Protecting and respecting patient data for health research


GDPR, the Health Research Regulations and their impact

November 2018

As organisers of a Forum for leaders from across the Irish health research community, my organisation, the Medical Research Charities Group (MRCG), yesterday had the privilege to gather together a large group to discuss GDPR, the Irish Health Research Regulations 2018 (part of the Data Protection Act) and their implications for patient-focused research.

The need for ‘explicit consent’ (informed consent that is recorded) by patients, for their health data to be used for research, is at the heart of the new Regulations. It requires that researchers tell patients in advance, in as much detail as reasonably possible, who will see their data and how it will be used for research. With that requirement comes challenges however. There are concerns that some clinical research could stall due to a lack of resources to ensure legal compliance. There are other concerns that valuable biobanks could be destroyed, due to an inability to retrospectively comply with the Regulations. The Regulations provide provision for a committee with the power to grant exemptions for research for which explicit consent cannot been obtained, if it is deemed to be in the public interest. This committee is not yet operational though and a deadline of the end of April 2019 hangs over research that was already in progress prior to August of this year.

What emerged most strongly from the meeting, was that everyone in the room – patients, researchers, medical research charities, clinical research support groups, research funders and policy makers, the Department of Health etc. – all want the same thing. Everyone is eager to ensure that we take the best possible approach to ensuring that patients have control over their potentially sensitive health data but also to ensure that we make the best possible use of that data, in order to improve diagnosis, healthcare and the development of new medicines and treatments.

For many patients, research offers hope for a better life. Others donate samples and give their data for altruistic processes, in the wish that people in the future won’t have to go through what they did. They want to know that their generously given data will be put to good use. Equally however, they want to know that it won’t be sold on to a company without their consent and that sensitive information about them won’t be seen by their neighbour. When being consented for research they don’t want legally compliant but over-whelming patient information leaflets that run to pages and pages. In cases of historic or sensitive data, they don’t want to be re-consented via an insensitive letter in the post or to be bothered for re-consent unnecessarily.

Researchers welcome the need to treat patient data carefully and to clearly inform patients as to the uses and possible future uses for that data. Several at the meeting mentioned that the new Regulations are helpful to them in ensuring a focus on the need for best practice, by everyone in their institutions. They have some well-founded concerns however about the resources and time that they will need to do that correctly; time is not a luxury currently afforded to our healthcare professionals.

A number of researchers in the room expressed genuine feelings of frustration and stress in trying to resolve the need to be legally compliant, with their desire to achieve impact for patients through their own research activities, through sharing data internationally and through opening up their research data for others to interrogate and use. They have some particularly urgent worries about whether research staff, who are not part of a patient’s immediate care team, can review patient records without patients explicitly consenting to that, with a view to offering them an opportunity to participate in clinical research. Without that ability much clinical research could stall. There was also particular concern expressed around large biobanks, for which it would be extremely difficult to obtain re-consent for research purposes that might not have been foreseen at the time of data collection and original consent. If the April deadline cannot be met or extended, there is a real worry that some valuable datasets and associated samples, will be destroyed at the instruction of risk-averse institutions e.g. universities, who do not want to fall foul of the law and who also have a duty to protect their staff from possible legal action. For patients who donated those samples in the good faith that they would be used for research, this could be distressing news.

A critical piece in the puzzle is the soon to be activated Consent Declaration Committee; the committee that will grant exemptions in cases where informed consent was not and cannot reasonably be obtained but where the research is deemed to be of public interest. The deadline to obtain an exemption for research already in progress, is already fast approaching.

Questions for the entire health research community to now focus on are:

  • How do we support the swift and efficient establishment of this Committee (currently in progress)?
  • How do we support researchers in their applications to the Committee?
  • Is there a way to standardise those applications in a way that supports quick-decision making by the Committee?
  • How do we ensure meaningful patient and public involvement in the Committee?
  • And, more broadly, how do we inform the general public about the value of consenting for the use of their data and samples in health research and about what they should expect as part of that process?

Ultimately it is about a balancing of rights. We need to both protect and respect patient data by ensuring that the public keep their faith their sensitive data will be protected whilst respecting their wish and generous consent that it be used for health research.

Dr Avril Kennan, CEO, MRCG