewson the conditions under which informationabout identifiable patients could be obtainedand used in research. More detailed guidancewas issued in 1985 and 1994. Since 1972,medical research based on records and surveyshas led to many important advances inknowledge in the UK, including:

• recognition of new variant CJD and itsrelation to the BSE epidemic;

• improvements in the organisation andquality of cancer treatment


1 Introduction

• better understanding of suspectedhealth hazards - for example, Gulf Warrelated illness and leukaemia in peopleliving near to nuclear facilities;

• reliable evaluations of new preventivemeasures and treatments - for example,the benefits to people at risk of heartdisease from aspirin, warfarin,cholesterol lowering drugs and vitamins;

• ways of reducing cot deaths;• assessments of the health care needs of

special groups in society, such as elderlypeople;

• identification of adverse drug reactions.

Over the same period, there have been nocases where doctors following these guidelineshave been judged in law to have breachedconfidentiality. But some people involved inresearch do take exception to the wayinformation about them is used, and manypeople have strong, general, concerns aboutthe way public and private organisations usepersonal data.

From time to time, therefore, we have to askwhether the standards that researchers setreflect those society currently expects of us.Many people have a concern that moderninformation and communication technologiesmight lead to more casual, or frequent,infringements of privacy. And most peoplenow expect the medical professions, andmedical researchers, to be more open andaccountable in their work, and to allowindividuals more opportunity to be involved indecisions that affect them.

The last few years have also seen activediscussion of the implications of the law ondata protection for the use of confidential

information in research. In 1998, the legalsituation changed, with the passing of a newData Protection Act, and a Human Rights Actguaranteeing respect for citizens’ private lives.

Reflecting these changes, this booklet sets outthe ethical and legal principles that shouldnow guide the use of personal information inresearch, and provides a revised code ofpractice. It supersedes the guidance in theMRC ethics booklet Responsibility in the use of

Personal Medical Information for Research (1994)and the relevant sections of the bookletResponsibility in Investigations on Human

Participants and Material and on Personal

Information (1992).

The NHS Information Strategy

At the time of writing, work is under way onan ambitious programme of changes in theNHS, including creating lifelong electronichealth records for every person in the country,improved sharing and movement ofinformation through an NHS informationhighway, and more effective use ofinformation to inform NHS management.The strategy creates important opportunitiesto make some medical research easier andmore effective, and to address some of thecurrent concerns around the use of medicalinformation in research. For example, it maybecome possible to widen the range ofanonymised information that is available anduseful for research. The strategy will alsocreate new opportunities for healthprofessionals and researchers to engage withmembers of the public to explain whyinformation sharing is necessary. Researchersneed to work with commitment and foresightto make the most of these long-termopportunities. At the same time, it has to be


remembered that information systemsdesigned to support routine health care cannotalways be expected to provide the range orquality of information needed for originalresearch.

The status of the guidance

This guidance is primarily for researcherssupported by MRC, who are expected tofollow it as a condition of funding. Theguidance is prescriptive wherever this isappropriate, but like any code of practice, itcannot provide for every possible situation,and exceptions to the general rules willoccasionally arise.

We hope that in addition the guidance will beinformative and helpful to other researchers,to doctors and other health professionalswhose patients’ records may be involved insuch research, to ethics committees, to others reviewing or supervising research, andto the public.

Scope

This guidance covers all uses of personalinformation whether or not it is “personaldata” under the terms of the Data ProtectionAct, and whether or not it is confidential (seeGlossary). Section 2 summarises the keyprinciples that should guide ethical research,both in general situations, and in situationswhere research depends on using informationwithout consent. Section 3 outlines the lawsrelating to confidentiality and personalinformation, how these relate to ethicalprinciples, and discusses the areas wherechanges in practice may be needed. Section 4analyses how the key principles should beapplied in situations where consent can, andcannot be obtained. Sections 5, 6 and 7 give

detailed advice on good practice, and arerelevant to all research using personalinformation.

The guidance addresses the main uses of thisinformation in medical research, including:

• collection of information as part ofclinical trials or other patient-basedresearch;

• use of information from generalpractice or hospital records to approachpeople to participate in studies;

• analysing patterns of disease andtreatment outcomes from existingrecords;

• studying the health of people in aparticular locality, or with a particularjob or lifestyle.

The question of confidentiality often receivesmost attention in epidemiological or surveywork when information is taken from medicalrecords without the person’s knowledge orconsent, but researchers in every area ofclinical and public health research need torespect confidentiality and protect theindividual’s interests by guarding againstaccidental or mischievous disclosures, andensuring the information is not used in wayswhich could cause distress or harm.

Research use of tissue samples or DNAsamples in conjunction with personal dataraises special issues since:

• clinical samples, including stored blood,plasma and serum will often be used toanswer questions unforeseen at the timethey were collected;

• genetic analyses can reveal new


information about an individual, theirfamily members or raise concerns aboutinsurance. Particular care needs to betaken when feeding back informationand in the publication of material;

• this information raises special concernswhen it is, or is seen as being, predictiveof future health;

• some types of genetics research give riseto particular concern - for instanceresearch relating to personality orcognitive function.

Samples, and the information obtained fromthem, cannot be treated in the same way asother data, and are the subject of separateMRC guidance Collections of Human Tissue and

Biological Samples for use in research.

Disease registries often provide the startingpoints for research, and are an essentialresource for improving the quality of healthservices. The NHS Plan1 published in July2000 recognises the importance of registriesin improving disease management. The Houseof Commons Science and TechnologyCommittee report “Cancer research - a freshlook”2 underlined the importance of registries,and the impracticability of only usinginformation in registries with express consent.Because registries are often established forpurposes other than research, and because oftheir diversity, this guidance does not offerdetailed advice on good practice. However, wewould expect the general principles set out inSection 2 - such as the need to make peopleaware of how their information may be used -and much of the advice in Sections 5 through7, to be applicable to research based ondisease registries, and to registries maintainedsolely for research purposes.

Also, while we recognise that it is sometimesdifficult to define clear boundaries betweenresearch and audit, this guide does not attemptto offer a code of practice for the wide rangeof activities and situations included in clinicalaudit. However, we hope that the advice willbe helpful to some of those working in audit.

The guidance does not address in detail thequestion of consent to use information aboutchildren, or adults who are incapable of givingconsent. Separate MRC ethics booklets giveadvice on research involving children (1991)and mentally incapacitated adults (1991). Theethical and legal issues in these areas havebeen actively discussed over the past ten years,and the Scottish Parliament has recentlypassed the Adults with Incapacity (Scotland)Act (2000), which creates a new frameworkfor consent to research. New guidance will beprepared.

Updates and changes

MRC will keep this guidance under review.The law on confidentiality does not givespecific direction on what can and cannot bedone in various situations, but some points oflaw may be clarified in time. In some areas ofwork, the need for disclosures withoutconsent should decrease with time.

This guide, and all other MRC ethics guides,are available on MRC’s website – atwww.mrc.ac.uk – and changes will behighlighted there as they arise.

Notes

1 www.nhs.uk/nhsplan

2 House of Commons Science and Technology

Committee, Sixth report, Session 1999-2000


General principlesThe following principles should guide allMRC-funded research involving people ortheir information:

1 Personal information of any sort which

is provided for health care, or obtained

in medical research, must be regarded

as confidential. Wherever possible

people should know how information

about them is used, and have a say in

how it may be used. Research should

therefore be designed to allow scope

for consent, and normally researchers

must ensure they have each person’s

explicit consent to obtain, hold, and

use personal information. In most

clinical research this is practicable.

2 All medical research using identifiable

personal information, or using

anonymised data from the NHS which

is not already in the public domain,

must be approved by a Research

Ethics Committee.3

3 All personal information must be

coded or anonymised as far as is

possible and consistent with the needs

of the study, and as early as possible in

the data processing. Only personalidentifiers that are essential should be held.

4 Each individual entrusted with patient

information is personally responsible

for their decisions about disclosing it.

Health professionals disclosinginformation should, in particular, ensurethey are familiar with the advice of theGeneral Medical Council on disclosuresfor research. Health care organisations

should be aware of the research conductedwithin the organisation, and should ensureresearch teams are accountable to them.

5 Researchers must ensure that personal

information is handled only by health

professionals or staff with an

equivalent duty of confidentiality.

6 Principal investigators must take

personal responsibility for ensuring (as

far as is reasonably practical) that

training, procedures, supervision, and

data security arrangements are

sufficient to prevent unauthorised

breaches of confidentiality.

7 Researchers must also have procedures

in place to minimise the risk of

causing distress to the people they

contact in the course of their research.

Researchers must also be aware that,despite their best efforts, occasionaluntoward events may occur and plan forhow to deal with these.

8 At the outset, researchers must decide

what information about the results

should be available to the people

involved in the study once it is

complete, and agree these plans with

the Research Ethics Committee.

However, researchers must also beprepared to reconsider if there areunforeseen findings from the study, anddiscuss the appropriate response with aresearch ethics committee.


2 Principles

2.1

Information disclosed without consentSituations arise in which medical researchquestions can only be answered using personalmedical information, but where it is notfeasible for those responsible for theindividual’s care to contact all the relevantpeople to seek their consent. Based on theethical and legal advice it has received (Section3), the Medical Research Council considersthat in some circumstances it is justifiable touse personal information, and disclose it to alimited number of other people, withoutconsent.

The principles governing research usinginformation without consent are:

1 Hospitals and practices involved in

research must develop procedures

for making patients aware that their

information may sometimes be

used for research, and explaining

the reasons and safeguards. Ifpatients object to their informationbeing passed to others, patients shouldhave the opportunity to discuss thiswith their doctor, and their objectionsmust be respected.

2 When consent is impracticable

confidential information can only be

disclosed without consent only if:

• the likely benefits to society

outweigh the implications of the

loss of confidentiality, so that it

is clearly in the public interest

for the research to be done;

• there is no intention to feed

information back to the

individuals involved or take

decisions that affect them, and;

• there are no practicable

alternatives of equal

effectiveness.

Research must have been plannedwith confidentiality in mind: fromthe earliest stages of planning astudy, researchers and/or thoseresponsible for patient care shouldhave given careful considerationto whether consent could be madepracticable. The judgement thatconsent is impracticable is neverthat of the researcher alone:unless an ethics committeeconcurs, and health professionalsagree to participate in the studyon this basis, the research cannottake place.

3 The infringement of

confidentiality must be kept to a

minimum. Even where there is astrong justification for the study, thedesign must minimise the volumeand sensitivity of the personalinformation that is disclosed, and thenumber of people who have accessto it before it is coded oranonymised. If the disclosure madeis to allow researchers to contactpeople, consent should be obtainedthen to gather the furtherinformation needed, and to hold andprocess their information.

The diversity of medical research makes itimpossible to be prescriptive about theinterpretation of these principles. Finaldecisions on the value and acceptability of a


2.2

2.2.1

2.2.2

2.2.3


2.3

Can consent beobtained beforeany informationis released?

Can anonymousdata be used?

Would consentbe possible withother validstudy designs?

Are patientsalready made awaretheir info may be usedfor research?

Ensurearrangementsfor respectingobjections

Will studyinvolvethe patients?

Can action betaken to remedythis?

Consideralternativesettings forstudy

Design study tominimise datadisclosed withoutconsent

Assess sensitivityof information andsafeguards forconfidentiality

Assess potentialimplications of resultsand feedback

Is the studylegally andethically justified?

LREC / MRECapproval?

Agreementof data-holder

Conductstudy

Approach basedon medicalhistory

Doctorapproaches

Approachdirectly to askto participate

DoesLREC / MRECapprove?

Do healthprofessionalssupport study?

Figure 1 – Using existing personal information in researchA simplified decision tree


research protocol have to lie with theresearchers, the health professionals, and theethics committee involved, and theorganisations which are responsible forsupporting and overseeing the work.4 Whenconsidering whether disclosures are justified,one useful aid to thinking might be to askwhether, if the proposed disclosure and thereasons for it became widely known, areasonable person would see it asunacceptable. A second, narrower test mightbe to ask whether there are any grounds forsupposing that, if consent could be soughteffectively, people would be likely to refuse toallow their records to be used.

The conditions in which consent might bepractical or impractical, ways of reducing theneed for disclosures without consent, and theprovision of advance information, arediscussed further in sections 3 and 4.

Notes

3 Or, where appropriate, the Scottish Privacy

Advisory Committee

4 Principally, the bodies employing researchers,

such as MRC, Universities, NHS Trusts

2.2.4


Confidentiality in lawIn the UK, the confidentiality of personalinformation is addressed primarily inCommon Law. The Data Protection Act 1998superimposes on this a framework of rightsand duties and principles governing the use ofinformation in electronic form or structuredpaper records. These are discussed below, andSections 3.3 to 3.6 consider how compliancewith the law relates to ethical researchpractice.

In Common Law, anyone who receivesinformation must respect its confidentiality(that is, not disclose it without consent orother strong justification) if they receive it onthe understanding that it is confidential, or incircumstances where there is an implicitexpectation that they will not reveal it toanyone else. But while Common Lawestablishes some core principles, it does notspecify when confidential information may ormay not be disclosed to others, in research ormost other activities. Individuals andorganisations using confidential informationhave to take responsibility for deciding what isjustified and acceptable on a case by case basis.

Common Law enshrines the principle that todisclose confidential information about aliving person without consent is, generallyspeaking, to wrong an individual. In law, anyinformation doctors have about their patientsmust be regarded as confidential, evenaddresses that might be publicly availableelsewhere (for instance, in the electoralregister), because the information is given inthe expectation that it will not be passed on.Disclosing confidential personal informationdoes not have to cause direct harm or distressfor it to be unlawful - any unjustified use of

confidential information that weakens trust inthe doctor-patient relationship could also beseen as actionable.5

However, Common Law also recognises thatit can be in the public interest for doctors todisclose confidential personal information,and that the nature and scale of the disclosurehas to be balanced against the benefits tosociety. Interpretations of this balancingjudgement vary, and there are few courtrulings relevant to the sorts of limiteddisclosures involved in research. The legaladvice to MRC is that the legality of usingconfidential information in research withoutconsent, could only be judged on a case bycase basis, taking into account:

• necessity - were there alternative,practicable, ways of conducting thestudy, which would have allowedconsent to be obtained? Couldanonymous data have been used?

• sensitivity - how much did theinformation reveal about the individual,and was it particularly likely to lead toworry or distress, or damage the doctor-patient relationship?

• importance - was the research welldesigned, and likely to make a significantcontribution to knowledge in the area?

• safeguards - was the amount ofinformation disclosed as small aspossible? Were all reasonable steps takento guard against unintended leaks ofinformation and to maintain trust? Wasthe risk that the study or its findingsmight cause distress minimised?

• independent review - was thejustification for the research reviewed bya Research Ethics Committee?

3 The Law as a guide to Good Practice

3.1

3.1.1

3.1.4

3.1.2

3.1.3


• expectations - if explicit consent wasnot possible, were there reasonableefforts to make people involved awareof how medical records were used, sothey had an opportunity to raise anyspecial concerns?

Since anonymised data derived from medicalrecords is no longer information aboutidentifiable people, disclosing it does notbreach the duty of confidence to the patient,and these tests do not need to be applied.

Despite the fact that research projects mayhave been approved by a Research EthicsCommittee, and authorised by a HealthAuthority or Trust, individual doctors remainaccountable for their use of their patients’information. The same applies to those whoreceive confidential information: members ofa research team must always be aware thatthey share a similar duty of confidence todoctors, and that revealing any personalinformation they hold without good reason -whether resulting from neglect, ignorance, ormalice - is potentially actionable.

This is a controversial area of law, and MRC isaware that there are other interpretations ofCommon Law, some of which would argue forfreer use of personal records, and some whichhold that the public interest can only justifydisclosing confidential information wherethere is an extraordinary threat to the health ofthe nation or individuals. MRC has sought tobase its guidance on a position that cancommand broad support, and is consistentwith the policies of the Department ofHealth6 and General Medical Council.7

The Data Protection Act, the HumanRights Act and other statutoryregulationsThe UK’s 1984 Data Protection Act, and the1998 Data Protection Act, which replaces it,are both based on the concept of “fairprocessing”. The main principles in the laware explained in Annex 3, but in brief, fairprocessing means that an individual shouldnormally have the opportunity to know whatorganisations hold information about them,and why. When people give information, theyshould be told what it will be used for and towhom it will be passed. They will also beentitled to check records held about them andcorrect errors.

The Act covers only “personal data”, whichcomprises information about living people whocan be identified from the data, or identifiedfrom combinations of the data and otherinformation which the person in control of thedata is likely to have, either now, or at somefuture time. Data which have previously beenanonymised are outside the scope of the Act.

The law recognises that research needs specialfreedom to use information in ways notforeseen when it was first collected, and toarchive and re-use data. Research work that isnot used as a basis for decisions affecting theindividuals involved, and which is unlikely tolead to substantial damage or distress, is givenspecial exemptions in these areas (see Annex 3).

The law also sets conditions on when “sensitivepersonal data”, such as information abouthealth, religion, or ethnicity, can be processed.One condition is that the use of the data isnecessary for medical purposes, (which aretaken to include medical research and the

3.2

3.2.1

3.2.2

3.2.3

3.2.4

3.1.5

3.1.6


management of healthcare services), and theprocessing is done by a health professional or aperson with an equivalent duty ofconfidentiality. This condition is in addition tothe need to conform to Common Law, and toother sections of the Data Protection Act.

Despite the exemptions mentioned above, theAct is important for research. Fair processingrequires that when Health Authorities, hospitals,and doctors know patient information willprobably be used for specific research projects, atthe time it is collected, they must tell patientsthis. Health professionals and researchers mustgive careful thought to whether their use ofinformation might cause substantial damage or

distress. Information gathered primarily forresearch but which will also be used to informclinical decisions, or which will result inindividuals receiving significant new healthinformation about themselves, must comply withevery part of the Act.

The Human Rights Act (1998) (Annex 4)established the European Convention on HumanRights as part of UK law. This guarantees theright to respect for private and family life. Thebody of legal work on the interpretation of thisright is still growing, but MRC’s legal advice isthat, like Common law, it provides for judge-ments on the balance between the rights of theindividual and the legitimate needs of society.

NON-MEDICAL SOURCEMEDICAL SOURCE

Yes, if able to consent

if no significant feedback

Individual controls useof their information

Common Law onconfidentiality

Data Protection Actapplies in full

Data Protection Actapplies with researchexemptions

LREC / MRECapproval

Yes

Yes

No

Yes

Wherepossible

Yes

If resultsimpact onindividuals

Yes,

Yes

Wherepossible

No

If resultsimpact onindividuals

Assumeyes, if nosignificantfeedback

Yes

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Expected*

No

Yes

No

Yes

Expected*

Informationused in

clinical careand research

Informationused in

research only

Linkedanonymised

Unlinkedanonymised

Generalpersonal

information

Surveysand

questionnaires

Researchdatabases

* MRC expects MREC or LREC approval or equivalent.

Table 1 – Controls on the use of information in medical research

3.2.5 3.2.6


Other relevant statutory regulations are listedand summarised at Annex 5.

Information about dead people, and

historical records

The Data Protection Act does not apply toinformation about a person who is deadbefore the information is disclosed. CommonLaw on confidentiality, similarly, is notnormally held to apply to information aboutdead people, although this is a grey area of thelaw. However, if the use of information abouta dead person intruded on the privacy of theirrelatives - for example, because it revealedinformation about hereditary conditions ortransmissible diseases - then the relativesmight be able to take action under HumanRights legislation.

All NHS records are covered by the PublicRecords Act 1958: GPs’ records becomepublic records when they are forwarded to theappropriate local authorities after the death ofthe patient. While most public records areclosed for 30 years, all NHS records relating toa person’s physical or mental health are closedfor 100 years. The few records kept for longterm reference or research are fully open tothe public after this point. The Public RecordsOffice will sometimes allow bona fide social,historical or medical researchers access torecords within this period, if confidentialitycan be guaranteed.

Ethics and the lawThe principles and arguments that underlieethical reasoning about the use of personalinformation in research are often broadlyconsistent with the legal principles discussedabove. Interpretations of the law can vary

widely, and some interpretations may permituses of information that are unethical.Therefore, researchers and healthprofessionals should ask first of all whethertheir actions will reflect ethical andprofessional codes, and secondly, whethertheir actions will be consistent with the law.

Over and above legal constraints, there is anethical imperative not to engage in researchwhich might harm an individual, whether byrevealing personal information, or by leadingto some intervention in a person’s life - such asdiscovering new facts about their health - thatmight be against their interests, without theirconsent. As in all other areas, the presumptionshould be in favour of allowing individualsthemselves to participate in any decision thatmight affect their interests. Research must notundermine trust in the confidentiality of thedoctor-patient relationship, or respect forprivacy and confidentiality. Even if it isapparent that a particular use of informationcannot embarrass or harm an individual,researchers must ask whether their use ofinformation goes against what a reasonableperson might expect, and if so, whether it will,in the short or longer term, erode trust inhealth professionals or in medical research.

Despite the absence of legal protection, (seeabove) there is clearly an ethical obligation tocontinue to respect the confidentiality ofmedical information after death, andresearchers should make sure that disclosures of information are fully justified.Many living people would be distressed by the thought that information about theirprivate lives might be casually revealed aftertheir deaths, especially in the yearsimmediately after their death.

3.3.2

3.3.3

3.2.9

3.3

3.3.1

3.2.8

3.2.7


In dealing with disclosures without consent,many international and national ethical codeshold that research based only on records thatwill not directly affect the individual is one ofthe few areas where research without explicitconsent can be justified. The consensus is thata balancing judgement is needed, setting therisks - often minimal - of harming theindividual’s interests or undermining respectfor confidences more generally, against thelikely long-term benefits of the research forsociety as a whole. However, there has beenlittle emphasis on the need to ask firstwhether consent is practicable, or advice onhow to weigh the different factors in reachinga balancing judgement.

The principles in Section 2, and the remainderof this guidance, draw on both ethical andlegal advice.

Providing advance information aboutuse of medical recordsOne of the most important steps that can betaken to address the ethical concerns, and toaddress the legal need for “fair dataprocessing”, is to ensure that all NHS patients,are made aware of how records are generallyused in research. Explaining what is done, why,and what benefits might accrue, would protectthe doctor-patient relationship, improve trustin research, and build realistic expectations ofconfidentiality. This was advocated by MRC in1986, and became Department of Healthpolicy in 19969, but is not yet widely practisedin the Health Service.10

It is important, however, that this is not seenas consent to use medical records for anypurpose, without either express permission, or

proper consideration of the necessity,justification, and potential for harm.

We also have to bear in mind that it will takesome time for information leaflets and noticesto substantially change awareness of the uses ofmedical records. Other steps need to be taken,such as asking explicitly for agreement to theuse of records in research at an appropriatetime, which may be when new patients registerwith practices, or on first attendance atoutpatients, or on admission to hospital.

Providing advance information also raises thequestion of how to respond when peopleobject to their information being disclosed forresearch outside of the care team. A request forabsolute confidentiality should be discussedwith the patient, and has to be respected in allnormal situations.11 If a research study relevantto their health arose in future, their doctorwould have to arrange to discuss the study withthem and seek their explicit consent beforepassing on their name: in reality, time pressureswould often mean that they would lose theopportunity to participate in the study.

Stated, general objections to disclosurewithout consent for unspecified studies shouldnot prevent the inclusion of unlinkedanonymised information about the patient inaggregated data or statistics (in contrast to thesituation where a person declines to consentto a specific study).

Reducing the need to discloseconfidential informationAs previously mentioned, the long termdevelopment of the NHS InformationStrategy will present opportunities to avoid

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.5

3.5.1

3.3.5

3.4

3.3.4


disclosures of confidential informationwithout consent. Better arrangements for datatransfer, standardisation of diagnostic andtreatment codes, and improvements in qualitycontrol, will gradually make anonymised datafrom IT systems more useful in research.Public awareness of how medical informationis used will also increase.

In the medium term, improving theinfrastructure for health services and publichealth research, especially in primary care,could reduce the need for disclosures, or theirscale. Within the MRC’s General PracticeResearch Framework, the presence of researchnurses in participating practices means that thepreliminary work of selecting patients toreceive invitations to participate in clinical trialsor surveys can sometimes be done without anyinformation leaving the primary care teamuntil the patient has consented. Where patientdetails have to be checked centrally beforeinvitations are sent, medical details can oftenbe separated from names and addresses, andcodes used to produce standard lettersprepared without clerical staff seeingidentifiable medical information.

Other primary care networks have, or aredeveloping, similar arrangements andprocedures. Researchers should always askwhether their questions can be answered byworking only with practices that have theability to handle information in this way.

Conclusions and implications forcurrent practiceClinical and public health research based on,or using, medical records and other personalinformation is essential if we are to continue

to improve public health and health care - inwhich individuals, as citizens and members ofsociety, have an obvious interest. On the basisof the advice summarised above, the MedicalResearch Council considers that it should bepossible to undertake the full range ofresearch needed in the UK, though somechanges in practice are needed.

MRC’s advice to health professionals providinginformation, and to researchers usinginformation, is that they must remain awarethat they can be held accountable for theirdecisions on the use of confidentialinformation. On the question of consent,Common Law does not provide specificanswers on when confidential information canand cannot be passed to others withoutconsent, but the advice to MRC has been thatuse of personal information without explicitprior consent can be legally justified in certaincircumstances. Health professionals anddoctors must therefore ensure they are familiarwith the advice from MRC, the Department ofHealth, the General Medical Council, andother bodies and should closely follow theseguidelines to help ensure that their use ofrecords is ethically and legally defensible, andto minimise the risk of any challenges.

Confidentiality remains a contentious area oflaw, and MRC cannot guarantee that researchersor doctors will always be safe from legalchallenges by following the guidelines, orbecause their work has been approved by anEthics Committee, even though ethics approvalis very important. As the General MedicalCouncil advises: “The decision of a researchethics committee would be taken into accountby a court if a claim for breach of confi-dentiality were made, but the court’s judgement

3.5.2

3.6

3.6.1

3.5.3

3.6.2

3.6.3


would be based on its own assessment ofwhether the public interest was served.”

Current practice varies across the country, butthere are 4 areas in which change may be needed:

• patients must, as a matter of course, begiven information about how theirinformation may be used, and anopportunity to register and/or discusstheir concerns throughout the healthservice. Where this is not the norm,researchers should press for change;12

• researchers have a duty to assessthoroughly, early in the design of astudy, whether consent to use personalinformation is practicable, or could bemade so, and to base research onexplicit consent where practicable;

• researchers, health professionals andmanagers need to work together todevelop the skills, informationtechnology and infrastructure tofacilitate records based research andreduce dependence on disclosureswithout consent;

• employers need to ensure that all staffusing personal information in researchhave a duty of confidence that is wellestablished through contracts, codes ofconduct, and training.

Some of these changes in practice may meanhigher research costs: MRC policy has alwaysbeen to fund its research to the levelreasonably needed for the work to be donewell, safely, and ethically.

The research team’s accountability to the NHSbodies responsible for the patients’ care(assuming the researchers are not themselves

NHS staff) can be an important safeguard. It isessential for those responsible for research in theNHS bodies involved to be aware of every studyconducted, and to be able to call the researchteam to account if needed. Used as part of aneffective research governance framework,honorary NHS contracts can play an importantrole in strengthening accountability. TheDepartment of Health is currently (Autumn2000) consulting on proposals for strengtheningresearch governance in the NHS: MRC supportsmoves to strengthen governance frameworks,and to clarify roles and responsibilities.

The practicability of consent

It is difficult to offer detailed advice on whenconsent is or is not practicable. The mostcommon reasons why consent obtainedthrough the team responsible for a person’shealthcare may be impracticable are likely to bethe sheer size of the group being surveyed, orthe likelihood that many will be uncontactable.However, these obstacles have to be judged inthe context of the structure of the relevantparts of the health service: what is impracticablein one setting is not necessarily impracticableeverywhere. Other factors may include:

• before a person is asked to participatein a study, someone independent oftheir doctor, but with the doctor’spermission, has to review their records,so that the decision to invite someoneto participate is based on specific anduniform criteria;

• excluding people from whom consentcannot be obtained might bias a survey,so that people with a particularbackground, medical history, or attitudewere disproportionately represented.For example, when studying apparent

3.6.4

3.6.5

3.6.6

new health syndromes, or links betweentreatments and side effects, small orbiased samples can give dangerouslymisleading results.

Very exceptionally, the nature of the researchitself may be such that seeking consent, initself, might cause harm or distress. As ahypothetical example, if a study aimed toexamine correlations between parents’ mentalhealth and unexplained child deaths, it wouldbe difficult to seek consent without riskingcausing serious distress. Similar dilemmas mayoccur in research using tissue samples togenerate new information , and thesesituations are discussed in separate MRCguidance “Collections of Human Tissue andBiological Samples for use in research”.

These rare situations call for carefulconsideration by researchers and ethicscommittees of where the balance of thepatients’ interests lies, and of:

• the scope to adopt special consent orcounselling procedures that makeinformed consent achievable. It isimportant to bear in mind, however,that this standard of informed consenthas to be reliably achieved throughoutthe study if it is to be acceptable.

• the public health importance of thequestion.

• the likely consequences of eventualpublication of the results.

When the risks and the implications of notseeking consent have been fully assessed, thefinal decisions should be based on whether,despite these risks, it is in the public interest.

Notes5 That is, a person might have grounds for taking

legal action against the person who disclosed it..6 Health Service Guidance (96) 18 “The Protection

and Use of Patient Information”. Department ofHealth, March 1996.

7 “Confidentiality: Protecting and ProvidingInformation”, GMC June 2000.

8 See, for example, Canada’s Tri-Council PolicyStatement Ethical Conduct for Research Involving

Humans (1998); New Zealand Health InformationPrivacy Code (1994).

9 Health Service Guidance (96)18 The Protection and

Use of Patient Information. Department of Health,March 1996.

10 Report on the Review of Patient-Identifiable Information.

The Caldicott Committee. Department ofHealth, 1997

11 Exceptions might occur if disclosure couldprevent harm or death directly, or address otherparticularly serious and important problems.

12 Model patient information leaflets or notices willbe available from MRC’s website in 2001, and amodel is available in Health Service Guidance(96)18 The Protection and Use of Patient Information.


3.6.7

3.6.8

3.6.9


Personal medical information is used in

almost every type of clinical and public

health research, and different research

scenarios raise different ethical, practical

and legal issues. Outlined below are

some of the processes currently used in

research.The scenarios are not intended

as formulae for good practice, and do

not cover every type of research, but are

offered as examples for discussing how

principles translate into practice, both

when consent can be obtained and when

it cannot.Whether a particular approach

is ethical in a given case will depend on

the circumstances of the project.

Approaching patients during medical care

Scenario A

Patients referred to a specialist centre in ateaching hospital are often involved in thecentre’s programmes of research on thecauses and progression of a disease. Theirparticipation is discussed with them by theconsultant when they are first referred. Aseries of studies by a team of doctors,scientists and technicians draws togetherinformation on lifestyle, previous medicalhistory, data from blood samples, X-rays, andCT scans, and information from hospitalrecords about long-term outcomes.

Scenario B

A clinical trial of a new treatment is open topatients presenting in a general practice withdefined symptoms. Their GP discusses theirparticipation with them, before passing detailsto a trials office, to check eligibility andarrange entry in the trial.

In patient-based research involving directcontact with the individual, consent willalways be possible, and, therefore, essential.There must be a written record of consent,13

which includes written permission to use thepatient’s information in the research, even if itseems a small issue alongside the patient’sconsent to participate in the research itself,and need not distract from this decision.Patients should also be aware that they havethe right to opt out of a study at any time.The main ethical and practical questions, ifany, about the use of personal information in

4.1

4.1.1

SCENARIOS4 Using information with and without consent


these studies are likely to stem from:

• adequacy of data security and coding /anonymisation and, training andsupervision of the group of people whowill use the information;

• Longer term storage of the data, or re-useby other groups, or in other research areas.

These are generic questions that have to beaddressed in every area, and are discussed inSection 5.

Consent will also be practicable and essentialin most prospective studies - for instance,where a health professional takes details frompatients knowing that the information will beused for research as well as for normal healthcare, consent must always be obtained.Researchers should also consider whether it isappropriate to seek permission to use theinformation again in other studies, and if so,what the patient needs to know about these studies.14

Approaching patients from medical records

Scenario C

Research based on linked

anonymised data

To investigate the prevalence of asthma in apopulation, a study aims to research a cohortof new cases of asthma from a selection ofpatients from a network of General Practices.The GPs at the practices have already beenpart of a number of studies and each practicehas the support of a part-time research nursefor studies of this kind. The nurse takes

personal details of all the patients recorded assuffering from asthma or prescribed relevantmedication, and replaces the names with acode before passing details to the researchteam. The research team identify a sub-set ineach practice who should be invited toparticipate in more detailed studies, and theresearch nurse approaches them, using lettersand information leaflets provided, to seektheir consent.

Scenario D

Disclosing names and addresses before

consent is obtained

To study the health of an ageing population, aproject aims to contact a large sample of thepeople aged 50-69 in several districts who areregistered with local GPs, inviting them tocomplete a questionnaire and attend theirpractice for a check up and tests. The generalpractices consider that they cannot carry out theadministrative work of making contact with eachperson and obtaining consent, even if paid, andinstead, they provide the research team withnames and addresses. A letter signed by the GP isthen sent to each person, explaining the projectand asking if they will participate. No otherpersonal information is provided from the GP’srecords until a person has agreed to participate.

Scenario E

Disclosing information about

medical history

To test ways of maintaining the long-termhealth and quality of life of people with heartdisease, a study needs to contact several tens ofthousands of potential volunteers, with a

4.1.2

4.2


history of angina, heart attacks, bypass surgeryor other carefully defined conditions. A team ofresearch nurses identifies people meeting thesecriteria from a range of different records atdozens of centres, and after checking with theGP, the trials office prepares letters to eachindividual, on behalf of their GP.

In each of these scenarios, the first question toask is whether reasonable efforts have beenmade to make patients aware that theirinformation may be used for research or otherpurposes not directly connected to theirtreatment (see Sections 2 and 3.4 above). Thismight seem unnecessary in Scenario C, whichinvolves no disclosure of confidentialinformation or personal data outside theGeneral Practice, and is unlikely to raise legal orethical issues other than those mentioned in 4.1.1 above. But even here, steps should betaken to make patients aware that personalinformation is used in research in the practice,and throughout the NHS, and that the careteam includes research staff. In Scenarios Dand E, making patients aware of how theirinformation is used is not only ethicallyimportant, but would also help to minimise therisk of legal challenge to researchers and health professionals.

Scenarios D and E illustrate the situations thatgive rise to most ethical and legal uncertainty.Scenario D involves the disclosure of a limitedamount of personal information given inconfidence without consent, and thejustification for this would need to be carefullyconsidered by the health professionals andresearchers involved, and by an ethicscommittee. If patients had previously been

given general information about how theirrecords might be used, and opportunity toraise objections, then this very limiteddisclosure would be unlikely to give rise to anyserious objections. If patients had not beengiven information, then more caution wouldbe needed: there would need to be a clearjustification for conducting the research in this setting, and the potential benefits would have to outweigh the breach ofconfidence involved.

Scenario E involves disclosing informationabout medical history. While the number ofpeople who have access to the information isstrictly limited, the information is undoubtedlyconfidential and sensitive personal data, withpotential to cause some embarrassment orperhaps even discrimination if disclosed. Manyother types of medical information, such asinformation about mental health or sexuality,would be much more sensitive, and more likelyto cause distress or embarrassment if disclosed.

If patients were aware of how their recordsmight be used, the researchers, healthprofessionals and ethics committee involvedwould need to satisfy themselves that thedisclosure was necessary and justifiable, andthat the information would be used properly(see 4.1.1). The detail of what patients wereroutinely told about their records, and thedegree of sensitivity of the information, wouldbe important factors in the decision.If patients were not aware that theirinformation might be used in this way, thisproject would be unacceptable unless therewere a strong justification, based on theabsence of alternatives and clear potential tobenefit health.

4.2.1

4.2.2

4.2.4

4.2.3


The reasons why consent cannot be obtained atthe outset differ in Scenarios D and E. In D it isbecause of the practicality of GPs undertakinglarge amounts of additional administrative work,in writing letters, chasing and checking replies,and answering queries. In E direct access tomedical records is needed to ensure the rightpeople are identified using consistent andobjective criteria, which requires appropriatelytrained and supervised researchers. In bothscenarios, the disclosure of identifiableinformation might be reduced or even avoided ifthe study could be based in general practiceswith good facilities for doing research.

The second ethical issue that studies of thissort raise is how to contact people in a way thatis unlikely to cause worry or embarrassment.The first approach to people identified frommedical records should normally involve aletter signed by the health professionalresponsible for their care giving informationabout the research, or accompanied by a letterfrom the researcher which does so. As well asshowing respect for the doctor-patientrelationship, this is a vital step in checking thatthe information on which the researcher acts isup to date, and that those approached are notrecently bereaved or likely to be distressed forany other reason. The advice of the person’sdoctor in this area must always be followed.The same principles apply to approaches basedon data from disease registries.

It is acceptable for research teams to providetrained clerical support for the healthprofessional, to prepare and distribute lettersand related correspondence, if the clerical staffare bound by a duty of confidence, and theresearch cannot be in a setting where the careteam has the capacity to do this themselves.

The initial letters sent to patients shouldnormally cover all, or some of the following:

• why the research is being carried out,and how participation could help;

• how the patient has been selected;• that the patient’s doctor has considered,

and fully supports, the study;• that there is no obligation to participate,

and that their decision will not affecttheir care;

• what will be involved i.e. in terms oftime, interviews, treatment,examinations etc.;

• the benefits (if any) that participants canhope to gain from the research, andwhether the study will involve anycommitment of time, discomfort, orrisk on their part;

• that confidentiality will be safeguarded;• a contact point in the medical / research

team for queries or information. Ifpractical, this would be someone alreadyknown to the person;

• a reply form if the patient is willing to givepermission without further discussion.

When it is proposed to visit a patient at home,advance notice should be given in the form ofa letter from their doctor, explaining thepurpose of the procedures, the reason, thename of the investigator, and how they willidentify themselves. It must always be madeclear that the patient is free to withdraw fromthe study at any stage. People should normallybe given a simple response form with an SAEand adequate time to return it. Providing aFreephone number is also helpful. The careteam or researchers should either confirm bytelephone, or wait for positive writtenconfirmation that the person is willing to meet

4.2.5 4.2.8

4.2.9

4.2.6

4.2.7


them before calling in person. If the personhas previously agreed to take part in the study,and knows a visit will be involved, then it isreasonable to assume that it is acceptable tocall at the time suggested unless told otherwise.

Where the study relates to a well definedgroup, it is usually helpful to publicise thestudy through newsletters, support groups andsimilar channels, before, or at the same timeas, making direct approaches to individuals.Information needs to be provided in alanguage that is easy to understand.

Contacting ward patients and

patients attending clinics

If the people being contacted are in hospital, orattending a clinic, the patient should be askedfirst if they will see the researcher, or a memberof the care team should introduce the patientto the researcher. Hospitals should also explain,in the information they give to patients, thatthey may be approached by researchers.

Research based on existing recordsand samples only

Scenario F

Stored tissue samples from former cancerpatients are to be examined for biochemicalmarkers that might hel predict how the diseasewill progress, and results will be related to datafrom medical records on the patient’scondition, treatment and outcome. There willbe no feedback to the patients, and there is noneed to subsequently monitor the longer-termsurvival of the patients. Thus the data can beanonymised (unlinked) before the analysis, but

names have to be used to identify patients andsamples when the data are first gathered.

The fact that a study does not require contactwith patients is not in itself a reason for notcontacting people for consent, if consent ispracticable. The justification for this studywould need to be considered against thecriteria in Section 2, in the same way as (D)and (E) above, though here, the minimal useof identifiable information would be a veryimportant consideration. This type of researchalso raises the question of when it is right tocreate new biological information about anindividual with or without consent, and thesebroader issues are dealt with in the MRCethics booklet “Collections of Human Tissueand Biological Samples for use in research”.

Scenario G

Information from hospital records is to beanalysed anonymously (unlinked) to identifyrisk factors predicting poor outcomes fromsurgery. As the hospital staff cannot beredeployed to extract and anonymise theinformation, a trained nurse or clerical officerfrom the research team is assigned to copyand anonymise the information.

Here too, although the justification for thestudy would still need to be considered by anEthics Committee, the infringement ofconfidentiality is minimal, and there areunlikely to be significant ethical or legalobjections to this aspect of the study.

4.3.1

4.3.2

4.2.10

4.2.11

4.3


4.4.1

4.4.2

Using information from non-medicalsources to contact people

Scenario H

To address concerns about the safety of anindustrial process, a research study aims tocontact all those who lived in the vicinity ofa plant, or who worked there, to survey theirlong-term health.

Direct approaches to members of the publicidentified from the electoral roll or otherpublic sources do not require consent oragreement of the individual’s doctor, but it isusually advisable to notify local GeneralPractitioners before carrying out a study in anarea. MRC expects medical studies of this sortto be reviewed by an LREC or MREC, eventhough it is not obligatory. Direct postalapproaches are generally less likely to lead todistress or misunderstanding than “cold”telephone calls.

Selection by social or disability group

If the research focuses on the health ofdistinct socio-economic groups (e.g. homelessor disadvantaged people) or people ofminority ethnic groups, researchers shouldconsider whether community organisations orother bodies that might be able to representtheir interests should be made aware of thestudy, and should have the opportunity ofcommenting on the research. When workingin areas where there may be significantimmigrant populations, and when workingwith groups with sensory or learningdisabilities, researchers should also checkwhether translators or some other help withcommunication is needed. It is also possiblethat some research participants may preferinterviewers of the same gender.

Selection by employment

Occupational surveys to assess risks fromwork activities, accidents, or from exposure toparticular hazards or toxic substances areoften based on employers’ records. Prior tosuch a survey, discussions should take placewith representatives of the staff involved,with management, the occupational healthservice, and where possible with the staffthemselves. A normal approach would bethrough a letter confirming that the employerand Trade Union agreed to the study takingplace. Publicity through newsletters etc.should also be considered, depending on thesensitivity of the issue being studied.

Notes

13 In a few settings, signed consent is not

appropriate, notably in self-administered,

anonymous questionnaires – but the uses to

which the information will be put must always

be made clear to individuals before they fill in

the form

14 See Section 8.2

4.4

4.4.3


5.1.1

5.1

5.1.2

Anonymisation and codingInformation should be modified so that some,or all, of those who might see it are not awareof individual identities, as early as possible indata processing. Although anonymisation mayintroduce delays and increase risks of error,even a simple coding system provides asafeguard against accidental or mischievousrelease of confidential information.

It is important to distinguish between thedifferent ways in which personal data can bemodified to conceal identities. The definitionswe have used in this guide are:

Coded information contains informationwhich could readily identify people, but theiridentity is concealed by coding, the key towhich is held by members of the researchteam using the information. This might bedone, for example, to limit the number ofpeople who had access to information aboutidentifiable individuals, to reduce the risk ofaccidental disclosure, or when presentingresults. This helps to meet legal and ethicalobligations to protect personal information,but the research team still holds identifiablepersonal data, and the use of coded data fallswithin the scope of the Data Protection Act.

Linked Anonymised Data is anonymous tothe research team that holds it, but containscoded information which could be used toidentify people. The key to the code might, forexample, be held by those responsible for theindividual’s care, or by the custodians of alarger research database or register.

Unlinked Anonymised Data containsnothing that has reasonable potential to beused by anyone to identify individuals: the link

to individuals has been irreversibly broken. Asa minimum, unlinked anonymous data mustnot contain any of the following, or codes forthe following:

• name, address, phone/fax. number,e-mail address, full postcode,

• NHS number, any other identifyingreference number,

• photograph, or names of relatives.

With both linked and unlinked anonymiseddata, there is sometimes potential to deduceindividuals’ identities through combinations ofinformation, either by the people handlingresearch data, or by those who see thepublished results. The most importantpotential identifiers are:

• rare disease or treatment, especially if aneasily noticed illness/disability isinvolved;

• partial post-code, or partial address;• place of treatment or health

professional responsible for care;• rare occupation or place of work;• combinations of birth date, ethnicity,

place of birth, and date of death.

Researchers should always consider - whendesigning studies, before passing informationto others, and before publishing information - whether data containcombinations of such information that mightlead to identification of individuals or verysmall groups. Exactly how much of this

potentially identifying information can be

safely included in data that is assumed to

be “unidentifiable” can only be judged on

a case by case basis, taking into account thesample size, the ways in which results will be

5 Safeguarding confidentiality

5.1.3

5.1.4


published and used, and all othercircumstances of the study.

Both types of anonymisation can help avoid the

need to disclose confidential medicalinformation without consent. Linked data istypically used where it may be necessary torefer back to the original records for furtherinformation, or for verification, or if it isplanned to provide feedback to patients orthose responsible for their care. Unlinked dataensures absolute confidentiality, but byprecluding follow-up, verification or feedback,may be incompatible with the research aims,or the interests of the participants and thehealth service.

If it is practical and reliable, the removal,or coding, of identifying information shouldbe done within the team or organisationresponsible for the individual’s care. Wherethis is not possible, it is preferable for amember of the research team to help with theanonymisation rather than for identifiableinformation be used.

Anonymised data and ethical review

Research Ethics Committee approval isrequired for the use of coded and anonymiseddata from NHS medical records. The use ofanonymous personal data is much easier tojustify ethically and legally, but it must stillonly be used for bona fide research in thepublic interest. Removing all apparentpersonal identifiers will not always protect apatient’s identity - for example in cases of raredisease - and anonymous data can still lead tonew and disturbing information about groupsor districts.

Data in Clinical Studies

In small scale clinical studies, which involvefrequent reference by research and medicalstaff to current patients’ conditions, encodingand decoding information can present asignificant obstacle to effective team work,and increases the risk of an error that couldaffect the patient’s care. Use of weaker codes(such as initials) in processing research data isacceptable where patients have already givenconsent to the use of their information inresearch as well as for their care, and when itcan be guaranteed that only a small number ofresearch staff will have access to theinformation.

The research teamMembers of a research team who use personalmedical information should be placed under aduty of confidentiality equivalent to that of ahealth professional. To reinforce this duty:

• Universities and other researchorganisations must ensure that allcontracts and codes of conduct makeclear that any breach of confidence is agrave disciplinary matter;

• team leaders must ensure all staff,students, visiting workers, andcollaborators fully understand thestandards expected, and the importanceof confidentiality;

• team leaders and line managers shouldensure that information and advice onprinciples and practice in this area isreadily available.

The Medical Research Council’s staff codealready creates such an obligation, and it isreinforced by staff training and induction.

5.1.5

5.1.6

5.1.7

5.1.8

5.2.1

5.2


As discussed in section 3.6.5, MRC supportsmoves to clarify responsibilities for researchgovernance in the NHS, and strengthenaccountability of researchers to NHS bodiesthrough ensuring better internal informationsystems and other means.

Access to personal information that is neitheranonymised nor coded must be restricted tothe smallest number that will allow the studyto be done effectively. Access to encoded oranonymised data must also be under thecontrol of the medical director or principalinvestigator, but the numbers with access canbe larger.

Data SecurityEnsuring data are secure is a legal obligationunder the Data Protection Act: the level ofsecurity, and the cost and effort involved,should reflect the nature of the informationand the harm that might result fromunauthorised disclosure or loss. Everyresearch team must maintain writtenprocedures for keeping electronic and writtenpersonal information secure, which must beenforced and reviewed at regular intervals.The measures needed to protect IT systemsand data transfers, in particular, need frequentreview and expert local advice should besought. For this reason, the guidelines thatfollow should be viewed as a checklist, ratherthan as a comprehensive guide.

Responsibilities

There should be clearly assignedresponsibilities for: overall management andcontrol of research data; rapid response tobreaches of security or leaks; management ofthe software; maintenance of backup regime

and disaster recovery arrangements; ensuringduplicate files are kept to the minimumneeded, controlling access rights, and changingaccess rights promptly when the teamchanges. The person or people responsiblewill normally report directly to the principalinvestigator on issues of data security.

Responsibilities for data security or disposal atthe end of a project (see Section 7) must alsobe clear. If archived, data must be accordedthe same level of security as when they were inactive use. If destroyed, all copies of the datamust be destroyed in a secure way. Records ofdestruction must be kept as these may berequired for audit or other purposes later.

Physical Environment

• Rooms containing paper documents orcomputers should be accessible only toa limited number of authorisedpersonnel;

• All relevant servers, routers, gatewaysand other critical equipment should behoused within a secure area;

• Workstations which are logged ontopersonal research data should not be leftunattended;

• Data stored on laptop computers andother mobile machines are always athigher risk of loss or theft. Identifiablepersonal data should only be stored onthese machines in special circumstances– for instance, when patients areinterviewed and the data entered directlyonto computer. Data thus stored on alaptop computer should then betransferred to a secure computer at theearliest opportunity and wiped from theportable’s memory.

5.2.2

5.2.3

5.3

5.3.1

5.3.2

5.3.3


Electronic Environment

• Access rights to data and applicationssoftware should be clearly defined andstaff authorised to access personal datashould be formally notified in writing ofthe permissible scope of their access;

• For each application, system usersshould have a valid user system accountname, i.e. a username ID, and apassword known only to that user toprevent unauthorised use of systems.Users should be forced by systems toalter their passwords regularly – thefrequency may vary according to theconstraints of the system software butshould be aimed at maintaining highlevels of security. Passwords must not bewritten down or shared with other usersunder any circumstances. “Temporary”user accounts should not be used;

• A confidentiality warning messageshould be displayed on entering systems,informing the user that the systemcontains confidential information and isfor authorised users only;

• Users should ensure that, at log-off,documents recently used and containingconfidential information are clearedfrom applications on start up;

• Personal medical information shouldnot normally be sent over the Internetvia attached documents, FTP, or othersystems. Where this has to be done, thedata should be reliably encrypted.Databases transferred by mail should besent by registered post.

Notes

15 In the accepted information technology sense

of the term, overcoming the accidental loss of

some or all of the data stored on a system

5.3.4


Avoiding harm or distressApart from the possibility of allowing personalinformation to leak out by accident or throughdeliberate wrong-doing, researchers also needto be alert to the possibility of causing harmor distress through:

• approaching people or families who maybe distressed, bereaved, or mentally ill;

• errors in the data used to contactpeople;

• feeding back findings to studyparticipants and / or families (evenwhere they have requested this);

• publishing findings which could belinked back to participants;

• publishing findings which lead todiscrimination;

• allowing re-use of data for otherpurposes without proper ethicalsupervision.

The best safeguard against approaching thewrong people, or contacting people who maybe distressed by the approach, is the role ofthe person’s doctor in approving the approach,and, where possible, in making the initialapproach. However, occasional errors arealways possible, and research staff should beprepared to respond to mistakes sensitivelyand promptly.

The potential for harm to the interests of adefined group may be unavoidable whereresearch has the potential to highlight thatgroup as having, for example, poor healthbehaviour or being “at risk” from a particularlocal environmental hazard, or where theresearch may confirm stereotypes.Researchers must try to anticipate these issuesbefore ethical review, and must consider

whether any risk of harm is outweighed bylonger term benefits to society, and / or tothe group. Researchers must also considerconsulting the groups involved, or theirrepresentatives, to explain their work, andlisten to any concerns.

Feedback and publicationThe question of when study participantsshould have access to new informationspecifically about them or their family that isgenerated in research is dealt with in theparallel MRC guide Collections of Human Tissue

and Biological Samples for use in research.

The results of clinical trials, records-basedresearch and epidemiological surveys can havesubstantial implications for individuals. Peoplewill be concerned about new risks, or potentialside-effects of treatment, to which they mayhave been exposed, especially if they did notknow about the research. Those who have arelevant illness will wonder whether this is as aresult of the exposure or treatment.Researchers should liase with HealthAuthorities, Health Boards, General Practices,relevant consumer organisations or otherbodies to ensure people have easy access togood information and advice, beforepublishing findings which are likely to becontentious or worrying.

The people who have participated in a studyshould, wherever feasible, be notified of theoutcome of the study, and told of the generalresults. If researchers feel it is impossible orinappropriate to do this, the reasons should bediscussed with the ethics committee whenapproval is sought.

6 Safeguarding other interests of the individual

6.1

6.1.1

6.1.2

6.1.3

6.2

6.2.1

6.2.2

6.2.3


Individuals and families must never beidentified in publications without signedconsent for that specific publication.Researchers must avoid publishing potentialidentifiers, such as date of birth or death,which might appear innocuous to the researchteam but which could reveal the patient’sidentity to close relatives or friends. Caution isalso needed when publishing research aboutsmall groups of people, such as work ondisease clusters, patient case series in aparticular centre, and research on newtreatments or rare adverse reactions, especiallyif the findings are likely to attract a lot ofmedia attention. In these cases there is aparticularly high risk that groups and casesmay be identified by deduction.

6.2.4


StorageResearch records need to be preserved for thelonger-term for a number of reasons - otherthan for historical posterity. Firstly, records maybe needed later on for scientific validation ofresearch, or for future research and audit.Secondly, occasionally there is a need for accessto records over the whole lifetime of patients,both by the patients themselves (who may havecontinuing long-term concerns about their ownhealth) and their clinicians – for instance, wheretrials of novel treatments were involved.

MRC would expect that research recordsrelating to clinical or public health studiesshould be maintained for twenty years, toallow adequate time for review, reappraisal, orfurther research, and to allow any concernsabout the conduct or consequences of thework to be resolved. Beyond this date, fullrecords may need to be retained for a fewstudies only, such as those which were ofhistorical importance, where novel clinicalinterventions were first used, those whichhave proved controversial, or where researchis ongoing. In the remaining clinical andpublic health studies, and all other studies forwhich consent was obtained, a subset of theoriginal records, covering the protocol, theconsent procedure, the people who consentedto take part,16 and any records of adverseeffects should be retained until thirty yearshave elapsed.

MRC’s expectation is that once a research teamceases to exist, when the team leader moves toanother centre, or when the team stops workingin a particular area, the responsibility for theirinformation passes to the University, Hospital,or research centre. If records are to be stored inthe long-term, a custodian must be designated

for them, and the custodian’s role must includeensuring that information is treated inconfidence. If, in due course, the records are tobe archived, this should be done in securerepositories. Areas where records may beconsulted should be equally secure.

Re-use of data by third partiesResearchers obtaining information withconsent should, wherever possible, anticipatelikely needs to archive the data, and to sharedata sets with other researchers, and make thisclear to the people involved. Consent to thisshould be distinct from consent to theprimary use of the information. Existing datasets can be shared with other researchersprovided this is not inconsistent with whatparticipants were told about how the datawould be used. For example, the use ofclinical trial data for meta-analyses should not,in our opinion, require new consent.

In any case where research data are sharedwith another group for new studies:

• The custodian must ensure that thegroup accepts a duty of confidence andprotects confidentiality through trainingprocedures, etc, to the same standardsas the custodian. Normally, onlyanonymised data should be passed on;

• The custodian must ensure thatpersonal data are not passed to acountry without legal protection forpersonal data equivalent to that in theUK, unless the custodian first assuresthemselves that the data will beadequately protected in practice. Underthe terms of the Data Protection Act1998, there are no special restrictions on

7 Storage and re-use of research data

7.1

7.1.1

7.1.2

7.1.3

7.2

7.2.1

7.2.2


transfers of identifiable data within theEuropean Economic Area nations.17

Outside of the EEA - e.g. for data sentto the USA, or any developing country -the custodian must either: remain ableto control the use of the datatransferred; anonymise the data; orobtain the individuals’ explicit consentto send their data to another centre.Further details are available on theWebSite of the Office of the DataProtection Commissioner:www.dataprotection.gov.uk;

• The third party must not pass on thedata to any other group;

• Individuals may not be re-contactedexcept via their doctor, or, in the case ofcohorts who have given consent, theoriginal research group. Re-contactingindividuals involved in past studiesrequires some sensitivity, as this maycause anxiety and – with the march oftime – people may not wish to have areminder from the past. Re-contactingshould therefore only be carried out if itis absolutely necessary, and only withLREC/MREC approval. It should bemade clear in the information andconsent documents that informationfrom one study may be used in laterstudies;

• LREC/MREC approval is needed forany use of identifiable data, and for anyunidentifiable data taken from NHSrecords not already in the publicdomain;

• LREC/MREC approval is not neededfor re-use of unidentifiable dataobtained directly from studyparticipants, or for re-analysis, by anyresearch group, of unidentifiable data

from previous research;• Where the research group that

conducted the study no longer exists,the custodian of the data must ensurethat the same standards are applied, andthat LREC/MREC approval is obtainedwhere necessary.

Notes

16 Unless the study used anonymised and

unlinked information.

17 These are: Austria, Belgium, Denmark,

Finland, France, Germany, Greece, Iceland,

Ireland, Italy, Liechtenstein, Luxembourg,

Netherlands, Norway, Portugal, Spain,

Sweden and the UK.


Patient leaflets and noticesThe Department of Health guidelinesProtection and Use of Patient Information (1996)provide advice on informing patients and amodel notice that can be adapted to suit localneeds. Centres active in research will normallywish to include some additional specific infor-mation about their research in patient leaflets.This could cover: the reasons for research;the fact that Universities (or other researchorganisations) work closely with the hospitalor practice and regularly receive information;the main sources of funds for the research;that research is independently reviewed; andthat all research staff have the same duty ofconfidence as the health professionals caringfor them. Patients should also be told whomto contact if they have any concerns.

Consent proceduresWhere patients are asked to participate in anyclinical study, the patient information sheetmust directly refer to the treatment ofpersonal data, and explain:

• who will have access to their data;• the confidentiality of the data (including

reference to coding / anonymisation ifnecessary);

• what will happen to the data once thestudy is complete.

Where information is being gathered for large scale or long-term studies, such ascohort studies, the information provided mayneed to include all or some of the following,depending on the nature of the study and thecommitment the person is being asked to make:

• the types of studies the records or healthdata may be used for and the conditionsthat may be investigated;

• who will be responsible for custodianshipof the information (normally this will bethe person in charge of the study and/ orthe principal investigator) and to whatorganisation they belong;

• the arrangements for protecting thepatient’s confidentiality;

• who will have access to the data;• the uses to which the data will be put;• whether and how the individual or their

doctor will be contacted again;• the arrangements for actively feeding

back information to participants, orproviding access to research results;

• (if relevant) that anonymised andunlinked data may be passed on to otherresearchers;

• that they may ask to see the informationheld about them and withdraw from thestudy at any time (if the study designallows data linkage);

• who to contact if they have any concernsabout the use of their data;

• what happens to the data once the studyis complete;

• how they will find out about any changein the study’s direction or custodianship.

If it is expected that data - apart fromanonymised and unlinked data - may be usedin other, secondary studies, the informationmay need to explain as well:

• any possible impact of secondary studieson their interests;

• how they can find out about secondarystudies;

• what sorts of information might be

8 Information and consent forms

8.1.1

8.1

8.2

8.2.1

8.2.2

8.2.3


passed to others, under what conditions;• that secondary studies would have to be

approved by an ethics committee.

Notes

18 Further advice information and consent forms

can be found in the MREC Guidelines for

Researchers on Patient Information Sheets


Context

• Is the study based on a group ofpatients, or a data set, for which consenthas already been obtained?

• Could the study (or parts of it) be donewith consent ?

• How well informed are patients in thehospitals / practices about how theirinformation is used? What would theyreasonably expect? Have they had anopportunity to express any concerns?

Justification for the study

• How sensitive is the informationinvolved? Are there any particular risksof harm or distress?

• What impact, if any, could the studyfindings have on the people involved?

• Do the benefits outweigh anyforeseeable risks?

• If consent to the study is impracticable,do its potential benefits to people, asindividuals or as members of society,outweigh the infringement ofconfidentiality, and any risks of harm ordistress?

Conduct of the study

• If people are being approached, whenare they being approached and why?

• If people are being approached, willthey get adequate explanation ofmotives and safeguards, and of theirright to opt out. Will it be clear to themthat the doctor responsible for their caresupports the approach?

• Will the information be anonymised(linked or unlinked) or encoded, and ifso at which stage in the project?

• What people will have access topersonal information during the study?Have they been made formally aware oftheir duty of confidence, and suitablytrained?

• Do procedures for day to day work,electronic data security, and recordsstorage offer adequate protection forpersonal information?

• What sorts of findings are likely, andwhat arrangements are there for theseto be fed back to the people involved -if appropriate?

• What will happen to the data after thestudy is complete?

Annex 1Checklist for records-based research


A All health professionals have both aresponsibility to protect their patients’confidentiality, and a responsibility forsupporting high quality, ethical, researchwhich is likely to benefit their patients asmembers of the UK public, in the longerterm. Health professionals, and especiallythose involved in research, should ensurethat patients are provided with effectiveinformation about how medical recordsare used, and why this is important. Thisshould limit the occasions whenresponsibilities to patients and toresearch appear to conflict.

B Health professionals are personallyresponsible for assuring themselves thattheir use of confidential information isjustified, that practical safeguards toprotect confidentiality are in place, and,in particular, that Research EthicsCommittee approval has been obtained.They should remember that the ultimateresponsibility for protecting theirpatients’ legal rights and their employer’s

interests lies with them, and shouldensure they are familiar with guidancefrom the GMC and other bodies.

C Doctors should normally:

• write a letter to patients when they arefirst asked to participate in the study;

• ensure they know which patients willbe involved, and provide researcherswith any advice about patients’circumstances that will help themavoid causing worry or distress.Doctors may sometimes need toadvise against approaching a particularindividual, without necessarily giving

any reason if the reason is itselfconfidential. This is especiallyimportant if the patients will be askedto consent to any physical examinationor invasive procedures;

• ensure they are familiar with the designof the study and the safeguards, andable to answer patients’ queries, eventhough the researchers may be thenormal contact point for participants;

• when they can do so effectively, and itis consistent with the study design,doctors should anonymise (linked or

unlinked) the information beforepassing it on to researchers.

Annex 2Responsibilities of a doctor providing personal information


Data Protection PrinciplesA The 1998 Act, like its predecessor, is

based around a set of core principles.

1 Personal data shall be processed

fairly and lawfully and, in partic-

ular, shall not be processed unless:

(a) at least one of the conditions in

Schedule 2 is met, and

(b) in the case of sensitive personal

data, at least one of the conditions

in Schedule 3 is also met.

2 Personal data shall be obtained

only for one or more specified and

lawful purposes, and shall not be

further processed in any manner

incompatible with that purpose or

those purposes.

3 Personal data shall be adequate,

relevant and not excessive in

relation to the purpose or purposes

for which they are processed.

4 Personal data shall be accurate and,

where necessary, kept up to date.

5 Personal data processed for any

purpose or purposes shall not be

kept for longer than is necessary for

that purpose or those purposes.

6 Personal data shall be processed in

accordance with the rights of data

subjects under this Act.

7 Appropriate technical and

organisational measures shall be

taken against unauthorised or

unlawful processing of personal

data and against accidental loss or

destruction of, or damage to,

personal data.

8 Personal data shall not be

transferred to a country or territory

outside the European Economic

Area unless that country or territory

ensures an adequate level of

protection for the rights and

freedoms of data subject in relation

to the processing of personal data.

Personal data means “data which relate to a living

individual who can be identified (a) from those data),

or, (b) from those data and other information which is

in the possession of, or is likely to come into the

possession of, the data controller.”

The “data controller” is “a person who (either alone or

jointly or in common with other persons) determines the

purposes forwhich, and the manner in which any

personal data are, or are to be, processed.”

B The “sensitive data” referred to in thefirst principle includes all informationrelating to a person’s physical or mentalhealth or condition, sexual life, racial orethnic origin, religious or political beliefs,

trade union membership, or (alleged)crimes. The references to processing data“fairly and lawfully” draw in the conceptof “fair processing” (such as ensuringpeople are not deceived as to the reasonswhy information is being collected fromthem) and also mean that anything whichis unlawful under Common Law, cannotbe acceptable under the Act.

Annex 3The Data Protection Act 1998


C Ordinary personal data cannot beprocessed unless: (The conditions listedbelow are those most likely to berelevant).

Schedule 2

1 The data subject has given his

consent to the processing. (or)

4 The processing is necessary in order

to protect the vital interests of the

data subject. (or)

5 The processing is necessary:

(a) for the administration of

justice […]

(d) for the exercise of any other

functions of a public nature

exercised in the public interest by

any person. (or)

6 (1) The processing is necessary for

the purposes of legitimate interests

pursued by the data controller or by

the third party or parties to whom

the data are disclosed, except where

the processing is unwarranted in any

particular case by reason of

prejudice to the rights and freedoms

or legitimate interests of the data

subject.

(2) The Secretary of Sate may by

order specify particular

circumstances in which this

condition is, or is not, to be taken to

be satisfied.

Schedule 3

In addition, sensitive data cannot be processedunless:

1 The data subject has given his

explicit consent to the processing of

the personal data. (or)

8 (1) The processing is necessary for

medical purposes and is

undertaken by :

(a) a health professional, or

(b) a personal who in the

circumstances owes a duty of

confidentiality which is

equivalent to that which would

arise if that person were a

health professional.

(2) In this paragraph “medical

purposes” includes the purposes of

preventive medicine, medical

diagnosis, medical research, the

provision of care and treatment and

the management of healthcare

services.

D Use of data for medical research willnormally be justifiable under Sections (1)or (6) of Schedule 2, and Sections (1) or(8) of Schedule 3. However, the fact thatuse of medical records is acceptableunder these clauses of the Act does notnecessarily mean it is lawful or fair: italso to be consistent with Common Lawon confidentiality, and with generalconcepts of fairness.

E The Act recognises that research workand statistical work often requireinformation to be processed

in ways other than those for which it wascollected, and that it is oftenunreasonable to expect members of the public to know aboutthis processing, or to have the right toaccess the data. Research is given specialexemptions in Section 33 of the Act.


Research, history and statistics

33(1) In this section, “research purposes”includes statistical or historicalpurposes; “the relevant conditions”in relation to any processing ofpersonal data means the conditions:(a) that the data are not processed to

support measures or decisionswith respect to particular individuals, and

(b) that the data are not processed insuch a way that that substantialdamage or substantial distress is,or is likely to be, caused to anydata subject.

33(2) For the purposes of the second dataprotection principle, the furtherprocessing of personal data only forresearch purposes in compliance withthe relevant conditions, is not to beregarded as incompatible with thepurposes for which they areobtained.

33(3) Personal data which are processedonly for research purposes areexempt may, notwithstanding thefifth data protection principle, bekept indefinitely.

33(4) Personal data which are processedonly for research purposes areexempt from section 7 if - (a) they are processed in compliance

with the relevant conditions, and(b) the published results of the

research or any resulting statisticsare not made available in a formwhich identifies data subjects orany of them.

(Note: Section 7 of the Act deals with individuals’

right to access the data that organisations hold on them)

33(5) For the purposes of subsections (2)to (4) personal data are not to betreated as processed otherwise thanfor research purposes merely becausethe data are disclosed:(a) to any person, for research

purposes only(b) to the data subject or a person

acting on his behalf(c) at the request, or with the

consent, of the data subject or aperson acting on his behalf

(d) in circumstances in which theperson making the disclosure hasreasonable grounds for believingthat the disclosure falls withinparagraph (a), (b), or (c).


The 1998 Act incorporates the rights andfreedoms set out in the 1950 EuropeanConvention on Human Rights into UK law.The Act gives UK courts the authority to rulethat existing or new UK laws are incompatiblewith these rights and freedoms. The Actmakes it unlawful for a public authority, by itsacts or failures to act, to conduct itself in amanner incompatible with the Convention.Courts can hear cases brought by peopleaffected by the actions or inaction of publicbodies, and can order public bodies to makeredress or pay damages.

The interpretation of the Act in the UK willtake account of previous rulings by theEuropean Court of Human Rights.

The Convention covers matters such as:

• protection of property• the right to life• prohibition of torture• prohibition of slavery and forced labour• right to liberty and security• right to a fair trial• prohibition of punishments without

legal foundation• right to respect for private and family

life• freedom of thought, conscience and

religion• freedom of expression• freedom of assembly and association• the right to marry

The Act sets out situations in which laws canrestrict these rights, for example to preventcivil disturbance or protect public health, andpossible justifications for public bodiesinfringing these rights. In relation to the right

to respect for private and family life, the Actstates:

1 Everyone has the right to respect for hisprivate and family life, his home, and hiscorrespondence.

2 There shall be no interference by apublic authority with the exercise of thisright except such as in accordance withthe law and is necessary in a democraticsociety in the interests of nationalsecurity, public safety or the economicwell-being of the country, for theprevention of disorder or crime, for theprotection of health or morals, or for theprotection of the rights and freedoms ofothers.

The confidentiality of medical informationabout a person is seen as an integral part ofrespect for privatand family life. PreviousEuropean cases dealing with disclosures ofmedical information in criminal cases andother areas have focussed on:

• whether the disclosure was inaccordance with national law

• whether it was necessary• whether it was proportionate (i.e. no

greater than needed for the purpose).

Annex 4The 1998 Human Rights Act


Aside from the Data Protection Act 1998,there are other statutes and regulations on thedisclosure of information:

• The NHS (Venereal Diseases)Regulations 1974 and the NHS Trusts(Venereal Diseases) Directions 1991,prevent the disclosure of any identifyinginformation about a patient examinedor treated for a sexually transmitteddisease (including HIV and AIDS) otherthan to a medical practitioner (or to aperson employed under the direction ofa medical practitioner) in connectionwith and for the purpose of either thetreatment of the patient and/or theprevention of the spread of the disease.

• The Human Fertilisation andEmbryology Act 1990, as amended bythe Human Fertilisation andEmbryology (Disclosure ofInformation) Act 1992, limits thecircumstances in which information maybe disclosed by centres licensed underthe Act.

• The Abortion Regulations 1991 imposeobligations on medical practitionerswho carry out terminations ofpregnancy to notify the Chief MedicalOfficer and to provide detailedinformation about the patient. TheChief Medical Officer may then onlydisclose that information in accordancewith the provisions of the regulations.

Source: ‘For the Record: managing records inNHS Trusts and Health Authorities’,Health Service Circular HSC 1999/053 (March

1999).

Annex 5Other statutory requirements

Other publications in this series

The Ethical Conduct of Research on Children, December 1991 (reprinted 1993).

Responsibility in the use of Animals in Medical Research, July 1993.

Responsibility in the use of Personal Medical Information for Research – Principles and

Guide to Practice, Prepared for Council’s standing Committee on the Useof Medical Information for research, 1985. Reprinted with minorrevisions as footnotes, September 1994. To be revised 2001.

Principles in the Assessment of Medical Research and Publicising results, January 1995.

MRC policy and procedure for inquiring into allegations of scientific misconduct,

December 1997.

The Ethical Conduct of Research on the Mentally Incapacitated, December1991Reprinted August 1993.

Collections of Human Tissue and Biological Samples for Use in Human Research.

Available January 2001.

20 Park Crescent, London W1B 1AL

Telephone: 020 7636 5422 Facsimile: 020 7436 6179

Website: www.mrc.ac.uk

Health & Medicine

PDF - MRC Ethics Series: Personal Information in Medical Research