Do we need consent to obtain consent? Public and participant feedback to using personal health data for recruitment

Claire E Hastie, David J Lowe, Andrew McAuley, Catherine A O'Donnell, Nicholas L Mills, Corri Black, Tracy R Ibbotson, Andrew J Winter, Janet T Scott, David N Blane, Susan Browne, Jill P Pell

Research output: Contribution to journalArticlepeer-review

20 Downloads (Pure)


Medical researchers are generally expected to obtain consent before accessing personal health data; problematic if they require personal health data to determine whom to invite. In reality, consent is not an absolute requirement of data protection legislation. Under the General Data Protection Regulation (GDPR), personal data need to be processed securely, lawfully, fairly, transparently and in a manner compatible with why they were originally collected.1 Scientific, research and statistical purposes are not considered incompatible with the initial purposes of data collection.2 Lawfulness is established by meeting one of six criteria, including consent, public interest or legitimate interest.1 GDPR does not define public interest,3 but the Data Protection Act 2018 does not list research as a public interest.4 Therefore, lawfulness of health research based on public interest is likely be established only in exceptional situations, such as a pandemic. Legitimate interest requires that data subjects could reasonably expect their data to be used for the purpose at the time they were collected.1

In the long-COVID in Scotland Study (long-CISS), consent could not be obtained prior to using health records to identify and classify eligible subjects. This population cohort study compared symptoms, daily activities and quality of life among people who had previous laboratory-confirmed COVID-19 with a negative PCR test comparison group matched by age, sex and area deprivation. Therefore, data on test results, age, sex and area of residence were needed to identify and classify individuals prior to sending invitations and obtaining consent. Eligible participants were identified from the Case Management System (CMS), the National Health Service (NHS) Scotland database established to support the ‘Test and Protect’ response to COVID-19. The database provided PCR results to STORM-ID; a digital healthcare company commissioned by NHS Scotland to send individuals their test results.

In long-CISS, Public Health Scotland, the data controller for CMS, identified eligible subjects and provided Storm ID with an extract containing their name, date of birth and telephone number only. Storm ID developed its existing digital platform to automatically send SMS texts to these individuals informing them of the study and inviting them to participate. During an initial authentication step, the recipient keyed in a unique token, provided in the invitation, along with their name and date of birth. If these matched the information in the data extract, the subject was able to provide electronic consent and access the web-based questionnaire. The questionnaire responses were pseudonymised and analysed by the investigators within the national safe haven, a virtual trusted research environment, with results released following disclosure control. At no point could individuals be identified by the investigators. The invitation text included an electronic participant information leaflet, notification that participants were free to withdraw from the study at any time, and contact details to obtain additional information, if required.

Awareness of the study among the general public and potential participants was achieved via a Scottish Government press launch, widespread coverage across traditional and social media, information posted on the Public Health Scotland (Data Controller) website, a study webpage including frequently asked questions and contact details for queries, and information-sharing with long-COVID support groups.

Following the launch, 156 queries were received from the general public (Scottish population 5.5 million): 135 supportive, 16 unrelated to the study, 4 notifying changes of contact details and 1 asking for information on data use. Invitations were sent to 235 699 people in the first tranche, of whom 97 (0.04%) contacted the investigators: 54 for help with technical problems with the app, 24 seeking clarifications (eg, confirmation their responses had been received), 13 unrelated to the study, 4 supportive, 1 to correct their name and 1 requesting Freedom of Information process information (which they did not progress). The response rate was 18%, 5 (0.002%) people withdrew from the study, and 34 947 (80%) ticked that they were happy to be recontacted for further research.

While long-CISS could be justified as public interest in the context of a pandemic, there is an argument for the lawfulness of health research based on legitimate interest, subject to reasonable expectations, awareness and transparency being met. The number and nature of the responses received from the general public and invited individuals, the high recruitment and low opt-out rates, and the very high percentage of participants willing to be recontacted provide convincing evidence (and arguably precedent) that subjects did not consider health research to be inconsistent with how they expect their health data to be used. We hope our findings will inform the debate regarding consent and reassure legislators, data controllers and researchers that accessing personal health data without consent can be done without endangering public trust provided that appropriate steps are taken.
Original languageEnglish
Pages (from-to)697-698
Number of pages2
JournalJournal of Epidemiology and Community Health
Early online date7 Jun 2022
Publication statusPublished - 8 Jul 2022


Dive into the research topics of 'Do we need consent to obtain consent? Public and participant feedback to using personal health data for recruitment'. Together they form a unique fingerprint.

Cite this