
DCMS Data Reform Consultation Response

Author Simon Pillinger



Introduction

Akrivia Health works with a network of 16 mental healthcare organisations (the Akrivia Network) providing them with a service. The service involves de-identification of electronic health record (EHR) data, utilising natural language processing (NLP) to structure unstructured free-text information to make it accessible for authorised researchers without compromising the privacy and confidentiality of patients. This enables researchers to use otherwise inaccessible information to accelerate the trajectory of research in mental health.
Akrivia welcomes the government consultation, and the opportunity to respond, if only to a small part.
Akrivia held a roundtable discussion with members of the Akrivia Network, including research leads and data protection practitioners, to bring together a holistic review of the Consultation’s proposals regarding research and their practical application, taking into account the wider health research landscape.

 

 Research

Q 1.2.1 To what extent do you agree that consolidating and bringing together research-specific provisions will allow researchers to navigate the relevant law more easily?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

The feedback we received from our Network members noted that consolidation could make it easier, particularly in organisations which did not have a dedicated subject matter expert, or one who was freely available. They did note that many organisations conducting research are large enough to employ or contract an individual to provide specialist advice on data protection, or are processing large scale data that would require the appointment of a data protection officer[1].

Akrivia Health agrees that the consolidation of the law could be useful, noting that consolidating the law around a single topic, rather than harmonising the whole UK GDPR and DPA 2018, would likely lead to amendments and notations within the legislation itself which could be equally confusing. There are existing research frameworks and organisations at national level, such as the Information Commissioner’s Office (ICO), and the Health Research Authority (HRA) that produce guidance on data protection for research purposes and which explain how the law can be complied with. Due to the often complex nature of conducting ethical research, data protection is often one of several areas of law that organisations must comply with, and which they are often equipped to meet.

 

Q1.2.2. To what extent do you agree that creating a statutory definition of ‘scientific research’ would result in greater certainty for researchers?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

Recital 159 of the UK GDPR provides a broad definition covering scientific research. It is difficult to see how this definition could be any broader and redefining the risk could plausibly result in the curtailment of research rather than the enablement of it. It is arguable that anyone conducting research using a scientific methodology should be sufficiently knowledgeable about what it is that makes the method scientific to be able to explain and defend the assertion that the research is scientific in nature.

While an amendment could be achieved via legislation, it may be easier to develop clarificatory guidance by the ICO, with input from established research organisations, especially research governance organisations that, like the ICO, have a statutory footing, a good example being the HRA.

Our roundtable participants noted that within health research scientific research is already very well defined, and Research Ethics Committees (RECs) have produced guidance[2] already to help researchers determine whether their activity is ‘research’ or not. Additional work appears superfluous.

 

Q1.2.3. Is the definition of scientific research currently provided by Recital 159 of the UK GDPR (‘technological development and demonstration, fundamental research, applied research and privately funded research’) a suitable basis for a statutory definition?

  • Yes
  • No
  • Do not know

Please explain your answer, providing supplementary or alternative definitions of ‘scientific research’ if applicable.

Response

This is effectively the definition as is at present. As the report states, “the UK is ranked second in the world for science and research,” – it stands to reason therefore that the current definition is serving its purpose very well and does not require any amendments.

 

Q1.2.4. To what extent do you agree that identifying a lawful ground for personal data processing for research processes creates barriers for researchers?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible, including by describing the nature and extent of the challenges.

Response

The lawful bases in the UK GDPR are in spirit the same as those in the Data Protection Act 1998[3]. Researchers and research organisations should be familiar with these lawful bases, particularly if they have been conducting research for any length of time.

Our roundtable participants did not think that identifying a lawful basis was a barrier, noting that there are several that could be considered with a reasonable amount of guidance available on the differences between consent, public task and legitimate interest. Participants commented that this can be tricky to initially understand (but did not constitute a barrier), particularly for researchers working across organisations where one organisation can only rely on legitimate interest, and another can rely on public task, for the same purpose of research.

The Network members also registered the view that in health research data protection is but part of a larger regulatory framework, and that confusion from both researchers and research participants can arise from the need for consent to comply with the tort of confidentiality, and for collection of human tissue samples, but not for the lawful processing of data.

 

Q1.2.5. To what extent do you agree that clarifying that university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground would support researchers to select the best lawful ground for processing personal data?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

We agree that clarification on this point would be extremely useful, particularly for research institutions like Universities, some of which operate under a royal charter which becomes their public interest ‘as laid out in law’[4]. This should not pose any particular barrier to research; those organisations with a basis laid out in law should reasonably know what that is if it exists.

 

Q1.2.6. To what extent do you agree that creating a new, separate lawful ground for research (subject to suitable safeguards) would support researchers to select the best lawful ground for processing personal data?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

The feedback from our roundtable participants was that any new lawful basis(es) must contribute extra value to the existing lawful bases, rather than overly complicate the existing legal framework.

It may support researchers; it might equally confuse researchers into thinking that their previous research didn’t have a lawful basis. A new lawful basis, being subject to suitable safeguards, risks resulting in a zero sum gain, with merely a different set of obligations to meet.

Q1.2.7. What safeguards should be built into a legal ground for research?

Response

Our roundtable participants commented that there are areas of scientific research, like health research, with mature and robust regulatory and compliance frameworks in place. Suitable safeguards could include use of trusted research environments (TREs) utilising ‘five safes’ principles[5], noting that NHSX are due to deliver a minimum TRE specification in March 2022[6].

 

Q1.2.8. To what extent do you agree that it would benefit researchers to clarify that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

Akrivia thinks that the inclusion of consent is a slight misnomer in regard to data protection because consent is rarely the lawful basis used in research. The guidance produced by the HRA in consultation with the ICO[7] recommends that research organisations rely on Article 6(1)(e) or (f) depending on the nature of the organisation.

Consent may be necessary for other requirements involved in research, such as under the tort of confidentiality, the Human Tissue Act, the Mental Capacity Act, and consent for participating in research to meet ethical approval (meeting the ethical principle of autonomy).

Our roundtable participants noted that much would depend on the breadth and depth of the data, and that there were ethical considerations to be made about how broad consent could be ethically. There was a significant level of unease from participants about how they would ‘sell’ this to research participants. Many felt that the emphasis of the question was mis-aligned for the benefit of the researchers rather than aligned to the benefit of the patients. The group were concerned that reliance on this kind of consent could lead in an unethical direction and would undermine public trust in health research.

Akrivia Health notes that the UK GDPR’s definition of consent requires that it be ‘freely given, specific, informed’[8]. An open-ended consent for undefined future processing is unlikely to be sufficiently specific, nor to provide opportunity to sufficiently inform the data subject about how the data will be used. There is a risk that such consent would not be lawful.

 

Q1.2.10. To what extent do you agree with the proposals to disapply the current requirement for controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing, but only where that further processing is for a research purpose and where it would require a disproportionate effort to do so?

  • Strongly agree
  • Somewhat agree
  • Neither agree nor disagree
  • Somewhat disagree
  • Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Response

Organisations collecting data directly from data subjects, which they then use for research, are likely to have contact details for data subjects of the research. The rights in data protection law should be applied on an individual basis and not on a cohort basis. While there is no precedent in the UK courts for this, the exemption of disproportionate effort under Article 14(5) has been considered in Poland, where the Administrative Court of Warsaw considered that the cost of informing data subjects did not constitute disproportionate effort[9].

Our roundtable participants highlighted levels of public distrust in research, particularly when partnered with private sector organisations where data usage is not always easily visible, and voiced concern that removing a key part of transparency would elevate levels of public distrust. This would have a negative impact on the number of individuals volunteering to participate in health research with a consequential impact on public health. The group felt that more transparency is required, not less.

Akrivia Health posits that the proposals for both 1.2.8 and 1.2.10 risk teetering over the brink of ethical activity. The 1978 Belmont Report sets out key principles for ethical research with human subjects: respect for individual autonomy, beneficence, non-maleficence, and justice. These proposals would undermine these principles by disapplying legal provisions that are designed to protect individuals’ freedoms, and make it easier for unscrupulous entities to exploit research participants. Amendments to data protection legislation should be considered in the wider legal and regulatory landscape.

 

Endnotes

[1] UK GDPR, Article 37(1)

[2] HRA Decision Tool – http://www.hra-decisiontools.org.uk/research/docs/DefiningResearchTable_Oct2017-1.pdf

[3] Data Protection Act 1998, schedule 2 – https://www.legislation.gov.uk/ukpga/1998/29/schedule/2/made

[4] UK GDPR, Article 6(1)(e), (3)

[5] Stokes, P 2017, The ‘Five Safes’ – Data Privacy at ONS, Office for National Statistics, blog accessed 16/11/2021 – https://blog.ons.gov.uk/2017/01/27/the-five-safes-data-privacy-at-ons/#:~:text=We%20do%20that%20in%20a,%3B%20Safe%20outputs%3B%20Safe%20data.

[6] Madden S, Pollard, C 2021, Joining up the dots: driving innovation, research and planning through Trusted Research Environments, blog accessed 16/11/2021 – https://www.nhsx.nhs.uk/blogs/joining-up-the-dots-driving-innovation-research-and-planning-through-trusted-research-environments/

[7] HRA Guidance, Legal Basis for Processing Data, – https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-detailed-guidance/legal-basis-processing-data/

[8] UK GDPR Article 4(11)

[9] II SA/Wa 1030/19 – https://gdprhub.eu/index.php?title=WSA_Warsaw_-_II_SA/Wa_1030/19