Article Text

Download PDFPDF

Using routinely collected health data for surveillance, quality improvement and research: Framework and key questions to assess ethics and privacy and enable data access
  1. Simon de Lusignan
  1. Harshana Liyanage
  1. Concetta Tania Di Iorio
  1. Tom Chan
  1. Siaw-Teng Liaw
  1. Department of Clinical and Experimental Medicine, University of Surrey, UK
  2. Serectrix snc, Pescara, Italy
  3. School of Public Health and Community Medicine, UNSW Medicine, Australia
  1. Author address for correspondence: Simon de Lusignan, Department of Clinical and Experimental Medicine, University of Surrey, Guildford, Surrey GU2 7XH, UK s.lusignan{at}


Background The use of health data for public health, surveillance, quality improvement and research is crucial to improve health systems and health care. However, bodies responsible for privacy and ethics often limit access to routinely collected health data. Ethical approvals, issues around protecting privacy and data access are often dealt with by different layers of regulations, making approval processes appear disjointed.

Objective To create a comprehensive framework for defining the ethical and privacy status of a project and for providing guidance on data access.

Method The framework comprises principles and related questions. The core of the framework will be built using standard terminology definitions such as ethics-related controlled vocabularies and regional directives. It is built in this way to reduce ambiguity between different definitions. The framework is extensible: principles can be retired or added to, as can their related questions. Responses to these questions should allow data processors to define ethical issues, privacy risk and other unintended consequences.

Results The framework contains three steps: (1) identifying possible ethical and privacy principles relevant to the project; (2) providing ethics and privacy guidance questions that inform the type of approval needed; and (3) assessing case-specific ethics and privacy issues. The outputs from this process should inform whether the balance between public interests and privacy breach and any ethical considerations are tipped in favour of societal benefits. If they are then this should be the basis on which data access is permitted. Tightly linking ethical principles to governance and data access may help maintain public trust.

  • confidentiality
  • jurisprudence
  • patient data privacy
  • patient rights
  • public health surveillance
  • research ethics

Commons license

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.


Health research projects conducted in an international setting are increasingly attempting to bring together large data sets utilising patient’s computerised medical record data.1 Advances in secure computational methods make projects of this nature feasible and able to meet strict information governance standards that reduce the chances of any breach in privacy.

Privacy and ethical issues in real-life projects are complex and often project specific. Variations in published guidelines are influenced by the type of study participants, funding bodies, regional legislation, and so on.2 Despite these differences, privacy and ethics are fundamental principles in biomedical science. The privacy and ethical framework described in this paper provides a generic evidence-based approach, with a focus on linking principles to practical questions that inform the approvals required to enable health data access. It recognises that research must be in the public interest and have citizens’ trust.3,4

Need for a pragmatic approach for dealing with privacy and ethical issues

Many projects deal with ethical, privacy and data access issues within the same work package or committee. However, while they might be grouped together at the project-level, ethical approvals (if any) required for surveillance, quality improvement (QI) and research projects are subject to layers of regulation different from those that ensure privacy standards. Approvals are generally made by separate bodies that deal with specific areas. In general research ethics approval, or exemption from it, is dealt with separately from data protection and information governance. Moreover, approvals for international studies are obtained from separate bodies in different countries. This paper proposes a pragmatic methodology for researchers who want to use health care data for research, surveillance and service evaluation projects spanning from a conceptual framework to actionable assessment techniques.

Building a privacy and ethical framework

The privacy and ethical framework consists of a set of privacy and ethical assessment principles derived by a review of the relevant ethics and privacy literature (Table 1). The associated questions were developed by translating principles to fit the context of the potential use cases that the principles will be applied to. We considered examples in the existing literature that highlighted implications of applying (or not applying) privacy and ethical principles within specific health research settings or scenarios.

Table 1 Key information sources

The framework adopts controlled vocabularies and standard definitions to ensure consistent understanding of the privacy and ethical principles. The set of principles and questions are extensible and can evolve in a manner that can absorb new research in the area and to adapt to changing legislations. The principles and questions are referenced to their original source.


Controlled vocabularies are important to ensure consistency of the concepts used across studies and in different countries.5 This approach is needed because the terminologies used for describing privacy, ethics and data access concepts are diverse. For example, the definitions of terms such as ‘data owner’, ‘data custodian’ and ‘data processor’ have overlapping meanings. Legal definitions, in the field of data protection, are often used very differently from how the same terms are used in research projects. We have built on a prior initiative for developing controlled vocabularies and ontologies in this domain.6 We have extended this work by enriching the controlled vocabularies with additional findings from our literature survey and by adopting standard definitions accepted within the domain (e.g. European Union Data Protection Directive,7 or other regionally appropriate definitions such as the Australian Privacy Principles8).

Step 1: Exploring ethical and privacy principles

The first step is to consider key (1) ethical and (2) privacy principles relevant to the research being conducted. Areas are included, or not, depending on the nature of the study.1,916

Step 2: Ethical and privacy questions to inform the approvals needed

The second stage involves asking and answering the ethical and privacy guidance questions for the principles that apply to that study. The guidance questions will be grounded on the identified ethical principles. They will support privacy and ethical evaluation of research studies and issues that arise during the lifetime of the projects. Researchers should include privacy and ethical considerations relevant to their study design and through this process identify what approvals are needed.17 Data custodians can also use these questions to assess requests to share data.

Step 3: Should access to data be granted?

The responses to questions in Step 2 should inform whether there is an ethical basis for data access. Key areas to consider are: (1) mitigation strategies to be implemented to conform to privacy and ethical principles; (2) data flow modifications, that is any change in data processing to enhance privacy (e.g. use of aggregated data rather than with identifiable personal information); (3) what local approvals need to be put in place, which may be nationally stipulated and (4) protocols for data access; the use of pooled data may be authorised; alternatively, distributed analysis or a hybrid.


The framework can be represented as a number of use cases involving multiple stakeholders; they will vary according to the type of study. The overall use case diagram for the framework is illustrated in Figure 1. ‘Use cases’ are generally used to model systems and their interactions in software engineering. They describe a story of how a system and its actors (those who engage in various interactions with the system) collaborate to achieve a specific goal. These diagrams are frequently used while gathering technical requirements associated with health information systems.18,19 We have followed Unified Modelling Language use case notation as given in the Rational Unified Process to create these diagrams.20

Figure 1 Overall use case diagram for the privacy and ethical framework. The box indicates the system of interest and the oval within corresponds to the processes within the system that are inter-related. The actors who interact with the system (and its processes) are drawn around the box
  1. Researchers and research ethics committees: The same principles and questions should apply to all involved in research. Privacy and ethics are included in the design of a study, and generally studies go on to receive ethical approval as the potential issues are considered from the initial stages. The actors in this use case will typically involve primary investigators who design the study, the ethics committee members who approve studies and data custodians who provide approval for data access. The ethics of research studies will have a higher degree of scrutiny as interventions might include new treatments.

  2. QI: A narrower range of privacy and ethical considerations generally apply to QI initiatives. Protection of public from harm is generally not an issue as most parts of those studies usually have a high degree of patient safety in built. Treatment used in QI studies are already approved and whether to treat is decided by both the clinician and the patient according to clinical standards and patient’s preference. As data are generally handled at a local level, data sharing is less complicated in this use case.

  3. Surveillance: Generally, using data for disease surveillance is part of a health system’s public health functions and therefore fewer ethical principles apply. However, a duty of privacy remains where data are further used to inform QI or research; in which case different principles pertain. Data are mostly reported as aggregated summaries and the unit used for reporting is generally regional or city level though sentinel surveillance networks report at the national level. The unit of reporting largely ensures that privacy of individuals is maintained despite reports are published at regular intervals. However, privacy concerns might arise when stratifying populations into narrow age-bands or localities and in the reporting of rare events. During epidemic outbreaks, personal data and samples may need to be collected for public health purposes. Whilst the privacy and ethical considerations applied in this use case are limited, patients should still be given the right to opt out of their data being used for surveillance.

The use cases also involve representatives from the public including patients, carers (generally parents in the case of children) and non-patient citizens. Present-day research studies should have a high level of patient and public engagement throughout the research process. Patient group representatives should get involved as early as the design stage of the study to ensure that studies are likely to be beneficial to patients and to help maintain wider public trust. We have drawn secondary-level use cases suggesting how the privacy and ethical framework will be utilised (Figures 24).

Figure 2 The use case utilising the privacy and ethics framework in the context of research studies. Research requires the greatest level of scrutiny and involvement of actors – eight different actors are identified as important in this process. Citizens are important as research in the public interest must also be acceptable to citizens. Patients include consenting research participants and carers include parents and those with power of attorney
Figure 3 The use case for utilising the privacy and ethics framework for QI studies. Generally, ethical approval is not required here in contrast to the research use case. Public interest is also important in this use case. QI studies requires a protocol just as research studies
Figure 4 The use case for utilising the privacy and ethics framework for surveillance. Surveillance is conducted in the public interest, and although it does require clear reporting methods, it does not require a protocol or research ethical approval. However, individuals still have the right to expect that their privacy is protected. Only for a small number of specified diseases is legal compulsory information passed to public health specialists (e.g. Salmonella food poisoning)


This paper describes an extensible framework that can be used to explore the ethical and privacy principles related to research, QI and surveillance. The framework links to key questions that help ensure that important issues are identified. Further research is needed to test the reliability of this approach and the completeness and validity of the principles included in it. This is planned as an activity of the International Medical Informatics Association and European Federation for Medical Informatics Primary Health Care Working Groups.

The strength of this approach is the extensibility and adaptability to different research scenarios, as demonstrated in the example use cases. The coupling of ethical principles with the privacy and data protection requirements to access data represents a change from current practice, where they are often considered separately. The purpose of this integration is to help maintain the trust of citizens by ensuring that the use of routine health data is for ethical purposes and demonstrably in the public interest.

APPENDIX A – Ethical guidance questions

Adapted from Willison et al. (2014)

  1. What are the burdens and potential harms associated with the proposed initiative? Who bears them?

  2. Are burdens and potential harms justified in light of the potential benefits to participants and/or to society?

  3. Is the selection of participants fair and appropriate?

  4. Is individual informed consent warranted? Is it feasible? Is it appropriate? Is it sufficient?

  5. Is community engagement warranted? Is it feasible? What level of engagement is appropriate?

  6. What are the social justice implications of this initiative?

  7. What are the potential longer term consequences?

APPENDIX B – Privacy and data access guidance questions

  1. Who is accountable for the data and where will it be stored?

  2. Who will have access to the data?

  3. Is there an audit trail to indicate that the data was obtained lawfully?

  4. Has sufficient level of anonymisation achieved?

  5. Are there any restrictions for secondary processing the data?

  6. Can the accuracy of the data be verified?

  7. Are the data processing/transformation processes documented and approved?

  8. Is there a method where individuals can opt out of being included from the data?


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
  10. 10.
  11. 11.
  12. 12.
  13. 13.
  14. 14.
  15. 15.
  16. 16.
  17. 17.
  18. 18.
  19. 19.
  20. 20.