Article Text


Linked health data for pharmacovigilance in children: perceived legal and ethical issues for stakeholders and data guardians
  1. Yvonne Marina Hopf1,
  2. Christine B Bond1,
  3. Jill J Francis2,
  4. John Haughney1,
  5. Peter J Helms3
  1. 1Academic Primary Care, University of Aberdeen, Aberdeen, UK
  2. 2School of Health Sciences, City University London, London, UK
  3. 3Department of Child Health, University of Aberdeen, Royal Aberdeen Children's Hospital, Aberdeen, UK
  1. Correspondence to Dr Yvonne Marina Hopf; y.hopf{at}


Objective The inclusion of the Community Health Index in the recording of National Health Service (NHS) contacts in Scotland facilitates national linkage of data such as prescribing and healthcare utilisation. This linkage could be the basis for identification of adverse drug reactions. The aim of this article is to report the views of healthcare professionals on data sharing, ownership and the legal and other applicable frameworks relevant to linkage of routinely collected paediatric healthcare data.

Design Qualitative study using semistructured face-to-face interviews addressing the study aims.

Participants Purposive sample of professional stakeholders (n=25) including experts on ethics, data protection, pharmacovigilance, data linkage, legal issues and prescribing. Interviews were audio-recorded, transcribed and thematically analysed using a framework approach.

Results Participants identified existing data sharing systems in the UK. Access to healthcare data should be approved by the data owners. The definition of data ownership and associated legal responsibilities for linked healthcare data were seen as important factors to ensure accountability for the use of linked data. Yet data owners were seen as facilitators of the proposed data linkage. Twelve frameworks (legal, regulatory and governance) applicable to the linkage of healthcare data were identified.

Conclusions A large number of potentially relevant legal and regulatory frameworks were identified. Ownership of the linked data was seen as an extension of responsibility for, or guardianship of, the source datasets. The consensus emerging from the present study was that clarity is required on the definition of data sharing, data ownership and responsibilities of data owners.

Statistics from

Strengths and limitations of this study

  • Purposive sampling ensured identification and inclusion of wide range of stakeholders.

  • Participants found it challenging to discuss a service they had not experienced.

  • Consensus was reached suggesting that the responses were valid.

Background and significance

Pharmacovigilance describes the assessment, detection, monitoring and evaluation of adverse drug reactions (ADRs).1 ADRs can cause considerable harm2–5 but may be very rare and only identifiable once many people have taken a drug. The need for a systematic approach to pharmacovigilance was triggered by the thalidomide disaster which led to the introduction of the Drug Amendment Act in the USA, requiring the Food and Drug Administration (FDA) to approve all new drug applications for use in the USA, and the establishment of the Committee on Safety of Drugs in the UK, which in turn introduced the Yellow Card Scheme, a scheme for the spontaneous reporting of suspected ADRs.6 Systems and regulations were further refined over time including the introduction of the European Medicines Agency (EMA) to coordinate drug licensing in Europe.7

Before a drug is licensed and marketed, only a small cohort of patients has been exposed to a given drug.4 Therefore, postmarketing surveillance is an essential component of medication safety. In the UK, the national licensing agency, the Medicines and Healthcare products Regulatory Agency (MHRA), requires companies to provide drug safety data to before they make a licensing recommendation8 ,9 unless application is made to the EMA for licensing and marketing across the European Union. After licensing, ADRs are identified by spontaneous reporting such as the Yellow Card Scheme and information is then cascaded to relevant healthcare professionals. There are also systems which specifically target a particular medication, for example, the Prescription Event Monitoring in Southampton, UK, and which requests extended data from prescribers. New MHRA standards for ADR reporting and signal management will lead to reporting to a central, pan-European database,10–12 resulting in the creation of EudraVigilance.13 This database will be built on reports on suspected ADRs submitted by its member states.

Despite this, it is well accepted that, in general, ADRs are under-reported. Some research suggests that current rates represent only 10–15% of the true rate.14 This is particularly the case for drugs used in children, many of which do not have a license for a paediatric use, and yet children exposed to ‘unlicensed’ medication are more likely to experience an ADR than children receiving licensed products.13 ,15

Other approaches to improve pharmacovigilance are, therefore, required. Previous studies have shown that routinely collected healthcare data can be used to generate signals of ADRs, that is, indicators of a possible causal relationship between an ADR and a specific drug.16–19 Each patient in National Health Service (NHS) Scotland has a unique patient identifier (allocated at birth or first contact with the Scottish NHS) used for each patient contact which would theoretically allow robust matching between different datasets, such as data from the family doctor, hospitals and dispensed prescriptions. Linking available routinely collected electronic healthcare data may provide a solution. A data linkage infrastructure already exists in Scotland20–22 as well as other countries.23–25 Linking datasets from primary and secondary care would allow following the patient in real time, providing denominators as well as avoiding duplication of signal generation, that is, reporting the same reaction twice. Routine data linkage would permit creation of a continuous virtual cohort to monitor for long-term outcomes, for example, after exposure to pharmacotherapy, and enable a more efficient screening for side effects or ADRs due to an ever increasing data pool.26 Creating a large cohort can sometimes be challenging in children if the group of patients is below 1000, as can be the case for orphan drugs or rare conditions.27 In addition, off-label or unlicensed drugs, often used in paediatrics, are not subject to the rigorous postmarketing surveillance schemes, which leaves the evidence in this field incomplete.28 Combining datasets from primary and secondary care would maximise the potential to identify safety issues around paediatric medication.23 However, its routine use might raise ethical and legal questions about privacy and confidentiality as well as other issues.20 ,29–31 The work presented here is part of the CHIMES (Child Medical Records for Safer Medicines) programme in Scotland, a research project which is developing a new system for drug monitoring and surveillance based on linkage of routinely collected paediatric healthcare data from primary and secondary care, and prescriptions dispensed from community pharmacies.


The aim of the work reported here was to elicit the views of relevant stakeholders to the linkage of routinely collected NHS data for the purpose of earlier identification of ADRs in children. A further aim was to inform recommendations for a data linkage project.


Design, subjects and settings

Semistructured face-to-face interviews were undertaken with a purposive sampling of stakeholders with professional interests and responsibilities in accessing and using Scottish NHS data to capture views on the proposed linkage of administrative NHS data for paediatric pharmacovigilance (n=36 invitations were sent). Purposive sampling was used to ensure representation from a range of relevant perspectives including ethics, public health, data protection, pharmacovigilance, data linkage, legal issues, paediatrics and prescribing, as well as diverse clinical backgrounds including medical doctors, nurses and pharmacists from primary and secondary care were approached to take part. The areas of interest as listed was compiled after a literature review and consequently a list of organisations was compiled that would cover the identified topics. Invitations were sent directly to selected members of these organisations either as representatives of the organisation or because of their personal expertise in an identified topic.

Materials and data collection

An interview topic guide was developed (available on request), guided by the research question “What are the views of professional stakeholders towards linked NHS data across Scotland” and informed by a review of current literature.32 The topic guide and interview technique were piloted in two interviews, which suggested the paediatric context of the proposed data linkage should be emphasised more clearly. The invitation letter contained a study information sheet and a consent form, which the participants returned by post prior to the interview. Interviews were conducted face-to-face or by telephone as requested. All interviews were audio-recorded.

Data management and analysis

Interviews were transcribed verbatim and checked against the recording. A framework approach33 was used to identify themes inductively and deductively from the transcripts. The ‘Framework’ approach as postulated by Ritchie and Spencer33 describes a thematic analysis of data that includes comparison of participants’ responses to selected themes. It allows for the organisation of the ‘raw’ data into categories, and follows a defined five-step process: familiarisation, identifying themes, indexing, charting and mapping and interpretation. Three interviews were independently coded by two researchers (YMH and CBB). A final thematic framework was agreed following discussion to clarify any initial inconsistencies. The framework was then validated by coding a further transcript independently by two researchers (YMH and JH). Differences between coders in allocating quotations to the main themes were resolved after discussion. Data management and coding were conducted using QSR NV.7.


A total of 23 interviews was conducted between February and October 2010 with 25 participants (at the participant's request 2 dyadic interviews were conducted), the length varying between 25 and 84 min. Table 1 shows the diversity of participants’ interests and backgrounds. Eleven of the 14 Scottish Health Boards were represented.

Table 1

Covered interests by number of participants

Five main themes were identified: (1) views and understanding of pharmacovigilance, (2) opinions on available data within the NHS, (3) beliefs about the usage of linked data, (4) opinions about the dissemination of findings and (5) views of the proposed data linkage. Two central subthemes of theme 5 were data sharing and data ownership in relation to the current legal framework. These are reported in detail below.

Data sharing

Participants highlighted that data sharing between primary and secondary care in Scotland was already a reality, for example, as in the Emergency Care Summaries (a summary of basic information about a person's health including their name, date of birth, Community Health Index (CHI) number and medicines prescribed by the general practitioner (GP)), but raised the issue of potential gaps in (electronic) data sharing due to the continued use of paper records. In contrast, community pharmacies, which generally keep electronic records, were perceived as being reluctant to share data due to their commercial setting: Again…accessing pharmacy data is not that easy because they are individual businesses and are fairly reluctant to share stuff electronically. (A22, male, GP)

Concerns were raised that data linkage/sharing could lead to identifying an individual patient: Because you are talking small numbers and there might be only one child in the country that has that condition. (A14, female, public health) We've had local issues […] where we tried to keep it anonymous but because the disease is so rare and the drug is so rarely used, […] it's hard to maintain anonymity here. (A24, female, pharmacy)

Caldicott Guardians (individuals who control access to NHS patient information) were seen as enablers of appropriate data sharing at regional (Health Board) level as Boards were perceived to be beyond the remit of central scrutiny (eg, the Privacy Advisory Committee (PAC) of NHS National Services Scotland (NSS)): The Health Board can do pretty much what they want with their data that would probably be beyond the remit of PAC. (A11, male, non-clinical, legal background)

Data ownership

The definition of data ownership and, by implication, legal responsibility for the linked dataset and the accountability in the event of any misconduct were seen as important. The need for clarity about who owns the data was raised as a main issue by participants. Indeed, one participant questioned whether data can be owned at all: How are you capable of owning data that belongs to a patient? Lord Goff in one of his rulings stated that in so far as it is being capable of being owned, NHS person specific healthcare data is public domain. (A04, male, medical consultant)

One participant referred to the data controller mentioned in the Data Protection Act (DPA) 1998 that, if there were more than one data controller for each given dataset, responsibilities could become complicated: You need to have defined who is responsible for the data set really. […]So that's the first thing because quite often what you find […] there is not really a very clear sense of who makes decisions about them. (A09, female, Caldicott guardian, physician)

Legally, it was believed that data controllers should decide what happens to data, which means that the Information Service Division (ISD) of the NHS would be responsible for datasets held at ISD but not for data held by individual Health Boards. This would also mean that GPs were the data controller for patients’ data, but not everyone agreed: I don't think we should talk about my data because patient data is not the doctor's data. (A11, male, non-clinical, legal background)

Furthermore, it was believed that GPs already have strong feelings of data ownership and that this might lead to reluctance to share the data: GPs have this feeling […] that the data is their data and it doesn't belong to anybody else. (A14, female, public health)

Another participant saw the data as the property of the NHS: The data should be seen as belonging to the NHS and therefore used for important NHS purposes and I think you would be hard put to argue that pharmacovigilance wasn't one of those. (A18, male, non-clinical, Public Health and Pharmacoepidemiology)

Legal and regulatory framework

Twelve different frameworks were cited while discussing what laws might apply to the proposed project. The DPA 1998 was mentioned most frequently, followed by the Common Law of Duty of Confidentiality and the Freedom of Information (Scotland) Act 2002. Less frequently mentioned were the Caldicott Principles and Information Governance in general, and single references were given for child protection, European Law, Privacy Impact Assessment and the PAC. Two legal acts mentioned, Section 251 and the Health Services Control of Patient Information Regulation 2002, are not applicable to Scotland. However, participants thought that Scottish legislation would allow the proposed use of the proposed data linkage: We have legislation in Scotland that allows the use of data for epidemiological or quality improvement purposes as long as the population is kept informed of it and as long as it is securely anonymised. (A03, male, academic GP)

In addition, further restrictions and potential challenges in view of child protection issues versus public interest were mentioned: The law's concerned about protecting the child, it's not concerned about necessarily promoting public interest. (A11, male, non-clinical, legal background)


Participants identified 12 legal and regulatory frameworks that might have to be taken into account when discussing the linkage of routinely collected healthcare data. Existing schemes of data sharing in Scotland within the healthcare context were discussed, and problems with the definition and responsibility of data ownership were identified.

Strengths and limitations of the study

The strength of our approach was the purposive sampling to identify a wide range of interested stakeholders. The purposive sampling was designed to ensure inclusion of representatives from a wide range of organisations and backgrounds and a potentially wide range of views. We spoke to participants with a legal background as well as a paediatric background and included experts on pharmacovigilance and ethics and clinicians from all areas. Data saturation within the sample was reached with the later interviews as no new issues were identified. Data saturation was reached with the reported sample, nonetheless, we cannot guarantee the findings beyond the current sample. Utilising highly informed interview partners allowed extraction of high-level barriers and challenges to the proposed linkage, but it also means that the views described here do not necessarily reflect the opinions of frontline healthcare professionals. However, the methods we used are illustrative of good practice in terms of research and consultation, and in the current age of rapid technological development, the results provide a framework of issues that should be considered in other contexts that involve the linkage and secondary use of patient records. The information provided to participants about the proposed data linkage was only outlined in summary as it was hoped that participants would help to shape the proposed data linkage by suggesting data for linkage and relevant barriers without being influenced by the background information provided. It was hoped that this approach would generate a wider range of perceived barriers and issues compared with participants responding to a fixed system design. Although participants found it hard to articulate their views about the proposed data linkage for pharmacovigilance, there was consensus around the five identified themes and as such the findings of this study could inform the design of a pharmacovigilance system based on linked routinely acquired patient data. The legal and regulatory frameworks discussed in this article were solely identified by the interviewees. It might be possible that relevant frameworks have not been identified whereas other frameworks discussed might not be applicable to the final data linkage project.

Problems with data sharing

The main concern was that increased data sharing could theoretically risk inappropriate identification of individuals, although in practice the size of a linked dataset at national level would make this unlikely. Nonetheless, participants wanted further controls, including required approval by Caldicott Guardians, in order to eliminate inadvertent and unintentional use of the data. However, Health Board Caldicott Guardians are not responsible for data collected within general practices, and there could be a need for others to be involved as Information Governance or Caldicott Leads.34 While the DPA only applies to the use of ‘identifiable’ patient data and not to anonymised data,35 it is recognised that data can never be fully anonymised as the original source data include patient identifiable information. Furthermore, the unique patient CHI number, which would be used for accurate deterministic linkage, would fall under the definition of personal data within the DPA.36 Professional guidance and standards such as the General Medical Council (GMC) promoted in their guideline on confidentiality allows the sharing of personal patient data in justified circumstances, stating that “confidentiality is an important duty, but it is not absolute.”37 Disclosures are possible when it is required by the law, for example, in questioning fitness to practice, or when patients give explicit consent for the sharing of their data. Furthermore, and of relevance to data linkage, the GMC guideline also states that if the disclosure of the information is “to enable medical research, education or other secondary uses of information that will benefit society over time”,37 sharing information is possible without patient consent. Further guidance reiterates that disclosure would be preferred in an anonymised format but that patient identifiable information can be shared without explicit consent if it is justified in the public interest and if necessary.38 That advice follows the second Caldicott principle “Don't use service user identifiable information unless it's absolutely necessary” (ref. 34, p.17). As the CHI number is necessary to identify and link data between primary and secondary care correctly, and as the guidance explicitly states research, epidemiology and public health surveillance as important secondary uses of medical data,38 it would be difficult to impose an absolute ban on access to the data for pharmacovigilance. Thomas and Walport30 mentioned ‘cultural barriers to appropriate sharing’ (ie, a ‘culture of caution’) in their report and suggest that perceptions of risk might prevent data from being shared in practice.

Data ownership as a challenge

Establishing the owners of the datasets for linkage was seen as a major issue and there is an apparent lack of clarity on this. The DPA defines data collectors and data processors but not ownership.36 The Wellcome report repeatedly refers to GPs as advocates for patients’ data but does not refer to data ownership.29 Data ownership is discussed widely in the literature39–41 but few have attempted a definition other than discussing the implication and responsibilities that lie within the (undefined) ‘ownership’. The Oxford dictionary defines ‘ownership’ as “the act, state, or right of possessing something.”42 In medical law ‘ownership’ is mostly used when discussing body parts or samples from patients.43 In our interviews, the term ‘data ownership’ seemed to be inextricably linked with responsibility for the data owned. The responsibilities that participants expected from ‘data owners’ included controlling access to the data within the current legal framework. So the term ‘data owner’ might be more about legal responsibilities than physical ownership. Accepting that definition, data controllers would have to be contacted and asked for permission to link ‘their’ data. Therefore, the way forward might be a named data controller for the linked dataset, who would assume responsibility and accountability. The DPA acknowledges that there may be more than one data controller at a time, that is, jointly or in common with another individual, which could be pertinent to the use of linked data drawn from several datasets. Accountability, as an added incentive to prevent security breaches, has been successfully employed by QResearch, a non-profit organisation jointly owned by the University of Nottingham and EMIS (Egton Medical Information Systems Limited), a clinical software provider, which uses anonymised health records from primary care.44


The plethora of different stakeholders, the mix of potentially applicable, albeit contradictory, laws and guidelines create confusion among researchers and decision-makers when it comes to data sharing and data linkage. Clear legal guidance on data sharing and a working definition of data ownership are required for both, developers of linked data systems and the end users of the linked data, in order to avoid ambiguity of opinion. Identification of the data controller of each individual dataset that is linked is necessary as is the appointment of individuals or accountable organisations to own the linked data. One proposal arising from the present study could be the use of a Privacy Impact Assessment of the planned linkage in order to identify any privacy risks potential. For example, a protocol for information governance, based on the one in use at NHS ISD Scotland, could include approval of the planned linkage by the already established PAC of ISD. Additionally, it should comply with the NSS Confidentiality guidelines and the ISD Disclosure protocol.45 It should be noted that PAC is an advisory, rather than statutory body; however, it is unlikely that its advice would be contravened. Although potentially complex, such a system could be brought together in a single application process analogous to the current Multicentre Research Ethics Committee (UK) and NHS approval processes.46


The complex and conflicting nature of the current legal situation informed the stakeholders’ views of data sharing and data ownership. Data sharing, as in the proposed data linkage for paediatric pharmacovigilance, was not opposed by stakeholders. The most commonly held view emerging from the present study was that clarity is required on the definition for data sharing, data ownership and responsibilities of data owners, although the need for a more explicit legal framework was identified. The findings presented here will be compared with the findings of a parallel study exploring the views of the public on the proposed data linkage (currently ongoing) as ideally any final recommendations for this project should be drawn from both relevant populations, healthcare professionals as data collectors and the public as data providers.


The authors would like to thank all participants who took part in this study for their time. They also thank the NJC Secretariat as well as Netta Clark, Jennifer Brechin, Hazel Riley and Beverley Clayton for their help with transcribing the audio files. They are also grateful to Nayha Sethi for review of an earlier version.


View Abstract


  • Contributors PJH was the Chief Investigator of the overall programme, conceived the research, led writing of the proposal for funding and contributed to the final protocol for this study. CBB and JH were co-investigators and led the writing of the work package which included the interview study. YMH was responsible for the draft of the study protocol, the development of any study material, the daily study conducted and coordination, acquisition of data, analysis, producing tables and interpretation of data. JH validated the coding framework. YMH drafted/co-led writing of the article and incorporating feedback from coauthors on successive drafts. CBB, PJH and JH contributed to the study protocol design. CBB and JJF were also involved in subsequent analysis, and co-led the writing of the article. All authors commented on the initial drafts of the article and revision of successive drafts. The final version of the manuscript was approved by all authors.

  • Funding This work was supported by the Chief Scientist Office (Child Medical Records for Safer Medicines (CHIMES) Applied Research Programme, grant number ARPG/07/4). Funds were obtained through funder competition. The University of Aberdeen was responsible to provide the governance framework for the study.

  • Competing interests All authors had support from the Chief Scientist Office Scotland for the submitted work; there were no financial relationships with any organisations that might have an interest in the submitted work in the previous 3 years; there were also no other relationships or activities that could appear to have influenced the submitted work.

  • Ethical approval Ethical approval for the study “Issues for healthcare professionals in use of routinely held data for signal generation in paediatric pharmacovigilance studies” was obtained from the North of Scotland Research Ethics Service (NoSRES) in December 2009 (reference nr 09/S0801/115). This was followed by local approval from all 14 Scottish Research & Development (R&D) departments which was facilitated by the NHS Research Scotland Permissions Coordinating Centre (NRS Permissions CC).

  • Provenance and peer review Not commissioned; externally peer reviewed.

  • Data sharing statement No additional data are available.

Request permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.