Patients who consent to a course of treatment should be presumed to have given “implied consent” to having their data used for medical research, a review of data sharing across government has concluded.

The NHS should also develop a system to allow approved researchers to identify patients who would be happy to take part in research for which explicit consent is needed, the review by Information Commissioner Richard Thomas and director of the Wellcome Trust Mark Walport adds.

However, the review, ordered by Prime Minister Gordon Brown in October, emphasises that information should only be shared by organisations if “robust” systems to protect personal information and privacy are in place and if they have told users what will be done with their data.

“Implied consent is not satisfactory without considerable transparency,” the report says. “In the case of the NHS, we strongly encourage it to build on existing efforts to educate patients by making general and widely advertised statements about how people’s information might be used in the future.”

The data sharing review was set up to examine the use of information in the public and private sectors, the operation of the Data Protection Act 1998, other legal sanctions and the powers of the Information Commissioner. It was announced before HM Revenue and Customs lost two disks containing the personal data of 25m people in the post, although it notes that it became “altogether more apposite” when the scandal broke.

It repeats earlier statements from Mr Thomas stressing the importance of public trust in the way that organisations handle and store personal information. But it concludes that few organisations have “high levels of accountability and transparency” when it comes to handling and storing information and that most employees will not know who is responsible for data handling or who is accountable if things go wrong.

The report also concludes that most people will have “little insight” into how public or private bodies handle their data or who they share it with. It says “action is needed on both fronts” – but that organisations should be clear about what they want to do with data before they invest in databases and other technologies to capture it.

In its list of almost 20 specific recommendations, the report’s authors say organisations should overhaul their corporate governance requirements on handling and storing personal information and improve training for staff. It also says they should publish clear privacy statements, improve their consent documentation and publish a list of all the bodies with whom they share information.

On the broader front, the review says the government should participate in European moves to update data protection legislation and take other measures to make it easier to amend UK law, particularly as it relates to data sharing between public bodies.

It argues that the Information Commissioner’s office should become an Information Commission, with stronger powers, including a statutory right to enter premises and to be information of data breaches. And it calls for a government review of data aggregation sites.

However, it says that some measures should be taken to make it easier for information to be used for research and analysis, including the creation of “safe havens” in which approved researchers could work.

Overall, it argues that no new measures can be “a substitute for good judgement and common sense.” But it also argues that change is needed to “secure the many benefits that flow from appropriate information sharing, while avoiding and minimising the potentially serious harm that [this] may cause.”


Data Sharing Review Report