An Ethical Code for Posthumous Medical Data Donation
This chapter follows the argument that personal medical data should be made available for scientific research by enabling and encouraging individuals to donate their medical records after death, provided that this can be done safely and ethically. While medical donation schemes with dedicated regulatory and ethical frameworks for blood, organ or tissue donations are already in place, no such ethical guidance currently exists with regard to personal medical data. In addressing this gap, this chapter presents the first ethical code for posthumous medical data donation (PMDD). It is based on five foundational principles and seeks to inform and guide the implementation of an effective and ethical PMDD scheme by addressing the key risks associated with the utilisation of personal health data for the promotion of the common good.
KeywordsData donation Medical data ethics Ethical code Health records Personal health data Data philanthropy Data ethics
The importance and value of brain, body, organ and tissue donation after death has long been recognised, and relevant regulatory and ethical frameworks have been put in place to manage it. Medical data , which also hold enormous potential for medical research and for the improvement of health and social care on a large scale, has not as yet been incorporated into such frameworks. Neither is it currently possible to donate one’s medical data posthumously.1 However, enabling such posthumous medical data donation (hereafter PMDD) is in the interest of individuals and society at large. It is important to make medical data available for scientific research by enabling and encouraging individuals to donate their medical records2 after death, similarly to how they can already donate bodies or body parts. This is why a research project on PMDD, developed by the Digital Ethics Lab at the Oxford Internet Institute has led to the formulation of this Ethical Code for Posthumous Medical Data Donation (hereafter the Code), which sets out the guiding ethical principles for such donations. An important limitation to note is that the Code focuses exclusively on ethical aspects. This means that important practical issues relating to law and governance will have to be addressed prior to and during its implementation.3
Recalling the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe, Rome, 4.XI.1950;
Recalling the Convention on Human Rights and Biomedicine and the additional protocols to the Convention of the Council of Europe, Oviedo, 4.IV.1997;
Recalling the Universal Declaration of Human Rights, 10.XII.1948 and the Universal Declaration on the Human Genome and Human Rights, 11.XI.1997 and the International Declaration on Human Genetic Data of the United Nations, 16.X.2003;
Recalling the Universal Declaration of Bioethical Principles of the United Nations 19.X.2005;
Recalling the Declaration of Helsinki of the World Medical Association, 1.VI.1964;
Recalling the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and repealing Directive 95/46/EC.
The sale, lease or commercial licensing of the data. It shall also include uses of the data to produce or manufacture products or services for general sale.
The person-source of the data, or data subject.
Any donor-related data.
Repository (often online) built to facilitate access to data.
Directly identifying data
Any data that make possible the identification of the person concerned, without disproportionate efforts.
De-anonymised / pseudo-anonymised / coded data
Any data that make possible the identification of the person concerned only through the use of a simple tool, such as a key.
Any data that do not make possible the identification of the person concerned without disproportionate efforts.
Information on hereditary disease
Any data which is either predictive of genetic disease or can serve to identify the person as a carrier of a gene responsible for a disease or detect a genetic predisposition or susceptibility to a disease, whereas scientific proof for validity of that information is present.
Informed, free and express decision to donate one’s PMR after death for research purposes.
Personal Medical Record (PMR)
The health data stored about a person within the health system.
Posthumous Medical Data Donation (PMDD)
The giving of one’s PMR for research purposes upon death.
Activities such as obtaining, handling, processing, storing and distributing of data, including all associated research activities.
PMDD institution (PMDDI)
The PMDDI is the institutional body acting as steward of all donated data.
Any person with a legitimate interest in conducting research, whether affiliated with an academic, commercial, public, private or other institution. It shall not include private individuals.
Institution holding and maintaining the data. The steward assumes full responsibility for compliance with the legal and ethical rules that apply to collecting, processing and managing the data.
Any person involved in collecting, storing, handling, processing, accessing, or managing the data.
The Code of Ethics on Posthumous Medical Data Donation (hereafter ‘the Code’) has been developed to establish the guiding ethical principles for Posthumous Medical Data Donation (hereafter ‘PMDD’), in recognition that PMDD constitutes an act that is both meaningful to an individual and valuable to the public and as such should be facilitated.
any applicable national laws or local regulations are to be complied with at all times. The Code does not replicate, amend or overrule but complements any such instruments;4
participation in PMDD activities is and remains voluntary; this includes every person’s right to accept or refuse participation at any point;
the autonomy and confidentiality of all donors and their families shall be respected;
special care will be taken in all PMDD activities to avoid discrimination against, or stigmatisation of, an individual, a family or a group;
every care will be taken that the collected data is used, and in line with the purposes for which it was donated, namely for ethically and scientifically sound research, and that it is not abandoned;
the research process and the ethical guidelines will be reviewed by an independent body on a regular basis to take into account any new developments in technology, law, and society. The results of such a review will be made public.
The Code shall apply to the full range of PMDD activities involving donated personal medical records (hereafter ‘PMR’). It shall not apply to other types of health-related data, nor shall it apply to donations made by living donors. For the purposes of the Code, PMDD shall not include donations made to private institutions for the purposes of commercial exploitation. The Code shall apply to donors, users, and researchers.
12.5 Foundational Ethical Principles
Human dignity and respect for persons
Promotion of the common good
The right to Citizen Science
Quality and good data governance
Transparency, accountability, and integrity
12.5.1 Human Dignity and Respect for Persons
the dignity of the donor shall be protected at all times;
the preferences and values of the donor shall be honoured at all times;
the privacy of the donor shall be maintained;
potential harm to the donor, any relatives and/or next of kin shall be minimised.
12.5.2 Promotion of the Common Good
to maximise the morally good outcome, all PMDD shall be publicly accessible, and all research findings and results based on the data shall be published under an open licence;
where the acceptance of a donation to the database carries a significant risk to relatives and/or family members, a careful balancing of harms and benefits should take place, which may lead to the rejection of the donation. Such rejections should be limited to serious cases of harm, to reduce the risk of excluding particularly valuable datasets, such as those relating to rare diseases and less common conditions. In all instances, the relatives and family members of the donor should be engaged in the process as much as is practically feasible to gain their support for the donation;
prohibition of unethical research using PMDD without exception;
prohibition of commercial exploitation of PMDD data where this could unfairly restrict access to treatments or cures;
requesting proof of adequate benefit sharing measures prior to granting access to the PMDD database to a researcher.
12.5.3 The Right to Citizen Science
all donations should be accepted, unless there are solid grounds for rejecting a particular donation, such as a disproportionate risk of harm to others;
the optimal use of donated data shall be guaranteed, and data shall not be abandoned;
all results and findings shall be shared with the public in an accessible and timely manner;
the public shall be actively involved in the further development of PMDD and encouraged to participate in deliberations about the wider social impact of PMDD.
12.5.4 Quality and Good Data Governance
users and other PMDDI staff shall be adequately trained for their respective roles within the PMDD activities, including knowledge and understanding of this Code and any applicable data protection and privacy laws and regulations (such as the EU’s General Data Protection Regulation);
safe and secure storage facilities shall be used for the data, including use of adequate and updated encryption techniques, to minimise the risk of unauthorised access, data loss, or misuse. Proper record-keeping and access management shall be maintained to ensure full traceability of the location of, and access to, any PMDD;
PMDDs shall be de-identified using currently available standards, and re-identification shall be prohibited. Quality control mechanisms for PMRs shall be applied prior to data being added to the database;
mechanisms should be adopted for ensuring the sustainability of the database for future use, including procedures to be followed in case of discontinuance of the PMDDI.
12.5.5 Transparency, Trust, and Integrity
communications with donors, any relatives or next of kin, and the public shall be open, honest, clear, and objective. Any information provided shall be comprehensible to a non-expert person and shall be accessible;
clear and transparent procedures for deciding requests for data access shall be established and made public, and shall apply equally to all researchers regardless of their affiliation. All access requests, whether granted or declined, shall be made public;
mechanisms to ensure accountability and to handle complaints shall be implemented, including mechanisms for identifying, reporting and managing incidents such as breaches, losses of data, or unauthorised access. Any incident shall be followed by rigorous investigation, and corresponding sanctions shall be instituted. In addition, procedures for handling lawful requests from law enforcement agencies shall be established;
full disclosure of any financial arrangements involving PMDD data or financial gains derived from PMDD activities will be made.
12.6 Obtaining PMRs for Research Purposes
PMR shall be obtained and used for research purposes in accordance with applicable national laws and local regulations, and the principles set forth in the Code.
Due to the anticipated benefit to be derived from the research to be conducted using the data, resources shall be dedicated to encourage participation in PMDD. In particular, information shall be provided to the public to encourage donations, while at the same time safeguarding the voluntariness of participation.
Consent shall be required for all collections of PMDD and for the use of PMDD for biomedical research purposes, even where local laws do not require such authorisation. As part of the consent procedure, participation will be explained as an opportunity to contribute in the long term to the improvement of other people’s health. Broad consent to research falling within the guidelines of this Code shall be deemed sufficient, as it is not possible to anticipate all ethically and scientifically sound future research uses.
12.6.1 Obtaining Consent
Prior to giving informed consent, the person concerned shall be offered appropriate information about the nature and purpose of PMDD, including examples of the type of research for which it will be used, the financial interests of the data collecting entity, and the management of access to and use of the data, including the kinds of safeguards that will be maintained.
Donors shall be informed that the full PMRs will be transferred to the PMDDI, including identifying information, to enable linkage between different datasets which is necessary to ensure maximum scientific utility of the overall database. However, donors shall be free to place restrictions on the use of their data and to exclude subsets of data from their donations. These preferences shall be recorded in the PMR in full. Donors shall be informed of their right to make changes to their preferences or to withdraw consent at any point prior to their death.
Donors shall be encouraged to discuss their decision with their relatives, especially those with close genetic links.
Donors shall be informed that the use of their PMDD is not guaranteed and that in some rare instances a particular PMDD may be rejected if it poses a significant risk of harm to an individual or a group. Information shall be provided on possible reasons for exclusion.
Consent shall be appropriately documented in the PMR and at the PMDDI.
12.6.2 Persons Unable to Give Consent
To avoid the exclusion of vulnerable populations from benefiting from the scientific advances resulting from large-scale biomedical research, and to ensure their representation within the data underlying such research, an active effort shall be made to include PMRs from all groups.
Where an individual is permanently unable to provide consent, due to a lack of legal capacity, the registration of a donor and subsequent donation may be carried out with the authorisation of the person’s legal representative or guardian. The individual concerned shall be involved in the decision-making process as far as possible.
Similarly, where a minor is concerned, the parents or legal guardian shall be permitted to authorise a donation. The opinion of the minor shall be taken into consideration in proportion to the age and degree of maturity of the child.
Where an individual is temporarily unable to provide consent, due to a lack of legal capacity, registration as a donor shall be held off until capacity to consent is regained or a permanent incapacity has been confirmed by the medical professional.
12.6.3 Changing or Withdrawing Consent
Donors can withdraw consent for participation in PMDD at any time by submitting a revised authorisation form, or by notifying a health care professional. The objection will be recorded in the PMR and will ensure that data is not submitted to the PMDD database on the donor’s death.
It shall also be possible for a person to record an objection to PMDD in their PMR.
A decision to object to PMDD, or to change or withdraw consent once given, shall not have a negative impact on the medical treatment or care of the person or lead to discrimination against that person.
Where a legal representative or guardian gave the authorisation for PMDD, the right to change or withdraw consent remains with that person for as long as they shall have legal guardianship of that person.
12.6.4 Refusing Donations
There may be ethical reasons for excluding a particular PMDD donation, which may be grounded, inter alia, in the nature or the source of data. The following list is not exhaustive, and there may be other grounds on which a PMDDI may decide to refuse to accept a PMDD.
The right of a PMDDI to refuse a PMDD shall be maintained, as the overall cost of these refusals would be minimal, since the value lies in well-curated, large datasets, rather than individual datasets.
126.96.36.199 Refusing a PMDD on Grounds of the Data’s Nature
Where the donor’s data may reveal sensitive data about related people, a stewarding PMDDI may decide to refuse a PMDD. In particular, where genomic data reveal information about family members, it may be preferable to exclude such data from the donation where a comprehensive risk assessment reveals an unacceptably high risk to living people. This may apply especially where the relatives are vulnerable people and/or the condition is a hereditary disease, which may lead to stigma and/or discrimination.
188.8.131.52 Refusing a PMDD on Grounds of the Data Source
In some rare cases, there may be reasons to reject a PMDD on the basis of its source. This means disallowing a particular individual from participating in PMDD, where a donation would carry a disproportionate risk to others. An example could be close relatives of acting politicians or diplomats, where there is a national interest in avoiding the exposure of vulnerabilities to outside influences.
184.108.40.206 Other Grounds for Refusing a PMDD
An institution may refuse to accept a particular PMDD on other grounds, including, for example, the potentially illegal nature of the collected data, but any reasons should be made sufficiently clear to the potential donor.
12.7 Research Approval, Conduct and Oversight
In accordance with the foundational principles of the Code, it will be fundamental for the success of the PMDD activities that public trust is maintained. For this, it is crucial to manage research activities carefully, by maintaining transparency and ensuring accountability of any individual involved.
12.7.1 General Principles
220.127.116.11 Prohibition of Financial Gain5
It shall be prohibited to gain financially from PMDD. Therefore, donors will not be offered any financial or other inducement to participate in PMDD. Since participation does not entail any expense for the donor, the issue of reimbursement does not arise.
The PMDDI shall not be permitted to sell data obtained from PMDD activities, or to make a profit from such activities. Any profits resulting from the charging of access or licencing fees have to reinvested in the maintenance and improvement of the PMDD database. The sole purpose of any fee shall be to support the financing of costs, maintenance and improvement of the PMDD database, and shall not be used to make profits.
All data in relation to donors and their families shall be collected, processed and used in accordance with the principle of confidentiality and the right to respect for private life.
The steward will ensure that data are anonymised, linked, and stored to the highest standards of security. Researchers will only be given access to anonymised data.
All users and staff handling the data will receive appropriate training for maintaining confidentiality and adherence with all relevant legislation.
Systems for data security and storage will be kept up to date and will be of the highest technical standard.
18.104.22.168 Data Custody
Custody of the data will be transferred to the PMDDI upon the donor’s death. This conveys a range of rights to the stewarding institution, in particular the right to take legal action against unauthorised use or abuse of the data. Donors will not have property rights in the data.
The PMDDI will not exercise their right to sell the data to third parties but will act as steward of the database, maintaining and developing it for the common good in accordance with its purpose.
This does not affect the right of the donor to give away, sell, or donate data to other parties.
22.214.171.124 Data Protection
All data will be collected, stored and handled in accordance with applicable data protection laws and regulations to safeguard the integrity of all data, e.g. in compliance with the EU’s General Data Protection Regulation.
126.96.36.199 Directly Identifiable Data
Directly identifiable data, which will necessarily be included in the transfer of the PMR to the PMDDI, will be separated from the medical data of the donor prior to being added to the database. An arbitrary code without any external meaning (that is, for example, not a National Insurance number or similar) will be attached to link the personal identifying information to the medical information. This option for re-identification is necessary for data quality management: to eliminate redundant data, verify data accuracy and completeness, to establish correct linkages among databases, and to identify data which may need to be withdrawn.
Identifying information will be held in a separate data vault with restricted access, controlled by a senior steward at the PMDDI. The access key to the code for re-linking identifying information to the data will never be shared with external agents, such as researchers, and will only be accessible to a select few PMDDI staff who are ethically trained and sign special confidentiality agreements.
188.8.131.52 Information on Health and Hereditary Disease
The PMDDI will not share data or health information with living relatives or other interested parties under any circumstances. This includes information on potential hereditary disease.
It is, however, possible for the donor to nominate specific individuals who are to receive a copy of the PMR upon the donor’s death. It is the responsibility of the donor to ensure that the contact details of the recipients are kept up to date.
12.7.2 Research Access
The PMDDI will retain full control of all access to, and uses of, the data in the database. No exclusive access will be granted to any party.
To build and maintain a relationship of public trust, the PMDDI will inform the public of the rules for access, any requests made, access granted or refused, and any research results.
Access to the database by law enforcement agencies will be granted only under court order, and will be resisted in all other circumstances. Any such requests will be reported to the public in so far as this is legally permissible (see also clause 184.108.40.206).
The PMDDI may charge a reasonable fee for access to the data for approved research purposes. This fee may vary depending on the expected financial benefit from use of the data. However, the fee should not be so excessive as to prevent legitimate research from being conducted due to purely economic reasons, and it may in some circumstances be advisable to waive the fee entirely. Any profit occurring as a result of the fee system is regulated by clause 220.127.116.11.
18.104.22.168 Access Requests
The PMDDI will have overall decision-making authority over any access requests to the database. A special advisory board may be set up and charged with this task. However, routine applications may be delegated to appropriate working groups to provide more efficient services to the research community and to the public.
The PMDDI will provide public explanations of all policies and procedures for research access. These documents will continue to be developed to reflect relevant technical, legal and social changes, but will never abandon the principles of fairness and transparency in decision-making.
Access to the data will be granted only for scientifically and ethically approved research. Requestors will have to demonstrate benefit-sharing mechanisms and will have to have obtained research ethics approval from an appropriate body prior to being granted access to the data.
22.214.171.124 Research Results
All researchers accessing the database will be required to provide the results from their analyses made using the data, and any relevant supporting information, to the PMDDI to make them subsequently available to all other legitimate researchers with approved access to the database.
It is a requirement on all researchers seeking access to place the findings, whether positive or negative, from all research based on the PMDD data in the public domain. Publication of results shall be in peer-reviewed scientific literature wherever this is possible, open access by preference, or on the website of the PMDDI.
12.7.3 Research Oversight
Any PMDD activities will be conducted in accordance with national research governance frameworks and national research guidelines.
Independent periodic reviews of the quantity and quality of access requests, the research conducted, and the published results will be conducted and the findings will be made public.
As the purpose of PMDD is to generate new knowledge to promote population health, particular focus shall be placed on the dissemination of research outcomes. Where the independent reviewers are not satisfied that the principles of the Code are sufficiently upheld by the researchers, the PMDDI shall be required to review its access procedures to ensure that only those research requests are granted that promise to honour the principles of the Code.
12.7.4 Contingency Planning
The PMDDI shall develop a detailed contingency strategy for handling the PMDDI data and database in case of liquidation or termination of the PMDDI. The goal of the strategy must be to ensure the continuous protection of the rights of the donors and their families, and to respect their wishes that their data be used for research purposes. As such, the strategy should provide detailed plans for transferring the data to another steward so that research may continue on the data.
Annex: Sample PMDD Authorisation Form
To be completed by donor and signed by a witness.
Date of birth
I WISH TO DONATE MY MEDICAL DATA AFTER MY DEATH.
I UNDERSTAND THAT THEY MAY BE USED FOR RESEARCH PURPOSES.
- 1.Data retention
⎕ I consent to my medical data being retained indefinitely.
⎕ My medical data can be retained for a maximum of ___ years.
- 2.Data types
⎕ I consent to all my medical data being used.
⎕ I wish to exclude the following data from my donation:
- 3.Research purposes
⎕ I consent to my medical data being used for all research that has received ethics approval by an official REC within the European Economic Area (EU, plus Iceland, Liechtenstein and Norway).
- 4.Copy of record
- ⎕ I wish the following named individuals to receive a complete copy of my medical data upon my death:
Relationship to donor
Date, Signature of donor
Date, Signature of witness
Arguably, there are no particular barriers to donate one’s data, at least in some jurisdictions such as the UK, where this could be done via an Advance Directive. However, the lack of coherent ethical and legal structure to facilitate such donation makes it practically impossible.
The term “medical records“is to be loosely understood, as the availability and format will vary between jurisdictions and it is unlikely that medical data are consolidated in one place.
See the concept of post-compliance soft ethics in Floridi, L. 2018. Soft ethics, the governance of the digital and the general data protection regulation. Philosophical Transactions of the Royal Society A 376 (2133): 20180081.
The Code presupposes some basic data protection and privacy safeguards in line with the legal instruments set out under “Considerations” above. This means that the Code may not be sufficiently detailed in jurisdictions that do not subscribe to those international conventions, and further guidelines may be required.
It is important to note that the research in this article has focused exclusively on the ethical issues of PMDD, which means that governance questions have not been answered. This includes the question of the legal nature of the institutional body (the PMDDI), which will need to be addressed prior the implementation of a PMDD scheme.
These technical issues will need to be addressed more fully prior to the implementation of a PMDD scheme. Maintaining confidentiality through anonymization will have to be reconciled with the need to retain an option for re-identification for quality management purposes. The Code follows current practices in other types of medical donation schemes, e.g. biobanking, where anonymized data is made available to researchers and identifying data is kept separate and is not made available for research.
This document draws heavily on the excellent ethical frameworks prepared by various organisations for other biomedical purposes, including the references under the heading “References”.
We express our gratitude to Microsoft Research, for funding the research that led to the elaboration of this document. We are also extremely grateful to the participants of two workshops on the Ethics of Data Donation, held by the Digital Ethics Lab at the Oxford Internet Institute, for their valuable contribution to the preparation of this document.
Funded by Microsoft Research. The authors declare no conflict of interest.
- BrainNet Europe Code of Conduct by the BNE Consortium. 2008, May. Available at http://www.brainnet-europe.org/images/content/en/media/code/code_of_conduct.pdf.
- Framework for responsible sharing of genomic and health-related data by the Global Alliance for Genomics and Health. 2014. Available at https://www.ga4gh.org/docs/ga4ghtoolkit/rsgh/Framework-Version-10September2014.pdf.
- Human Tissue Authority’s Code A: Guiding principles and the fundamental principle of consent, available at https://www.hta.gov.uk/sites/default/files/HTA%20%2807a-17%29%20Guiding%20Principles.pdf.
- Overview of legal and ethical frameworks governing body donation in Europe by Riederer et al. 2016. Available at http://repository.ubn.ru.nl/bitstream/handle/2066/116823/116823.pdf?sequence=1.
- UK Biobank Ethics and Governance Framework. Version 3.0, October 2007. Available at http://www.ukbiobank.ac.uk/wp-content/uploads/2011/05/EGF20082.pdf?phpMyAdmin=trmKQlYdjjnQIgJ%2CfAzikMhEnx6.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.