Data protection

Many patients are surprised that health data is not better utilised, especially within national health systems. However, surveys also show that members of the public are concerned about what they read and hear about data breaches, even though many of those breaches occur in other industry sectors. People are sometimes anxious about whether their health data can be stored securely and communicated safely to where it is needed.

Because accurate data is so important for our healthcare systems, public bodies, care professionals and industry need to work together to enable the better use of health data, and to do it in trustworthy ways.

Patients are really willing to donate data but there is always the aspect of trust
— Mitchell Silva, patient representative


The results of the use of health data must be translated back into improvements for patients.


Shared and aggregated health data

Data is originally collected by different organisations, for different purposes, most commonly to support the health and care of individuals. These organisations hold patient data in order to ensure that patients continue to receive the best possible care. It is generally accepted by most health systems, and by most patients, that an organisation like a hospital will examine its own collection of patient data in order to identify ways that it can improve the quality, timeliness and safety of the care its teams deliver. This data can also be aggregated at a larger population level, enabling wider learning and improved health care for patients across a broad range of settings, whether within one country or across many countries.


It is absolutely essential that the privacy of individuals is protected when using their health data for learning, quality improvement and research.


Data protection measures

GDPR

Personal data about European citizens is legally protected, most recently through the introduction of the General Data Protection Regulation (GDPR) in May 2018. Patients must now be told how their data will be used, for what purposes, and how it will be protected. In some situations patients will be asked to formally consent to particular uses of their data, for example by signing a consent form.


Codes of practice

Health data users need to adopt strict codes of practice that comply with the GDPR. Codes of practice can also ensure that the purposes for which data is used meet the following criteria:

  • they have a legal basis

  • they are in society’s interests

  • they are ethical.

It is expected by patients that health data users will only use the data for the purposes that are permitted.


Information security measures

Information security is the practice of applying a range of measures to protect computer systems, networks and the data they hold from accidental or deliberate disclosure, unauthorised access or damage. An organisation using health data must adopt recognised information security practices to protect the data in its possession, both while it is stored and while it is being used by staff.