This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 5 minute read

Largest ever UK research programme to collect personal data from 5 million volunteers

An ambitious new project is currently underway with the goal of becoming the UK’s “largest ever health research programme”.[1] Up to 5 million volunteers will donate samples and health information to the programme, called “Our Future Health”, in order to enable researchers to find ways to detect, prevent and treat diseases earlier. As of July 2022, Our Future Health has opened up appointments for volunteers to donate blood samples, provide measurements such as blood pressure and cholesterol levels and fill out questionnaires in order to build a data-rich resource.[2] The aim is to create an incredibly detailed picture of the nation’s health with a diverse demographic which can inform researchers focussing on dementia, cancer, diabetes, heart disease and strokes.

How will volunteers’ health data be used?

Volunteers’ blood samples will be divided up so that part of the sample can be used to extract genetic information about the individual, while other parts of the sample will be stored for future research which could, for example, involve testing cholesterol or blood sugar levels. The health information derived from volunteers will be for research purposes primarily, but there is the possibility that volunteers will also be able to receive personal feedback from samples, DNA and other data or be offered the opportunity to participate in further research studies.

While some research may be carried out by Our Future Health itself, research studies will primarily be done by researchers around the world from organisations such as universities, charities or commercial entities within industries. Findings from such research may be published and made publicly available and researchers may also commercialise and profit from the discoveries they make. 

Should volunteers be concerned for their privacy?

Our Future Health, which has been done in partnership with the NHS, follows in the footsteps of similar initiatives to compile individuals’ health data and use it for medical research. One such example is the General Practice Data for Planning and Research (GPDPR) which was a UK initiative whereby all patient data from GP practices in England would be collected and processed centrally by NHS Digital, with the goal of using this information to plan and improve healthcare services and support research. This programme, however, was indefinitely postponed due to concerns over the privacy and security risks of individuals’ health information being transferred and held centrally in this way.[3]

Given the privacy challenges faced by previous data collection initiatives, it is no surprise that Our Future Health has published a significant amount of information in relation to the safeguards they have put in place to ensure that individuals’ personal data is kept secure. Our Future Health sets out that it will encrypt personal data and keep health data in a “de-identified” form – this means that volunteers’ names and contact details are kept separate from their health information which is shared with researchers. Contact information can only be accessed by a limited number of administrative staff, primarily for the purpose of asking volunteers whether they would like to participate in follow-on research or receive feedback on their personal health.

In terms of sharing data, Our Future Health note they will only share data with registered researchers whose research is approved, health-related, for the public good and in line with the consent volunteers have given (under the common law, consent is generally required to share patient data for research, even if consent is not the legal basis relied on by a controller under the GDPR). Further, researchers working on an approved project can only access de-identified data through a trusted research environment (TRE) which is a highly secure computing environment, where work is subject to clear rules and strict controls.

The potential issues of “de-identified” data

“De-identified” data has no legal definition but it is not the same as anonymised data, which under Recital 26 General Data Protection Regulation (GDPR) is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is no longer identifiable”.

It is unlikely that separating volunteer names and contact details from their health data will render health data anonymous in GDPR terms, especially in cases where health conditions of volunteers may be unique or very rare or where there is a detailed medical record. The fact that Our Future Health is sequencing DNA, which by its nature, is entirely unique to a person also means that health information shared with researchers could be traced back to individual volunteers. In practice it is not unusual for health data used in research not to be anonymised to a GDPR standard. This is because it can be near impossible to effectively anonymise health data without stripping it of its value. So instead, the aim of de-identifying data, as opposed to anonymisation, is to enhance the security of the data, while retaining its value and richness as a data source. Restricting use of the data to TREs reduces the opportunities for re-identification, so that the privacy of individuals is protected even where full anonymisation cannot be achieved.

Further, health information is considered “special category data” under the GDPR to which certain additional and more restrictive obligations apply in relation to its processing and security. These obligations continue to apply to data which is only de-identified. Given all of these considerations, it will be interesting to see how Our Future Health balances the competing aims to provide sufficient data to provide value to researchers and protect its volunteers’ privacy.

Are we finally harnessing the value of health data?

This initiative, however, could be a first step in the UK catching up to nations such as Denmark which already has a long tradition dating back to 1968 of collecting and using healthcare data to improve its healthcare system and for treatment and research. The Danish Health Authority employ statisticians, epidemiologists and economists to monitor and analyse the population’s aggregated health data and its digital health strategy has already reduced the number of outpatients by 75%.[4] The success of such countries demonstrates the value of harnessing the value of population’s health data to improve healthcare more generally, and with the appropriate privacy safeguards in place, Our Future Health could be a step in the right direction.

If you would like to read more about the Our Future Health initiative please see further details on their website: https://ourfuturehealth.org.uk/

================================================

[1] https://ourfuturehealth.org.uk/news/the-uks-largest-ever-health-research-programme-to-transform-the-prevention-detection-and-treatment-of-diseases/

[2] https://ourfuturehealth.org.uk/news/our-future-health-goes-live-to-the-public/

[3] https://www.thelancet.com/journals/landig/article/PIIS2589-7500(21)00148-5/fulltext

[4] https://www.privacycompliancehub.com/gdpr-resources/data-sharing-in-the-nhs-needs-to-happen-but-not-without-building-trust-first/

Subscribe to receive our latest insights - on the topics that matter most to you - direct to your inbox, at your preferred frequency. Subscribe here

Tags

life sciences, data protection and privacy, health tech, life sciences regulatory, value in data