How do people feel about companies accessing health data?
The Wellcome Trust recently commissioned Ipsos MORI to look into what people think about commercial organisations having access to health data from patient records. Although a better system of access to this kind of information has a massive potential to improve health, people are naturally cautious about how sensitive, complex data is used – especially by companies. Natalie Banner, from the Wellcome Trust's policy team, explains the key findings from the research, and what we have learned about creating a system that people can trust.
Health data from patient records has a huge potential to help advance medical research and improve healthcare. If data can be gathered about the health and illness of a whole population, it's possible to answer many pressing questions about the causes and risk factors for disease, the effectiveness and safety of treatments and to help develop new drugs for patients.
For example, health data has been used to check the safety of whooping cough vaccines in pregnant women, and to inform the development of NICE guidelines for best practice in cancer treatments.
But if data is going to be used for these kinds of purposes, it's essential that people are able to trust the system that's collecting and managing their data. Previous research has indicated that while most people would be happy for their personal data to be used for research, they are much less comfortable with the idea of a commercial organisation having access to health data.
That is why we commissioned Ipsos MORI to undertake a major project to explore how people feel about different types of company accessing patient data. Over 200 people participated in workshops across the country, and 2,000 took a survey that aimed to establish what people understood about health data use, what they’d find acceptable and where the ‘red lines’ are with companies accessing this kind of data.
The report is out today, and it's extremely timely. Dame Fiona Caldicott, the National Data Guardian for Health and Care, is currently undertaking a review looking at how patients should be able to opt out of their identifiable patient data being used for purposes beyond their direct care. The findings from our research with Ipsos MORI, on a specific and controversial aspect of data use, should help contribute to discussions about how this system should work and – crucially – how it must be communicated.
Searching for clear public benefit
The research found that most people were not aware that data from their patient records could potentially be used for purposes beyond improving their own care, whether that’s within the NHS or beyond, by academic researchers, charities or commercial organisations.
It was also unclear to people whether the data from their health records could potentially be used to identify them and this was a source of real concern for many.
There are different kinds of commercial organisation that might seek to access health data, and we gathered a series of case studies to test out people’s views on the specifics of each. For example:
a pharmaceutical company using information from millions of patient records to check for any long-term effects of a drug they've developed
a pharmacist having access to a patient’s Summary Care Record when handling their prescriptions
a company analysing patient data to track patterns in hospital performance
an insurance body using patient data to help refine calculations for their critical illness premiums.
People's attitudes towards these cases were, unsurprisingly, complex. In general, participants in the workshops tended to accept companies accessing health data when it was clear that there was a public benefit. It also mattered who the organisation was, what kind of data was used and how it was being protected from misuse.
Safeguarding the data
Safeguards and restrictions are extremely important in ensuring the system for managing data is trustworthy. In fact, many of the safeguards that people wished to see in place actually do exist and have been strengthened within the current system of data governance – but they're not at all widely known about.
For example, users of data have to sign contracts that specify precisely what they can do with the data and prevent it from being passed on to third parties, and the vast majority of data goes through a process of anonymisation before anyone is permitted to access it.
Just under half of those surveyed also wanted to see sanctions and fines if companies are found to have misused data, and this is a position the Wellcome Trust strongly supports: if a system is going to be trusted by people, there have to be meaningful, robust sanctions for anyone who doesn't play by the rules.
In the survey, a significant minority of people said they would not want commercial organisations to access health data under any circumstances.
Being open and honest
Overall, the findings from this research make a strong case for there being much more open, honest communication with patients about how their data is used. Research can bring some amazing benefits in terms of better patient care and improving health, but people want to know more about why data from their records is important to enable this research to happen.
That's something that we at the Wellcome Trust are keen to do: help explain how valuable patient data can be in making a real difference to medical research and healthcare.
At the same time, the government and the NHS need to be really clear who can and can't have access to health data and what restrictions and safeguards are in place to protect it, including 'red lines', for example for insurance and marketing uses. It's also important for those who really don't want their data to be used by anyone beyond their care that there’s an option to opt out and a clear explanation of how this choice will be honoured.
It is only by creating a transparent, robust system of governance with clear communication that people will have reason to feel their data is in good hands. This research gives us new insight into what people think about companies accessing health data, which is a crucial element to the debate about what the appropriate use, and protection, of patient data should look like.