You may not know it, but if you live in the UK and have contacted the NHS with any coronavirus-related health concerns, your data is now being used for research. This is regardless of whether you have previously tried to stop this happening by requesting to use the national data opt-out service.
Data being used may include your medical records or anything collected by healthcare providers in relation to your care. Researchers in universities, government and also private companies are using it to scrutinise the way the virus is transmitted, how the disease progresses, and to help analyse which treatment options are most effective.
Using this data during a time of public emergency may seem reasonable to many people. But this does not change the fact that most of us view our medical records as private. So people will rightly be concerned that their data is being shared without their knowledge or consent.
There are two main laws that dictate how healthcare data privacy in the UK is handled: the Europe-wide General Data Protection Regulation (GDPR), and an additional UK-specific protection called the Common Law Duty of Confidentiality.
Due to the coronavirus pandemic, this second legal duty has been quietly relaxed and the authority of an important review body suspended to allow researchers unprecedented access to patient data.
GDPR and your data
In the UK, the Data Protection Act 2018 turns the principles outlined in the EU’s GDPR into national law.
The legislation also provides details of how such data should be handled and safeguarded, including the importance of identifying the lawful basis under which the data is to be stored and processed. There are six possibilities for such a basis: