Data sharing in healthcare

Healthcare providers collect and use information on your health to understand your medical history. Information can be shared between different systems, so that different services can see a person’s medical records. For example, your doctor might share information about your recent visit with your consultant in a hospital or your physiotherapist. It can be really useful for all professionals involved in your care to see the full picture of your medical history. This can help save time at appointments and be very valuable in emergency situations.

Health information is essential for research into new drugs, devices or treatments and to understand more about diseases. Many countries collect patient data together in a central database. This information does not normally include personal details such as names and addresses. This is so people cannot be easily identified from the data. It can then be shared with scientists from universities and hospitals to carry out important research.

This data could also be shared with health services in other countries and between different external organisations. For example, some health organisations may sell data on to drug (pharmaceutical) companies working on new treatments or health insurance companies. Big data sets, such as a country’s medical records, are very valuable to these commercial organisations who have to pay to access them.

You have a right to choose whether or not your data can be shared. Some health organisations will ask you to fill in a consent form before you share your data. This will ask for your permission (consent) to use and store your health data. The form should tell you how the information will be used and whether the organisation you are sharing your information with, will sell it or not. If you are not happy with your information being shared, you do not have to give your permission.

In some cases, instead of asking for your permission, organisations may assume you are happy to share your information unless you tell them otherwise. In this case, you can still choose to contact an organisation and ask them not to share you information.

Some consent forms will also tell you if they will remove key personal information before your data is shared so that you cannot be easily identified. This could include your name, medical number or address. This may make you feel more comfortable about agreeing to your data being shared as the information appears anonymous.

There is some debate about whether data can be truly anonymous now. As more and more data are collected, data sets can be linked together. It has therefore become easier to eventually identify a person by piecing together different information that exists about them online. However, it is still best practice to remove personal information before data is shared.

If you are concerned about this, you could ask the organisation about exactly what information will be removed before it is anonymised. This can help you decide about whether you are happy to give permission to share this information.

In most countries, there are laws governing how data is collected and shared. This means that data cannot be shared without your permission. You should always be told how your data will be used and stored before you agree to share it with an organisation.

In the EU, the General Data Protection Regulation (GDPR) outlines the standards that organisations must meet legally to collect and store data. The GDPR is the strongest data protection law in the world and covers all EU countries. The UK also subscribes to this law. The standards organisations must meet include:

• Be honest and open about how data will be used and why it is being collected;
• Give individuals a right to access their personal information;
• Report breaches of information storage, for example, if data is accessed, changed or stolen;
• Assign a data protection officer to manage the way data is stored and used by their organisation.

Other countries have their own individual laws that are a similar strength to the GDPR. These include Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay and the USA. Most other countries have some data protection laws in place. They may not be as thorough as the GDPR but it is illegal in most countries for data to be shared without your permission.

When you are filling in a consent form, it is good to read the details. A thorough consent form should contain the information that answers the following questions:

• Who am I agreeing to share my data with?
• How long will my information be kept for?
• Will my information be shared with any other organisations?
• How will my data be used once it is shared?
• What is this organisation trying to achieve by collecting the data?
• Is data stored securely and who can access it?
• Will this organisation sell my data?

If the consent form does not answer these questions, you can ask the organisation for the answers before giving your consent.

Data protection laws in most countries cover the storage and use of data collected from apps and websites. In Europe, the GDPR states that websites and apps must openly share the way they collect information. This is usually outlined in a privacy policy that exists on the website or within the app.

You may choose to use a health tracking app or a device that collects information about you – for example daily symptoms. This information will be stored by the app so it is good practice to check that you are happy with how the app is using your information.

Usually before registering for an app, you will be asked to give your permission before you are able to login. You will always have the option to say no if you are not happy with how the app collects your information. Be aware that if you do refuse your permission, this will usually mean you cannot use the app or device until you agree. In that case, it is worth looking around for an app that has a privacy policy you are happy to agree to. You could always ask your healthcare provider to recommend a reliable app or device if you are not sure.

If you want to understand more about data protection laws in your country, search on your government’s website for an overview of the law in your country.

If you are in the EU, you can read more about the GDPR on the EU Commission’s website.

This material was compiled with the help of Professor J.J.M. (Hans) van Delden and Jos Pielage in April 2022. It was produced by the European Lung Foundation for the DRAGON project. Find out more about this project. 

This work has received support from the EU/EFPIA Innovative Medicines Initiative 2 Joint Undertaking – DRAGON grant n° 101005122. Further information at: https://www.imi.europa.eu/

The communication reflects the author’s view and neither IMI nor the European Union, EFPIA, or any Associated Partners are responsible for any use that may be made of the information contained therein.