1 Introduction

Can individuals donate their data in life and post-mortem? In a playful and exciting episode, BBC Tomorrow’s world has discussed this attractive idea, trying to invoke some of the current issues related to the use and misuse of our digital footprints and personal data.Footnote 1 Individuals are often not aware as to what happens to these digital footprints post-mortem, and the law and policy in this area are still very confusing and inconsistent (Harbinja 2017). But what if we shift this paradigm and enable users to employ their altruistic motivations and aspirations by helping them participate in ‘citizen’s science’ and medical research through donating their medical data posthumously (Vayena and Tasioulas 2015)? This article aims to investigate the idea of posthumous medical data donation (hereinafter: PMDD) from a legal perspective, looking at what the law could do to facilitate this useful practice in the future.

The idea of PMDD is very similar to organ donation , prima facie. Organ donation has been a well-established topic of legal research and medical practice in many countries, including the UK (see e.g. Weimar et al. 2008; Cronin and Price 2008; Price 2000). The practice has its roots in philosophical, philanthropic and humane ideas and reasons, and the law around it has been developing in the last few decades in particular (Evans and Ferguson 2014; Skatova 2011). Data donation would have essentially a similar goal, i.e. to help save human (or other) lives and support medical and clinical practice and research. The aggregation of numerous sets of donated data would support advanced and personalised medical research, providing the basis for data mining, machine learning and AI, which would help generate new understanding of some of the acutest medical concerns that humanity is facing nowadays (e.g. cancer or various mental health conditions, Prainsack 2014).

It is important to distinguish PMDD from medical data sharing of the living, but also from medical data philanthropy, which is the opening, to access and use, by private companies and public organisations, of one’s data sets, for charitable purposes (Taddeo 2016; Krutzinna et al. 2018). Krutzinna et al. argue that ‘posthumous medical data donation is motivated by different reasons, and is less risky and more easily achievable than either data sharing or data philanthropy’, therefore easier to implement and regulate. Importantly, the argument is that the failure to exploit fully the health data available in medical records, which often already exist in digitised form as electronic health record in the NHS, is a huge opportunity cost and has a negative effect on advancements in research. Apart from this practice being inefficient and costly, scholars argue that it is also unethical (Krutzinna et al. 2018).

In terms of individuals’ readiness to engage with the option of posthumous data donation, a study finds that individuals are willing to donate personal data to research for public good, and their motivation is both self-benefit (e.g. enhancing their reputation, professional benefit, or to feel good about themselves) and concern for others. Surveyed individuals who were less likely to donate are motivated by self-interest mainly, whereas those more likely to donate had public good as a main motivating factor. The study concludes by arguing that ‘Data Donation holds promise as a useful tool in the digital economy, providing value to third sector and well-being researchers as well as marketing and the private sector’ (Skatova et al. 2014). In a different study, Jones et al. discuss what the non-use of health-related data would mean, identifying harms for the society as a whole. The study focused on issues with clinical care records, research data and governance frameworks, illustrating the types of data non-use that occur, and some of their consequences for citizens and the society (Jones et al. 2017). There is, therefore, an appetite and compelling ethical arguments for data donation more generally, as well as post-mortem. An aspect of data donation that is explored more deeply in this paper is posthumous data donation.

This article builds on the helpful findings and arguments introduced by social scientists and humanities scholars in the area (Skatova et al. 2014; Krutzinna et al. 2018; Shaw et al. 2016). One of the most tangible results of these endeavours is the Code for posthumous medical data donation developed by the Digital Ethics Lab at the Oxford Internet Institute and funded by Microsoft (Krutzinna et al. 2018). Thus, as research demonstrates, while there may be sound ethical reasons that posthumous data donation is quite straightforward, this is not necessarily the case legally. A legal framework that would support this practice has not been discussed in legal scholarship to date at all. This paper is, therefore, a first legal study of PMDD, aiming to address the gap and shed light on the most significant legal issues that could affect this concept. The focus of this paper is on the UK and English law, and the EU, where appropriate. Importantly, the study will look at the general data protection regime, lex specialis provision (legal regimes regulating health-related data), and data governance , thus making some useful parallels and suggestions for a reform of general and sector-specific data protection laws and policies. These changes would contribute to legal and regulatory clarity and coherence and would support the implementation and enforcement of this important and valuable practice. The legal framework would, therefore, go beyond an ethical framework that is considerably more difficult to enforce in practice.

The paper starts with a brief exploration of the current legal protection of health data and medical records in the UK more generally, and the protection of deceased’s medical data and patients records, more specifically. The purpose of this overview is to ascertain if these laws and policies could apply to PMDD, or whether at least some of their principles could be borrowed for a novel PMDD legal framework. The following section looks at key issues around ownership and succession of personal data and how these could affect PMDD and its legal framework. The author then goes on to explore some overarching parallels with organ donation to determine whether there are some lessons to be learned from this comparable regulatory framework. Finally, the paper concludes with the discussion around the need for a Code for posthumous medical data donation and a more formal regime that would enable and facilitate this practice. Here, the paper proposes key law reforms in the area of data protection and governance related to PMDD.

2 Legal Protection of Health-Related Data of the Living and the Dead in the UK

Before analysing the law and policy around the data of the deceased, it is useful to briefly set out key data protection provisions applicable to medical and health-related data more generally, so to determine whether we could apply these to PMDD. Alternatively, the paper also investigates if we could translate provisions set out in this legislation into principles that would enable the practice of PMDD.

Health-related data in the EU and the UK have been treated as sensitive data in the Data Protection Directive 1995, and are included in the renamed category of ‘special categories of personal data’ in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA 2018). These data include, inter alia, genetic data, biometric data, and data concerning health. Processing of the special categories of data is in principle prohibited by the GDPR, and only allowed on the basis of ten general grounds, including relevant grounds for health data, such as crucially vital interests of data subject and explicit consent by the data subject (GDPR art. 9 2. (a) and (c). Further grounds are where the processing of special categories of data is necessary for the purposes of, broadly, health and social care, and for reasons of public interest in the area of public health (GDPR art. 9 2. (h) and (i). Finally, for research purposes, paragraph 2 (j) applies, and the processing of this type of personal data needs to be in accordance with Article 89(1) based on Union or Member State law. GDPR, therefore, recognises the benefits of facilitating medical research and the need for enabling the access to medical registries and data sets. This ground is relevant to medical data donation by living individuals, whereby member states are to provide for exemptions that would detail conditions and safeguards related to the processing of this data (recital 157, article 89). These specific safeguards include data minimisation, pseudonymization, and derogations from certain data subject rights, such as the right to access, to object, to rectification, to the restriction of processing. Moreover, GDPR also recognises the need for further measures in the interest of data subject and the need to apply the rules of GDPR in the light of these measures (Recital 159, GDPR). This would mean, for instance, following specific data regulatory and ethical frameworks that already exist in medical research, and could potentially include the ethical framework for PMDD. In the UK, the above provisions of GDPR have been implemented in schedule 2 part 6 of the Data Protection Act 2018 (DPA 2018).

GDPR, however, does not apply to anonymised data (see e.g. section 251 of the NHS Act 2006), so research conducted using these would not need to meet the GDPR requirements, provided that it is not possible to relate back the data to individuals, which is nowadays increasingly difficult and therefore this option should be used with caution. For anonymised data, research ethics would normally still require consent and other safeguards for data subject that are participating in a study. The further legal basis for processing of medical data in England without consent, and overriding the common law duty of confidentiality in the interests of improving patient care, or in the public interest, is set out in section 251 of the NHS Act 2006 and The Health Service (Control of Patient Information) Regulations 2002. Applications are administered by the Confidentiality Advisory Group of the Health Research Authority, but anecdotally, researchers note that the success rate is low and applicants are strongly encouraged to pursue the consent route or to use anonymous data where possible (Jones et al. 2017).

GDPR is not a helpful place to identify rules and provisions that would govern the use of the data of the deceased, including the data within PMDD. Recital 27 provides that ‘This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.’ Some member states have used this option and enable for the protection of the data of the deceased more generally (not limited to medical data), such as France or Hungary (see Castex et al. 2018). The UK, however, has chosen not to legislate in the area so the DPA 2018 retains the old definition of personal data, emphasising that the concept relates only to ‘living individuals’ (s. 3(2) DPA 2018). The fact that the GDPR and DPA do not apply directly to the data of the deceased, including posthumous medical data, makes it even more important to identify the key legal issues at play in PMDD. We, therefore, need to look beyond the general data protection framework in order to identify laws and policies that might be helpful in the context of PMDD. The next section will explore laws and policies related to the data of the deceased in the health sector, which could form a basis for the PMDD legal framework.

2.1 The Protection of the Data of the Deceased in the Health Sector

Sector-specific protection of deceased’s medical data is somewhat more extensive than the protection awarded to the data of the deceased in the general data protection regime. For instance, The Access to Health Records Act 1990 provides for the protection of the access to health records of the deceased, and this access is permitted for ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’ section 3 (1) f). These would be next of kin or the deceased family who might need to access these to ascertain their claims or causes of death for instance. In England, GP health records are passed on to Primary Care Support England for storage after the patient’s death and these are generally retained for 10 years after death, with the exception of the storage by the Primary Care Support for England where this period extends for up to 100 years. For hospital records, the Department of Health advises that they are kept for 8 years. These are managed by the record manager at the hospital (Department of Health 2010). NHS records are also governed by the Public Records Act 1958 which provides that GP records become public when forwarded to local authorities after the death of the patient. Most of these are closed for 30 years post-mortem and those related to physical and mental health are closed for 100 years. Permission can be sought from the Public Records Office to use data from deceased persons in research if confidentiality can be guaranteed (Medical Research Council 2003). Some of the records kept longer are then opened fully to the public after this point in time.

Interestingly, the NHS data opt-out regime that allows patients to opt out from the use of their data in research, for instance, has been extended to include the data of the deceased and honouring their wish expressed premortem by the way of opting out (NHS, National Data Opt-out Operational Policy Guidance Document 2018). This policy explicitly includes deceased but does not apply if an individual has opted into a certain scheme of research by an express consent, for instance. This is a policy choice and the projection here goes beyond what is legally required by the data protection regime, as indicated earlier in this paper. Also, it provides a useful avenue for the regulation of PMDD, as opting into a PMDD scheme would exclude that data from the NHS opt-out regime. This policy, therefore, does not need to be amended in order to accommodate PMDD.

In addition to data protection, an area of law that would potentially offer a more extensive protection to deceased’s patient records is the common law duty of confidence. Case law implies that the duty of confidence which doctors owe to their patients might survive the death of the patient. For instance, in Lewis v Secretary of State for Health & AnorFootnote 2, Mr Justice Foskett argued that a limited number of authorities in the area, including the ECHR case law and academic views, point towards this proposition. Decisions by the Information tribunal support this stance as well (see Webber v IC and Nottinghamshire Healthcare NHS TrustFootnote 3 and M v IC and Medicines and Health Products Regulatory AuthorityFootnote 4). The issue is still unclear and unsettled in law, and the case law needs to be much more specific and coherent. Nevertheless, it would not be wrong to at least make a claim that this law applies to records post-mortem, even if this is an arguable point at this stage of the development of the relevant case law. As Lewis shows, the courts would also be likely to find the stance of the professional regulators and the NHS highly influential here. (see also Munns and Basu 2015). The Caldicott Review 2013 identifies this discrepancy in the law as well, calling for a legal harmonisation and for the Law Commission to ensure that there are ‘no legal impediments to giving custodianship of their health and social care data within their last will and testament.’ (Caldicott 2013). We will turn to this suggestion in Sect. 6.5, as it is very useful when considering a regulatory framework for PMDD. Once more going beyond the law in this area, the Department of Health, General Medical Council and other clinical professional bodies have long accepted that the duty of confidentiality continues beyond death and this is reflected in the guidance and policies they produce (Department of Health 2010).

In summary, this section identifies the most significant provisions of law and policy that could be applied to PMDD, acknowledging incoherence and the need for clarity in statutes, case law, and policies. Contrary to most types of personal data of the deceased (Harbinja 2017), confidentiality (as an aspect of a broader notion of post-mortem privacy, Edwards and Harbinja 2013) of their health data and records is preserved through policy and the NHS data governance in the UK and many other jurisdictions (Shaw et al.2016). PMDD would mean that this confidentiality could be affected by the wishes of individuals expressed premortem. However, in order to make this option clear and coherent in the law, the legislation set out above would ideally need to be amended (in particular, The Access to Health Records Act 1990 and the Public Records Act 1958 would need to at least mention PMDD, so to enable the access for research purposes). Before looking at these regulatory options in more detail in Sect. 6.5, we will briefly identify some general principles around ownership and control of personal data, including medical data of the deceased. These principles and values will support and underpin the legal framework introduced later in the paper.

3 Some Issues Around Ownership, Privacy, Control and Succession of Data

Issues around ownership and control of data, in the context of the data of the deceased, are significant as they may influence the direction a legal regime might take, swaying it towards propertisation or away from it. It is also important to clarify the legal perspectives and discourse around property and ownership of data, as it might differ significantly from a similar discourse in social science and humanities. For example, while social scientists might use ownership and property more generally and, perhaps, imprecisely, to refer to control, it is very important not to use these in a similar manner in legal discussions and practice, for the reasons set out in this section.

Looking at a comparable legal regime, organs or body parts are not generally considered a full-blown property in law and their commercial exploitation is mostly prohibited, as discussed in the following section. Similarly, and although there have been many calls for propertisation of personal data (as there have been for different proprietary treatments of body parts), and ideas for using the doctrine of quasi-property, a predominant view in the European scholarship is that property is not an adequate legal regime to protect personal data and privacy. This regime is human rights-based and embeds values such as dignity, autonomy, control and respect for personhood. In the European legal doctrine and jurisprudence as well, it has been long established that the data protection regime is based on human rights (the ECHR and the European Charter of fundamental rights) and propertisation and commodification of personal data is not an option in any of the EU member states, including the post-Brexit UK (Harbinja 2013, 2017; Pearce 2018). Consequently, there can be no succession or bequeathing of one’s data, as stricto sensu, only property can be passed onto one’s next of kin and heirs (Harbinja 2017). An option of deciding as to what happens to one’s patient records is not viable under the succession and probate regime at the moment either. Researchers argue that this is unreasonable and that there should be options for individuals to decide what happens to their data on death. (Harbinja 2017; Castex et al. 2018). This is now possible for some digital assets such as emails or social network content in France or Catalonia, however, this does not include one’s medical records and data, and therefore, it is not particularly helpful as a framework for PMDD.

Due to the extremely sensitive nature of data included in patient records, it is important to consider the concept of post-mortem privacy and the protection of individuals’ personal data and personality on death. In a very broad sense, post-mortem privacy includes the protection of one’s body parts and organs, and the narrow interpretation includes the protection of personal data only, and thus covers patient records as well. Research shows that this phenomenon is only partially protected (Edwards and Harbinja 2013; Harbinja 2017; Buitelaar 2017) and there is not a comprehensive regime that would include data protection reform, as well as the necessary regulation of digital assets associated with the deceased’s online footprints and digital persona. The UK has not followed the lead of France or the US to legislate on this matter and the DPA 2018 excludes the data of the deceased completely, as noted above. If post-mortem privacy was recognised in law, as argued by researchers, then the deceased would be able to decide as to what happens to their medical data post-mortem as well, and this would facilitate the practice of PMDD. Of course, as noted above, there may be concerns about conflicting familial interests, and any regime in relation to posthumous data donation would need to take account of this. Some suggestions proposed by Krutzinna et al. (2018) in their Code address these concerns.

Looking at post-mortem privacy from a conceptual perspective, Floridi’s notion of the informational body would be significant to refer to here as well. For Floridi, a human being is constituted and exists through information related to their identity, similar to what Marx sees as the inorganic body metaphor, i.e. the idea that in producing objects, one is producing oneself at the same time. Floridian ethics emphasises the right to control one’s identity, which he understands as an informational structure, constituted by everything that defines this identity, including various types of digital data. Medical and health-related data are even more closely and intimately related to one’s physical body, but also concern their dignity, privacy and integrity, so the concept of informational body includes these data as well (Floridi 2013; Öhman and Floridi 2017). This theory, therefore, provides a further support for arguments against propertisation and commercial exploitation of personal data, including medical data of the deceased. This is in line with the principles and values set out in the Code for PMDD as well since the Code rejects commercial exploitation of patient’s records.

The key arguments set out in the brief discussion above suggest that the legal treatment of data, inducing patients’ records, is not based on property and ownership. The basis remains in human rights and personhood. Post-mortem privacy, dignity and autonomy should be used as an underlying rationale for the regime that regulates and enables PMDD. These principles do underpin the Code for PMDD, and they will form a part of an underlying rationale for a legal framework set out in Sect. 6.5. In spite of this proposition, some mechanisms of succession and probate law could be utilised to introduce and support this concept and help implement deceased’s wishes. We will explore this further in Sect. 6.5.

4 A Comparable Regime: Organ Donation

Having argued that data is not amenable to ownership in a legal sense, we will now explore whether key legal principles of organ donation could be borrowed when designing the legal framework for PMDD. As noted in the introduction, donation of blood, organs and tissue, as well as other comparable forms of donation, share similar motivations with those that Skatova, Ng & Goulding identify for posthumous data donation of patient records and medical data (2014). The purposes of these types of donation are similar too, however, benefits might not be as obvious in the case of data donation and they may seem somewhat remote as discussed above. In law, both would be intrinsically tied to one’s personhood and neither data nor body parts would normally constitute full-blown property in law, at least not the type of property that can be commercially exploited as other objects of property. There have been some instances where certain incidents of property have been assigned to body parts, but these were mainly for very specific purposes and cases, such as theft or to invoke proprietary remedies for their protection (Doodeward and SpenceFootnote 5; R. v Kelly (Anthony Noel)Footnote 6; Dobson v North Tyneside HAFootnote 7; Yearworth v North Bristol NHS TrustFootnote 8, The Human Tissue Act 2004, section 32; Skene 2002; Brazier 2002; Hawes 2010; Mason and Laurie 2001).

Organ donation and biomedical practices have been regulated by many international instruments (e.g. Convention on Human Rights and Biomedicine and the additional protocols to the Convention of the Council of Europe – Oviedo Convention 1997, Universal Declaration on the Human Genome and Human Rights 1997, Universal Declaration of Bioethical Principles of the United Nations 2005), as well as national statutes in the UK (The Human Tissue Act 2004, the Human Tissue (Scotland) Act 2006, Human Transplantation (Wales) Act 2013). All of these legal instruments emphasise the role of consent, either opt-in (as in England) or opt-out (or presumed opt-in, as in Wales and Scotland, see s.3 The Human Tissue Act 2004, Human Transplantation (Wales) Act 2013, the Human Tissue (Scotland) Act 2006). Consent for organ donation can be written or oral and may be given by the deceased before his death or by a third party, usually a close relative or friend.

Requirements for consent in international instruments are slightly divergent and include for instance: Oviedo Convention – free and informed, purpose explained, the right to withdraw; Universal Declaration on the Human Genome and Human Rights 1997 – free and informed consent; Universal Declaration of Bioethical Principles of the United Nations 2005 – prior, free, express and informed consent, adequate and the right to withdraw. All of these international treaties and declarations are based on fundamental principles of dignity, autonomy, privacy and confidentiality. In a similar form, these principles and consent requirements could be used for posthumous data donation as well, as suggested in the Code for PMDD drafted by Krutzinna et al.

There are some notable differences between organ and posthumous data donation, however. These need to be taken into account when designing a regulatory framework, as well as ethical codes. As Krutzinna et al. note, the first key difference between is the lack of physical intrusion on the donor’s side in posthumous data donation. The second difference is the donor status and the lack of urgency as the utility of the data does not have an immediate expiry date in the same way as organs do. A further difference relates to the beneficiaries. Thus, while blood, cord blood and gamete donations can be used to benefit the donor in the future, in the case of posthumous data donation, the beneficiaries are always other individuals, often a group of future unknown beneficiaries of medical research. The additional important difference these researchers identify is in the research question, i.e. clinical research studies attempt to answer a specific question, whereas posthumous medical data would be used for more general research and promote curiosity in research. Researchers in traditional clinical studies will have to contact their participants if they wish to use the data for further or additional research and ask them to re-consent. This requirement does not apply in posthumous medical data donation . In addition, living participants can withdraw their consent at any point, so that their data is removed from research, the same option does not apply in posthumous medical data donation. Here, active consent management is impossible after death but could be an option premortem (Krutzinna et al. 2018). All these considerations should be taken into account when designing an adequate legal framework for this concept. For instance, there will not be an objection based on religious or ethical grounds to the use of this data, in the same way as there have been to organ donation and the integrity of a human body. For the donation for non-clinical purposes, consent will be broad but the individuals should be explained and given a choice to participate or not in this sort of research. Once opted into the scheme, the donors will not need to re-consent for further uses of their data, as long as this is broadly in line with what they consented for (e.g. the use for purely commercial purposes will be prohibited if the data is donated only for public or academic research).

There are also two risks associated with data donation, as identified by Krutzinna et al. The first one is the fact that medical data is rarely just about one individual but often relates to others, who may be harmed as a result (e.g. their family). The risk relates to the potential use that the donated data can be put to (e.g. data revealing hereditary diseased use as a basis for discrimination), thus creating a purpose creep. In these case, the researchers suggest that that particular dataset should be rejected, as it poses risks to other, living individuals. As rightly argued by Krutzinna et al., this does not dismiss the practice per se, but rather, it warns of risks researcher and stewards need to bear in mind when accepting and handling these medical records and data. In addition, safeguards already in place for medical data can be applied in the context too.

The second risk concerns the source of the donated medical data. The potential misuse of the data of the deceased naturally comes with a lower harm to the deceased as opposed to a living person, but this is also coupled with the ability to control the use of the data, which is lower in the case of the deceased’s data. Krutzinna et al., therefore, suggest ‘a framework that respects the values and preferences of the data donors, and that reassures potential donors that their expressed wishes will be respected after death.’, pointing at concerns over the misuse of medical Big Data to justify unfair public policies, the implementation of medical profiling by employers or insurance companies etc. Any regulatory framework would need to address these too. To address these concerns and risks, these scholars propose a value-based code that would include principles and values. The code, they argue, is in line with the good practice of biomedical data schemes such as the NHS care. Data programme or the Personal Genome Project UK.

In terms of specific safeguards within the Code, which would, inter alia, mitigate against risks and differences between posthumous organ and data donation, Krutzinna et al. mention security, pseudonymization and encryption. It would be useful to also include safeguards such as accountability, regulatory scrutiny and transparency as required by GDPR for the use of medical data of the living in research (art. 5 and 89 GDPR, Article 29 Working Party 2018). It is argued here that specifying the need for these principles in the Code, as defined in GDPR (art. 5) and the national data protection regimes, would make the Code more robust, ethically as well as legally. Moreover, as indicated in Sect. 6.2, GDPR also recognises the need for further measures in the interest of data subject, and the Code could be perceived in the light of this provision, as it offers measures in the interest of the deceased as a data subject in the case of PMDD (notwithstanding the fact that, strictly speaking, the deceased are not data subjects under GDPR, but they could be if a member state decides so, see Sect. 6.2).

In summary, principles around organ donation and consent requirements (opt-in consent as currently required in England or presumed opt-in as in Wales; or), in particular, could be used as a blueprint for the data donation post-mortem. Any regulatory regime would need to account for risks that are different to those of organ donation, especially the one associated with a potential harm to a deceased’s family and other living individuals. Consent, however, does not need to be the only or the preferred ground for post-mortem medical data donation, and considerations should be given to ‘adaptive governance models’ and the potentials to use public interest as a ground for this use of medical data (see e.g. Laurie et al. 2015). Relying on this ground would be arguably less complicated for the data of the deceased, as these are excluded from the general data protection regime. The sector-specific law and governance, as indicated above, however, do focus on confidentiality post-mortem, implying that consent is valuable and often required for different uses of the deceased’s medical data , and the Code acknowledges this as well. We will discuss these options further in the following section.

5 International Framework – Code or Law?

It would be very difficult, if not impossible, to create an overarching mandatory framework for posthumous medical data donation at a global level. In the field of organ donation and biomedicine, there are numerous international instruments identified above, however, these have had limited success due to the number of signatories or the lack of enforcement in international law more generally. Therefore, an Ethical Code for Posthumous Medical Data Donation might be a better solution for an international level, where countries may choose to follow the lead of those who have already subscribed to its principles and implemented this idea successfully, to the benefit of research and science. However, as principal authors of the Code rightly argue ‘it is important to regulate for the future, i.e. to avoid ethical guidelines becoming inapplicable due to technological, legal, cultural or social changes. This is the goal of the Code that we propose: to provide normative principles shaping PMDD, rather than a set of specific rules of conduct for the involved actors’ (Krutzinna et al. 2018). This section will, therefore, set out some guiding principles for the legal framework for posthumous medical data donation in England, and the UK more specifically. It will also introduce basic ideas for a wider international regulation and policy.

At a European and the UK level, it is argued that GDPR would allow this practice and amendments are not strictly necessary at this point in time. Anonymised data are excluded, but also, the data of the deceased are not covered by GDPR either, nor is their protection prohibited. The lack of harmonisation opens the door to recognise initiatives like this one but also results in very disparate legal approaches across the EU. It is necessary, therefore, to utilise some of the existing sector-specific frameworks. In France, for instance, The Digital Republic Act 2016Footnote 9 could allow for this practice to be one of the specific directives made by a deceased, which is recognised by the statute. In the UK, again, DPA 2018 does not allow for the protection of the data of the deceased, so an amendment to delete the living from the definition of personal data would be helpful. However, even if the Act excludes the application of the data protection regime to the data of the deceased, there is no reason why a specific regime cannot be established as the DPA 2018 does not prohibit the protection of this data through other regimes, and we have seen above that this has been a long-standing practice in the UK health sector.

This author suggests that the legal framework only includes basic principles, such as the need for consent (opt-in or presumed opt-in), and clear exceptions where consent can be overridden, e.g. in the interests of family, where there is a case of hereditary diseases and data donation could harm others. More detailed principles for handling this process would be still set out in the Code, which would go over and beyond the existing laws, and would potentially be adopted by the NHS within their data governance structure, for instance, the NHS opt-out regime mentioned in Sect. 6.2. As indicated above, the call for an adaptive governance frameworks questions whether consent is, in fact, a ‘silver bullet’, and essentially refers to other grounds for processing of this data, such as public interest or research. (Laurie et al. 2015; Porsdam Mann et al. 2016). Looking at the general data protection regime, consent, in this case, is indeed not required. However, I would side with arguments put forward by the Krutzinna et al. to support the need for consent in medical data donation post-mortem. Consent, in this case, would mitigate against the caution that the Confidentiality Advisory Group expresses, as discussed above, and support the notion of post-mortem privacy. It would be helpful if the consent requirement is harmonised with GDPR, so to introduce similar standards for the protection of the deceased’s medical records as those for the protection of the data of the living. As discussed earlier, however, GDPR does not apply to the data of the deceased, but it does not prevent member states from legislating in the area, so it is viable to mirror most of the consent requirements from GDPR into the PMDD framework. Consent would, therefore, need to be freely given, informed and unambiguous, by a statement or by a clear affirmative action, whereby an individual signifies agreement with PMDD. This is in line with article 4(11) of GDPR, except for it omits the word ‘specific’. Researchers suggest that there could be broad and specific consent options, covering various or specific research projects and uses (Shaw et al. 2016), and the Code for PMDD suggests broad consent too. This also mirrors the consent requirements of the Universal Declaration of Bioethical Principles of the United Nations 2005, as indicated in the previous section. One could still object to this and argue that public interest in advancements in medical research overrides considerations around privacy and confidentiality. However, I would argue that highly sensitive and valuable data included in patient records still require an extent of involvement of the individual concerned. This is in line with the sector-specific regulation of deceased’s health data as discussed above, including the NHS national data opt-out regime.

In terms of implementation of the principles set out above, posthumous medical data donation can also be introduced in the Law Commission’s reform of wills for England and Wales (The Law Commission 2017). The deceased’s decision to donate their medical data can be treated as a part of one‘s will, for example. Solicitors and legal profession would then be able to provide advice on these options as well. Data donor’s card could be recognised similarly to the recognition of donors cards for organ donation (as suggested by the Caldicott review as well). Practically, it would also be useful to establish a register of donors in order to record wishes of the individuals centrally and avoid the need to seek consent from the families, where possible (Shaw et al. 2016). Apart from this, the Access to Health Records Act 1990 should be amended to allow for access by researchers when permitted by the deceased or their personal representative. Amendments to the NHS Act along these lines would be helpful as well. An idea would be to look at PMDD more holistically and introduce a separate regulation by the secretary of state, which would amend the relevant laws and set out the general principles of PMDD, including the recognition of ethical codes and the NHS policies. In the future, these wishes could be recorded in a third party data steward if these emerge as the new actor in the data regulatory landscape (e.g. data trusts, intelligent agents for interpreting and enforcing deceased’s wishes, see similar ideas in Royal Society and British Academy 2017; House of Lords 2018).

In addition to the legal and policy changes, current technology can offer assistance in this area as well. An example is a cooperative model for managing personal health data in Switzerland, i.e. health bank and MIDATAFootnote 10. Ther databox project in the UK could be used for this purpose as well.Footnote 11 These tools enable citizens to be in control of the storage, management and access of their personal data, including the decision how to share it and participate in citizens science (Krutzinna et al. 2018). This could be used as a tech option of recording one’s wishes, however, this mechanism has to be approved by the governance model for posthumous data donation, and made sustainable and secure.

In summary, there is a clear need for principled recognition of posthumous medical data donation in law, at least at a very abstract level, through the introduction of the practice in the data protection and sector-specific legislation, which regulates the governance of medical data. The framework introduced here includes minimal legislative interventions, which could be implemented simply and quickly, without amending GDPR or DPA, for example. The options explored above include amendments to the Access to Health Records Act 1990, the NHS Act, as well as the recognition of PMDD in the law of wills. This framework aims to mitigate against potential disputes and make the practice enforceable, rather than just voluntary and code – based. An enabling and overarching framework would allow for flexibility in the implementation through ethics codes and the NHS policies. A more robust reform would include amendments to the general data protection ideally, to ensure harmonisation and consistency across the EU.

6 Conclusion

This paper explores the notion of posthumous donation of medical records from a legal perspective. The purpose of this paper is to initiate a broader discussion within legal scholarship and set out some overarching considerations and principles that can be applied by regulators and other stakeholders in this area.

The paper finds that the protection of the deceased’s health records and medical data is more extensive than the general protection of the deceased’s personal data, or the protection of post-mortem privacy as a concept. The paper also warns of some issues around ownership and succession, suggesting that regulators and researchers should refrain from referring to data being ‘owned’ or property in this or any other area of law, as this is incongruent with the European legal tradition, normatively and doctrinally. Hence the regulatory regime of posthumous medical data donation should be based on values and rights such as privacy, autonomy and dignity. These values have helpfully been introduced in the Code for posthumous medical data donation, for instance.

Legal framework introduced here follows the main premises of the Code, translating them into suggestions for law reforms. These reforms would include amendments to the general data protection ideally, to ensure harmonisation and consistency across the EU, as well as between the general and sector-specific data protection laws and policies. A more viable idea at this point in time includes amendments to the sector-specific law, perhaps through a separate regulation by the secretary of state for this area as well. A more light touch approach is to introduce an NHS policy that would govern this practice, akin to the NHS opt-out option from research available to the living and the dead as discussed in this paper. Finally, the law Commission should ideally consider including this option in the comprehensive reform of the law of wills they have introduced recently, so to enable individuals to records their decision about posthumous data donation in their wills or otherwise. These changes would contribute to legal and regulatory clarity and would help implement this important and valuable practice, which aims to facilitate research and advances in medical treatments and care.

Looking slightly further in the future, deceased’s wishes to donate his medical data posthumously could be recorded using technological tools such as MIDATA and databox, or other forms of intelligent agents and data stewards based on machine learning and AI. However, in order to explore issues around the law, technology and human-computer interaction, a substantive, multidisciplinary future research around this idea is required, and it will be within the scope of this author’s future research as well.