'The journey of research data: Accessing nordic health data for the purposes of developing an algorithm' by Katharina Ó Cathaoir, Hrefna Dögg Gunnarsdóttir and Mette Hartlev in (2002) 22(1) Medical Law International comments
This article traces the journey of Nordic health data requested for developing a healthcare algorithm. We focus on the legal requirements and highlight that differences in the legislation of Denmark, Norway and Iceland, and the interpretation thereof by responsible bodies, can pose a barrier for scientific researchers. In addition, non-legal institutional requirements or practices may hamper data access. First, despite some European harmonization, the mandate of research ethics committees and the data protection authorities vary in the three countries. Second, domestic institutions impose tailored requirements, sometimes only allowing domestic or affiliated researchers to access data sets. Third, the manner in which a dataset is collected, catalogued and stored has implications for data access. We make several recommendations for increasing transparency in Nordic data access, such as, increasing knowledge sharing regarding interpretation of General Data Protection Regulation (GDPR) criteria, adopting clearer regulations and pursuing greater citizen engagement in secondary use of health data.
Nordic health research is promising and collaboration has the potential to bring scientific breakthroughs that may not be possible alone. Moreover, Nordic countries are highly digitized, depending on electronic health records and a centralized personal identification number that connects information about the individual, spanning demographic and health data. With universal, tax-funded access to healthcare, rich, curated datasets are available, such as national patient registries, prescription and laboratory registries, and comprehensive biobanks that can be coupled with other health data. For this reason, several national and Nordic initiatives have been proposed for improving access to health data for research purposes.
Despite this promise, previous research has identified legal barriers to Nordic research. Obtaining access to data has long been described as slow and complicated. Varying legal requirements mean that pan-Nordic research continues to require legal expertise in the relevant countries. The difficulties of gaining access to sensitive data have been brought to the fore with the entry into force of the General Data Protection Regulation (GDPR), to which scientists have needed to ‘adapt’. Although an aim of the GDPR is to improve cross-border data flows, faced with the prospect of large institutional fines for non-compliance, researchers describe an ‘extra burden’ of compliance.
The GDPR has led to health data governance fragmentation, as Member States implement the legal basis for research differently. Furthermore, ethics regulation forms a separate but important part of this landscape. As Høyer describes it, ‘today, data create intense anxieties as people seek to balance competing interests and value registers, and ... ethics regulation is part of the negotiation’.
The aim of this article is to trace the journey of Nordic health data requested for the purpose of developing an algorithm. The article approaches the topic from the perspective of an ongoing Nordic research project, PM Heart, which combines data and researchers based in Denmark, Norway and Iceland. The objective of the project is to develop and eventually clinically implement personalized medicine (PM) in cardiology with the purpose of avoiding over treatment, as well as under treatment, in ischemic heart disease (IHD). The project combines existing and prospective Nordic health data to differentiate between different subgroups of IHD and potentially identify the cause of the IHD in the individual patient. Using machine learning, researchers aim to create a clinically integrative IHD algorithm that will estimate the risk of future complications in the individual patient based on all available and relevant data rather than only a few routinely applied parameters. The algorithm-generated risk estimate will later be used clinically as a decision support tool to improve patient management.
Our premise is that the differences in the requirements in the legislation of Nordic countries, and the interpretation thereof by responsible bodies, can pose a barrier for scientific researchers. In addition, there may be non-legal institutional requirements or practices that hamper access to data. This suggests that researchers must fulfil various legal and practical requirements imposed by legislatures, data controllers and institutions in each country.
The paper seeks to contribute to the literature in several ways. First, it provides an early evaluation of how the GDPR’s research provisions are being interpreted and implemented. Second, it provides socio-legal insights by drawing on legal doctrinal method and interviews with (non-legal) researchers to also reflect the law through their eyes. Third, the article offers insights into three Nordic jurisdictions where limited practice and literature is available in English.
'Confidentiality and public interest disclosure: A framework to evaluate UK healthcare professional regulatory guidance' by Paul Snelling and Oliver Quick in the same journal comments
Confidentiality and disclosure of information in the public interest present difficult dilemmas for healthcare practitioners and call for clear legal and regulatory guidance. The common law duty of confidence, and established exceptions to it, are shaped by medical practice and detailed guidance produced by the General Medical Council. Guidance issued by other healthcare regulators in a highly fragmented environment is at best unclear and at worst inaccurate. This article assembles and justifies a framework of evaluation against which regulators’ guidance can be assessed, focussing on the specific issue of when the duty of confidentiality can be set aside in the public interest. Comparison of statutory regulators’ guidance reveals wide variation which creates uncertainty for practitioners confused by inconsistency between guidance documents. The results of this analysis raise questions about the relationship between common law and regulatory guidance, in particular, whether it is appropriate to recognise different standards for different healthcare professions. This article argues that there is an opportunity to correct this anomaly and ensure appropriate consistency as part of a wider review of healthcare professional regulation.
Confidentiality and disclosure of information are complex areas of professional responsibility, of interest to healthcare practitioners since antiquity. Despite being one of the least litigated areas of medical practice, the British Medical Association (BMA) has received more queries relating to confidentiality than other areas of ethical concern, indicating professional uncertainty about legal and regulatory guidance. Confidentiality is centrally important to therapeutic relationships3 and has a clear basis in both utilitarian and deontological theories of ethics. While classic codes of medical ethics describe the duty of confidentiality in absolute terms, it is widely accepted that the duty is qualified and permits exception in the public interest.
Finely balanced decisions about whether public interest disclosure is justified are made by healthcare professionals, and although a decision is unlikely to be so urgent as to constitute a medical emergency, neither will all circumstances allow for a thorough examination with a full range of clinical, ethical, and legal texts and opinions available. These decisions can be challenged through the courts and fitness to practise hearings held by professional regulators. Hitherto, most decisions have been made by doctors, aided by comprehensive guidance written by their regulator, the General Medical Council (GMC). However, in recent years, the range of statutory regulation has increased with non-medical health care professionals solely accountable for their decisions. The relationship between GMC pronouncements and the common law has been established for over 100 years, and with its guidelines for 50 years. However, in the absence of case law involving non-medical regulated health care professionals, a key question for healthcare law and practice arises: Is disclosure by non-medical health professionals held to the same standards as in medical practice, or do different legal and professional standards apply?
This article examines this unanswered question by comparing the confidentiality guidelines of eight non-medical regulators against a framework reflecting medical practice in GMC and Department of Health (DH) guidance. Following contextual introductory information about medical confidentiality, professional regulation, and the role of standards and guidelines, the framework is introduced and defended with analysis of five questions for consideration by healthcare professionals contemplating public interest disclosure. The questions are applied to guidance from the statutory regulators, and inconsistencies identified. The article concludes with further discussion and recommended remedies.