1 Introduction

Numerous health conditions affecting large parts of the population remain under-researched. The consequence is that preventative measures, treatments and/or cures are lacking. Some of these illnesses, such as Alzheimer’s dementia or Parkinson’s disease, have devastating effects on their sufferers, and currently lack adequate treatment. While some progress has been made in discovering genetic or biological markers to identify people at greater risk of contracting certain diseases, little is known about the interpersonal differences that make someone a sufferer while sparing others with identical markers. Identifying and understanding these underlying differences is hard partly because of a lack of relevant data. The data required for such scientific progress need to be wide and longitudinal, but this is difficult and costly to obtain within traditional clinical research studies. At the same time, some data that exist are currently unavailable to research due to the absence of an adequate framework to streamline the currently onerous access procedures. Although individuals can, while alive, volunteer their data to private corporations by accepting terms and conditions to this effect, it is not yet possible to give one’s medical data (whether during life or after death) for research purposes to a public institution. Nor is there any regulatory or ethical framework in place to guide the donation process. In this article, we argue that this constitutes an unethical failure to utilise data that are of immense value and importance in the quest to improve public health and to promote the common good. The focus is on posthumous medical data donation (PMDD), which should be enabled as a matter of urgency by putting in place an ethical code of PMDD.

The article starts with an outline of what is meant by PMDD, followed by an explanation of the reasons for enabling PMDD. These consist of 10 arguments in favour of PMDD, as well as arguments against the alternative approach suggested by some researchers (e.g. Mann et al. 2016), namely the removal of the need for individual informed consent in Big Data health research. Comparing PMDD to other types of biomedical donations that already take place, we argue that the existing ethical frameworks from other donation schemes provide useful guidance, but do not suffice to ensure ethical PMDD. Therefore, we stress the need to define an ethical code specific to PMDD, and propose five foundational principles for such a code.

2 What Is Posthumous Medical Data Donation?

Posthumous medical data donation (PMDD) refers to the act of donating one’s personal medical data after death. Medical data here means data that are routinely collected in a health system whenever individuals use health services throughout their life. Such data hold enormous potential for medical research and for health and care improvements on a large scale. However, personal medical data currently remain mostly inaccessible for researchers due to a lack of enabling regulation. Issues of consent, ownership, and privacy, among others, mean that upon death, an individual’s data become ‘locked in’. Depending on the jurisdiction, gaining access for research purposes is cumbersome, if possible at all (Shaw et al. 2015). An effective way to solve this problem is by making provisions for enabling the donation of one’s own medical data after death. So far, the donation of medical data has received limited attention (Shaw et al. 2016).

PMDD is different from medical data sharing,Footnote 1 which happens while one is alive, and from medical data philanthropy, which describes the opening, to external access and use, by private companies and public organisations, of their data sets, for charitable purposes (Taddeo 2016).Footnote 2 Data sharing and philanthropy are important sources of medical information, but, as we shall argue in the rest of this article, posthumous medical data donation is motivated by different reasons, and is less risky and more easily achievable than either data sharing or data philanthropy (Table 11.1).

Table 11.1 Differences between data donation, sharing and philanthropy

Other types of donation in the medical field are already very common. Indeed, a significant part of the medical system relies on donations to save lives, educate and teach the medical profession, and advance medical knowledge in general. Examples include blood, organ and tissue donations, gamete donations, stem cell and cord blood donations, as well as brain and body donations for research and educational purposes. It is even possible to donate one’s body for commercial or artistic purposes, albeit controversially, for instance to the anatomist and inventor of plastination, Gunther von Hagens, and his (in)famous “Body Worlds” exhibition.Footnote 3

Unlike these types of biomedical donation, the donation of medical data is conceptually problematic: a lack of materiality and the simultaneity of data pose a challenge to the notion that data can be “donated” in the conventional sense (Prainsack 2018). However, at least in the context of post-mortem donations, the use of ‘donation’ appears preferable to more general terms, like ‘sharing’, as the former rules out the possibility of a retraction of the data by the donor or of joint use with the donor.

When it comes to donating medical data, there are specific subsets of data that can currently be donated. One such example is genomic data (Haeusermann et al. 2017). For instance, the Personal Genome Project enables individuals to “donate” their full genome for research purposes.Footnote 4 Another example is data given during participation in medical research projects, studies, or clinical trials. However, the donation of a more comprehensive dataset, such as in the form of personal medical records (PMRs), has not been systematically enabled so far. The collection and use of medical data for research purposes has mostly been via the aforementioned patient surveys, clinical studies, and trials. As the type and number of patients recruited to these is rather limited, a vast amount of potential data is not included and remains unused. At the same time, the infrastructure of our health services is changing to enable—in theory—the wider sharing of data with health care professionals and researchers. For instance, through the electronic health records (EHRs) currently being introduced within NHS England, individuals can share their own records via a link. This still faces some challenges, partly due to different data formats and a lack of data system interoperability.Footnote 5 In addition, serious limitations of this approach relate to the quality of information and the fact that the data available in these EHRs tend to be incomplete, and vary from General Practitioner (GP) practice to GP practice, but these are predominantly practical obstacles that could easily be overcome (Floridi and Illari 2016).

The failure to utilise fully the health data available in PMRs, which often already exist in digitised form as EHRs, has a huge opportunity cost. It has a negative effect on medical research, given that an incredibly valuable resource remains untapped when its utilisation could lead to significant advances in medical knowledge. In times when public health is in desperate need of improvement and when many serious health conditions are poorly understood, this is unacceptable and, it is argued, unethical. It is crucial to enable individuals to donate their medical data and enable its use for research for the common good.

3 Why We Should Enable PMDD

In light of the potential benefit to be derived from the utilisation of PMRs for research purposes, some have suggested that obtaining informed consent from individuals is inappropriate for record-based research (Mann et al. 2016). This position emphasises the benefit for society at large, and maintains that because of a “duty to easy rescue”—i.e. that individuals are under a moral obligation to benefit others where there is no or minimal risk to themselves—one would be justified in bypassing, in this particular context, what is otherwise a fundamental principle in research ethics: informed consent. Indeed, the current legal rules in many Western jurisdictions allow for this type of research to proceed without such consent, but this article is concerned primarily with the ethical considerations relating to PMDD, and not with legal frameworks.

There is clearly some merit in reconsidering how informed consent operates in modern data- or record-based medical research, where in order to maximise utility, data often need to be repurposed in ways that could not have been anticipated at the time of data collection. Rather than negating a need for consent in such instances, however, we consider it ethically preferable to enable those individuals already willing to volunteer their data to do so, even if this may lead to an initial and perhaps unavoidable bias, but one which may also be acceptable in order to start the process.Footnote 6 Note that empirical research into patient attitudes suggests that such individuals are many.Footnote 7 This approach will foster trust and encourage wider social acceptance of the collection and re-use of medical data. However, if such a fully voluntary approach does not yield sufficient participation, a move towards an alternative approach is conceivable, e.g. through an opt-out system or record-based research with fewer consent requirements attached. In addition, abandoning the informed consent requirement on the basis of analogical reasoning in terms of rescue seems inappropriate, where no discernible individual is immediately saved or even treated. The long-term time horizon of most medical research projects also makes it rather unlikely that the patient data subjects will ever become beneficiaries of any research findings resulting directly from their own records. This is obviously impossible in the case of data of the deceased. Therefore, the idea of simply using the available data without first obtaining informed consent is dismissed, even where this would be within the current limits of the law. Instead, from an ethical perspective, PMDD should be enabled and encouraged as a fully voluntary action for the following ten reasons.

  1. It is unethical to frustrate the “will-to-do-it” without proper justification. Although no individual donor will receive a benefit at the point of donation, the ability to contribute to the advancement of medicine and act as a moral agent can provide a significant benefit during one’s lifetime. Studies with organ, body, and brain donors show a strong desire to do post-mortem good, and suggest that medical data would be no different (Steinsbekk et al. 2013). Indeed, the Personal Genome Project and patient networks, such as patientslikeme.com, offer good examples of the case in point.Footnote 8

  2. The concept of altruism is well-established and should include data donation for the common good.Footnote 9 There is evidence that most individuals already desire to act morally, and may do so without the need for further encouragement when provided with the right information, a straightforward procedure, and appropriate safeguards (Richardson and Hurwitz 1995). With regard to PMDD, the lack of regulatory guidance and practical possibilities of donating data hampers the moral agency of potential donors.

  3. Fairness is also crucial, as it ensures that burdens and benefits are shared across society. If one receives healthcare, it is only fair that one gives back. This is an infra-generational argument, since members of the current generation will be donating data for the benefit of others, much like they currently benefit from the contributions of previous generations to medical knowledge. Arguably, there is a moral obligation to participate in scientific research (Harris 2005).

  4. PMDD is an appeal to inter-generational solidarity, as future generations will benefit from past generations and will become more motivated to donate to future generations in turn. Recently, the notion of solidarity has experienced a revival as a framework to direct biomedicine beyond the dichotomy of personal benefit and the common good (Prainsack 2017). Such arguments suggest that there is a need to nudge less altruistic individuals to act more responsibly, and to take on their share of the collective burden of contributing to medical knowledge (Prainsack and Buyx 2017).

  5. PMDD would foster a (human) right to science. It has been argued that this includes a human right to participate in the scientific process in its entirety (Vayena and Tasioulas 2015). Of course, this is not to say that a right to donate one’s medical record implies a receiver’s duty to use these data, as it is advisable to retain the option to reject a donation where this carries significant ethical risks. This is standard practice in whole-body donation programmes, where acceptance of a donation is contingent on the health status of the donor and the demand by the accepting institution (Riederer et al. 2012).

  6. There is a strong economic argument to be made. Using the data that are already being collected during health and social care to advance the body of medical knowledge would enable a more cost-effective administration of healthcare. In addition, the more data are donated, the more value the old data have. This scale issue is typical of the digital, and makes it economically sensible to encourage PMDD.Footnote 10

  7. It is crucial to facilitate PMDD immediately, as the trend towards commercialisation of personal health data is growing, and this may leave the public at risk of missing out. Public and commercial benefits are often intertwined, but there is a great risk that a lack of public systems that enable the donation of data may lead to the collection of such data occurring exclusively in the private/commercial sphere and that, consequently, the use of data for public benefit may become impossible, or at least restricted to research that has significant commercial value. Such a market is already emerging for individuals to sell their own data to companies. This is the case of Zenome.io, which combines blockchain technology and digital currency to allow individuals to sell their personal genomic information.Footnote 11 Soon, more comprehensive platforms might encourage individuals to sell their full electronic health records, as these become increasingly available to patients. A socio-political decision to take the initiative on PMDD is thus urgently needed to seize this opportunity and to avoid serious negative implications for public health research, once it is locked out of an increasingly commercialised industry in personal medical data, or has to pay for access, in the absence of a public data donation scheme.

  8. PMDD is also a matter of logical coherence. Considering that (most) people can already donate their organs and blood, and that it is possible to extract substantial data from those donations, it is logically incoherent not to allow PMDD. Furthermore, implicitly, individuals are already allowed and often enabled to give away freely their personal data to private corporations, often for uncertain purposes, as the terms and conditions of many commercial platforms make clear.

  9. Two key risks are diminished in PMDD, as both consent and privacy are less troublesome where the data relate to a deceased as opposed to a living person. This would avoid or at least mitigate many of the problems currently arising in the context of data sharing, as PMDD places significantly less pressure on individual privacy, ownership, and consent.

  10. Finally, data sharing by research institutions has been encouraged in recent years and is now considered part of good scientific conduct, as it fosters transparency and replicability of studies, and leads to efficient use of research data. Given that most of the reasons for scientific data sharing also apply to PMDD, a decision to promote one but not the other is logically and ethically inconsistent.

While other types of medical donation (such as tissue donation) have been the subject of extensive debate, resulting in ethical and governance frameworks and national schemes, this has yet to occur for medical data donation. At the same time, public relations campaigns are ongoing to promulgate the need to utilise health data wisely and ethically. The high-profile UK campaign “Understanding Patient Data”, which is jointly funded by the Wellcome Trust, the Medical Research Council, the Department of Health and Social Care, the Economic and Social Research Council, and Public Health England, aims to “support discussions with the public, patients and healthcare professionals about uses of health and care data”.Footnote 12 This is an unethical asymmetry, since the lack of opportunity for individuals to donate their PMRs prevents them from acting altruistically by donating their data for the common good, despite public funding invested in educating the public about the need to make such data accessible for research within the health service. Research into the harms of non-use of health data has concluded that these are hard to prove, but that there are significant consequences that need to be addressed in a move towards socially responsible reuse of data (Jones et al. 2017). In addition, the aforementioned study did not consider the social harm of preventing people from doing what they deem to be morally important. That this is a real concern was shown by some participants in a large biobank study in Norway, where the desire to contribute to the common good was frequently brought up (Steinsbekk et al. 2013). Once all this is combined with the potential value that such data hold for medical research, it provides a strong reason for remedying the current missed opportunity. 
The fact that the current lack of a mechanism for PMDD is more likely to be explained by regulatory inertia than a deliberate decision against it on ethical grounds provides even more reason to remedy the situation. So, how does PMDD compare to the existing types of biomedical donation that are already managed by specific ethical guidelines and governance frameworks? The next section addresses this question.

4 How Does PMDD Compare to Other Biomedical Donations?

A number of types of biomedical donation are already firmly established in several health systems around the world. Currently, there are at least seven types of physical donations, plus two where the donation consists of a specific data set. Given this abundance of donation schemes, one might question the need for yet another framework and suggest instead an ethical approach by analogy. However, as Table 11.2 indicates by focusing on the United Kingdom, there are some morally significant differences among existing schemes and the proposed PMDD.

Table 11.2 Comparison of biomedical donation schemes in the United Kingdom

4.1 Key Differences Among Existing Biomedical Donation Schemes

The first key difference between PMDD and the most common donation schemes is the lack of physical intrusion. Although donating medical data can be described as being intrusive to private life, it does not involve a physical act, or indeed any action on behalf of the donor other than giving consent. This is also a one-off task, as there is no opportunity for re-contact when the donor is deceased.

This leads to the second key difference: donor status. Blood, gametes, cord blood, and tissue are usually donated by living people, as are some organs (e.g. some kidneys). However, even where the donations are by the deceased, the living relatives are typically directly involved: organ donations are checked with family members prior to proceeding, and the urgency of the process (with arrangements typically made within 24 h of death) can put immense pressure on relatives. With PMDD, it might be equally sensible to bring family members on board, even where the deceased have clearly expressed their wishes, but no urgency is required as the utility of the data has no expiry date.

A third difference relates to the materiality of data: medical or any kind of digital data are non-material, unlike other biomedical donations. This means, for instance, that data cannot be “taken out” of one individual and put into another – as would be the case in organ or blood donations.

This is linked to a final difference worth stressing, namely that of the beneficiary. While blood, cord blood, and gamete donations can be used to benefit oneself in the future (although that might be more accurately described as a safeguard than a donation), with other donations, including PMDD, the beneficiaries are necessarily others. In addition, where the purpose of the donation is non-clinical there is no immediate benefit to anyone in particular. The benefit is of a more general nature, such as the advancement of clinical knowledge through research, or the teaching and training of future health care professionals. When it comes to donations that involve health or medical data, as opposed to a physical donation, the key difference lies in the research question. Typically, clinical research studies and trials will attempt to answer a specific question, or address a concrete hypothesis, whereas PMDD would be used for more general research and promote serendipity in research.Footnote 13 Researchers in traditional clinical studies will have to re-contact their participants if they wish to use the data for further or additional research; this requirement does not apply in PMDD. In addition, living participants can change their mind at any point and withdraw their consent, meaning that their data is removed from any research in so far as this is practically possible, which again does not apply in PMDD, where active consent management is an impossibility.

These differences listed above are only some of the most significant ones between existing forms of biomedical donation and PMDD. The list is by no means exhaustive. Yet, the comparison suffices to highlight that reliance on existing frameworks is likely to fall short of offering the ethical guidance required to enable safe PMDD. This is also because, although some important risks are minimised, PMDD is not without its own risks. These risks need to be carefully managed while maximising the future utility of the donated data. This makes it of utmost importance to ensure that PMDD is done ethically, and in particular safely and fairly, without creating any unnecessary impediment to either the donor or the health researcher using their data.

5 The Need for an Ethical Code

Broadly speaking, two main sources of risks can be associated with PMDD, one resulting from the non-individual nature of medical data and one resulting from the source of the data being a deceased individual without any control over future uses of the data.

The first source concerns the nature of the donated medical data, specifically that medical data is seldom just about one individual but also often relates to others, who may be harmed as a result. Some of the donor’s medical data may reveal sensitive information about related people. Relational issues arise, for instance, where genomic data reveal information about family members. Similarly, information found in psychological or psychiatric records may well contain sensitive information about others, including family members, as this often plays a significant part in the treatment of mental illness. Sexual health and reproductive information are further examples of sensitive medical data that typically relate to at least one other person. Harms to others might also be caused when insights derived from donated data are used for profiling purposes, which might be discriminatory and unfair to individuals to whom it is applied. This risk becomes more acute when donated medical data is sensitive, for example when relating to a particular (other) individual or a sensitive condition. In some cases, the risks may be such as to embargo a donation, or in extreme cases to disallow an individual from participating in PMDD, despite a personal desire to do so. An example could be close relatives of acting politicians, where there is a national interest in avoiding the exposure of vulnerabilities to outside influences. Similarly, some conditions, like hereditary diseases or mental illness, may carry a significantly greater risk of becoming a target of discrimination, making it preferable to avoid PMDD. The overall cost of this restriction would be minimal, as the value of PMDD lies in well-curated, large data sets, rather than individual data sets. It is important to understand that, when shared data pose a serious risk, it would be ethically justified and sensible to reject the particular data donation, as the limited value of a single data set (or even of a particularly valuable one) is outweighed by the risks to other, living members of society. The decision as to when to reject a donation should be strictly limited to those cases where the risk to others is likely and serious, to avoid overcautious approaches leading to the dismissal of valuable data sets that could be useful to study less common conditions and rare diseases.

In summary, fears around potential harms to close relatives do not represent an argument against PMDD. The risks just highlighted are not specific to PMDD but rather refer to the kind of data in question, not the actual act of donating. This means that all the risks generally associated with biomedical data also apply in this context (Mittelstadt and Floridi 2016). The consequence is that one can rely on similar safeguards, especially in terms of the procedures, policies and tools that are already applied in the healthcare context, such as de-identification and encryption.Footnote 14 The fact that these data would be donated does not affect these concerns substantially.

The second source of risks concerns the provenance of the donated medical data and the potential use to which the donated data can be put. Because the donor is deceased, PMDD has a lower (or perhaps no) negative impact on the donor, compared with sharing one’s medical data when alive. However, safeguarding is also lower, since individuals may indicate how their data may be used or repurposed while they are alive, but of course have no control once dead. It is therefore crucial to develop a framework that respects the values and preferences of the data donors, and that reassures potential donors that their expressed wishes will be respected after death. In particular, concerns over the misuse of medical Big Data to justify unfair public policies, the implementation of medical profiling outside of the health care context (e.g. by employers or insurance companies), and the application of IP rights to lock-in or restrict access to medical insights and advances derived from donated medical data have to be taken seriously, and need to be addressed.

For all these reasons, an ethical code of PMDD is needed to address these issues effectively. With regard to the first risk (of harm to relatives), encouraging the active involvement of family members and relatives prior to a decision to participate in PMDD could resolve many of the potential concerns, similar to the existing recommendations in organ or body donation. As has been argued, a “do not use if in doubt” approach is also practicable, as the value of any single data set is limited and unlikely to have an impact on the utility of the overall PMDD database. Note that this is also an argument against the need to impose a “duty to easy rescue”, and hence a suspension of the need to have informed consent: one organ not donated may mean a life not saved, but one data set not included makes in itself little difference to population-based medical studies.

The second risk (lack of control once deceased) can be mitigated by means of a value-based framework that firmly places key ethical principles—such as respect for persons, human dignity, privacy and integrity, amongst others—at the heart of PMDD. Two valuable resources can be drawn on to inform such a code. First, the lessons learned from past mistakes made in the context of biomedical data schemes, such as the NHS Care.data programme, as well as the best practices of ongoing initiatives, such as the Personal Genome Project UK. And second, the ethical and governance frameworks currently in place for other types of donations, most crucially those used in biobanking, organ and body donation. An ethical code for PMDD must learn from the solutions already found for both these resources, and be coherent with them. In the next chapter, we set out to codify some of the lessons and best practices that currently exist in an unstructured form to develop a functional ethical code for PMDD, as well as leverage the important work done by others in developing ethical frameworks for other types of biomedical donations (see Chap. 12).

6 How to Implement Ethical PMDD

The first step towards the development of an ethical code for PMDD presented in this article was a thorough review of existing ethical frameworks. The focus was in particular on tissue, brain, and body donation, as well as the sharing of genomic information, because of their similarities with PMDD. However, our analysis also revealed some key differences (discussed above), limiting direct comparability with our proposed scheme, and reinforcing our belief that a dedicated code is needed for PMDD. In this section, some past and current biomedical data projects are considered to identify relevant lessons and best practice.

6.1 Learning from Mistakes and Codifying Best Practice

Big Data in health care is often described as the biggest opportunity of our times to improve public and individual health, and it is therefore no surprise that a vast number of data-related projects are ongoing in health care. While there are key differences among the initiatives, including in data ownership, access rights and purpose, their success—in terms of ethics—can be evaluated on the basis of adherence to a number of fundamental principles.

At the unsuccessful end of the spectrum, initiatives like the UK’s disastrous Care.data serve as a reminder that neglecting these principles can lead to the complete failure of a well-intended scheme. As the Nuffield Council on Bioethics has explained, “Care.data is a salutary lesson in the need for robust and timely public engagement – as opposed to mere communication – and in understanding the range of ways in which data subjects might perceive harms arising from uses of their data.”Footnote 15 The consequences of this incident can still be felt, and have led to a deep distrust in data sharing between the NHS and commercial partners. This is in contrast with other countries, where better management of communication and public engagement has led to wide public support of similar programmes (Patil et al. 2016).

Unfortunately, it seems that some of the lessons learnt from the Care.data debacle have not yet been applied. The recent introduction of the “GP at hand” video-consultation smartphone app, for which NHS England partnered with Babylon Health, has met with skepticism both from GPs and the general public. Concerns quickly arose over inequality in the treatment of patients, especially those with complex health needs, ultimately leading to a suspension of the planned wider roll-out of the service (Finlayson et al. 2017). The lack of proper evaluation of the service has also been criticised (Rosen 2017), and concerns raised over the privacy management, given Babylon Health assumes ownership of the recorded video consultations in its terms and conditions.Footnote 16 Although this might seem unlikely to be enforced in practice, in theory this means that patients are not allowed to share their video consultations with health care professionals who are not enrolled with Babylon’s GP at hand service without the company’s prior permission. Considering that the service was commissioned by NHS England, most patients are likely to be unaware of this restriction, and hiding such an important point in the legal text does not exemplify good communication or foster trust between the NHS, its third-party partners, and patients.

In the context of genetic data, the Icelandic genetic testing company, deCODE Genetics, provides another example of how public trust is all too easily disappointed. In 2012, the company decided to sell out to the American pharmaceutical company Amgen—including the DNA and health data of approximately 140,000 Icelandic individuals held by deCODE. Most of these people had volunteered their data on the basis that the company would create a universal health database of Icelanders for research purposes, as it had promised in the late 1990s but never delivered (Greely 2012).

Sustainability is crucial for any health-related Big Data project, as its success will depend on a long-term commitment to research. Unfortunately, this aspect is often neglected. A few years ago, the Finnish government (in cooperation with some private sector companies) launched the ambitious project of setting up a single platform for the storage of information on the health and well-being of the population. The idea was that this could be accessed by health care providers to offer more efficient and effective care, and to prevent ill health. The service, taltioni.fi, was lauded as sustainable and trustworthy, not least because of its cooperative nature and the fact that it involved both the public and private sectors (Riso et al. 2017). However, the platform vanished shortly after its launch, and it is not known what happened to any data stored within it. [Footnote 17]

At the other end of the spectrum are projects like the “Patients Like Me” network, which according to its website, is “unleashing the power of data for good (…) by empowering people to take control of their health.” [Footnote 18] The company provides a detailed and clear privacy policy, including plain language explanations in addition to legal texts, and provides users with comprehensive options to manage the sharing of their data with third parties, such as private corporations and commercial vendors.

The Personal Genome Project UK (PGP-UK) is equally transparent about data access, but goes one step further by providing the de-identified genomic information as fully Open Data. Individuals can choose to withdraw their data at any point but are made aware, before enrolment, that such a withdrawal cannot necessarily prevent all future uses of the data, as copies of it may have been downloaded from the website. The PGP-UK is complex in that it involves sharing of genomic data as Open Data, and this is reflected in the informed consent procedure, which requires participants to pass an enrolment exam before being admitted to the project.

Even a deep commitment to ethical principles offers no guarantee that things will never go wrong, as accidental breaches are always possible. In 2014, the PGP suffered a setback when it accidentally disclosed some of the participant email addresses and names to other participants. [Footnote 19] Due to a configuration error, replies to an email from the PGP-UK were sent to the entire mailing list rather than the PGP-UK staff only, thereby revealing the sender’s identity to the members of the list. Some 220 people were affected, and the issue was quickly discussed within the ethics community, where it was described as a failure both in privacy and trust. [Footnote 20] This is just one interpretation, as the PGP-UK notified and apologised immediately after the event, but the incident indicated that risk from human error is hard to eliminate. As one of the commentators in the discussion noted, the email blunder was a suitable way to identify those prospective participants who merely pay lip service to the idea of openly sharing their data.

Recently, cooperative models for managing personal health data have gained popularity. Switzerland currently has two such schemes, healthbank and MIDATA. Both enable citizens to be in control of the storage, management and access of their personal health and health-related data, including the decision how to share it. Schemes like these find their inspiration in citizen science, whereby members of the public can contribute actively to medical research by providing access to their personal data. As these platforms are fairly recent developments and are not yet in place in most countries, it remains to be seen how they will be adopted by the public. However, their cooperative approach certainly carries great potential for the future management of personal health data.

6.2 Deriving Relevant Ethical Principles

Drawing on the review of the literature and relevant biomedical donation schemes and projects, and the input from the participants of two workshops on the ethics of data donation, [Footnote 21] the following five ethical principles or categories emerged as most relevant to PMDD:

  1. Human dignity and respect for persons

  2. Promotion of the common good

  3. The right to “Citizen Science”

  4. Quality and good data governance

  5. Transparency, accountability, and integrity

These might at first glance appear rather generic and hardly ground-breaking. One might also question how these can be applied in practice. In response, we lay out the specific requirements for an “Ethical Code for Posthumous Data Donation” in the Appendix, which provides more detail on a practical implementation. The Code is not a governance framework, so some practical issues will still need to be addressed before implementing a PMDD scheme. With regard to the generality of the principles, this is crucial to preserve sufficient flexibility to account for future developments. Considering that PMDD is going to be a long-term endeavour, it is important to regulate for the future, i.e. to avoid ethical guidelines becoming inapplicable due to technological, legal, cultural or social changes. This is the goal of the Code proposed here: to provide normative principles shaping PMDD, rather than a set of specific rules of conduct for the involved actors. These are not based on any singular ethical approach (such as a consequentialist ethics) but build on human rights, the concept of human dignity and bioethical principles, including research ethical principles.

7 Conclusion

In light of both the benefits and potential risks involved in wide donation of personal medical data, there is a need for an ethical code of PMDD that addresses key challenges, including consent, privacy, security and ownership. The previous work done in relation to other types of biomedical donation acts as a useful resource to inform such a code but cannot simply be extended to PMDD, which comes with its own particular ethical challenges.

It is argued that most of these issues have practical solutions, and that the primary focus should be on managing permissible access and use of the collected data. Procedural safeguards have already been developed in other relevant and comparable areas of medical research and could be adopted to foster PMDD. Consider for example the broad consent procedures currently used in biobanking or the “educate-before-you-sign” approach similar to the one used by the PGP-UK. This would ensure that any individual wishing to donate medical data could make a decision that is maximally informed (Sheehan 2011). Privacy risks could be mitigated by carefully managing access to donated data. At the same time, it is important to emphasise that no safety measures will ever be fail-safe, and openness about this fact should form part of the ethical design of PMDD procedures.

The code developed here (see the following chapter) addresses the key ethical issues arising from PMDD. Arguably, before being adopted, further input should be obtained from a wider audience, for instance through public engagement, to investigate public support. However, this is only the first step towards more comprehensive use of health-relevant data for the common good. In the future, combining corporate data (via data philanthropy) with data sharing and PMDD might open up even greater possibilities for supporting health care and research. But for this to work, PMDD must first be brought to life.