Organisations that conduct research must

• have a legitimate and legal basis for using the data

• show that their research is in society’s interests

• conduct the research ethically, usually with the approval of an independent ethics review board or committee.

Researchers need to adopt strict codes of practice and security measures that comply with the GDPR. Codes of practice can ensure that the research purposes for which data are used meet the above criteria – they have a legal basis, are in society’s interests and are ethical. Surveys reinforce the strong message that the research must bring benefits to patient care, through improved services, new treatments and greater patient safety. This requirement ensures that the results of research using health data are translated back into improvements for patients.

Patients expect that researchers who are given access to data in order to conduct research will protect the data with strong security measures, and will use the data only for the purposes that are permitted.

The data must be treated with care, and ideally each researcher should be given access only to the parts of the data they require to conduct their part of a research analysis. Data must always be handled securely. This is important because each person has some unique health characteristics. Even if their identifying details have been removed to anonymise or depersonalise the data, it is sometimes possible to infer the identity of the person from their clinical information. For example, somebody who has a rare condition that perhaps only a few people in their city or country have, who has an unusual combination of diseases, or who has had a pioneering operation that was publicised could be identified from those details alone. It is therefore important that researchers are trained in how to protect data securely and are required to adhere to a code of conduct. That code of conduct must make clear that researchers cannot disclose data to anyone else, and must not use it for any purposes except the approved research. The public in general should always be assured that their preferences for how their data are used are being respected.
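The re-identification risk described above can be checked before data are shared. The following is an added example, not part of the original text: it takes a constructed set of "anonymised" records (direct identifiers removed, clinical quasi-identifiers kept), measures how many records share each combination of city, age band and conditions (k-anonymity), and flags the records that are alone in their group, such as a rare condition or an unusual combination of diseases. The field names, records and the threshold k >= 3 are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample: identifiers removed, but clinical attributes remain.
SAMPLE_RECORDS = [
    {"city": "Leeds", "age_band": "40-49", "conditions": ("asthma",)},
    {"city": "Leeds", "age_band": "40-49", "conditions": ("asthma",)},
    {"city": "Leeds", "age_band": "40-49", "conditions": ("asthma",)},
    {"city": "Leeds", "age_band": "30-39", "conditions": ("diabetes",)},
    {"city": "Leeds", "age_band": "30-39", "conditions": ("diabetes",)},
    # Rare condition: only one person in the city has it.
    {"city": "Leeds", "age_band": "50-59", "conditions": ("fabry_disease",)},
    # Unusual combination of two common diseases is also unique.
    {"city": "Leeds", "age_band": "30-39", "conditions": ("asthma", "diabetes")},
]

# Attributes that are not names or NHS numbers but still narrow down a person.
QUASI_IDENTIFIERS = ("city", "age_band", "conditions")


def equivalence_key(record, fields=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values; records with equal keys are
    indistinguishable to someone who only sees these fields."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Return (min_k, counts): the size of the smallest equivalence class
    and a Counter of class sizes. The dataset is k-anonymous for k = min_k."""
    counts = Counter(equivalence_key(r, fields) for r in records)
    return min(counts.values()), counts


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Indices of records alone in their class: the people who could be
    singled out from their clinical details alone."""
    _, counts = k_anonymity(records, fields)
    return [i for i, r in enumerate(records)
            if counts[equivalence_key(r, fields)] == 1]


def release_check(records, min_k=3, fields=QUASI_IDENTIFIERS):
    """Gate a data release: refuse if any equivalence class is smaller than min_k."""
    k, _ = k_anonymity(records, fields)
    return k >= min_k


if __name__ == "__main__":
    k, _ = k_anonymity(SAMPLE_RECORDS)
    print(f"k-anonymity of sample: {k}")
    for i in unique_records(SAMPLE_RECORDS):
        print("could be singled out:", SAMPLE_RECORDS[i])
    print("safe to release at k>=3:", release_check(SAMPLE_RECORDS))
```

Records flagged by `unique_records` are the ones a code of conduct alone cannot protect; they need generalisation (coarser age bands, grouped conditions) or suppression before the data leave the secure environment.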

All healthcare and research stakeholders need to work together with patients and members of the public in applying codes of conduct and rules that everybody finds acceptable. Codes of conduct and other rules about protecting data must be made public, so there is full transparency to everybody about what rules must be obeyed and what conduct is expected from all research users.