- (i) from that information, or
- (ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
The Regulations referenced in section 251 may make provision broadly under two headings: (i) for requiring prescribed communications of any nature which contain patient information to be disclosed by health service bodies or relevant social care bodies in prescribed circumstances, and (ii) for requiring or authorizing the disclosure or other processing of prescribed patient information, again in prescribed circumstances.
The public interest-based Regulations referred to in section 251 find their current form in the COPI Regulations. These Regulations explicitly set aside the common law duty of confidentiality: ‘Anything done by a person that is necessary for the purpose of processing patient information in accordance with these Regulations shall be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it.’ 93
Regulation 5 of the COPI Regulations provides as follows:
Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved –
- (a) in the case of medical research, by both the Secretary of State and a research ethics committee, and
- (b) in any other case, by the Secretary of State.
Based on what is set out in the COPI Regulations (including its Schedule), the HRA is responsible for appointing a committee for the purposes of giving advice to the Secretary of State and the HRA on the application of the COPI Regulations and the disclosure of confidential patient information, for both research and non-research medical purposes, without patient consent. The committee that has been appointed by the HRA for this purpose is known as the Confidentiality Advisory Group (CAG). CAG consists of upwards of 20 members and comprise a mixture of expert and lay members; meetings take place upwards of twice per month. 94 The CAG acts as a safeguard through providing reassurance that section 251 applications are independently scrutinized by an impartial group before a final decision is taken.
It is clear that there is a public interest in promoting medical research to help improve health and wellbeing. For example, the Health and Social Care Act 2012, which largely applies only to England, makes it a duty of the Secretary of State to promote research on matters relevant to the health service. 95 The same Act established the Health and Social Care Information Centre, 96 which, inter alia, has duties to maintain standards, promote the core function of health services, and to develop a confidentiality code of practice. This builds on the statutory provision established by section 251 of the NHS Act 2006 that allows the Secretary of State to make provisions for the processing of patient medical data for medical purposes where (i) neither consent nor anonymization is possible or practicable, and (ii) when otherwise it would be a breach of confidence to use those data. The HRA has had responsibility to administer these powers since 2013. Applications and proposals for research uses, together with providing advice on draft regulations, are delegated to CAG, which advises decision makers—the HRA or the Secretary of State—whether applications to process confidential patient information without consent should be approved or not.
In terms of remit, the NHS Act 2006 and COPI Regulations have a number of inbuilt safeguards that the CAG considers as part of its assessment of applications from researchers to access confidential patient information. 97 Among other things, this includes assurance that the activity must be in the public interest or in the interests of improving patient care, and that the public interest in the disclosure and potential benefits must, on balance, outweigh the breach of confidentiality.
The CAG also often considers whether patient groups or service users have been consulted to test the acceptability of the proposal to help identify the reasonable expectations of a patient on the proposed data use, and subsequently the public interest.
All of this, then, may be seen as the statutory creation of a public interest basis for disclosing confidential information without consent, albeit under a number of strict conditions and for a defined medical purpose. Undoubtedly, given the broad definition of ‘patient information’, ‘confidential patient information’, and the wide meaning attributed to ‘medical research’ under the NHS Act 2006, it is fair to assume that the section 251 statutory gateway is the primary legal basis for the vast majority of health research involving confidential information. However, as I have been keen to stress in this article, not all forms of confidential information and research are captured by section 251, and increasingly, health research and other kinds of scientific research involve a variety of data that do not constitute ‘confidential patient information’, including education, employment, financial, and pension data. The absence of a statutory gateway in these scenarios leaves the door open to a public interest grounded in the common law, as well as innovative policy formulation.
Before moving on, importantly for this article and the argument herein, it is also necessary to highlight Regulation 3 of the COPI Regulations. Regulation 3 both permits the processing of ‘confidential patient information’ and allows the Secretary of State to mandate processing for a range of public health purposes:
- (a) diagnosing communicable diseases and other risks to public health;
- (b) recognising trends in such diseases and risks;
- (c) controlling and preventing the spread of such diseases and risks;
- (d) monitoring and managing—
- (i) outbreaks of communicable disease;
- (ii) incidents of exposure to communicable disease;
- (iii) the delivery, efficacy and safety of immunisation programmes;
- (iv) adverse reactions to vaccines and medicines;
- (v) risks of infection acquired from food or the environment (including water supplies);
- (vi) the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.
With respect to the power to mandate processing, COPI Regulation 3(4) empowers the Secretary of State to require processing for these purposes by issuing a ‘notice’ to require a body or person specified in Regulation 3(3) to process that information for the purpose and time period specified in the notice. These are known as ‘COPI Notices’. In March 2020, at the beginning of the COVID-19 pandemic, the Secretary of State for Health and Care issued four COPI Notices, requiring, among other things, that NHS England, GPs, local authorities, combined authorities, and arm’s-length bodies of the Department of Health and Social Care process confidential patient information to support the Secretary of State’s response to COVID-19 (known as a ‘COVID-19 purpose’). 98 A COVID-19 purpose included ‘research […] in relation to COVID-19’. 99 These Notices were renewed repeatedly over the course of the pandemic and eventually expired in 2022, although one carried on through 2023. 100 While the usual legal basis for many of the activities in a COPI Notice would have been Regulation 3 of the COPI Regulations, this is not the case for research, which is not explicitly mentioned in Regulation 3, although public health research may be seen to fall within its spirit. 101 Much of the background discussion at the time the Notices were issued centered on the fact that the use of ‘confidential patient information’ for research in these circumstances was justified on the basis of overriding public interest, namely seeking insight regarding, and an evidence-based response to, the COVID-19 pandemic.
Following expiry of the COPI Notices, researchers and others relying on a COPI Notice and who needed to process confidential patient information for COVID-19 purposes would require an alternative legal basis for processing of confidential patient information thereafter, which could include obtaining patient consent, Regulation 3 support (presumably for non-research-related activities), or applying to the CAG to transition to Regulation 5 support (presumably for research-related activities, where applicable). Here, I would argue that in circumstances where a section 251 application (Regulation 5 support) is not feasible for one reason or another (eg, the confidential information sought is not ‘confidential patient information’), the COPI Notices themselves suggest that there may be an overriding public interest in using confidential information for research involving public health emergencies, even if the information is not ‘confidential patient information’ for which section 251 application (Regulation 5 support) is applicable. Thus, although the COPI Notices have expired as of the time of writing, the underlying principled justification for their enactment and support ought to be considered as still retaining value—something I consider in Sections 5 and 6.
What the foregoing analysis indicates is that far from being a temporary fix for concerns about the legal basis for using ‘confidential patient information’ without consent for secondary purposes such as research, legislation in England has endured for over two decades that charts a clear pathway for such use. It suggests three things. First, that the public interest can be codified in law and permit uses beyond those concerning risk of serious harm to others and risk of serious crime—in this case, a variety of forms of ‘medical research’. Specifically, this is public interest codified as a mechanism of section 251 support, where the disclosure and use can occur under a COPI Regulation and there is a mechanism for independent oversight and detailed consideration of the public interest; crucially, it is to be contrasted with the separate overriding (and non-statutory) public interest discussed in this article, which is (rightfully) more circumscribed because it is not accompanied by a similar oversight procedure. Second, though, it suggests that any future statutory developments similar to the COPI Regulations may curtail judicial discretion to develop the common law, particularly with regard to use or disclosure of ‘confidential patient information’ that might fall within scope of legislation. Yet, third, it also suggests that the basis for a broader expansion of the (non-statutory) overriding public interest is not human rights per se, including a human right to science, but rather a general recognition about the need for clear legal and policy positions that justify breaching confidentiality and waiving consent when confidential information other than ‘confidential patient information’ is used for research, and a more generalized principle that in the absence of such a legal or policy pathway, some forms of research that would be seen as being in the public interest would be wrongly thwarted.
III.C.4. Regulatory Guidance and Public Opinion
Finally, regulatory guidance and (limited) public opinion would also suggest the scope of the public interest basis may be broader than first appears. The Department of Health’s guidance from 2010, Confidentiality: NHS Code of Practice—Supplementary Guidance: Public Interest Disclosures, makes clear that there are no fixed categories of what a public interest basis for disclosure may be, and that decisions ‘must be made on a case-by-case basis’. 102
The guidance lends weight to a view that serious ‘crime or harm to others’ are the primary categories of a public interest basis, yet the door is not closed to other categories, as the guidance also suggests a public interest justification for disclosure can be considered in situations where:
- Disclosure would be in the public interest; and
- The purpose of the disclosure cannot be achieved with anonymised information; and
- There is no statutory basis for disclosure; and
- Patient consent has not been given because:
- – It is not practicable to ask the patient(s) for consent because, for example, there are no up-to-date contact details for the patient, or the matter is urgent and the patient cannot be contacted; or
- – It would be inappropriate to ask the patient(s) because, for example, they lack the capacity to give consent, or they are suspect(s) who should not be informed that they are under criminal investigation; or
- – The patient(s) have been asked for consent and refused. 103
While the first consideration is question-begging (what would be the specific public interest served for the disclosure?), the subsequent considerations leave open the door to situations that may concern something other than serious crime or harm to others. Indeed, the guidance goes on to state that:
There are clearly cases where disclosure of information may be in the public interest for a reason unrelated to serious harm or serious crime. The decision to disclose must take account of the likelihood of detriment (harm, distress or loss of privacy) to the individuals concerned, but a proportionate disclosure may be acceptable where there is clear benefit to the public. […] Similar considerations may apply to some research uses which do not affect the rights, freedoms or legitimate interests of individual patients. 104
The guidance further goes on to note that because there is little case law in this area, it is recommended that advice be sought from the HRA’s CAG before making such a disclosure. A footnote in the guidance also states that in a research context, disclosure might occur ‘where a research ethics committee has advised that there is little or no risk of detriment to patients’, 105 although it is questionable whether they always have the requisite competence to make such a determination. 106
The British Medical Association (BMA) also has developed recent guidance in this area, albeit with a focus only on the medical (and patient information) context. 107 It defines public interest as ‘the general welfare and rights of the public that are to be recognised, protected and advanced’, 108 and states that a disclosure of confidential information can be in the ‘public interest’ if it is essential (i) to prevent, detect, or prosecute serious crime; (ii) to prevent a serious threat to public health or national security; or (iii) to protect individuals or society from serious harm. 109 Clearly, then, the BMA guidance stresses the importance of a qualifier of ‘serious’ to limit the circumstances of breaching medical confidentiality, but does so in contexts broader than crime or harm to others, namely also considering the context of ‘serious threats’ to public health, although it seems to limit this to cases where an individual patient has a medical condition that puts others at risk or where a patient has a ‘serious communicable disease’, 110 rather than an epidemic or pandemic scenario in which entire populations carry or are at risk from an infectious disease—which, again, is understandable given the guidance is addressed to doctors engaged in a doctor-patient relationship where confidential patient information is disclosed. The guidance goes on to state that:
Disclosures in the public interest will generally be cases which relate to a single individual’s information. Decisions about public interest disclosures must be made on a case by case basis. The public interest test cannot be used to justify routine or ongoing disclosures.
Ultimately, the ‘public interest’ can only be determined by the courts. 111
The Department of Health and BMA guidance thus suggests, indirectly, that judicial attitudes will have important but not necessarily full bearing on the development of the public interest. As judges can only rule on cases brought to them, judicial pronouncements alone will contribute only so much to the path of the public interest. Instead, expert committees such as CAG, as well as researchers and doctors themselves, not to mention Caldicott Guardians 112 and legal counsel, have a key role to play in delineating the scope of the public interest. Here, we may also find that views of the public may well feed into (and should feed into) the policies developed, and decisions rendered, by these committees and professionals.
For example, it is worth noting that a 2018 Ipsos MORI poll of 2000 people, who were asked to give their views on sharing NHS patient address data for the purposes of investigate crime and immigration offences, found that a strong majority (71 per cent) supported the NHS sharing a patient’s address details with other government departments in order to trace an individual who has committed non-serious type of crime (eg, tax evasion, benefits fraud or theft), and with only 16 per cent opposed. 113 This might indicate that the public has a wider view of the scope of a public interest basis for disclosure of confidential information than existing judicial pronouncements and regulatory guidance; it might also signal caution, though, that broad support in the abstract for a wider scope of the public interest does not always indicate broad support in practice, and the difficulty of translating preponderance/majoritarian views into a policy faithfully grounded in ‘the public interest’. 114 This alone may be one reason why, in assessing on a case-by-case basis whether there is an overriding public interest to breach confidentiality and disclose information for a research purpose, particularly in the absence of an oversight body (beyond a research ethics committee) assessing such a case, the circumstances still ought to be limited to ‘serious’ situations where the public interest is manifest, such as research into public health emergencies.
To this end, the Department of Health’s and BMA’s guidance should be read alongside the NHS Constitution, 115 which sets out a series of non-justiciable rights and responsibilities for patients and the NHS in England. Among other things, the Constitution commits that each patient has:
…the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
…the right to be informed about how your information is used.
…the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
In turn, the NHS ‘pledges’:
to anonymise the information collected during the course of your treatment and use it to support research and improve care for others.
where identifiable information has to be used, to give you the chance to object wherever possible.
to inform you of research studies in which you may be eligible to participate.
This series of non-justiciable rights and responsibilities suggests that confidential (patient) information, particularly where identifiable, ought not to be used without patient knowledge and opportunity to object. A public interest override of this would be a tall order to meet the reasonable expectations of patients; many kinds of research are unlikely to meet those expectations. Yet other areas may well, particularly when we consider the Department of Health regulatory guidance that opens the door to ‘some research uses which do not affect the rights, freedoms or legitimate interests of individual patients’. 116
In sum, then, jurisprudence, legislation, academic commentary, and regulatory guidance (alongside very limited public opinion) alike suggest that the scope of the public interest is not necessarily limited to preventing risk of harm to others and preventing or detecting serious crime, although the qualifier ‘serious’ continues to hold significant weight. Likewise, although not always overtly referenced, the notion of a risk or threat to wellbeing being imminent or immediate also seems to hold weight; this temporal element is something I return to below in thinking about the kinds of research scenarios that could be permissible on this basis of public interest buttressed by the human right to science. This means that broadening the scope to cover confidential information sharing for all kinds of research purposes, absent certain qualifiers, would be a step too far. It may be seen as too ‘indirect, cumulative, uncertain and non-immediate’ and:
… require some ingenuity to convince a court that the public interest defence can be used to breach the confidence of someone whose information is merely useful to others when combined with other information […] as opposed to someone who, alone, presents a specific and immediate danger to others. 117
Yet, outside of section 251 scenarios involving confidential patient information, there does appear to be some scope for broadening the public interest to encompass some kinds of research—albeit seemingly largely confined to health research that has been considered by a research ethics committee and which makes use of confidential information for research regarding something like a public health emergency.
What none of these cognate domains have considered hitherto, however, is whether the basis for broadening of the scope of the public interest (again, outside the section 251 context) to cover research in scenarios such as public health emergencies may rest on the bolstering hook of human rights—and in particular human rights that have not per se been domesticated in UK law, unlike those in the ECHR. Thus, I turn now to consider the human right to science and the potential for its application in domestic jurisprudence as a buttress to an overriding public interest basis.
IV. THE HUMAN RIGHT TO SCIENCE IN THE UK
The principle human rights framework that applies in the UK is drawn from the ECHR and its domestication through the HRA 1998. This means that the delineated rights from the ECHR are directly justiciable within its domestic courts. In relation to confidentiality law and the public interest, we have seen this play out in cases concerning breach of confidentiality—but even more so in cases concerning privacy interests, reflected in Article 8 ECHR, and a distinct cause of action, the emerging tort of misuse of private information 118 —both in terms of the limitation to the right to privacy afforded in Article 8(2) ECHR 119 and in terms of a public interest in freedom of expression, reflected in Article 10 ECHR. Both Article 8(2) and Article 10 ECHR can be seen as ‘checks’ on privacy interests that are akin to the exception represented by the public interest in common law. Indeed, it is worth noting English courts’ growing recognition of the importance of ECHR-delineated human rights, which date from 1950—even before the Convention was domesticated in UK law under the HRA 1998. For analogical purposes, it is worth exploring how human rights analysis fits within the misuse of private information tort.
IV.A. Human Rights Analysis within Misuse of Private Information and Breach of Confidence Claims
The public interest also serves as a defense in claims for misuse of private information, where human rights feature in the analysis much more pronouncedly than they do in breach of confidence claims. Here, courts generally adopt a two-stage process addressing two broad issues: (i) whether Article 8 ECHR is engaged at all, which depends in turn on whether the claimant had a ‘reasonable expectation of privacy’ in respect of the relevant information; (ii) if Article 8 ECHR is engaged, whether the defendant’s interference with the claimant’s right to privacy was justified by other relevant considerations, such as the defendant’s own rights, the rights of others, and/or the public interest. In some of these cases, particularly those involving publication (or threatened publication) of private information by a media organization or person, Article 8 is balanced against Article 10 (right to freedom of expression).
The UK Supreme Court case of Bloomberg LP v ZXC 120 has affirmed that for the first stage, whether there is a reasonable expectation of privacy is an objective question. With respect to the second stage, there is no test or formula to determine which interest should prevail in a given case. A balancing exercise is carried out in each instance to determine which interest should prevail. As Lord Steyn noted in Re S (A Child), proportionality is the key factor in examining the precise scope of confidentiality (or privacy) and freedom of expression rights being claimed:
First, neither article [of the ECHR] has as such precedence over the other. Secondly, where the values under the two articles are in conflict, an intense focus on the comparative importance of the specific rights being claimed in the individual case is necessary. Thirdly, the justifications for interfering with or restricting each right must be taken into account. Finally, the proportionality test must be applied to each. 121
And, as noted by the Court of Appeal in Associated Newspapers Ltd v Prince of Wales, 122 which involved a breach of confidence claim, the key question is whether it is in the public interest that the duty of confidence should be breached (or, analogously, that private information be used and disclosed), and given this means overriding a private law right, factors of real weight and importance must be present:
There is an important public interest in the observance of duties of confidence. […] Before the Human Rights Act came into force the circumstances in which the public interest in publication overrode a duty of confidence were very limited. […] Today the test is different. It is whether a fetter of the right of freedom of expression is, in the particular circumstances, ‘necessary in a democratic society’. It is a test of proportionality. But a significant element to be weighed in the balance is the importance in a democratic society of upholding duties of confidence that are created between individuals. It is not enough to justify publication that the information in question is a matter of public interest. […].
For these reasons, the test to be applied when considering whether it is necessary to restrict freedom of expression in order to prevent disclosure of information received in confidence is not simply whether the information is a matter of public interest but whether, in all the circumstances, it is in the public interest that the duty of confidence should be breached. The court will need to consider whether, having regard to the nature of the information and all the relevant circumstances, it is legitimate for the owner of the information to seek to keep it confidential or whether it is in the public interest that the information should be made public. 123
Article 10 ECHR provides that everyone has the right to freedom of expression, but also provides that this freedom may be subject to such restrictions as are prescribed by law and are necessary in a democratic society for (among other things) protecting the rights of others and/or preventing the disclosure of information received in confidence. Even before the ECHR had been incorporated into domestic law, Lord Goff in the Spycatcher case recognized the importance of balancing human rights against disclosure of information received in confidence:
… I can see no inconsistency between English law on this subject and article 10 of the European Convention on Human Rights. […] The exercise of the right to freedom of expression under article 10 may be subject to restrictions (as are prescribed by law and are necessary in a democratic society) in relation to certain prescribed matters, which include ‘the interests of national security’ and ‘preventing the disclosure of information received in confidence’. It is established in the jurisprudence of the European Court of Human Rights that the word ‘necessary’ in this context implies the existence of a pressing social need, and that interference with freedom of expression should be no more than is proportionate to the legitimate aim pursued. I have no reason to believe that English law, as applied in the courts, leads to any different conclusion. 124
In English law, prescription by law is to be found in the established common law principles of confidentiality. This means that in any case, a claimant must bring the claim within those principles. As Phipps and colleagues note, in so far as the claim is based on the equitable doctrine of confidentiality (rather than, say, a contractual basis), it involves the test of the reasonable recipient’s conscience. 125 Moreover, ‘[t]he principles include recognition that in some cases a duty of confidentiality may be negated or qualified by public interest. Proportionality in this context is an aspect of the relevant principles rather than a separate principle.’ 126
From this analogy to the tort of misuse of private information analysis, a key question arises: may one extend the ECHR-driven analysis to a human right to science, which, even if not incorporated into domestic law per se, would prima facie permit a court or other competent body to consider whether another human right—namely the promotion of scientific progress and its application—would override a duty of (or right to) confidentiality in a particular set of circumstances—and if so, what extra weight (if any) is the human rights ‘gloss’ adding to the public interest basis? Does the human right to science serve as a basis for a conflict of rights argument, 127 as weighed against a common law duty of/right to confidentiality, or is it rather more of a juridical ‘buttress’ to a public interest basis for confidential information disclosures?
IV.B. What Does the Human Right to Science Entail?
As noted above in the Introduction, one right enshrined in the UDHR is the right of everyone to ‘share in scientific advancement and its benefits’ (Article 27). Scholars consider the right to have at least a dual-pronged nature: the promotion of the beneficial effects of science, as well as the protection against its adverse effects. 128 In 1966, this right was incorporated into the ICESCR, a binding treaty that refers explicitly to the UDHR and represents an international endeavor to give legal force to the rights, and to which, to date, 171 countries have voluntarily agreed to be bound. This includes the UK, but the UK is not a signatory to the Optional Protocol to the ICESCR, which means it does not agree to recognize the competence of the Committee on Economic, Social and Cultural Rights to consider complaints from individuals or groups who claim their rights under the ICESCR have been violated. Unlike most other human rights, the right to science has never been legally defined and many countries, including the UK, have seemingly forgotten about its existence, much less its implementation. 129 It should be added that the ECHR itself does not contain a provision on the right to science, and nor is it provided in the Council of Europe’s European Social Charter. In itself, this suggests that a ‘right to science’ may sit uneasily with many governments, particularly regarding what it would mean in practice and the reasonable limits one ought to set around the various entitlements and responsibilities that attach to it.
The principal right to science is located in Article 15(1)(b) ICESCR, which denotes the right of everyone to enjoy the benefits of scientific progress and its applications. The article also expounds on the obligations of States parties to take steps for the conservation, development, and diffusion of science (Art. 15(2)), to respect the freedom indispensable for scientific research (Art. 15(3)), and to promote international contacts and cooperation in the scientific field (Art. 15(4)). Yotova and Knoppers argue that the human right to science has two main aspects: the right to access scientific knowledge and information and, second, the right to benefit from scientific applications. 130 It is the first aspect that particularly speaks to the value of data sharing; after all, access to scientific knowledge is necessarily contingent on access to underlying data to drive analysis and understanding, leading to information and ultimately to knowledge. 131 They also observe that this right comes to include, ‘in its core content, a right to access scientific information, including data and scientific publications, to be enabled by states’. 132
IV.C. A Conflict of Rights?
In her 2012 report to the Human Rights Council, the Special Rapporteur in the field of cultural rights, Farida Shaheed, noted that the ‘scope, normative content and obligations of the State under this right […] remain underdeveloped while scientific innovations are changing human existence in ways that were inconceivable a few decades ago’. 133 The Special Rapporteur emphasized the link between the rights to science and the right to participate freely in the cultural life of the community, as well as with the freedom of expression. She remarked on both its intrinsic value and instrumental value as a prerequisite for the realization of a number of other human rights (eg, rights to health, water, housing, and education; right to development; right to a clean and healthy environment). She elucidated that:
The terms ‘benefits’ of science and ‘scientific progress’ convey the idea of a positive impact on the well-being of people and the realization of their human rights. The ‘benefits’ of science encompass not only scientific results and outcomes but also the scientific process, its methodologies and tools. 134
The Special Rapporteur stated that the human right to science may, as with most other rights, be subjected to limitations, in accordance with relevant international standards:
…such limitations must pursue a legitimate aim, be compatible with the nature of this right and be strictly necessary for the promotion of general welfare in a democratic society, in accordance with article 4 of the Covenant on Economic, Social and Cultural Rights. 135 Any limitations must be proportionate: the least restrictive measures must be taken when several types of limitations may be imposed. Furthermore, existing international human rights standards on limitations that can or cannot be legitimately imposed on rights intrinsically linked to the right to science, such as the rights to freedom of opinion and expression, to information and to association, taken into consideration. 136
Only limited mention was made, however, regarding limitations that might be applied to using confidential (or otherwise private) information to realize the human right to science, much less how this right might conflict with other rights or duties, including privacy and confidentiality. The Special Rapporteur noted that:
Conducting research in a socially responsible manner in accordance with ethical standards is emphasized in article 14 of the Universal Declaration on the Human Genome and Human Rights. Rights and freedoms that may be most threatened by the conduct of scientific research, especially those involving exposure or contact and social science research eliciting personal data, are the rights to physical and intellectual integrity, liberty and security, to privacy, and to seek, receive and impart information. 137
No mention of limitations in this context was made either in a two-day seminar held in 2013 and convened by the Office of the United Nations High Commissioner for Human Rights (OHCHR) beyond a general recognition that scientific freedom is ‘not absolute and must be enjoyed responsibly’. 138 No mention is made in secondary literature either, suggesting limited guidance to date on how to reconcile any conflict between the human right to science and, say, the right to privacy or a broader (common law) right to confidentiality in one’s personal health information. Indeed, this raises questions about how respecting a ‘right’ to confidentiality might in turn inhibit the right to science (eg, incomplete data can adversely impact data quality and scientific progress), and how to reconcile a civil right with a socio-cultural right, particularly when all human rights are seen as universal, inalienable, indivisible, interdependent, and interrelated.
In 2020, the United Nations Committee on Economic, Social and Cultural Rights (CESCR) published General Comment No. 25 on Science and Economic, Social and Cultural Rights, which provides much-needed interpretative guidance on the right to science and a basis for measuring and monitoring implementation of the right. The General Comment noted that ‘science’ ought to be interpreted broadly (eg, every possible branch of scientific research), and scientific ‘applications’ ought to be interpreted broadly and include the technology deriving from scientific knowledge, such as medical applications, industrial or agricultural applications, and information and communications technology. Likewise, it was stated that:
The term ‘benefits’ refers first to the material results of the applications of scientific research, such as vaccinations, fertilizers, technological instruments and the like. Secondly, benefits refer to the scientific knowledge and information directly deriving from scientific activity, as science provides benefits through the development and dissemination of the knowledge itself. Lastly, benefits refer also to the role of science in forming critical and responsible citizens who are able to participate fully in a democratic society. 139
General Comment No. 25 does, however, explicitly recognize the limitations of the human right to science and in particular as it concerns the use of potentially confidential information: ‘Acceptability [of the right] implies also that scientific research has to incorporate ethical standards in order to ensure its integrity and the respect of human dignity, […] Some of these standards are that […] privacy and confidentiality should be respected […].’ 140 Similar to the Special Rapporteur’s report, General Comment No. 25 also observes that:
…limitations on the right must respect the requirements of article 4 of the Covenant: first, limitations have to be determined by law; second, they must promote ‘the general welfare in a democratic society’; and third, any restriction must be compatible with the nature of the right restricted. As understood by the Committee, this implies that limitations must respect the minimum core obligations of the right, and must be proportionate to the aim pursued. This means that where there are several means reasonably capable of achieving the legitimate aim of the limitation, the one that is least restrictive to economic, social and cultural rights must be selected, and the burdens imposed on the enjoyment of the right should not outweigh the benefits of the limitation. 141
While General Comment No. 25 does not go into any detail about how limitations may be applied in the context of protecting the confidentiality of certain information, and does not mention how science and scientific progress significantly depends on sharing of data—including at times identifiable data that may be private or confidential—it does provide helpful clarification regarding the contours of the human right to science and how any limitations on the right must be carefully considered. It also lends weight to an argument that a public interest basis to lawfully share confidential information would necessitate a balancing exercise similar to that conducted in cases regarding the right to privacy under Article 8 ECHR and freedom of expression under Article 10 ECHR. Indeed, the analogy to Article 10 ECHR is apposite given that Yotova and Knoppers observe that ‘in Europe, with its many scientifically and technologically developed states, the right to benefit from science is understood as a form of collective freedom of expression rather than as a positive right’. 142
The limiting factor here, however, is the English courts’ hesitation to give effect to social and cultural rights of the kind delineated in the ICESCR, given that the treaty, although signed and ratified by the UK, has not been domesticated in law as has the ECHR. Moreover, we must recall that the right to science entails a right of everyone to share in its benefits; this ought to be distinguished from a right of science, which would include the right of scientists to engage in their research free from interference (read as a broader version of freedom of expression under Article 10 ECHR). 143 This means that neither the ICESCR’s general principles nor its substantive provisions can be enforced by domestic courts. Thus, even though General Comment No. 25 stresses that the human right to science ‘is enforceable and is therefore also justiciable’, 144 realistically, this has not come to fruition in the UK. Nor, it should be added, in many other countries; evidence suggests very limited relevant domestic and international case law offering judicial insight into the right. 145
This position is reflected in the UK’s seventh periodic report under the ICESCR (2022), submitted by the Ministry of Justice. 146 The report does not mention the human right to science at all, and notes only in general terms that ‘The UK has implemented a combination of policies and legislation to give effect to the UN human rights treaties it has ratified’, 147 while failing to indicate that because the ICESCR has not been domesticated in law, the human right to science is not per se enforceable or justiciable. The UK Government reiterated, too, that it does not intend to sign the Optional Protocol as ‘the benefits of the communication procedure remain unclear, especially for the applicant’ and believes that ‘effective domestic laws already exist where individuals can seek enforceable remedies if their rights have been breached. It is possible for an individual to challenge any government decision in the domestic courts if their rights have been breached.’ 148 This continues a trend that can traced back to the UK’s first report from 1993, in which the Government justified the absence of incorporating the right to science in domestic legislation on the grounds that ‘[n]o legislation or other government measures have been taken, or are considered necessary, to guarantee that right’, 149 suggesting that ‘domestic law silences do not necessarily imply negation of the right’. 150 Yotova and Knoppers add, importantly, that: ‘It should be borne in mind that a number of domestic legal systems incorporate customary international law automatically, including, arguably, the right to benefit from science, and thus do not require express legislation to give it effect.’ 151
IV.D. The Human Right to Science as a Juridical Buttress to the Public Interest
All this, then, does not foreclose a domestic court from giving due regard to the human right to science as a public interest basis in a breach of confidence claim, but it does suggest the weight a court would afford it would be less than a right emanating from the ECHR and HRA 1998, thus undermining the strength of a conflict of rights claim as between an arguably non-justiciable human right to science and a civil right and common law right (and duty) of confidentiality. It also suggests that the human right to science may be under-implemented in the UK and thus unduly thwart sharing of data to foster scientific and technological development, affecting an appropriate balance between data sharing and respect for confidentiality. Yet there is another limiting step, as Yotova and Knoppers observe that:
The key challenge to the realization of the right to benefit from science is that, as indicated by the reports of the states parties, most scientific research and the generated data are privately funded. This makes it much more difficult for states to enable access to it, given that human rights do not impose obligations directly on private parties absent explicit domestic regulation to this effect and that such measures are scarce in state practice so far. 152
Given that in the UK, human rights tend to be seen as having vertical effect, binding the state (as obligation-holder) to the individual (as beneficiary), and only indirect horizontal effect (ie, not binding individuals and private actors, but enabling an individual claimant to bring a rights violation claim against the state rather than the responsible non-state private actor), the value of the human right to science as a buttress to a public interest basis may be constrained from a lawfulness perspective. Namely, while the HRA 1998-recognized human rights to privacy and freedom of expression are seen as rights of indirect horizonal effect in English law, it is far from clear that the non-domesticated ICESCR’s human right to science would be treated the same. And, from a social license perspective, this constraint may be even more pronounced in contexts where commercial actors seek access to confidential information: empirical research indicates greater reluctance and skepticism among the general public for their data to be used for commercial purposes than for publicly funded research that has a more explicit public purpose, such as a research involving a public health emergency. 153
At most, given the dominant approach of vertical effect and indirect horizontal effect, one would expect courts to acknowledge the UK’s obligation to give effect to the ICESCR’s rights, including for the full realization of the right to participate in and to enjoy the benefits of scientific progress and its applications, but that this would not mean an obligation to consider the impact of the law of confidentiality on the realization of any of the Covenant’s rights in the same way as it might in a consideration of its impact on an ECHR right such as freedom of expression. This would especially be the case where underlying scientific research is privately funded, as it remains an open question whether domestic courts would afford any difference in the interpretation and application of the right between state-funded and privately funded research. Instead, a more general and active recognition of the human right to science—giving it due regard—may provide a kind of buttress to a public interest analysis for assessing the circumstances in which there may be lawful sharing of confidential information. In this article’s context, this would rest particularly on a putative claim by scientists that having defined access to confidential information is necessary and proportionate to the needs for researchers to conduct science, achieve scientific progress, and ultimately disseminate scientific benefits to the public. In the following section, I proceed to consider how such a claim might play out through two hypothetical scenarios that could invoke the human right to science as a buttress to a public interest basis for disclosure of confidential information.
V. TWO HYPOTHETICAL SCENARIOS INVOLVING THE PUBLIC INTEREST
In this section, I consider two hypothetical scenarios, sketched at a relatively impressionistic level, in which a research team wishes to access various kinds of confidential information relating to a significant number of individuals, and a query arises as to whether a public interest basis may be considered lawful in the circumstances, particularly when grounded in the human right to science.
V.A. The Hypothetical Scenarios
Hypothetical scenario 1 Dr Anil Singh has been undertaking a publicly funded study on the incidence of COVID-19 diagnosis, hospitalization, and death in healthcare workers across England, seeking to establish whether there are differences in these COVID-19 outcomes between ethnic minority workers compared to their White colleagues. This involves undertaking a retrospective cohort study using data from multiple linked electronic databases, including identifiable NHS human resource, health regulator data, and various NHS datasets. Dr Singh and his team have assessed that it is either impossible or impractical to gain consent from potential research participants The study is not collecting personal information directly from any individual healthcare workers; instead, identifiable information of approximately 1 million healthcare workers will be provided by regulatory bodies such as the GMC, the Nursing and Midwifery Council, and the General Pharmaceutical Council. Further, the NHS employee records service (known as the Electronic Staff Record, or ESR) will supply employment information about healthcare workers. In order to link the healthcare worker cohort to healthcare outcomes data (to assess COVID-19 outcomes), identifiable data will be shared within NHS England. This identifiable data will be received and pseudonymised by a special health authority that specializes in health informatics, and the pseudonymised data will flow to a trusted research environment (TRE), where it will be encrypted (rendering it anonymous) and stored for analysis. The duty of confidentiality is relevant when considering the sources of data used for analysis. The duty specific to the healthcare context is engaged through use of both primary and secondary care data (which would constitute ‘confidential patient information’). The duty of confidentiality is also engaged in the use of employment data (which is not ‘confidential patient information’), because as part of the contractual employment relationship, an employer (eg, the NHS) has a duty to keep an employee’s data confidential. As such, the participants in the study have a reasonable expectation that their information, be it health or employment-related, will remain confidential and not be used in ways that deviate from their reasonable expectations, unless there is a specific legal basis that lifts the duty of confidentiality. The COPI Regulations cover use of confidential patient information on the basis of the COPI Notices (up until June 2022) and thereafter on the basis of section 251 support and CAG approval. To that end, Dr Singh has applied for and received CAG approval for use of the confidential patient information. However, the COPI Regulations do not apply to this study insofar as workforce employment data (ie, non-‘confidential patient information’) is concerned and thus Dr Singh seeks an appropriate legal basis for use of this information. Dr Singh has obtained a favorable opinion from an NHS research ethics committee for his study.
Hypothetical scenario 2 The Sheffield Teaching Hospitals NHS Foundation Trust wishes to establish a research database aiming to understand the relationship between child health issues and educational attainment levels within the Sheffield locality. The sample to be included within the database will be all individuals within the Sheffield locality who were born between 01 January 1996 and 31 December 2022. It is proposed that routinely collected data from the following sources will be linked to create the research database:
1. Primary care data from all 76 GP practices across the Sheffield region;
2. Secondary care inpatient, outpatient, and emergency care data from Sheffield Teaching Hospitals NHS Foundation Trust;
3. Community care data from Sheffield Health and Social Care NHS Foundation Trust; and
4. School education data from Sheffield City Council, which receive this information directly from the schools, as well as linkage to educational data held by the Department for Education.
Confidential patient information will be provided by all healthcare providers participating in the study, in order to facilitate linkage across datasets. The school education data source detailed above would not fall within the definition of ‘confidential patient information’ as defined in s251(11) of the NHS Act 2006, but does contain individually identifiable information (eg, name, gender, address, date of birth, school, attendance, GCSE results), and the Foundation Trust is keen to link these data with the health data. The duty of confidentiality is engaged in the use of education data because as part of the school/teacher-pupil relationship, a school, teacher (and council) has a duty to keep the pupil’s education data confidential, subject only to disclosure, as necessary, to the pupil’s parent(s) or legal guardian(s). As such, the participants in the proposed research database have a reasonable expectation that their information, be it health or education-related, will remain confidential and not be used in ways that deviate from their reasonable expectations, unless there is a specific legal basis that lifts the duty of confidentiality. Given the large population-wide study, the Foundation Trust have assessed that it is either impossible or impractical to gain consent. The team is considering how best to proceed concerning various approvals, including NHS research ethics committee approval and section 251 approval through the Confidentiality Advisory Group to obtain support for disclosure of the confidential patient information. The team is also considering how to obtain confidential information concerning the school education data without consent (from adolescents and/or parents), namely by way of a public interest justification.
In hypothetical scenario 1, confidential information is sought for a clear research-related purpose: assessing potentially different care outcomes stratified by ethnicity during a public health emergency, specifically a pandemic that has caused the deaths of millions of people globally and several hundred thousand people in the UK, including a significant number of healthcare workers. Moreover, insofar as non-confidential patient information is involved, the statutory gateway afforded by section 251 of the NHS Act 2006 and the COPI Regulations is not available for use, meaning that the research team will need to rely on another legal basis to access and use the relevant confidential information. The question thus arises: can the legal basis be the public interest, and if so, how might it be supported (if at all) by the human right to science claim?
In hypothetical scenario 2, we are outside the realm of a public health emergency, but still firmly within the realm of scientific research and a bona fide study with bona fide researchers. While CAG may provide section 251 support and approval insofar as it relates to non-consented disclosure and use of confidential patient information, they may likely do so provided certain conditions are fulfilled. This may include a requirement that the team in charge of establishing the research database ensure that appropriate security arrangements are in place; requiring all staff at Sheffield City Council who are involved in processing information for this study should have successfully completed local security awareness training before processing any information; confirmation that the study has received a favorable opinion from an NHS research ethics committee; and support from NHS England’s data advisory team that suitable information governance processes are in place, including by way of a Data Security and Protection Toolkit (DSPT) submission. 154 Similar to hypothetical scenario 1, here, too, a question arises regarding how the confidential information may be accessed, if at all, on grounds other than consent—namely through the (overriding) public interest as a legal basis.
V.B. Evaluative Frameworks from Law and Ethics
Two main evaluative frameworks may be applied to assist the assessment, one drawn from law and another from ethics. The value of these evaluative frameworks to the question I am addressing in this article is that, together, a kind of ‘hybrid’ approach where a legal framework is complemented by an ethics approach may serve best to work through the reasoning in a given scenario to assess whether there is a lawful (and ethical) basis for disclosure of confidential information. Not only would this help ensure confidential information is disclosed within the bounds of the law, it would also help ensure that doing so is ethically justifiable and in accordance with societal views and expectations.
The first evaluative framework may be sourced from the case law and professional guidance referenced above, including case law concerning the ECHR in which certain conditions have to be met before lawful exceptions to a human right would be satisfied. This would require one to weigh up in a given scenario three considerations:
- (1) whether such disclosure (and use) is seen as a proportionate action, weighed between the public interest in maintaining confidentiality and the benefit to the public to address the particular research question; and
- (2) whether a proportionate disclosure may be acceptable where there is clear benefit to the public.
To the first question, this should entail consideration of whether disclosure and use can be seen as genuinely in pursuit of a research purpose (involving a scientific endeavor), and, taking all relevant circumstances into account, whether it is seen as necessary in a democratic society for those ends. To the second question, the recent guidance from the National Data Guardian, on the evaluation of public benefit when health and adult social care data about patients or service users are processed without their consent for purposes beyond individual care, is of particular use. 155 The guidance defines public benefit in terms similar to public interest and the discussion below concerning ‘net interest’:
Public benefit means that there should be some ‘net good’ accruing to the public; it has both a benefit aspect and a public aspect. The benefit aspect requires the achievement of good, not outweighed by any associated risk. Good is interpreted in a broad and flexible manner and can be direct, indirect, immediate or long-term. Benefit needs to be identifiable, even if it cannot be immediately quantified or measured. The public aspect requires demonstrable benefit to accrue to the public, or a section of the public. 156
As the guidance notes, there are two aspects to public benefit evaluations: the public aspect and the benefit aspect. For the former, ‘The project or initiative that is applying to use data must be motivated by an intention to benefit the public, or a section of the public.’ 157 For the latter:
Data recipients should be prepared to demonstrate what public benefit the data use is delivering. This should happen at such intervals as specified by the organisation providing access to the data. It should also be in a form that can be readily shared with the public, for example, on a data uses register. 158
Moreover, there is a third consideration at play in assessing whether confidential information may be accessed on a public interest basis:
- (3) a legal evaluative framework would involve a consideration of whether the affected individuals have a reasonable expectation of confidentiality in respect of the relevant information, 159 and whether the research team’s interference with these individuals’ confidentiality interests is justified by other relevant considerations, in particular a public interest in such a research use, buttressed by a human right to science.
I would argue that a public health emergency, which can be defined as ‘an occurrence or imminent threat of widespread or severe damage, injury, or loss of life or property resulting from a natural phenomenon or human act’, 160 would be considered a public interest that could constitute a valid legal basis for disclosure and use of confidential information. It would clearly meet a common understanding of the public interest and reflects a ‘net interest’ in which all members of the public have in common, viz. combatting a live or imminent public health threat where there is risk of widespread or severe harm (in other words, a serious health threat to the general population). By ‘net interest’, I mean (taking up Barry’s account of the public interest 161 ) that it may well be the case that people in England can have different interests in respect of a public health emergency and research on it, insofar as they simultaneously occupy different roles or capacities in relation to it. Each person may balance their various interests differently according to their preferences, but, on net, they reflect a collective interest for all members of society rather than one which attaches only to particular individuals or groups. Other kinds of serious health threats to the general population, which may or may not be categorized as a ‘public health emergency’, such as climate change, air pollution, cancer, and mental health crises, may be less likely to meet the public interest threshold in this context given, among other reasons, the difficulty with defining the specific research problem and establishing the imminence or immediacy of the threat of widespread or severe harm to human health, although I acknowledge there may be strong counter-arguments here.
The second evaluative framework is drawn from ethics and may help inform legal reasoning. Specifically, one may consider applying to the scenarios Schaefer and colleagues’ definition of public interest, which may serve as an evaluative ethical framework. They apply their definition to considerations of consent waivers in the context of biomedical research, but it may be seen to have purchase in the confidentiality context, too. They define public interest as ‘substantial expected advancement of the health-related interests of members of a group whose interests are, or should be, of particular concern to the society in question.’ 162 They make their definition relative to groups whose interests are of particular concern to advance via the research, such as a rare disease community, and groups who traditionally have been marginalized and whose interests have been (or continue to be) unjustly ignored by society at large. In the context of a public health emergency, all members of a community would have a common interest in seeing a response to address it, be it a coordinated response from the state or responses from various actors, including researchers (which may involve support from the state). This definition enables us to consider the interests at stake, the value of the research, and whether the threshold is met such that a public interest disclosure can, in principle, be made lawfully. Schaefer and colleagues also offer a helpful set of criteria (which, they emphasize, can only provide ‘non-exhaustive categories which tend towards contribution to the public interest’, 163 due to the shapeshifting nature of the public interest) that could assist in a systematic evaluation of the public interest. These criteria include addressing a health priority; scientific robustness; open access of publications and datasets as purported research outputs; non-patentability/copyright of findings to keep them in the public domain; and translatability (ie, research whose results have direct, measurable relevance to practice or policy). Again, I would argue that many types of research in the context of a public health emergency would very likely fulfil these criteria.
Presumably, then, applying both sets of evaluative frameworks to the two hypothetical scenarios, Dr Singh and the research team would make an argument that there is a public interest basis in having the confidants make a limited, carefully controlled disclosure of the confidential information. Here, the research team would want to make an argument that disclosure is seen as a proportionate action weighed between the public interest in maintaining confidentiality and the benefit to the public to address the particular research issue (COVID-19). Moreover, they would want to advance an argument that, similar to an ECHR Article 8 versus Article 10 exercise, the human right to science obliges a balancing exercise between a right to confidentiality and a right to science, including access to information for research that is in the public interest. Alternatively, they may wish to advance an argument more akin to an Article 8(1) versus Article 8(2) exercise, namely that the human right to science serves as a buttress to the ‘protection of health or morals, or […] the protection of the rights and freedoms of others’ such that identifiable information in the particular circumstance should be disclosed. In this scenario, there would seem to be a stronger argument for disclosing the confidential information on the grounds an overriding public interest, with the human right to science helping support that legal basis.
Conversely, under hypothetical scenario 2, despite there being a legitimate research question and aim to establish a research database using the datasets requested, obtaining individual-level confidential school education data on a public interest basis, supported by a human right to science claim, is more tenuous. It is not at all clear that the school education data must be obtained at an individually identifying level and that the research team themselves ought to perform the data linkage rather than an independent, accredited unit (including in a trusted research environment/secure data environment or data safe haven). Likewise, it is arguable that the disclosure of this information in this context would not constitute a proportionate action such that the benefit to the public in establishing this research database outweighs the public interest in maintaining confidentiality in children’s’ and adolescent’s school records. Given the non-emergency scenario here, the broad, open-ended nature of the longitudinal study, and the diminished sense of a clear benefit to the public, it is unlikely that any proportionate disclosure of confidential information here would be viewed as acceptable in the absence of consent. Indeed, one could surmise that both pupils and their parents/legal guardians have a reasonable expectation of confidentiality in respect of the relevant information and that disclosure of the information for this research database would not run in accordance with that reasonable expectation. The human right to science would not serve as a juridical buttress here in the absence of an interest in which all members of the public have in common, such as a live or imminent public health threat where there is risk of widespread or severe harm.
Invariably, any scenario that is put to both sets of evaluative frameworks entails an assessment of the positive and negative aspects of the proposed research endeavor (which may well also entail a consideration of the value or social desirability of each endeavor, in addition to merit of the science), as well as a weighing of the trade-offs between different elements of the common good, including confidentiality, privacy, trust, justice, and population health. Whether buttressed by the human right to science or not, any overriding of the public interest in keeping identifiable health data confidential will necessitate careful consideration and, as Ballantyne and Schaefer suggest, ‘a wide population scope interpretation of public interest, such that the interests of humanity at large rather than particular subgroups can potentially be considered in weighing up whether a study sufficiently advances the public interest’. 164 Moreover, any given scenario entails an assessment of the extent of access (who is seeking access to the information, how much of it, for how long, under what conditions, etc.) and terms of access (ie, access only to those who can further the public interest), as well as a consideration of proportionality (access to confidential information is considered within the least restrictive means in the given scenario as there are no other reasonable means available to pursue the public interest-driven scientific endeavor and there is an evidenced commitment to use the information only as far as is necessary).
What the foregoing analysis demonstrates is that if, in a particular case, it is determined that there are prima facie grounds for confidential information disclosure on the basis of an overriding public interest, invocation of the human right to science can, as a buttress, help promote a broader view of what might be in the public interest for it to be seen as a benefit for the wider community. Yet, a series of considerations also must be factored in the analysis, supplementing the two main evaluative frameworks outlined above, namely:
- Whether individuals have a reasonable expectation of confidentiality in respect of the relevant information, which in turn may depend, among other things, on the level of risk associated with access to and use of the relevant information for a research project (with minimal risk in the proposed research being associated with a stronger argument for a public interest basis), the perceived sensitivity of the information, and whether vulnerable populations are involved. 165
- Whether it is reasonably practicable to obtain consent and if not, persuasive, evidence-based reasons as to why it is not reasonably practicable. 166 Here again, it may be argued that consent should be sought for research involving confidential information that entails greater than minimal risk.
- Whether the research has a commercial purpose and/or the research is commercially funded (in which case the bar for disclosure likely will be even higher, but should be counterbalanced by the argument that for some groups, the only way they will reap any benefits is through commercially funded research).
- Whether the proposed research is likely to likely to have significant public health and/or biomedical value.
- Whether there has been delineation of the scope of restricted information disclosure as a control device: only those persons who have a proper interest in receiving confidential information should receive it and those persons, in turn, should be made aware of their obligations to hold the information in confidence to prevent unauthorized disclosures and misuse. Moreover, disclosure should be appropriately limited in its scope, duration, and extent—massive, ongoing confidential ‘data dumps’ are unlikely to meet with approval. 167
- Whether it is possible to either pseudonymize or anonymize any or all of the information to prevent risk of misuse and work around or limit confidential (read: identifiable) information disclosure; make use of already-existing publicly available (ie, non-confidential) information; or otherwise access and make use of the information in a security-preserving, confidentiality-enhancing manner such as a trusted research environment/secure data environment or data safe haven. 168
- Whether a court should authorize such disclosure by means of its general declaratory jurisdiction and to avoid future litigation risk from various parties, or whether it is sufficient for an independent oversight body or expert committee (eg, a confidentiality advisory committee) to exercise this decision, or whether it should be at the discretion of individual data custodians.
- Whether the proposed research has been approved by a competent, independent research ethics committee; the committee has been informed that confidential information will be disclosed without consent; and the legal basis for such disclosure is the public interest.
V.C. Analogy to Data Protection Law
As a coda, we may compare the difficult hurdles to widely expand the public interest basis in confidentiality law with data protection law, as reflected in the UK GDPR 169 and Data Protection Act 2018. Under data protection law, personal data may be processed when it ‘is necessary for the performance of a task carried out in the public interest’ 170 and special category personal data (such as health data and genetic data), while otherwise prohibited, may be processed if, among other exemptions and conditions, there is a public interest basis in one of three areas: archiving, 171 public health, 172 and unspecified ‘reasons of substantial public interest’. 173 Concerning this last basis, as Georgieva and Kuner note (in reference to the EU GDPR, which carries almost precisely the same language in these provisions as the UK GDPR):
Finding a substantial public interest requires a balancing between the public interest and the risks for data subjects. To process sensitive data the public interest must be ‘substantial’, in contrast to the conditions for processing personal data based on a task carried out in the public interest under [GDPR] Article 6(1)(e), where there is no requirement that the public interest be substantial. Recital 46 [of the GDPR] mentions as examples of data processing serving ‘important grounds’ of public interest ‘when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters’. Voter data may be processed based on the public interest when this is required by the operation of the democratic system in a Member State, as long as appropriate safeguards are established. The threshold for satisfying this criterion is thus high. 174
Under data protection law, too, then, we see that public health emergencies and humanitarian emergencies would likely fulfil the criteria of a (substantial) public interest basis to process sensitive (special category) personal data without seeking and obtaining consent, though even here it would require processing to be permitted on the basis of domestic law that must be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
If we consider the COVID-19 context, the UK’s Coronavirus Act 2020 amended primary public health legislation to enable secondary legislation to be drafted that would require persons to provide information or answer questions (including information or questions relating to their health). 175 This would suggest that the exemption the government would rely upon to process special category personal data, such as health information, would be either the public health or substantial public interest basis under UK GDPR Article 9(2)(i) and 9(2)(g), respectively. Yet, it is difficult to envision how a particular human right provision, such as the human right to science, could itself form the basis of a domestic law, even as the UK is bound to the ICESCR under international law. And again, given that the UK has not agreed to be bound by the Optional Protocol to the ICESCR, which allows individuals complain to the Committee on Economic, Social and Cultural Rights about violations of their ICESCR rights, and given that the ICESCR is not directly part of UK law, in contrast with the ECHR under the HRA 1998, there is no explicit domestic law upon which a data controller—be it the government or otherwise—could rely to justify processing special category personal data on the basis of the public interest, which in turn is grounded in the human right to science. Reliance on high-level customary law and principles of common law would have to suffice, and there is legal uncertainty and risk in doing so.
VI. CONCLUSION: THE HUMAN RIGHT TO SCIENCE AS A WEDGE TO EXPAND THE PUBLIC INTEREST BASIS?
This article has demonstrated the ostensible benefits—but also clear limitations—of relying on the public interest basis, supported by the human right to science, to lawfully permit the disclosure and use of confidential information for a research purpose. While the public interest is a malleable concept, and courts have encouraged flexibility as to its categories, it is not so elastic as to encompass a general override of confidentiality on the basis of promoting scientific advancement and its applications. Nor, arguably, would we want it to stretch too far, lest the relationship between patients and doctors and participants and researchers (as well as educators and pupils, and employers and employees) be scarred and informational autonomy interests irrevocably damaged—undermining the public interest in health care and health research, among other important sectors. There may be a social contract in which all of us as citizens have a responsibility to contribute to research in exchange for reaping the benefits of modern medicine, 176 but that responsibility must be protected and respected with a number of safeguards and, ideally and where possible, undertaken with our consent. Sharing our confidential information to certain others without our consent, even in the aim of promoting scientific advancement and its applications, constitutes a significant infringement of informational autonomy and cannot stand on its own as a general category of a public interest basis.
However, what we may find is some limited judicial and juridical willingness, on a case-by-case basis, to broaden the public interest somewhat. Specifically, the argument made in this article is that there is scope to permit disclosure of confidential information to certain others and under certain conditions when there is a perceived overriding public interest basis for doing so—a public health emergency such as COVID-19, a risk of serious harm to others, and so on. More likely than not, in many scenarios, existing statutory avenues will be seen as the appropriate path forward to balance the value of data sharing and protection of confidentiality interests. In England and in the context of ‘medical research’ and use of ‘confidential patient information’, this would be ongoing resort to Regulation 5 of the COPI Regulations and reliance on CAG as an independent, expert body to assess, on an individual application basis, whether confidential patient information can be disclosed in the absence of consent. For other forms of research and categories of confidential information, the basis is more uncertain and likely subject to an even higher threshold. The legal and ethical evaluative frameworks discussed in Section 5 above offer some potential avenue for assessing when a public interest disclosure may be lawful in these contexts, particularly if combined; yet invariably, difficult judgments will need to be made and no simple solutions can be proffered.
I argue that were there a decision made by a competent authority to share confidential information on the grounds of public interest, the human right to science may be invoked as a gloss that emphasizes the importance of the informational requirement in the particular circumstances. This said, and in addition to the above qualifications, there are strong policy reasons to apply this basis narrowly. Foremost, the absence of consent means that there is greater risk of infringement of the informational autonomy interests of individuals as well as actions that fail to accord with their reasonable expectations of confidentiality. This in turn could harm the scientific endeavor if individuals, and the public en masse, fear that their confidential information may be misused and disclosed without their knowledge, much less acceptance. As Ballantyne and Schaefer put it, ‘The sustainability of biomedical research using identifiable health data relies on earning public trust. The research community must demonstrate that data are being managed fairly and responsibly. Public trust is enhanced by clarity, transparency and consistency.’ 177 Extra care and attention should be placed when assessing public interest disclosures for non-therapeutic research-related purposes that involve confidential information, including when the human right to science is invoked.
Even where confidential information is shared on the basis of an overriding public interest, there is an obligation to make the disclosure knowable, fair, and transparent and, where at all possible, provision made for individuals to object or refuse, and, also if possible, opt out from the disclosure. This, in turn, means there must be sufficient processes of public engagement and participation—which may be difficult in the midst of a given public health emergency, but can nonetheless be charted going forward to help map what kinds of public health emergencies (or other contexts) might be seen as acceptable. After all, the dual nature of the human right science lends weight to the importance of participation in the deliberation of such a disclosure decision and in any putative scientific endeavor. People, as citizens in a polity that relies on abstract but powerful legal constructs such as the ‘public interest’, ought to have a say in deciding whether their confidential information ought to be shared as a means to both promote the beneficial effects of science and protect against any adverse effects.
This article cannot endeavor to chart all the circumstances in which the human right to science may aid a public interest basis for disclosing confidential information. What I have done, though, is craft the contours of a conceptual argument in which we might envision an incremental expansion of the scope of the public interest in the research context, as well as an analytical framework upon which a more robust construct of the public interest basis in confidentiality law might be developed. How much an incremental expansion of the scope, if at all, may be seen as according with the reasonable expectations of the public ultimately is not only a legal question, but an ethical and socio-political one, too, that necessitates empirical investigation with robust patient and public involvement. To this end, and as an early step, research institutions should set their own internal policies clarifying for researchers how the determination of the public interest is to be undertaken and how in practice it should be evaluated. 178 This must, of course, be drafted in alignment with the existing jurisprudence and regulatory guidance to help drive harmonization and establish precedent. But even more fundamentally, and in tune with ethics and social science input, a next research step in this area ought to be further engagement of the public to determine the scope of the public interest and reasonable expectations, the kinds of research that would reasonably be considered to contribute to the public interest, and the contours of the human right to science as a juridical buttress to enable lawful sharing of confidential information.
DISCLOSURES
I am a member of the National Data Guardian’s Panel, which advises on the state of information governance across the health and care system in England. The views expressed in this article are my own and do not represent the views of that Panel or the National Data Guardian.
ACKNOWLEDGEMENTS
I wish to thank Graeme Laurie, Mark Taylor, Victoria Chico, Cormac Mac Amhlaigh, and the participants in the Brocher Foundation workshop on the human right to science (November 29–December 1, 2022) for their insightful comments on a previous draft of this article. I am also grateful to the anonymous reviewers for their helpful comments.
Footnotes
See generally Carolyn Adams , Judy Allen , and Felicity Flack , Sharing Linked Data for Health Research : Toward Better Decision Making (2022).
Campbell v. Mirror Group Newspapers [2004] UKHL 22. The law of privacy in the informational context holds that where individuals have a reasonable expectation of privacy in their information, it must not be misused by others—with the caveat of unless there is a lawful justification that negates the misuse.
C v. Chief Constable of the Police Service of Scotland [2019] CSOH 48.
Lee Bygrave , Data Privacy Law : An International Perspective (2014).
In this article, I use the terms duty of confidentiality and duty of confidence interchangeably.
Coco v. AN Clark (Engineers) Ltd [1968] FSR 415.
Paula Case, Confidence Matters: The Rise and Fall of Informational Autonomy in Medical Law, 11 Med . Law Rev . 208, 213 (2003).
Secondary use may be defined as the use of information which is separate and distinct from, or otherwise subordinate to, the primary use of the collection or receipt. For example, patient information may be collected for the purpose of direct care of the patient; a secondary use of that information may be administration, planning, audit, or research.
Aileen McHarg, Reconciling Human Rights and the Public Interest: Conceptual Problems and Doctrinal Uncertainty in the Jurisprudence of the European Court of Human Rights, 62 Mod . L. Rev . 671 (1999); Angela Ballantyne and G. Owen Schaefer, Public Interest in Health Data Research: Laying Out the Conceptual Groundwork, 46 J. Med . Ethics 610 (2020). See also G. Owen Schaefer, et al., Clarifying How to Deploy the Public Interest Criterion in Consent Waivers for Health Data and Tissue Research, 21 BMC Med . Ethics 23 (2020).
Mark Taylor and Tess Whitton, Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data, 9 Laws 6 (2020). See also the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016, which mandates Northern Ireland’s Department of Health to make regulations that enable the use of health and social care information which identifies individuals to be used for ‘health care or social care purposes’ which are in the public interest, without the consent of the individuals whose information may be used. The provisions of the Act will only be utilized where (i) it is impossible or impracticable to gain the consent of individuals; (ii) anonymized or pseudonymized information would not achieve the desired outcome; and (iii) the committee established under the statutory provisions authorizes the processing. As of the time of writing, due to ongoing political instability in Northern Ireland, no regulations have been promulgated, and thus, it is unclear what framework might guide assessments of secondary use health care or social care purposes that are in the public interest. I further discuss this interesting piece of legislation, which is supportive of my principal argument that the public interest can be a suitable legal basis to support a cautious widening of secondary uses of health information (and other kinds of information), later in the article.
See Mersey Care NHS Trust v. Ackroyd (No.2) [2006] EWHC 107 (QB), which held that institutions, such as hospitals, also have rights and responsibilities in respect of confidential information. The decision was upheld by the Court of Appeal at [2007] EWCA Civ 101.
See section 251 of the NHS Act 2006, which allows for the disclosure of so-called ‘confidential patient information’ under defined conditions, as set out in detail in the Health Service (Control of Patient Information) Regulations 2002 (SI 2002/1438). While section 251 applications will be covered in Section 3 of this article, it is important to note early on that I am drawing a distinction between consideration of public interest as part of an application for section 251 support (the legal basis itself being the statutory gateway)—which applies to ‘confidential patient information’—and (overriding) public interest relied outside of a section 251 application, which would apply to non-‘confidential patient information’ and where the legal basis itself is the public interest.
Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016, supra note 10. One notes that the legislation, in section 1(1), speaks only of prescribed confidential information disclosures for ‘health care or social care purposes’ and which are ‘necessary or expedient in the public interest.’ It is unclear whether this would encompass some forms of health research.
Éditions Plon v. France (58148/00) [2004] ECHR 200; Lewis v. Secretary of State for Health [2008] EWHC 2196.
Adams , et al ., supra note 1, at 33–38, 125–127.
