By Paul Affleck, Jenny Westaway, Maurice Smith and Geoff Schrecker.
You don’t have to be a nominative determinist to believe that it matters what things are called. Prompted by Graham et al.’s paper Trust and the Goldacre Review: why trusted research environments are not about trust, we’ve been thinking recently about the best name for resources that allow analysts electronic access to healthcare data. In our response, we stated they are very much about trust. However, we agree with their questioning of the term ‘Trusted Research Environments’.
Electronic health records provide a tremendous resource for research, planning, service evaluation, commissioning, policy development and audit. In the past, the typical model for enabling such secondary use of information has been to disseminate data to users under contractual controls. Occasionally, to avoid the time-consuming process of agreeing a contract and ensuring the recipient has sufficiently secure systems, users have been ‘embedded’ within the provider organisation’s systems with some form of honorary contract. This would often result in speedier access but lack transparency.
Last year, in response to the GP Data for Planning and Research programme, more than a million members of the public registered a National Data Opt-out in a single month. The programme was paused and changes were pledged before data collection would start, including: “an effective, secure computing environment (known as a Trusted Research Environment) has been developed to allow approved researchers to access data they have applied for, without it ever being copied or moved outside the security of the NHS”. The Government-commissioned Goldacre Review published earlier this year also presents these environments as key to earning public trust. However, the term ‘Trusted Research Environment’ is not universally accepted and has several drawbacks.
One concern is that a person could misplace trust in a Trusted Research Environment because while it may provide greater security it may not be trustworthy in other ways, for example, a person may have concerns regarding who is given access to data even if that access is given in a secure way. A further weakness of this term is that it is not clear what is being trusted by whom. The obvious response is that it is an environment that can be trusted by all (the data subjects, analysts, funders, data providers and so forth) but trust is typically seen as something that is ‘given’ or ‘earned’ not simply asserted.
Trustworthy Research Environments
As Hubbard et al. note, some prefer the word ‘Trustworthy’ to ‘Trusted’. Possibly this is to emphasise that data subjects are being invited to place their trust in an environment rather than being told that it is trusted. An advantage of this term is that it is clearer about what is being trusted – the environment and the people running it. In this way, it may also better encompass the elements of trustworthy data stewardship that go beyond data security, such as oversight to ensure public benefit is served by the data usage and public engagement and involvement. However, whether a resource is actually trustworthy is a judgement an individual has to make based on the criteria that they regard as appropriate. From this perspective a person might judge labelling a resource as ‘trusted’ or ‘trustworthy’ as presumptuous in a way that calling a resource ‘secure’ is perhaps not.
Secure Research Environments, Secure Data Environments, and data safe havens
Graham et al. suggest the term ‘Secure Research Environment’. This term is very similar to the name of the Office for National Statistics’ resource, the ‘Secure Research Service’. However, there is an obvious objection to using either of these terms more broadly. Not all the activity is necessarily research (it may be audit, service evaluation, commissioning, or some other analysis). It may be contended that the public will not draw such fine distinctions, but our ethical and regulatory structures do and there is a need for alignment. The Department of Health and Social Care uses the term secure data environment avoiding the restriction to ‘research’. However, as evidenced by the concern about the involvement of Palantir in NHS England’s data platform, these resources need to be more than ‘secure’ to obtain public support. Another alternative name is ‘data safe haven’, which is also less restrictive regarding purpose. The word ‘haven’ has reassuring connotations of safety and refuge and would fit with holding a person’s intimate medical history. However, the term ‘haven’ has other uses that have more negative connotations such as in ‘tax haven’. It could also lead to confusion with the position of the Health and Social Care Information Centre as the safe haven for health and care information.
In conclusion, the current diversity of names is confusing, but no single name is obviously best. Our personal preference would be to avoid the implication of telling people what to trust and use the purely descriptive term ‘Controlled Access Data Environment’ or CADE for short. In terms of wider ethical requirements, we would simply advise such environments to operate in line with use MY data’s mantra of “Say what you do, do what you say” and use transparency to build public trust.
Authors: Paul Affleck, Jenny Westaway, Maurice Smith and Geoff Schrecker.
PA: University of Leeds Faculty of Medicine and Health, Leeds, UK
JW: Independent Advisor in Public Policy and Citizen Engagement, Leeds, UK
MS: GP, Liverpool, UK
GS: Retired GP and Independent Consultant in Clinical Informatics, Derbyshire, UK
This article represents the personal opinions of the authors and not the views of any organisation, body or committee. PA is a programme manager for the UK Colorectal Cancer Intelligence Hub, which is supported by Cancer Research UK (grant C23434/A23706). He is also: a Specialist Ethics Member/Co-Deputy Chair of the Independent Group Advising on the Release of Data (IGARD); a Member of the UK Longitudinal Linkage Collaboration’s Involvement Network and a lay member of the Ministry of Defence Research Ethics Committee. JW is a lay member of IGARD. MS is a part-time GP working in Liverpool. He is also CCIO & Caldicott Guardian for Liverpool Place (as part of Cheshire and Merseyside Integrated Care Board) and a specialist GP Member of IGARD. GS is a retired GP. He is a specialist GP Member of IGARD and an independent consultant in Clinical Informatics.