Our Future Health participates in the Information Commissioner’s Office Regulatory Sandbox
We understand that every person who signs up to take part in Our Future Health is giving us personal, often sensitive, information. In doing that, they are putting their trust in us. This means that everyone at Our Future Health knows that we need to do everything we possibly can, every single day, to ensure that participant trust is, and continues to be, earned.
This is why we applied to be part of the Information Commissioner’s Office’s (ICO’s) “Regulatory Sandbox”, a service that provides support and advice to organisations that use personal data in innovative ways. We were offered a place on the programme in 2021, and since then have been drawing on the ICO’s expertise and getting them to challenge some of our assumptions as we’ve developed our approach to protecting participant data.
The ICO has recently published a detailed report on our engagement, which sets out the data protection topics we explored and gives an overview of our approach and their recommendations. The impact of this work will be felt by all of our participants and registered researchers engaging with Our Future Health in the years ahead. The process of having our approach challenged by an expert and independent body has given us greater confidence that we are leaving no stone unturned in our commitment to ensure we are protecting our participants’ data.
Findings of note
The report has affirmed our view that the de-identified data (data that has all directly identifying information removed) that registered researchers work with should be treated as “personal data” rather than “anonymous data”. Deciding to treat the data as “personal data” is a cautious approach that requires greater protections on the data. We are taking this approach in relation not only to data controlled by us but also data accessed by registered researchers, meaning participants’ data is stringently protected. The data could not be treated as “anonymous” because, while everything that can directly identify a participant will be removed, a small number of authorised people within Our Future Health will be able to link the data to an identifiable person (so we can, for example, contact them to see if they want to take part in future studies).
We also discussed the legal basis for processing participants’ data. This discussion helped us clarify the legal basis we are using under UK GDPR to collect and store participants’ data for subsequent use in health research. Previously, we had been exploring whether “consent” and “explicit consent” would be the most appropriate legal basis but, as a result of our work with the ICO, we decided to rely on “legitimate interest” and “scientific research purposes” (Articles 6(1)(f) and 9(2)(j) UK GDPR respectively) as our legal basis. Even though we have updated our legal basis under UK GDPR, we remain bound by an ethical and regulatory obligation to seek research consent from participants who will join our programme. Research consent is separate and should not be confused with UK GDPR consent. Participants can only join the programme after voluntarily giving research consent, which they can withdraw at any time.
The report has helped us as we have developed our approach to making sure that, if registered researchers are accessing data from outside the UK, or outside the countries that the UK considers to offer “adequate” protection for people’s rights and freedoms regarding their personal data, we are only ever granting them access in a way that aligns with the UK GDPR’s international data transfer rules.
Of note to those interested in our approach to making data available to registered researchers through Trusted Research Environments (secure computing environments where registered researchers can access and work with our de-identified data), the ICO acknowledged our bespoke accreditation process, which combines information security, data protection and data governance considerations to keep our data safe. They said: “From a high-level perspective, it is our view that it is encouraging that Our Future Health are seeking to use their accreditation process as a further measure to ensure the protection of the personal data they intend to process, and make available to third parties. This is particularly the case given the intended scale, nature and sensitivity of the processing activities outlined.”
Other topics the project looked at included data controllership, our privacy notices and our policy on handling data subject requests over participant data.
Protecting participant data remains our priority for the future
This means that while our work with the ICO has given us a solid foundation for our work on data, we will need to build on it in the months and years to come. This will involve regularly seeking expert advice on best practice in the use of data in health research and, even more importantly, continuing to listen to our participants to make sure we are meeting their expectations. This is in addition to our work on developing a robust data privacy compliance programme that ensures the protection of participants’ rights and freedoms.
We cannot over-emphasise how important it is we get this right. Just as our work with the ICO is the foundation on which we are currently building our work on protecting data, how we protect participant data will be the foundation on which we build our ambition to make discoveries that transform healthcare in the future.