A large amount of health data on Norwegian citizens are held in databases – but they are spread over 16 separate databases, all containing only a limited amount of patient information. Linking these datasets could potentially wield crucial information, but due to data protection researchers have to go through a costly and time-consuming application process.
The current regulations mean that patients could indirectly suffer, argues Camilla Stoltenberg, Director-General of the Norwegian Institute of Public Health.
“The combined effect of good intentions has led to a regulatory framework which in essence works in an unethical way,” says Stoltenberg.
She uses the example of the swine flu pandemic of 2009 to illustrate her point. The outbreak prompted Norwegian authorities to advise people to get vaccinated. However, more information was urgently needed on effects and side effects of the vaccine.
“Prior to the next outbreak, in 2010, stronger evidence was requested to underpin vaccination advice. The issue was whether the advice should be altered, based on the 2009 experience,” explains Stoltenberg.
But despite agreement and co-operation between the three separate health authorities holding the necessary data, it took almost a year before the first link-up between datasets was completed – long after the second wave of swine flu had come and gone.
“The regulations need to be simplified, and more streamlined processes will in turn make it easier to ensure and improve data protection for individuals,” argues Stoltenberg.
She would also like to see the introduction of new databases to collate and format disparate data from local health agencies. This would particularly be beneficial for research on widespread illnesses such as type 2 diabetes, chronic obstructive pulmonary disease and depression.
But Helge Veum, Director at the Norwegian Data Protection Authority, argues that other considerations also come into play.
“It’s a difficult balancing act. We have to keep in mind that mandatory registration of health data where individuals can be identified is a major data protection issue. Compared to other countries we already have compiled a large amount of data on individuals’ health,” he points out.
“We should rather ask whether there are other ways of acquiring this information.”
Veum cautions about the unintended consequences of excessive data collation.
“How would it affect trust between a patient and the doctor? We don’t want to risk a situation where people are avoiding health services because it means being registered in a national database.”
Stoltenberg agrees that large amounts of health data do pose a challenge – although not for national databases, but for hospitals and their patient records.
“It’s impossible to get in and simply extract personal data in the database files we now have – they are encoded and encrypted. I have been working with databases over 20 years and never come across a name, a date of birth or an address,” she says.
“If I wanted to pry into people’s data, I would rather target hospitals’ patient journals which contain much more personal information.”
Given the security of database storage, the current data protection policy stymies important research into public health, Stoltenberg argues.
“Since patient data already is electronically available in the health service, it’s unethical not to use it in research. The data is crucial for improving quality of health care, improved patient safety and a better understanding of the causes for illness and death,” she concludes.