This article argues that personal medical data should be made available for scientific research, by enabling and encouraging individuals to donate their medical records once deceased, similar to the way in which they can already donate organs or bodies. This research is part of a project on posthumous medical data donation developed by the Digital Ethics Lab at the Oxford Internet Institute at the University of Oxford. Ten arguments are provided to support the need to foster posthumous medical data donation. Two major risks are also identified—harm to others, and lack of control over the use of data—which could follow from unregulated donation of medical data. The argument that record-based medical research should proceed without the need to secure informed consent is rejected, and instead a voluntary and participatory approach to using personal medical data should be followed. The analysis concludes by stressing the need to develop an ethical code for data donation to minimise the risks, and offers five foundational principles for ethical medical data donation suggested as a draft code.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
Tax calculation will be finalised during checkout.
It has been argued that data sharing is a misleading concept and should be abandoned: See “Why we should stop talking about data sharing”, Barbara Prainsack (2015), http://dnadigest.org/why-we-should-stop-talking-about-data-sharing/. Accessed July 20, 2018.
Also see: “Data Philanthropy: Where Are We Now?” United Nations Global Pulse. https://www.unglobalpulse.org/data-philanthropy-where-are-we-now. Accessed March 5, 2018.
See https://bodyworlds.com/. Accessed March 5, 2018.
The use of “donate” in the context of the PGP is based on the PGPs own description: See https://www.personalgenomes.org.uk/. Accessed July 20, 2018.
An additional and often overlooked challenge lies in the fact that at least the textual passages of any medical records are likely to be the subject of copyright and would need to be released prior to any donation. However, practical solutions to such challenges could be found, for instance, by reaching an agreement with public health institutions, such as the NHS, on an organisational level.
This approach is clearly associated with some trade-offs, such as the creation of a dataset that is biased in favour of individuals who are willing to donate. However, this is not as such an argument against the choice of focusing initially on those willing to donate, as it has the benefit of using these “low-hanging fruit” to grow a wider social acceptance of PMDD and thus increasing the willingness to donate data.
For example, see: Wellcome Trust Monitor: Wave 3 (full report). https://wellcome.ac.uk/sites/default/files/monitor-wave3-full-wellcome-apr16.pdf. Accessed September 21, 2017.
In the present context, the concept is to be broadly understood, as it is of course difficult to ascertain whether an individual really is an altruist, or whether other motives are behind a choice to act ethically.
See the NHS Digital Business Plan 2017–2018. https://digital.nhs.uk/business-plan-2017-2018. Accessed March 5, 2018.
Zenome—Your DNA is an asset. Zenome is a market. https://zenome.io/. Accessed October 31, 2017.
Understanding Patient Data. http://understandingpatientdata.org.uk/. Accessed March 5, 2018.
With the exception of biobanks, where data are collected for a range of future research studies.
For example, see the Wellcome Trust’s 2013 “Summary report of qualitative research into public attitudes to personal data and linking personal data”, Available at: https://wellcomelibrary.org/item/b20997358#?c=0&m=0&s=0&cv=0.
See: Laurie et al (2014) "A review of evidence relating to harm resulting from uses of health and biomedical data" available at https://nuffieldbioethics.org/wp-content/uploads/FINAL-Report-on-Harms-Arising-from-Use-of-Health-and-Biomedical-Data-30-JUNE-2014.pdf.
As reported by the Finnish Data Protection Office: http://www.tietosuoja.fi/fi/index/blogi/6IUtCELFH/2017/XHtWkkNPr.html.stx. Accessed March 5, 2018.
See: https://www.personalgenomes.org.uk/archive/email-storm-incident-and-apology. Accessed March 5, 2018.
See, for example, Boddington (2014) “Personal Genome Project UK email disaster: If you can’t guarantee privacy, at least try to ensure trust”, available at: http://blog.practicalethics.ox.ac.uk/2014/05/personal-genome-project-uk-email-disaster-if-you-cant-guarantee-privacy-at-least-try-to-ensure-trust/. Accessed March 5, 2018.
See comment by “Julia”: http://blog.practicalethics.ox.ac.uk/2014/05/personal-genome-project-uk-email-disaster-if-you-cant-guarantee-privacy-at-least-try-to-ensure-trust/#comment-104372. Accessed September 5, 2018.
Two workshops on the ethics of medical data donation were held in Oxford in October 2017 and April 2018, which included experts from academia, policy-making and industry. In addition to common principles from the academic literature, valuable points from practice were shared and contributed to the identification of key ethical principles for PMDD. The workshops were supported by a research grant from Microsoft Research.
The term “medical records” is to be loosely understood, as the availability and format will vary between jurisdictions and it is unlikely that medical data are consolidated in one place.
See the concept of post-compliance soft ethics in Floridi (forthcoming).
The Code presupposes some basic data protection and privacy safeguards in line with the legal instruments set out under “Considerations” above. This means that the Code may not be sufficiently detailed in jurisdictions that do not subscribe to those international conventions, and further guidelines may be required.
Boddington, P. (2014). Personal Genome Project UK email disaster: If you can’t guarantee privacy, at least try to ensure trust—Practical Ethics blog, University of Oxford. http://blog.practicalethics.ox.ac.uk/2014/05/personal-genome-project-uk-email-disaster-if-you-cant-guarantee-privacy-at-least-try-to-ensure-trust/#comment-104372. Accessed September 5, 2018.
Finlayson, A. E., Barry, E., Craven, L., Greenhalgh, T. (2017). Primary healthcare, disruptive innovation, and the digital gold rush—The BMJ. http://blogs.bmj.com/bmj/2017/11/21/primary-healthcare-disruptive-innovation-and-the-digital-gold-rush. Accessed March 5, 2018.
Floridi L. (forthcoming), Soft ethics, the governance of the digital, and the general data protection regulation, Philos Trans R Soc Math Phys Eng Sci.
Floridi, L., & Illari, P. (Eds.). (2016). The philosophy of information quality. Berlin: Springer.
Greely H. (2012). Amgen Buys DeCODE—Reflections Backwards, Forwards, and on DTC Genomics. Stanford Law School. https://law.stanford.edu/2012/12/13/lawandbiosciences-2012-12-13-amgen-buys-decode-reflections-backwards-forwards-and-on-dtc-genomics. Accessed March 5, 2018.
Haeusermann, T., Greshake, B., Blasimme, A., Irdam, D., Richards, M., & Vayena, E. (2017). Open sharing of genomic data: Who does it and why? PLoS ONE, 12, e0177158.
Harris, J. (2005). Scientific research is a moral duty. Journal of Medical Ethics, 31, 242–248.
Ipsos Mori (2016) Wellcome Trust Monitor, Wave 3. London: Wellcome Trust. http://dx.doi.org/10.6084/m9.figshare.3145744.
Jones, K. H., Laurie, G., Stevens, L., Dobbs, C., Ford, D. V., & Lea, N. (2017). The other side of the coin: Harm due to the non-use of health-related data. International Journal of Medical Informatics, 97, 43–51.
Krutzinna J. & Floridi L. (Eds.) (forthcoming) The ethics of medical data donation. Springer, Berlin.
Laurie G, Jones KH, Stevens L, Dobbs C. (2014). A review of evidence relating to harm resulting from uses of health and biomedical data. Nuffield Council on Bioethics. Available at http://nuffieldbioethics.org/wp-content/uploads/A-Review-of-Evidence-Relating-to-Harms-Resulting-from-Uses-of-Health-and-Biomedical-Data-FINAL.pdf. Accessed 27 Sept 2018.
Mann, S. P., Savulescu, J., & Sahakian, B. J. (2016). Facilitating the ethical use of health data for the benefit of society: Electronic health records, consent and the duty of easy rescue. Philosophical Transactions of the Royal Society A, 374, 20160130.
Mittelstadt, B. D., & Floridi, L. (Eds.). (2016). The ethics of biomedical big data. Berlin: Springer.
Patil, S., Lu, H., Saunders, C. L., Potoglou, D., & Robinson, N. (2016). Public preferences for electronic health data storage, access, and sharing—Evidence from a pan-European survey. Journal of the American Medical Informatics Association, 23, 1096–1106.
Prainsack B. (2015). Why we should stop talking about data sharing. DNAdigest. http://dnadigest.org/why-we-should-stop-talking-about-data-sharing/. Accessed July 20, 2018.
Prainsack, B. (2017). The “We” in the “Me”: Solidarity and health care in the Era of personalized medicine. Science, Technology, & Human Values, 43, 21–44.
Prainsack B. (2018). Data Donation: How to Resist the iLeviathan in Krutzinna J. & Floridi L. (Eds.) (forthcoming) The ethics of medical data donation. Springer.
Prainsack, B., & Buyx, A. (2017). Solidarity in biomedicine and beyond. Cambridge: Cambridge University Press.
Richardson, R., & Hurwitz, B. (1995). Donors’ attitudes towards body donation for dissection. The Lancet, 346, 277–279.
Riederer, B. M., Bolt, S. H., Brenner, E., Bueno-López, J. L., Circulescu, A. R., Davies, D. C., et al. (2012). The legal and ethical framework governing Body Donation in Europe—1st update on current practice. European Journal of Anatomy, 16(1), 1–21.
Riso, B., Tupasela, A., Vears, D. F., Felzmann, H., Cockbain, J., Loi, M., et al. (2017). Ethical sharing of health data in online platforms—which values should be considered? Life Sciences, Society and Policy, 13, 12.
Rosen, R. (2017). Are disruptive innovators in GP provision strengthening or weakening the NHS? BMJ: British Medical Journal. https://doi.org/10.1136/bmj.j5470.
Shaw, D. M., Gross, J. V., & Erren, T. C. (2015). Data donation after death. The Lancet, 386, 340.
Shaw, D. M., Gross, J. V., & Erren, T. C. (2016). Data donation after death. EMBO Reports, 17, 14–17.
Sheehan, M. (2011). Can broad consent be informed consent? Public Health Ethics, 4, 226–235.
Steinsbekk, K. S., Ursin, L. Ø., Skolbekken, J.-A., & Solberg, B. (2013). We’re not in it for the money—Lay people’s moral intuitions on commercial use of ‘their’ biobank. Medicine, Health Care and Philosophy, 16, 151–162.
Taddeo, M. (2016). Data philanthropy and the design of the infraethics for information societies. Philosophical Transactions of The Royal Society A Mathematical Physical and Engineering Sciences, 374, 20160113.
Vayena, E., & Tasioulas, J. (2015). “We the scientists”: A human right to citizen science. Philosophy Technology, 28, 479–485.
Floridi’s and Taddeo’s contributions to this paper have been funded as part of the Privacy and Trust Stream—Social lead of the PETRAS Internet of Things research hub. PETRAS is funded by the Engineering and Physical Sciences Research Council (EPSRC), grant agreement no. EP/N023013/1. Krutzinna’s and Floridi’s contributions have been funded by a Microsoft research grant. We express our gratitude to Microsoft Research for funding the research that led to the elaboration of this document. We are also extremely grateful to the participants of two workshops on the Ethics of Data Donation, held by the Digital Ethics Lab at the Oxford Internet Institute, University of Oxford, for their valuable contribution to the preparation of this document.
Funded by Microsoft Research.
Conflict of interest
All authors declare no conflict of interest.
Appendix: An Ethical Code for Posthumous Medical Data Donation
The importance and value of brain, body, organ and tissue donation after death has long been recognised, and relevant regulatory and ethical frameworks have been put in place to manage such donation. Medical data, which also hold enormous potential for medical research and for the improvement of health and social care on a large scale, has not as yet been incorporated into such frameworks. Neither is it currently possible to donate one’s medical data posthumously. However, enabling such posthumous medical data donation (hereafter PMDD) is in the interest of individuals and society at large. It is important to make medical data available for scientific research by enabling and encouraging individuals to donate their medical recordsFootnote 23 after death, similarly to how they can already donate bodies or body parts. This is why a research project on PMDD, developed by the Digital Ethics Lab at the Oxford Internet Institute at the University of Oxford has led to the formulation of this Ethical Code for Posthumous Medical Data Donation (hereafter the Code), which sets out the guiding ethical principles for such donations. An important limitation to note is that the Code focuses exclusively on ethical aspects. This means that important practical issues relating to law and governance will have to be addressed prior to and during its implementation.Footnote 24
Recalling the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe, Rome, 4.XI.1950.
Recalling the Convention on Human Rights and Biomedicine and the additional protocols to the Convention of the Council of Europe, Oviedo, 4.IV.1997.
Recalling the Universal Declaration of Human Rights, 10.XII.1948 and the Universal Declaration on the Human Genome and Human Rights, 11.XI.1997 and the International Declaration on Human Genetic Data of the United Nations, 16.X.2003.
Recalling the Universal Declaration of Bioethical Principles of the United Nations 19.X.2005.
Recalling the Declaration of Helsinki of the World Medical Association, 1.VI.1964.
Recalling the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and repealing Directive 95/46/EC.
- Commercial exploitation:
The sale, lease or commercial licensing of the data. It shall also include uses of the data to produce or manufacture products or services for general sale.
The person-source of the data, or data subject.
Any donor-related data.
Repository (often online) built to facilitate access to data.
- Directly identifying data:
Any data that make possible the identification of the person concerned, without disproportionate efforts.
- De-anonymised/pseudo-anonymised/coded data.:
Any data that make possible the identification of the person concerned only through the use of a simple tool, such as a key.
- Fully-anonymised data:
Any data that do not make possible the identification of the person concerned without disproportionate efforts.
- Information on hereditary disease:
Any data which is either predictive of genetic disease or can serve to identify the person as a carrier of a gene responsible for a disease or detect a genetic predisposition or susceptibility to a disease, whereas scientific proof for validity of that information is present.
- Informed Consent:
Informed, free and express decision to donate one’s PMR after death for research purposes.
- Personal Medical Record (PMR):
The health data stored about a person within the health system.
- Posthumous Medical Data Donation (PMDD):
The giving of one’s PMR for research purposes upon death.
- PMDD activities:
Activities such as obtaining, handling, processing, storing and distributing of data, including all associated research activities.
- PMDD institution (PMDDI):
The PMDDI is the institutional body acting as steward of all donated data.
Any person with a legitimate interest in conducting research, whether affiliated with an academic, commercial, public, private or other institution. It shall not include private individuals.
Institution holding and maintaining the data. The steward assumes full responsibility for compliance with the legal and ethical rules that apply to collecting, processing and managing the data.
Any person involved in collecting, storing, handling, processing, accessing, or managing the data.
The Code of Ethics on Posthumous Medical Data Donation (hereafter ‘the Code’) has been developed to establish the guiding ethical principles for Posthumous Medical Data Donation (hereafter ‘PMDD’), in recognition that PMDD constitutes an act that is both meaningful to an individual and valuable to the public and as such should be facilitated.
The key objective of the Code is to state the fundamental ethical principles which should govern all PMDD activities. In addition,
Any applicable national laws or local regulations are to be complied with at all times. The Code does not replicate, amend or overrule but complements any such instruments.Footnote 25
Participation in PMDD activities is and remains voluntary; this includes every person’s right to accept or refuse participation at any point.
The autonomy and confidentiality of all donors and their families shall be respected.
Special care will be taken in all PMDD activities to avoid discrimination against, or stigmatisation of, an individual, a family or a group.
Every care will be taken that the collected data is used, and in line with the purposes for which it was donated, namely for ethically and scientifically sound research, and that it is not abandoned.
The research process and the ethical guidelines will be reviewed by an independent body on a regular basis to take into account any new developments in technology, law, and society. The results of such a review will be made public.
The Code shall apply to the full range of PMDD activities involving donated personal medical records (hereafter ‘PMR’). It shall not apply to other types of health-related data, nor shall it apply to donations made by living donors. For the purposes of the Code, PMDD shall not include donations made to private institutions for the purposes of commercial exploitation. The Code shall apply to donors, users, and researchers.
Foundational Ethical Principles
Five foundational principles aim to guarantee a minimum ethical standard to be maintained in all PMDD activities:
Human dignity and respect for persons.
Promotion of the common good.
The right to Citizen Science.
Quality and good data governance.
Transparency, accountability, and integrity.
Human Dignity and Respect for Persons
Human dignity and respect for persons shall be paramount in all PMDD activities. In particular,
The dignity of the donor shall be protected at all times.
The preferences and values of the donor shall be honoured at all times.
The privacy of the donor shall be maintained.
Potential harm to the donor, any relatives and/or next of kin shall be minimised.
Promotion of the Common Good
The purpose of the PMDD database is to provide the means to generate and disseminate new medical knowledge to benefit the public. The donor’s wish to promote the common good by contributing to biomedical research shall be respected. This means:
To maximise the morally good outcome, all PMDD shall be publicly accessible, and all research findings and results based on the data shall be published under an open licence.
Where the acceptance of a donation to the database carries a significant risk to relatives and/or family members, a careful balancing of harms and benefits should take place, which may lead to the rejection of the donation. Such rejections should be limited to serious cases of harm, to reduce the risk of excluding particularly valuable datasets, such as those relating to rare diseases and less common conditions. In all instances, the relatives and family members of the donor should be engaged in the process as much as is practically feasible to gain their support for the donation.
Prohibition of unethical research using PMDD without exception.
Prohibition of commercial exploitation of PMDD data where this could unfairly restrict access to treatments or cures.
Requesting proof of adequate benefit sharing measures prior to granting access to the PMDD database to a researcher.
The Right to Citizen Science
Citizens’ right to participate in the scientific process in its entirety should be recognised and respected at all times. In particular,
All donations should be accepted, unless there are solid grounds for rejecting a particular donation, such as a disproportionate risk of harm to others.
The optimal use of donated data shall be guaranteed, and data shall not be abandoned.
All results and findings shall be shared with the public in an accessible and timely manner.
The public shall be actively involved in the further development of PMDD and encouraged to participate in deliberations about the wider social impact of PMDD.
Quality and Good Data Governance
Quality management and data governance shall be taken seriously when accepting, handling or using PMDD data. In particular,
Users and other PMDDI staff shall be adequately trained for their respective roles within the PMDD activities, including knowledge and understanding of this Code and any applicable data protection and privacy laws and regulations (such as the EU’s General Data Protection Regulation);
Safe and secure storage facilities shall be used for the data, including use of adequate and updated encryption techniques, to minimise the risk of unauthorised access, data loss, or misuse. Proper record-keeping and access management shall be maintained to ensure full traceability of the location of, and access to, any PMDD;
PMDDs shall be de-identified using currently available standards, and re-identification shall be prohibited. Quality control mechanisms for PMRs shall be applied prior to data being added to the database;
Mechanisms should be adopted for ensuring the sustainability of the database for future use, including procedures to be followed in case of discontinuance of the PMDDI.
Transparency, Trust, and Integrity
Transparency, trust, and integrity shall inform all PMDD activities, including communications with the donor and the public. In particular,
Communications with donors, any relatives or next of kin, and the public shall be open, honest, clear, and objective. Any information provided shall be comprehensible to a non-expert person and shall be accessible;
Clear and transparent procedures for deciding requests for data access shall be established and made public, and shall apply equally to all researchers regardless of their affiliation. All access requests, whether granted or declined, shall be made public;
Mechanisms to ensure accountability and to handle complaints shall be implemented, including mechanisms for identifying, reporting and managing incidents such as breaches, losses of data, or unauthorised access. Any incident shall be followed by rigorous investigation, and corresponding sanctions shall be instituted. In addition, procedures for handling lawful requests from law enforcement agencies shall be established;
Full disclosure of any financial arrangements involving PMDD data or financial gains derived from PMDD activities will be made.
Obtaining PMRs for Research Purposes
PMR shall be obtained and used for research purposes in accordance with applicable national laws and local regulations, and the principles set forth in the Code.
Due to the anticipated benefit to be derived from the research to be conducted using the data, resources shall be dedicated to encourage participation in PMDD. In particular, information shall be provided to the public to encourage donations, while at the same time safeguarding the voluntariness of participation.
Consent shall be required for all collections of PMDD and for the use of PMDD for biomedical research purposes, even where local laws do not require such consent. As part of the consent procedure, participation will be explained as an opportunity to contribute in the long term to the improvement of other people’s health. Broad consent to research falling within the guidelines of this Code shall be deemed sufficient, as it is not possible to anticipate all ethically and scientifically sound future research uses.
Prior to giving informed consent, the person concerned shall be offered appropriate information about the nature and purpose of PMDD, including examples of the type of research for which it will be used, the financial interests of the data collecting entity, and the management of access to and use of the data, including the kinds of safeguards that will be maintained.
Donors shall be informed that the full PMRs will be transferred to the PMDDI, including identifying information, to enable linkage between different datasets which is necessary to ensure maximum scientific utility of the overall database. However, donors shall be free to place restrictions on the use of their data and to exclude subsets of data from their donations. These preferences shall be recorded in the PMR in full. Donors shall be informed of their right to make changes to their preferences or to withdraw consent at any point prior to their death.
Donors shall be encouraged to discuss their decision with their relatives, especially those with close genetic links.
Donors shall be informed that the use of their PMDD is not guaranteed and that in some rare instances a particular PMDD may be rejected if it poses a significant risk of harm to an individual or a group. Information shall be provided on possible reasons for exclusion.
Consent shall be appropriately documented in the PMR and at the PMDDI.
Persons Unable to Give Consent
To avoid the exclusion of vulnerable populations from benefiting from the scientific advances resulting from large-scale biomedical research, and to ensure their representation within the data underlying such research, an active effort shall be made to include PMRs from all groups.
Where an individual is permanently unable to provide consent, due to a lack of legal capacity, the registration of a donor and subsequent donation may be carried out with the authorisation of the person’s legal representative or guardian. The individual concerned shall be involved in the decision-making process as far as possible.
Similarly, where a minor is concerned, the parents or legal guardian shall be permitted to authorise a donation. The opinion of the minor shall be taken into consideration in proportion to the age and degree of maturity of the child.
Where an individual is temporarily unable to provide consent, due to a lack of legal capacity, registration as a donor shall be held off until capacity to consent is regained or a permanent incapacity has been confirmed by the medical professional.
Changing or Withdrawing Consent
Donors can withdraw consent for participation in PMDD at any time by submitting a revised authorisation form, or by notifying a health care professional. The objection will be recorded in the PMR and will ensure that data is not submitted to the PMDD database on the donor’s death.
It shall also be possible for a person to record an objection to PMDD in their PMR.
A decision to object to PMDD, or to change or withdraw consent once given, shall not have a negative impact on the medical treatment or care of the person or lead to discrimination against that person.
Where a legal representative or guardian gave the authorisation for PMDD, the right to change or withdraw consent remains with that person for as long as they shall have legal guardianship of that person.
There may be ethical reasons for excluding a particular PMDD donation, which may be grounded, inter alia, in the nature or the source of data. The following list is not exhaustive, and there may be other grounds on which a PMDDI may decide to refuse to accept a PMDD.
The right of a PMDDI to refuse a PMDD shall be maintained, as the overall cost of these refusals would be minimal, since the value lies in well-curated, large datasets, rather than individual datasets.
Refusing a PMDD on Grounds of the Data’s Nature
Where the donor’s data may reveal sensitive data about related people, a stewarding PMDDI may decide to refuse a PMDD. In particular, where genomic data reveal information about family members, it may be preferable to exclude such data from the donation where a comprehensive risk assessment reveals an unacceptably high risk to living people. This may apply especially where the relatives are vulnerable people and/or the condition is a hereditary disease, which may lead to stigma and/or discrimination.
Refusing a PMDD on Grounds of the Data Source
In some rare cases, there may be reasons to reject a PMDD on the basis of its source. This means disallowing a particular individual from participating in PMDD, where a donation would carry a disproportionate risk to others. An example could be close relatives of acting politicians or diplomats, where there is a national interest in avoiding the exposure of vulnerabilities to outside influences.
Other Grounds for Refusing a PMDD
An institution may refuse to accept a particular PMDD on other grounds, including, for example, the potentially illegal nature of the collected data, but any reasons should be made sufficiently clear to the potential donor.
Research Approval, Conduct and Oversight
In accordance with the foundational principles of the Code, it will be fundamental for the success of the PMDD activities that public trust is maintained. For this, it is crucial to manage research activities carefully, by maintaining transparency and ensuring accountability of any individual involved.
Prohibition of Financial Gain
It shall be prohibited to gain financially from PMDD. Therefore, donors will not be offered any financial or other inducement to participate in PMDD. Since participation does not entail any expense for the donor, the issue of reimbursement does not arise.
The PMDDI shall not be permitted to sell data obtained from PMDD activities, or to make a profit from such activities. Any profits resulting from the charging of access or licencing fees have to be reinvested in the maintenance and improvement of the PMDD database. The sole purpose of any fee shall be to support the financing of costs, maintenance and improvement of the PMDD database, and shall not be used to make profits.
All data in relation to donors and their families shall be collected, processed and used in accordance with the principle of confidentiality and the right to respect for private life.
The steward will ensure that data are anonymised, linked, and stored to the highest standards of security. Researchers will only be given access to anonymised data.
All users and staff handling the data will receive appropriate training for maintaining confidentiality and adherence with all relevant legislation.
Systems for data security and storage will be kept up to date and will be of the highest technical standard.
Custody of the data will be transferred to the PMDDI upon the donor’s death. This conveys a range of rights to the stewarding institution, in particular the right to take legal action against unauthorised use or abuse of the data. Donors will not have property rights in the data.
The PMDDI will not exercise their right to sell the data to third parties but will act as steward of the database, maintaining and developing it for the common good in accordance with its purpose.
This does not affect the right of the donor to give away, sell, or donate data to other parties.
All data will be collected, stored and handled in accordance with applicable data protection laws and regulations to safeguard the integrity of all data, e.g. in compliance with the EU’s General Data Protection Regulation.
Directly Identifiable Data
Directly identifiable data, which will necessarily be included in the transfer of the PMR to the PMDDI, will be separated from the medical data of the donor prior to being added to the database. An arbitrary code without any external meaning (that is, for example, not a National Insurance number or similar) will be attached to link the personal identifying information to the medical information. This option for re-identification is necessary for data quality management: to eliminate redundant data, verify data accuracy and completeness, to establish correct linkages among databases, and to identify data which may need to be withdrawn.
Identifying information will be held in a separate data vault with restricted access, controlled by a senior steward at the PMDDI. The access key to the code for re-linking identifying information to the data will never be shared with external agents, such as researchers, and will only be accessible to a select few PMDDI staff who are ethically trained and sign special confidentiality agreements.
Information on Health and Hereditary Disease
The PMDDI will not share data or health information with living relatives or other interested parties under any circumstances. This includes information on potential hereditary disease.
It is, however, possible for the donor to nominate specific individuals who are to receive a copy of the PMR upon the donor’s death. It is the responsibility of the donor to ensure that the contact details of the recipients are kept up to date.
The PMDDI will retain full control of all access to, and uses of, the data in the database. No exclusive access will be granted to any party.
To build and maintain a relationship of public trust, the PMDDI will inform the public of the rules for access, any requests made, access granted or refused, and any research results.
Access to the database by law enforcement agencies will be granted only under court order, and will be resisted in all other circumstances. Any such requests will be reported to the public in so far as this is legally permissible (see also “Access Requests” section).
The PMDDI may charge a reasonable fee for access to the data for approved research purposes. This fee may vary depending on the expected financial benefit from use of the data. However, the fee should not be so excessive as to prevent legitimate research from being conducted due to purely economic reasons, and it may in some circumstances be advisable to waive the fee entirely. Any profit occurring as a result of the fee system is regulated by “Prohibition of Financial Gain” section.
The PMDDI will have overall decision-making authority over any access requests to the database. A special advisory board may be set up and charged with this task. However, routine applications may be delegated to appropriate working groups to provide more efficient services to the research community and to the public.
The PMDDI will provide public explanations of all policies and procedures for research access. These documents will continue to be developed to reflect relevant technical, legal and social changes, but will never abandon the principles of fairness and transparency in decision-making.
Access to the data will be granted only for scientifically and ethically approved research. Requestors will have to demonstrate benefit-sharing mechanisms and will have to have obtained research ethics approval from an appropriate body prior to being granted access to the data.
All researchers accessing the database will be required to provide the results from analyses made using the data, and any relevant supporting information, to the PMDDI to make them subsequently available to all other legitimate researchers with approved access to the database.
It is a requirement on all researchers seeking access to place the findings, whether positive or negative, from all research based on the PMDD data in the public domain. Publication of results shall be in peer-reviewed scientific literature wherever this is possible, open access by preference, or on the website of the PMDDI.
Any PMDD activities will be conducted in accordance with national research governance frameworks and national research guidelines.
Independent periodic reviews of the quantity and quality of access requests, the research conducted, and the published results will be conducted and the findings will be made public.
As the purpose of PMDD is to generate new knowledge to promote population health, particular focus shall be placed on the dissemination of research outcomes. Where the independent reviewers are not satisfied that the principles of the Code are sufficiently upheld by the researchers, the PMDDI shall be required to review its access procedures to ensure that only those research requests are granted that promise to honour the principles of the Code.
The PMDDI shall develop a detailed contingency strategy for handling the PMDDI data and database in case of liquidation or termination of the PMDDI. The goal of the strategy must be to ensure the continuous protection of the rights of the donors and their families, and to respect their wishes that their data be used for research purposes. As such, the strategy should provide detailed plans for transferring the data to another steward so that research may continue on the data.
Appendix: Sample PMDD Authorisation Form
The Code draws heavily on the excellent ethical frameworks prepared by various organisations for other biomedical purposes, including: Framework for responsible sharing of genomic and health-related data by the Global Alliance for Genomics and Health (2014), available at https://www.ga4gh.org/docs/ga4ghtoolkit/rsgh/Framework-Version-10September2014.pdf. UK Biobank Ethics and Governance Framework (Version 3.0, October 2007), available at http://www.ukbiobank.ac.uk/wp-content/uploads/2011/05/EGF20082.pdf?phpMyAdmin=trmKQlYdjjnQIgJ%2CfAzikMhEnx6. BrainNet Europe Code of Conduct by the BNE Consortium (May 2008), available at http://www.brainnet-europe.org/images/content/en/media/code/code_of_conduct.pdf. Human Tissue Authority’s Code A: Guiding principles and the fundamental principle of consent, available at https://www.hta.gov.uk/sites/default/files/HTA%20%2807a-17%29%20Guiding%20Principles.pdf. Overview of legal and ethical frameworks governing body donation in Europe by Riederer et al. (2012), available at http://repository.ubn.ru.nl/bitstream/handle/2066/116823/116823.pdf?sequence=1.
About this article
Cite this article
Krutzinna, J., Taddeo, M. & Floridi, L. Enabling Posthumous Medical Data Donation: An Appeal for the Ethical Utilisation of Personal Health Data. Sci Eng Ethics 25, 1357–1387 (2019). https://doi.org/10.1007/s11948-018-0067-8
- Data donation
- Medical data ethics
- Ethical code
- Data philanthropy