I was forwarded an article written by Mary Louisa Toynbee and published in the Guardian a couple of days ago, decrying the failure of the U.K. NHS's care.data program. This was an ambitious plan to curate anonymised patient electronic medical and social care records into a single database for the purposes of research and improving care. The concept was (and remains) laudable, but the implementation was deeply flawed, largely due to a lack of transparency (data was sold to private companies without prior announcement), poor management and a lack of effective public communication.

Screenshot from the Guardian website: Article on the failure of UK care.data

Singapore has several smaller and much more limited initiatives, one of which is the National Intensive Care Unit Registry (NICUR). This involves only public sector hospitals, however. There does not appear to be a requirement for informed consent for data collection, nor a way for patients/families to opt out of the Registry. It was announced last year that the data – anonymised or otherwise – would not be made public (although presumably the ICU researchers will eventually publish papers arising from analyses of the data). I am heartened that this initiative seems to be supported by the public, or at least that no one has cared enough about his/her (potential future) loss of data privacy to raise a fuss.

There is a natural tension between data sharing and privacy protection, especially with respect to research. Benefits and risks have to be weighed, with an acceptable equilibrium found that may well differ for different cultures and societies. Too much privacy protection, and major potential benefits will be lost – it will be far harder to find and confirm associations between exposures (like antibiotics or smoking) and disease (from antibiotic-resistant microbes or cancer), or to determine whether certain clinical practices are sound. Too little, and the risk of private data getting leaked/hacked/released without permission becomes correspondingly greater.

The ramifications of our Personal Data Protection Act (PDPA), instituted in 2013, are now being felt in biomedical research, and it appears to have shifted the pendulum well in favor of privacy protection, to the detriment of some areas of research. The key area affected is retrospective studies. Some might feel that there is little value in retrospective research (such results are hard to publish in “high impact” journals, for example, compared to prospective research), but retrospective studies are far cheaper to organise, and do unearth interesting associations and hypotheses to test if done well. In the past, it was relatively easy to get a “waiver of consent” from research ethics review boards – if patients had been discharged from the hospital for a year, it was often deemed unnecessary to contact them for consent to use their medical data, provided the data could reasonably be anonymised. Now, the bar for a waiver of consent has been raised much higher, making most retrospective studies truly impractical (or at the very least far more costly). Identifying and contacting patients as potential research subjects (controls for case-control studies, for example) has also become more difficult with the PDPA strictly enforced.

There are still ways to continue much of this research (at greater cost), including setting up data intermediaries or institutional “data anonymisers”. Government agencies are not subject to the PDPA – hence no consent is required for NICUR data collection, for example – and the data they collect can be released for research after proper anonymisation. However, working with government agencies has its own special challenges.
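To make the idea of an institutional “data anonymiser” concrete, here is a minimal sketch in Python of what such an intermediary might do before releasing records for research. The field names, the salt, and the sample record are all hypothetical, invented purely for illustration; real de-identification pipelines are considerably more involved.

```python
import hashlib

# Hypothetical salt held by the data intermediary and never released;
# it prevents anyone outside the institution from reversing the hashes.
SALT = "institution-secret-salt"

def anonymise(record):
    """Return a research copy of a patient record with direct identifiers removed."""
    return {
        # Replace the national ID with a salted one-way hash (pseudonymisation),
        # so the same patient can still be linked across datasets
        # without exposing his/her identity.
        "pid": hashlib.sha256((SALT + record["nric"]).encode()).hexdigest()[:16],
        # Generalise date of birth to birth year to reduce re-identification risk.
        "birth_year": record["dob"][:4],
        # Clinical fields needed for the study pass through unchanged;
        # the name field is simply dropped.
        "diagnosis": record["diagnosis"],
    }

raw = {"nric": "S1234567A", "name": "Tan Ah Kow",
       "dob": "1950-03-14", "diagnosis": "pneumonia"}
anon = anonymise(raw)
print(anon)
```

The design point is that the raw identifiers never leave the intermediary: researchers receive only the pseudonymous `pid` and generalised fields, which is what makes a waiver of consent defensible in the first place.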

In the short to medium term, we are likely to see a significant reduction in certain forms of biomedical research as a consequence of tighter data protection. It would be good to see more public discussion and efforts to ascertain what our society feels is the optimal equilibrium between data privacy and sharing, especially with regard to publicly funded research.