‘Blueprint’ for trust in use of health data outlined

Cerys Wyn Davies and Louise Fullwood of Pinsent Masons said comments made by Dr Nicola Byrne are particularly relevant to organisations active in the health and social care sectors – from NHS bodies and other health or care providers, to software suppliers and other technology providers – and especially to those organisations exploring how artificial intelligence (AI) systems might be used to improve services and patient outcomes.

Dr Nicola Byrne is the national data guardian for health and social care. She has been in the role, which has a statutory footing, for three years – a role that involves providing independent advice to the government and health and social care system on the use of people’s confidential information across health and adult social care in England. On Thursday, following her recent re-appointment, she published an article in which she highlighted how she is seeing people express concern and doubts about third parties using their health data.

Byrne said that trust and confidence in the use of data needs to be built and that this requires organisations demonstrating, rather than merely claiming, they can be trusted with the data. She said they can do this by being “clear with people about who can access the data, for what purpose, who is making the decisions and on what terms, and how the public can have a say” and embedding principles of privacy, transparency, accountability and fairness into their handling of the data.

Byrne said that organisations should not just “focus on the positive aspects of data use” when engaging with data subjects, but also address “potential risks, safeguards, and plans for when things go wrong”.

“People have valid concerns about cyber-crime, data breaches, and disruption to critical services,” she said. “Organisations must demonstrate they not only have strong data privacy protections in place but also well-thought-out and tested business continuity plans. These plans are crucial to ensure they can continue to deliver safe care even if their digital systems are unavailable.”

Organisations also need to provide people with confidence that they have “effective measures” in place to “prevent inappropriate access to people’s medical records by those who work in or alongside health and care organisations”. She said provision should be made for “enforceable and impactful” sanctions in the event of breaches “to uphold public trust in the integrity of the system itself”.

According to Byrne, there are real benefits to be obtained if people consent to the use of their health data to further medical research – even if that research does not directly benefit the individual providing access to their data. However, she said that while there is a “strong indication that the majority of people are in favour of using their data for research and planning”, she has noticed that “national data opt-out rates … continue to rise”, meaning an increasing number of people are not consenting to the use of their data for research and planning purposes. She cited potential reasons for this in her article.

“Many people … may feel uneasy about private companies managing data on behalf of the NHS, or about commercial organisations accessing data for research or innovation,” Byrne said. “Concerns include whether companies’ values align with those of the NHS, the extent of commercial profit made from NHS data, and whether the NHS is getting fair value back, for example, in terms of financial or treatment benefits.”

She said those concerns can be allayed if there is “demonstrably strong, transparent and trustworthy governance around decision-making, demonstrating public benefit, and implementing safeguards” – and if organisations are “transparent and operate within the boundaries of public expectations”.

“Respecting the duty of confidentiality owed to our most personal information requires more than just respecting our privacy,” Byrne added. “It also involves ensuring we can trust that our data will only be used in ways that we would expect and support.”

Cerys Wyn Davies of Pinsent Masons said winning patient trust over data use has been a challenge organisations in the health and social care sectors have faced for years.

“As an example, former health secretary Sajid Javid, who championed the potential of using NHS data better to improve the planning and delivery of healthcare services and support innovation in life sciences more broadly, himself acknowledged ‘that there is more to do to build trust in the use of data and reassure the public that the data will be used securely’,” Wyn Davies said. “Those comments, made in 2022, followed the failure of initiatives such as the care.data scheme years previously – because inadequate consideration was given at the outset to potential privacy concerns and the extent to which patients could control how their data was used, and by whom.”

“Trust in data use is an issue that needs particular consideration at a time when organisations in the health and social care sectors, as in other areas of the economy, are exploring how AI could improve the way they operate and deliver improved health and care outcomes for patients – use of AI will only heighten the problems of trust and bias if fundamental concerns over use of data are not addressed, so it is now even more important to develop mechanisms in this and other sectors to further understanding and trust,” she said.

Louise Fullwood, also of Pinsent Masons, said Byrne’s comments are relevant not just to those that directly handle NHS data.

“Third parties involved in the processing of NHS data – whether through outsourcing arrangements, or through the supply of software or other technology and related services, should take note of Byrne’s comments, and her aspirations for building trust and for straight talking are equally applicable to any organisation involved in handling healthcare data,” Fullwood said.

“Better education and public information on health data processing, its benefits, and the security of such processing, is needed to increase patient consents for data sharing in order to maximise its potential to improve services and outcomes,” she said.

Fullwood advises on a number of European projects exploring the potential of patient data sharing improve services and outcomes – including PIONEER+ and PRAISEU that seek to improve prostate cancer outcomes. She said practical challenges arise in the context of obtaining clear and freely given patient consents, as is the legal requirement, across such projects.

“There is an observed difference in patient consent rates, which varies according to factors such as socioeconomic status, race, and age, and this can result in data which is not fully representative of a population. Increasing patient awareness of benefits and trust would help to reduce this,” she said.