An ethical framework for sharing patient data without consent

Data privacy concepts are surveyed and a framework is presented for the safe sharing of sensitive patient data. Tailoring the data sharing to the privacy breach risks of each project allows the best compromise for 1) keeping the trust of the public and 2) providing for the best quality data where detailed patient consent is not possible. The first step is an agreement on an acceptable privacy breach risk. Next, proceed to measure that risk for the proposed data when held by a given recipient. Finally, select from a menu of mitigation strategies (people, process and technical) to achieve acceptable risk. The framework is tested against the current UK approach administered by the Patient Information Advisory Group. The hard problem of non-consented data sharing should be divided into the easier (though non-trivial) ones of data and recipient breach risk measurement. Directed research in these two areas will help move the data sharing problem into the 'solved' pile.