Trust lies at the heart of the relationship between patients and those that care for them.

Meeting the challenges faced by the health care system requires that we make much greater use of digital technology and increasing sophisticated use of information, but in doing so we need to ensure we preserve trust.

Healthcare professionals have the right to expect patients to share with them the information they need to deliver safe, efficient, defensible, economical viable care and to allow them to record this information and share it with others as far as is necessary to achieve these objects.

Healthcare professionals have a duty to record this data but also to ensure it is used appropriately by themselves and others respecting the patients’ expectations of privacy.

Patients’ need to understand the need for data about them to be recorded and shared and that failure to allow this might result in suboptimal care or in extreme cases mean that care can’t be delivered to them.

Patient’s also have an obligation to allow their data to be used in ways which are in the broader public interest (for example to enable medical research or support economic well-being) where this can be done in ways that properly balance the risk to their privacy with the public interest.

In this blog I suggest some principles that might be applied do balance these rights and responsibilities and preserve trust in the digital age.

Respect the patient wishes and beliefs

Respect the patient’s real or imagined concerns with regard to their privacy, while explaining clearly to them the benefit of sharing to them and the greater good as well the risks of not sharing.

Acknowledge that the risks from a privacy breach vary dramatically depending on an individual’s circumstances, for some even a usually trivial disclosure can be life-threatening

Except in exception circumstances respect the patient’s wishes not to share data even in this decision is unwise and may mean that aspects of care cannot be provided.

Try always to work on the basis of informed consent, even in the case of de-identified data. Understand the emerging approaches that can make the collection and management of consent practical when previously it was not (e.g. www.miconsent.org). Relying on implied consent (with an opt-out option) or the use of legal gateways to avoid the need for consent may sometimes be necessary but such approaches should be used sparingly particularly where there is a material re-identification risk and take all reasonable steps to inform patients that this has been done and their rights to object or opt-out as well of the benefits of not doing so.

Apply the “Least Principle”

Seek to collect the least amount of data and hold it for the least time required to achieve your objective.

Avoid collecting data for which you have no clear need just because it “might come in useful”. Be particularly aware of those data which while not obvious identifying data have great utility to those seeking to re-identify de-identified data (e.g. dates of encounters).

Consider careful before creating large repositories of patient data. These can become what the Information Commissioner once described as a “Toxic Liability” However, the value of such repositories can be considerable. If build with patient consent and regard to privacy, they have an important role to share.

Acknowledge the risks

Acknowledge that there is a residual risk of inappropriate disclosure either by accident or malice and work to minimise it.

Acknowledge the risks of not sharing data which can offer be greater than those of inappropriate sharing. Good information governance is about maximising the benefits from data sharing not blocking it.

Acknowledge that the boundary between identifiable and non-identifiable data is a grey one. In all but the most limited or highly aggregated dataset there is a residual risk that those with motivation and opportunity can re-identify some of the individuals in the dataset. Manage to ensure that those with the motivation do not have the opportunity.

Be aware that for many dataset re-identification is easier than is generally understood and with rich dataset becomes a trivial task. Take active steps to understand and reduce the re-identification risk and carefully protect those dataset where the re-identification risk is material.

Actively manage privacy

Understand that the effective management of privacy requires a mixture of technical measures, governance rules and culture backed by audit to identify potential risks and actual breaches with robust action against those who through either a lack of care or maliciously fail to respect patient privacy.

Be aware of and apply all practical Privacy Enhancing Technologies

Take steps to keep up-to-date with both privacy enhancing technologies (PETs) and those approaches and technologies that might be used by those seeking to breach privacy.

In particular seek to understand approaches to anonymisation and pseudonymisation methods of blind record linkage (which allow record linkage without the exposure of identifiable data and the role that cryptography can play in protecting privacy.