The protection of privacy in medical research and clinical audit

My previous article about the protection of health data raised questions about how that relates to research, an issue mentioned in Apple’s HealthKit documentation. Having spent much of my career undertaking, supervising, and scrutinising research on humans – and latterly, a lot of clinical audit too – I hope I can explain in more detail what happens there.

Research on humans covers a vast field of activities, ranging from intensive studies performed on small numbers and the whole gamut of drug trials, through focus groups and large questionnaire surveys, to whole-population epidemiological studies. There are internationally-agreed ethical standards which are effectively mandatory, because compliance with them is required in order to obtain funding and to publish results. However, I am not aware of many countries which have enshrined compliance in their laws.

The fundamental document for all medical research ethics and principles is the Declaration of Helsinki, which has evolved through a total of seven revisions and is quite elaborate. Non-medical research usually has parallel ethical standards enforced by professional bodies, such as those adopted by psychologists in the US and in Europe.

Because research is only ever undertaken on volunteers who have given their fully-informed consent, part of the process of obtaining consent involves spelling out in detail how each participant’s personal data will be handled. This is invariably a vital part of the detailed protocol drawn up by the experimenters and approved by an independent ethics committee and by their funding body.

The accepted standard is that personal data are anonymised at the earliest opportunity, to facilitate their handling and storage. Among the generally-used techniques is identification using a hash key, which I have detailed previously. This enables researchers to handle data in the open, store them without elaborate encryption or other security measures, and so on, because it is impossible to tell which data come from which participant, while still allowing further data to be added to the correct individual’s record by repeating the hash generation process. In many studies it is not necessary to add further data, and simple anonymisation is performed straight away.
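To make that concrete, here is a minimal sketch of one such technique, using a keyed SHA-256 hash from Apple’s CryptoKit framework. The participant identifier, the study key’s handling, and the function name are illustrative assumptions of mine, not part of any standard protocol; the point is simply that the same identifier and key always yield the same pseudonym, while the pseudonym alone cannot be traced back to the person.

```swift
import CryptoKit
import Foundation

// A study-wide secret key, held only by the research team. In practice this
// would be generated once, stored securely, and destroyed when the study no
// longer needs to link new data to existing records.
let studyKey = SymmetricKey(size: .bits256)

/// Derive a stable pseudonymous identifier from a participant's real
/// identifier using HMAC-SHA256. The same input and key always produce the
/// same pseudonym, so later data can be filed against the correct individual,
/// but the pseudonym cannot be reversed to reveal the participant.
func pseudonym(for identifier: String, using key: SymmetricKey) -> String {
    let code = HMAC<SHA256>.authenticationCode(
        for: Data(identifier.utf8),
        using: key
    )
    return code.map { String(format: "%02x", $0) }.joined()
}

// Example: the stored research record carries only the pseudonym.
let participant = "Jane Doe|1970-01-01"   // illustrative identifier only
let recordKey = pseudonym(for: participant, using: studyKey)
print(recordKey)   // 64 hex characters, e.g. "3f5a…"
```

Destroying the key at the end of the study turns those pseudonyms into fully anonymous labels, which amounts to the simple anonymisation described above.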

The old days of handwritten lab ledgers bearing the name and other identifiers of each participant should be long gone, apart from student groups performing ‘teaching’ experiments, and even there such practices are fast disappearing.

Research is intended to add truly new knowledge; in clinical medicine (and other healthcare areas), there is also a lot of ongoing analysis which does not seek new information, but instead audits the effectiveness and efficiency of what happens in practice. This clinical audit activity does not normally undergo the same degree of scrutiny as formal research. In the great majority of cases, it consists of collecting anonymised data from standard practice, and analysing those data when pooled, rather than for individuals.

According to best clinical practice, you should be informed by hospitals, clinics, and the like when they are undertaking clinical audit, and be given the right to opt out if you wish. However, you are unlikely to be asked to consent to take part, as nothing extra or new is normally done to you. This only applies when the audit deals with anonymous or pooled data: if it requires processing with personal identifiers, for example, then it should follow the procedures used in research.

Some research areas, such as those involving genetic (DNA) samples, are particularly sensitive and complex. Because those samples could be held for a long time, and could be analysed in the future to yield information whose impact we cannot predict today, ethics committees are careful to protect participants from potential problems. Again, the simple way to tackle this is through explicit protocols and anonymisation.

For many, the niggling fear is of opportunistic research: someone with access to a lot of personal health or medical data mining it to see what they can find, without adequately protecting its privacy. Yet again, our legislators have fallen short by failing to make such fishing expeditions illegal. But in reality they are extremely unlikely: they cannot be funded, any findings cannot be published, and any professionals involved would be putting their livelihoods at risk, as that would be unprofessional conduct.

Interestingly, Apple’s ResearchKit recognises these issues, and the need to comply with the highest standards in medical and related research. It includes detailed provisions for recording informed consent to take part, explained in its documentation, and extensive protection of the privacy of personal data. ResearchKit is also open source.
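As an illustration, here is a minimal sketch of how a ResearchKit app might assemble such a consent flow. The section texts and identifiers are placeholders of my own; ORKConsentDocument, ORKVisualConsentStep, and ORKConsentReviewStep are the classes ResearchKit provides for presenting a study and recording the participant’s agreement.

```swift
import ResearchKit

// Build the consent document that describes the study to the participant.
let consent = ORKConsentDocument()
consent.title = "Example Study Consent"   // placeholder title

// Each section becomes a page in the visual consent step.
let dataSection = ORKConsentSection(type: .dataGathering)
dataSection.summary = "What data we collect, and how they are anonymised."
let privacySection = ORKConsentSection(type: .privacy)
privacySection.summary = "How your privacy is protected."
consent.sections = [dataSection, privacySection]

// A signature records the participant's agreement.
let signature = ORKConsentSignature(
    forPersonWithTitle: "Participant",
    dateFormatString: nil,
    identifier: "participantSignature"
)
consent.addSignature(signature)

// The task walks the participant through the sections, then captures
// their name and signature for the study's records.
let task = ORKOrderedTask(
    identifier: "consentTask",
    steps: [
        ORKVisualConsentStep(identifier: "visualConsent", document: consent),
        ORKConsentReviewStep(
            identifier: "consentReview",
            signature: signature,
            in: consent
        )
    ]
)
// Presenting the task (via ORKTaskViewController) and storing the signed
// result are left to the host app.
```

The signed result can then be kept with the study’s records, while the data gathered from the participant are handled under the anonymisation arrangements described earlier.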

Having spent years working with the elaborate procedures which (rightly) protect the rights and privacy of individuals in research, I always find the comparison with commercial activities such as marketing quite odd.

Research is overwhelmingly intended for the good of the people, and goes to great lengths to protect its participants from any risk, harm, or compromise of their personal information. Yet it operates under the same laws as commercial marketing, which is ultimately intended to maximise profit at the expense of the people, and is only too happy to sell personal data on to whichever ‘business partner’ or ‘third party’ will pay for it.