Information governance, ethics and participation

Summary #

“Our experience suggests that IG processes are a ubiquitous challenge in delivering timely and high-quality research with the potential to make a positive impact on health. Currently, such processes are often lengthy, circuitous, opaque, and inconsistent, in a way that creates duplication and wastage of time and effort and is not proportionate to the nature or degree of risk involved.”

LAUNCHES QI study #

“LAUNCHES QI, a project initiative in 2018, aimed to link 5 national data sets to generate understanding about Congenital Heart Disease services, with the intention to: describe patient trajectories through secondary and tertiary care; identify useful metrics for driving quality improvement; and explore variation across services…

In total 47 documents were required for the data application processes, comprising 384 pages. These were required by 11 data controllers or departments and submitted 162 times in total. Each application form asked for similar study information, but each required different wording, structure, and detail, and some seemed unfit for purpose – designed for clinical trials and other interventional studies involving human participants and ill-adapted to data-only studies. The resulting confusion meant that each data controller asked for alterations and further information between one and 9 times before approval was given. This was all in addition to getting research ethics approval from the HRA and gaining Section 251 approval.

Gaining permissions, including university and ethical approval, took 8 months, and the data applications took between 3 and 7 months. Acquiring the data took a further 7 to 10 months. Once this linkage was completed, the researchers received further funding to start a new – but related – study on the same dataset. The approval process to re-use the dataset took a further 2 years and…”

Taylor JA, Crowe S, Espuny Pujol F, et al. BMJ Open 2021

Information governance processes #

“the collection, storage and use of health data is governed by a multi-layered set of overlapping, duplicative and sometimes contradictory policies, regulations, and ethical guidelines managed by the Department of Health and Social Care, the National Data Guardian, the ICO, the Health Research Authority, Medicines and Healthcare Products Regulatory Authority (MHRA), NHS Digital, NHS England, the NHS Transformation Directorate, local trusts, individual universities, GPs, hospitals, and a range of other bodies granted powers by the preceding organisations”

“Even if I or other experienced researchers know how one bit of the forest works, navigating the complexity of the multiple regulators and sources of approval is what befuddles researchers (and the public)”

There is good evidence that research and other useful activities are being unnecessarily hindered by current practice, and there is work ongoing (e.g. the Information Governance Portal) to simplify it.

An overabundance of caution #

“Sometimes people don’t understand the rules so it’s easier for them to say ‘the data protection law won’t allow me to share data with you.’ Usually, the data protection law would actually say you can share as long as you do xyz.”

“Lots of people will say the GDPR is a blocker. It wasn’t supposed to be. It was supposed to be about sharing data. The blockers are all interpretations. Some of it is there are too many independent bodies.”

There are multiple causes of excesive caution in this context, including:

  • Anxiety caused by a belief that patients are against data sharing
  • Anxiety caused by a lack of determinacy in information governance rules
  • Anxiety caused by the mechanisms used for data access
    • “…data dissemination requires decision-makers to trust the recipients of data, and is inherently more risky than TRE access”

Monopolies, resource, and recognition #

“Monopolies over data are one of the largest hurdles that must be overcome…“Guarding” of data, be it for reasons of commercial advantage, academic competitiveness or resistance to the idea of commercial involvement, is harmful to collaboration and only adds expense or prevents research outright. This hampers the effective use of data and stifles innovation (by both public and private sector organisations).”

There are issues around incentivising of the collection, curation, and sharing of data, and it is very much not the case that the cost to the sharing organisation is zero. In summary:

  • It is inappropriate for information governance processes to be used to obstruct data access for other reasons
  • People who have invested time and effort on collecting or managing data that is widely used should be able to access resource to make their work for all sustainable
  • Data collection and curation should be regarded as independent skilled activities with status on a par with writing final data reports
  • The marginal additional costs on an organisation when sharing data should be priced appropriately, and passed on appropriately

Anxiety about performance management, and public accountability #

Healthcare organisations can be concerned that data will be used to “punish” them using performance metrics. There is a further [well founded] fear that “data may be used to monitor activity in a haphazard of inaccurate way, which may require time-consuming rebuttals, or have adverse consequences on clinical work”

A good example of this is the refusal of nearly every NHS Trust in the country to publish their patient experience data in full, even though patients can write whatever they like on Twitter and anything that isn’t defamatory or otherwise illegal on Care Opinion

[the above] has contributed to the culture of closed working practices around NHS service analytics, as the assumption of secrecy around some specific performance measures for individual healthcare organisations has bled over into an assumption of secrecy around the very methods and code by which such metrics are conceived and calculated

Concern about commercial users #

This isn’t particularly relevant to me, so I’m going to skip over it. Basically, it says there are lots of useful examples of commercial use of NHS data, and the following:

by far the largest overall economic benefit for the NHS and the nation is likely to come from whole systemic packages: not clinical trial follow-up data alone, but rather platforms that can execute the entire pathway of a clinical trial in an efficient, digital manner, with proportionate governance… new prospects for innovation open up, some of which may be transferable to other settings and nations. In this regard, the greatest commercial benefit is likely to come from the whole system: well-curated data, in accessible and performant TRE platforms, with appropriate technical documentation, alongside a digitally competent NHS, with clear entry points that are technical as well as “negotiations and meetings”, and above all a workforce with deep competencies that combine generalist data science or software development skills with deep domain knowledge on health data, its strengths and weaknesses, its provenance, and its effective use in analytics and innovation

Exclusive commercial arrangements #

These are bad

Multiple data controllers #

Again, to summarise:

it is hard to argue that it is a sensible or proportionate use of NHS GP time – or even practice manager time – for 6,500 individual GP practices to separately consider all these issues and legal documents, on multiple occasions, for multiple different research projects, both general purpose and singular studies. This requirement also imposes substantial workload and risk on individual clinicians; but it is a natural consequence of the current legal reality that each GP practice is the Data Controller for their own patients’ records, and must separately grant permissions

Patient and public involvement and engagement #

“Well-designed, meaningful PPIE can help to ensure that patient and public trust in research is maintained, and that the individuals to whom records relate are treated with respect and dignity; co-designed PPIE, and co-designed research projects, can also improve the quality of research. Patients and public representatives are the experts of what it is like to experience the care of the NHS, to live with specific conditions, or to care for loved ones experiencing ill health. This means that they often know better than any independent researcher or analyst the most important research questions, the right outcomes to measure, and the best way to ensure that the outputs of any and all research delivers on its ultimate goal: patient and public benefit”

Recommendations #

Going to skim these as well…

IG 13. Revise the definitions of ‘anonymous’, ‘dentifiable’ and ‘linked’ data; add a new category of ‘pseudonymised but re-identifiable’ IG 20. Address the ‘multiple permissions’ problem IG 25. Address exclusive commercial arrangements IG 26. Ensure PPIE expectations are proportionate to the sensitivity and scale of the project IG 27. Provide researchers with easy access to practical guidance, and examples of best-practice