Many readers of this blog will be familiar with the stringent protections which the Data Protection Act 1998 (DPA) affords in respect of personal health data (see further the definition of ‘sensitive personal data’ in s. 2 DPA). Thus, for example, if a data controller wishes to avoid contravening the first data protection principle (the fair and lawful processing principle) as and when it is processing health data, it must ensure that: (a) the particular processing is fair and lawful; (b) that it meets one of the conditions provided for in schedule 2 to the DPA and (c) that it meets one of the very narrowly drawn conditions provided for in schedule 3 to the DPA. If the processing is intended to serve the interests of medical research, the data controller will doubtless wish to look in particular at the condition provided for in paragraph 8 of schedule 3. That condition stipulates that the processing must be ‘necessary for medical purposes’ (which includes the purposes of medical research) and be undertaken either be ‘a health processional’ or ‘a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional’. Of course, the principle which underpins this particular condition is that it is very much in the public interest that, subject to the test of necessity, health data be shared by medical researchers. A recent judgment of the European Court of Human Rights (ECHR) has highlighted the importance of this particular public interest: Gillberg v Sweden (application no. 41723/06).
Read more on Panopticon. The issue that a clinician or entity can give guarantees of confidentiality/non-use of information that can be trumped by the public interest in medical research is something that every clinician or entity needs to consider before collecting data.