LAUSR

For decades, medical researchers in the UK have highlighted difficulties accessing patient data for research. They have described multiple challenges: the parallel regulatory frameworks protecting personal data through data protection law (the ‘UK GDPR’) and common law protecting the disclosure of confidential information; the ethical principles enshrined in professional medical practice reinforcing the importance of medical confidentiality; and an undercurrent of public concern about potential for confidential patient information (CPI) to be exploited or abused. In March 2020, this complex landscape was disrupted through the publication of control of patient information or ‘COPI’ notices by the Secretary of State for Health and Social Care to mandate the sharing of CPI for COVID-19 purposes. After two years and four extensions, most of these notices have now been withdrawn. This experience provides a useful natural experiment for those who have been calling for streamlined governance of patient data for research purposes and suggests a number of lessons for future regulatory directions.