Data privacy issues in health research

Data privacy remains a huge topic in the life sciences sector given the sheer volume of personal data that is involved in any type of research using health data of individuals.

For many companies, undertaking clinical trials or clinical investigations will be part and parcel of bringing their products to market. General research using health data to help better understand diseases and their treatments is also commonplace, irrespective of whether those data are initially gathered in the context of a clinical trial or treatment by healthcare institutions.

Since exiting the European Union (EU), the United Kingdom has its own version of the General Data Protection Regulation (GDPR), with much the same areas of uncertainty that existed under the EU GDPR. As the EU GDPR is the basis of the UK GDPR, guidance issued by the European Data Protection Board (EDPB) can still be helpful to aid interpretation. There are also resources available from the Health Research Authority (HRA), and we expect the Information Commissioner’s Office (ICO) to issue guidance on the research provisions within the UK GDPR and the Data Protection Act 2018 (DPA 2018) during the course of this year. The Data Protection and Digital Information Bill proposes more substantial data protection reform (more on that here), with scientific research specifically called out as an area where the current complexities can act as a deterrent. The proposed changes envisage a clearer definition of what constitutes processing for scientific research, and a way for researchers to obtain consent to an area of scientific research where it is not possible to identify fully, at the time of collection, the purposes for which the personal data will be processed. There is a long way to go before this becomes law, but the proposed revisions look helpful at this stage.

Under the current rules, particularly at the contract drafting stage, we often see issues arise in the following key areas of interest for health research:

  • Whether the parties are dealing with personal data
  • What relationship the parties have to the personal data and each other
  • Cross-border issues, such as the extraterritorial effect of the UK GDPR
  • The concept of consent in health research

There are of course other data protection issues that are relevant depending on the research being undertaken, but these are outside the scope of this article.

Are we dealing with personal data?

It is generally accepted that, in a clinical setting, personal data will be collected and processed in relation to each patient. The data will include things like patient name, number, address information and information about their health.

If those data are then used for research purposes, identifying information relating to each patient is usually stripped out before the data are used for the intended research purpose. The use of such de-identified data can then lead to the assumption that no personal data are involved and that data protection provisions are therefore not required in a contract for health research.

For truly anonymous information this is true; it will not be classified as personal data and will be outside the scope of data protection laws.

The issue in health research is that de-identified data is usually only pseudonymised: the information which identifies an individual has been removed and replaced with a different identifier, such as a number or other code, while a separate data set holds the key needed to re-identify the individuals (this is common, for example, in clinical trials where the site will hold the full data set and the key to the code and the sponsor will receive only the coded data set). If it is possible at any point to use reasonably available means to re-identify the individuals to which the data refer, the data will not have been effectively anonymised and are only pseudonymised. Those data are therefore still personal data for the purposes of data protection laws (in both the UK and the EU).

Note that the proposed revisions in the Data Protection and Digital Information Bill would improve this situation for the UK, by more narrowly defining when an individual is “identifiable” and expanding the definition of when personal data is pseudonymised.

What is our relationship with the data and the other organisations involved?

By now the concepts of data controllers and data processors are familiar. As a brief recap:

  • A data controller is the entity that decides the purposes and means of processing (alone or with others)
  • A data processor is the entity that processes personal data on behalf of the data controller

In health research, these concepts can lead to one legal entity being both a controller and a processor in relation to the same individual’s data, depending on the context of the activity that it is carrying out.

The HRA uses the example of a research study in a care organisation to illustrate how the care organisation may be a controller and a processor at the same time. If we use the example of a clinical trial, the sponsor of the clinical trial is generally expected to be classed as a data controller (even if they never receive personal data) as they determine the purpose and the means of processing of personal data by providing the study protocol and reporting mechanisms. The trial subjects may however be general patients of the hospital where the clinical trial is taking place, for whom the hospital maintains a wider patient record. Clearly, when the hospital is processing personal data in the context of managing its own patient records, it will be acting as a data controller. For the purposes of the trial, the hospital would be acting as a processor of data collected through following the trial protocol. However, in some cases, that data may overlap with general patient record data. Additional complexities will arise where the hospital wants to undertake its own research using data collected in a study, or where the hospital is involved in shaping the study protocol.

Before drafting contracts for health research, it is therefore important to establish in advance what the arrangements in relation to personal data are, so that the relationships of the parties to each other and to the data are properly captured.

Cross-border issues

Although the concept of extraterritorial scope was introduced by the EU GDPR more than four years ago, it is still causing issues in the health research space. The concept has been adopted under the UK GDPR, meaning that it will apply to controllers or processors established in the UK, regardless of whether the processing itself takes place in the UK or not.

One of the biggest hurdles appears to be getting entities outside of the UK or EEA to accept that data protection laws other than those in their own jurisdiction may apply to them if they are processing personal data on behalf of an entity based in the UK. (Those subject to the EU GDPR do normally understand this concept.) This misunderstanding can lead to issues both in the negotiation of the contract wording and also in the ability to comply with the transparency obligations for which a data controller is responsible.

Using the example of a clinical trial again: as a data controller, a sponsor will be responsible for ensuring that certain information is made available to the individual. Generally, relevant privacy information will cover who the sponsor is, what data is being collected and processed and why. It is also usual to state whether it will be shared with any third parties and what the rights of the data subject are. This information should be provided at the point of collection from the individual.

A simple way of providing this information is to include it in the patient information pack or informed consent form (although see the next section for issues arising for consent). In order to be able to do this, the trial site will first need to accept that their activities in undertaking the clinical trial are subject to the UK GDPR.

Resistance often arises because trial sites are concerned that they will have to apply UK GDPR to all of their data processing activities – that is not the case. They will only have to comply with UK GDPR to the extent that their activities fall within its scope. The exercise of establishing each party’s relationship with the data can therefore be very helpful in clearly defining what data are in scope and when the corresponding data processor obligations arise.

Consent v consent

When talking about health research, we often talk about informed consent of the study subjects. It is part of the core ethical requirements for research involving humans and will have been drilled into researchers and healthcare professionals. There is also a concept of informed consent as a legal basis for processing of personal data. The two concepts are different, and it is important to separate them in health research.

If consent is the legal basis relied upon for processing of personal data under the EU or UK regime, all processing activities have to stop if that consent is withdrawn, and the data deleted. It may also be difficult to satisfy the requirements of freely given consent, such as in a scenario where study subjects are participating in a trial where they have no other treatment options.

Where possible, it is therefore better to process personal data in health research under one (or more) of the other available legal bases. The EDPB has also emphasised this in guidance relating to clinical trials and health research. Examples of what may be a more appropriate legal basis, depending on the context, include that processing of general personal data is necessary for the performance of a task carried out in the public interest or for a legitimate interest of the controller. For special category data (which includes health data) an additional legal basis is required for processing and in some circumstances controllers are able to rely on processing being in the public interest in the area of public health or for scientific purposes. Getting the legal basis for processing of personal data in health research right from the outset can avoid a potential waste of resources if a study subject decides they no longer want to participate – data which was gathered and processed before they withdraw from the study would not be affected from a data protection perspective if the consent to participate is de-coupled from data privacy related legal bases.

In conclusion

We have explored in this article some of the considerations and pitfalls in dealing with data protection in health research. This is an evolving picture with new legislation and guidance emerging. However, early consideration and planning can help to avoid some of the potential problems that may arise later on and delay or derail the research.
