Introduction
Research is a core part of the NHS. Evidence is needed to improve patient care, advance understanding of disease, and evaluate interventions. Patient records offer significant potential for research and the increasing use of electronic records offers new possibilities to analyse large volumes of data.
Patient information is both sensitive and private. The general public and patients must have confidence that the security of personal information is protected, and that procedures are in place to safeguard data.
A number of reports have considered the use of personal information in research,1,2 but there remains uncertainty about access to general practice records for research. A consensus meeting was held in May 2008 with GPs, researchers and patient groups to develop guidance for best practice. This document summarises the agreement reached; it has been endorsed by the RCGP. It should apply to all researchers using patient data, whether academic or commercial.
The use of patient information for research
Information from patient records may be used for research in two ways: anonymised or coded information from records may be used without patient involvement, for example for epidemiological research, to monitor trends in infectious diseases, or for pharmacovigilance. Patient records may be used as a starting point to identify participants for research. Potential recruits are then contacted to seek consent to participate.
Some research can be conducted with anonymous information; in other cases, researchers need access to information from which it may be possible directly, or indirectly, to identify a patient. Researchers do not usually need to know an individual's identity but may want data at a person-level. Very few data are truly ‘anonymous’; all clinical data may potentially be sensitive to a patient.
Overarching principles
Safeguarding patient confidentiality
The over-riding priority must be to safeguard patient confidentiality. The best available electronic technologies should be used; the introduction of safe havens and honest brokers — currently being defined by the Research Capability Programme of Connecting for Health — offer significant potential.
Where researchers are to access identifiable patient information, there must be a formal process of accreditation, placing researchers under the same duty of confidentiality as a health professional. This should define appropriate and substantive sanctions, to hold researchers to account should there be any breaches of confidence. This is in line with recent recommendations in the NHS draft constitution handbook and the Data Sharing Review.2
Improving public awareness
Members of the public are generally supportive of the use of personal information for medical research but have little awareness of the various research uses of patient records.3 Improving understanding must be a priority. Information should be provided through two routes: a national programme to raise awareness about the importance of research and the use of patient records; and the provision of information locally through general practices, including when registering with a practice. Transparency is essential: the information should make clear that patients can opt-out of the use of their information in research, if they wish.
The role of the GP
The primary roles of the GP, or healthcare professional, should be to deliver high quality care and act as the patient's advocate. The GP and the practice must retain ultimate responsibility for ensuring appropriate access to data. The GP may need to provide advice to patients about taking part in research or where any feedback is provided after research. GPs may need training and resources to fulfil this role.
Guidance for best practice
Before agreeing to participate in research, a practice should check that a study has been approved by a research ethics committee and other bodies; and that the practice provides an appropriate setting and has the necessary resources. Any potential conflicts of interest must be addressed. The RCGP and the GMC provide guidance.4,5
Use of anonymised data from patient records
The use of anonymised records, where all details that could identify an individual are removed, enables research to be conducted without compromising patient confidentiality. Where anonymised records are used, it is not necessary to seek consent. It is important to raise awareness that records may be used in this way. The anonymisation process should make use of available technologies and be as automated as possible, making use of safe havens where available.
Use of coded data from patient records
In many cases, researchers will need to use data that are coded. Information cannot directly identify an individual but a ‘key’ is available to relink data with identifying information. Patients should not need to give consent for coded information to be used for research, provided they have been informed that records may be used in this way and given opportunities to opt-out. New technologies and encryption methods should be used wherever possible to minimise the risk of identification. Where a code is used, multiple keys should be held, and safe havens and honest brokers used where available.
Use of identifiable data from patient records
The use of identifiable records requires patients to consent to the use of their information. In England, in situations where this is not possible, researchers must apply to the Patient Information Advisory Group for permission. The 2008 Health and Social Care Act transfers this role to NIGB.
Use of patient records as the starting point to identify participants for research
Records may be used to identify potential recruits for a study who are then contacted to invite them to take part. However, there is little clarity about the procedures by which records may be accessed.
The GP must retain responsibility for access to records, but can make a case-by-case judgement as to whether it is appropriate for a researcher to view records to identify potential participants. Where a GP decides a researcher may have limited access to records, there must be a formal process of accreditation, as described above. Researchers should only have access to the minimum amount of information necessary, defined in discussion with ethics committees, the practice and Caldicott Guardians. Patients should be informed that records may be used in this way and given the opportunity to opt-out.
When inviting patients to take part in a study, the GP should screen the proposed list before any contact. The invitation should come from the GP, signed, and on practice-headed paper. It is appropriate for researchers to provide administrative support. It must be made clear that the patient's decision will not affect the quality of their care. The practice retains ultimate accountability for the process.
Informed consent
The process for seeking consent, once the researcher or GP is working directly with the patient, is well established.6,7 It should be clear that participation is voluntary, and that participants have the right to withdraw at any time. Consent (or dissent) should be recorded in the patient record, unless a patient specifies otherwise.
Conclusion
The best practice guidance described in this document is a first step in a process to ensure that patients and GPs have confidence in the processes used to access patient information, and to enable everyone to benefit from the significant research potential of patient records.
Acknowledgments
© Wellcome Trust
Perrin NMR, Mathers N, Watt GCM. Towards a consensus on best practice: use of patient records for research in general practice. London: Wellcome Trust, 2008. Available at: www.wellcome.ac.uk/GPrecords
- © British Journal of General Practice, 2008.