The Data Protection Commissioner (“DPC”) has just published the results of a Data Protection Public Awareness Survey. Respondents were asked, “should your medical records be made available for the purpose of advancing medical research?” 18% of respondents voiced an outright ‘no’; 57% said yes but only with the patient’s consent; and 13% said they would allow their medical records to be released without giving specific consent where the data is anonymised.

Any medical research using a patient’s medical records will involve the “processing” of sensitive personal data. This requires the express consent of the patient in order to meet the legal obligations set out in the Data Protection Acts 1988 and 2003 (the “Acts”). Where a patient’s medical data is going to be used for a purpose other than the patient’s treatment, an informed and explicit consent should be sought as soon as possible after a patient presents at a health facility .

The Acts include some exceptions to the requirement to obtain a patient’s explicit consent. Internal medical research or clinical audits can be carried out without the patient being informed, as long as there is no damage or distress likely to be caused to the patient. However this is confined to ‘internal medical research’ and not research carried out eg by a third party drug company. Where patient data is being used for third party research, it must be anonymised, it is not necessary to obtain a patient’s consent before processing their personal data. Irrevocable anonymisation of patient’s data must be carried out by the health facility before the data is accessed by a third party. To avoid data duplication and maintain the integrity of the trial, the data controller should use a unique coding system or pseudo name, to ensure the individual cannot be identified either on its own or in conjunction with other data in the possession of or likely to come into the possession of the controller.

Health service providers may hold historical data where no explicit consent has been obtained to use the data for medical research. The DPC suggests putting a system in place to try to capture patient consent. Twice writing to the data subject asking for a response, telephoning once thereafter and finally, if no response is received, submit the case for internal ethics committee approval, has been suggested by the DPC to be good practice. However advice should be obtained before embarking on this.

The DPC tries to strike a balance between the necessary availability of data for medical research and the protection of the patent’s data protection rights. Informed consent and/or anonymisation of patient records are the basics of complying with the Acts. Our dedicated Data Protection team works with many healthcare clients in advising on a wide range of data protection issues, with a strong focus on finding practical solutions.