Medical researchers are generally expected to obtain consent before accessing personal health data; this is problematic if they require personal health data to determine whom to invite. In reality, consent is not an absolute requirement of data protection legislation. Under the General Data Protection Regulation (GDPR), personal data need to be processed securely, lawfully, fairly, transparently and in a manner compatible with why they were originally collected.1 Scientific, research and statistical purposes are not considered incompatible with the initial purposes of data collection.2 Lawfulness is established by meeting one of six criteria, including consent, public interest or legitimate interest.1 GDPR does not define public interest,3 but the Data Protection Act 2018 does not list research as a public interest.4 Therefore, lawfulness of health research based on public interest is likely to be established only in exceptional situations, such as a pandemic. Legitimate interest requires that data subjects could reasonably expect their data to be used for the purpose at the time they were collected.1
In the long-COVID in Scotland Study (long-CISS), consent could not be obtained prior to using health records to identify and classify eligible subjects. This population cohort study compared symptoms, daily activities and quality of life among people who had previous laboratory-confirmed COVID-19 with a negative PCR test comparison group matched by age, sex and area deprivation. Therefore, data on test results, age, sex and area of residence were needed to identify and classify individuals prior to sending invitations and obtaining consent. Eligible participants were identified from the Case Management System (CMS), the National Health Service (NHS) Scotland database established to support the ‘Test and Protect’ response to COVID-19. The database provided PCR results to Storm ID, a digital healthcare company commissioned by NHS Scotland to send individuals their test results.
In long-CISS, Public Health Scotland, the data controller for CMS, identified eligible subjects and provided Storm ID with an extract containing their name, date of birth and telephone number only. Storm ID developed its existing digital platform to automatically send SMS texts to these individuals informing them of the study and inviting them to participate. During an initial authentication step, the recipient keyed in a unique token, provided in the invitation, along with their name and date of birth. If these matched the information in the data extract, the subject was able to provide electronic consent and access the web-based questionnaire. The questionnaire responses were pseudonymised and analysed by the investigators within the national safe haven, a virtual trusted research environment, with results released following disclosure control. At no point could individuals be identified by the investigators. The invitation text included an electronic participant information leaflet, notification that participants were free to withdraw from the study at any time, and contact details to obtain additional information, if required.
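The authentication step described above can be sketched as follows. This is an added example, not code from the study or from Storm ID: the function names, the token length, storing only a hash of the token, the attempt limit and the HMAC-derived study ID are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata
from datetime import date

# Assumption: this key stays with the platform and is never given to investigators.
PSEUDONYM_KEY = secrets.token_bytes(32)

def _norm_name(name):
    """Fold case, accents and spacing so harmless typing differences still match."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def _token_digest(token):
    """Only a hash of the token is stored, so a leaked extract cannot replay invitations."""
    return hashlib.sha256(token.strip().upper().encode()).hexdigest()

def issue_invitation(extract, name, dob):
    """Register one person from the extract and return the token for their SMS."""
    token = secrets.token_hex(8).upper()  # 64 random bits (assumed length)
    extract[_token_digest(token)] = {
        "name": _norm_name(name), "dob": dob.isoformat(), "attempts": 0}
    return token

def authenticate(extract, token, name, dob, max_attempts=5):
    """Return a pseudonymous study ID only if token, name and DOB all match."""
    record = extract.get(_token_digest(token))
    if record is None or record["attempts"] >= max_attempts:
        return None  # unknown token, or locked after repeated wrong guesses
    supplied = f"{_norm_name(name)}|{dob.isoformat()}".encode()
    expected = f"{record['name']}|{record['dob']}".encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        record["attempts"] += 1
        return None
    # Responses are keyed by this ID, never by name, DOB or telephone number.
    mac = hmac.new(PSEUDONYM_KEY, _token_digest(token).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]
```
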
Awareness of the study among the general public and potential participants was achieved via a Scottish Government press launch, widespread coverage across traditional and social media, information posted on the Public Health Scotland (Data Controller) website, a study webpage including frequently asked questions and contact details for queries, and information-sharing with long-COVID support groups.
Following the launch, 156 queries were received from the general public (Scottish population 5.5 million): 135 supportive, 16 unrelated to the study, 4 notifying changes of contact details and 1 asking for information on data use. Invitations were sent to 235 699 people in the first tranche, of whom 97 (0.04%) contacted the investigators: 54 for help with technical problems with the app, 24 seeking clarifications (eg, confirmation their responses had been received), 13 unrelated to the study, 4 supportive, 1 to correct their name and 1 requesting Freedom of Information process information (which they did not progress). The response rate was 18%, 5 (0.002%) people withdrew from the study, and 34 947 (80%) ticked that they were happy to be recontacted for further research.
While long-CISS could be justified as public interest in the context of a pandemic, there is an argument for the lawfulness of health research based on legitimate interest, subject to reasonable expectations, awareness and transparency being met. The number and nature of the responses received from the general public and invited individuals, the high recruitment and low opt-out rates, and the very high percentage of participants willing to be recontacted provide convincing evidence (and arguably precedent) that subjects did not consider health research to be inconsistent with how they expect their health data to be used. We hope our findings will inform the debate regarding consent and reassure legislators, data controllers and researchers that accessing personal health data without consent can be done without endangering public trust provided that appropriate steps are taken.
Patient consent for publication
Approval for long-CISS was obtained from the West of Scotland Research Ethics Committee (ref. 21/WS/0020) and the Public Benefit and Privacy Panel provided approval (ref. 2021–0180) following completion of Data Protection Impact Assessment (DPIA), System Security Policy (SSP) and Privacy and Electronic Communications Regulations (PECR) forms.
Contributors JPP had the initial idea. CEH analysed the data. JPP drafted the manuscript. All authors edited and approved the manuscript.
Funding The study is funded by the Chief Scientist Office reference COV/LTE/20/06.
Competing interests None declared.
Provenance and peer review Not commissioned; internally peer reviewed.