Ethics of collecting and using health data

Word cloud for ethics

Why ethics and data?

Where there is power, there is ethics. Unethical practices often entail misuse of power. Misuses in health range from a physician not informing her patient about the risks of a procedure she will perform to the manager of a public health data system not protecting the confidentiality of patient records. Patients submit to physicians because they hope to benefit from their healing powers. But patients can suffer abuses of that power. Communities participate in government health surveillance because they expect the surveillance to benefit them by controlling disease. But they can suffer from data negligence, such as inadequate precautions to protect data confidentiality, or worse, intentional misuse of data.

While data are inherently powerful, they carry more power when managed by an electronic system. A well-functioning information system merges data from several sources to provide additional information with ease and speed. During surveillance, for example of a deadly disease like Ebola, an information system might provide the ages, names, and addresses of family members and where an infected person worked. Public health workers could interview these contacts to place them in quarantine or monitor their health. Alternatively, health workers could spread or misuse the information to stigmatise contacts, affecting whether they could attend school, work, or visit the market.

Data from surveillance guide programmes that target disease prevention or treatment of a population. Faced with a rapidly emerging health threat, such as a highly infectious disease, a health department must act quickly. They cannot necessarily follow the ethical practices that govern research. Public health systems must protect the confidentiality of sensitive information while ensuring practitioners can use the data to provide health services equitably.

Return to contents ⇒

Ethical practice of public health

The principles of ethics coming from medicine, research, and human rights do not adequately address critical issues encountered by public health decision-makers. Individual autonomy is sometimes in tension with the good of the community. For example, to control an epidemic, health workers may have to quarantine an individual to prevent him from transmitting an infection to others in the community.

In 2000, some public health practitioners in the US, wrote a code of ethics with 12 principles that speak to the practice of public health.In 2002, the American Public Health Association adopted the code. They published the Principles in the Ethical Practice of Public Health:

  1. Public health should address principally the fundamental causes of disease and requirements for health, aiming to prevent adverse health outcomes.
  2. Public health should achieve community health in a way that respects the rights of individuals in the community.
  3. Public health policies, programs, and priorities should be developed and evaluated through processes that ensure an opportunity for input from community members.
  4. Public health should advocate and work for the empowerment of disenfranchised community members, aiming to ensure that the basic resources and conditions necessary for health are accessible to all.
  5. Public health should seek the information needed to implement effective policies and programs that protect and promote health.
  6. Public health institutions should provide communities with the information they have that is needed for decisions on policies or programs and should obtain the community’s consent for their implementation.
  7. Public health institutions should act in a timely manner on the information they have within the resources and the mandate given to them by the public.
  8. Public health programs and policies should incorporate a variety of approaches that anticipate and respect diverse values, beliefs, and cultures in the community.
  9. Public health programs and policies should be implemented in a manner that most enhances the physical and social environment.
  10. Public health institutions should protect the confidentiality of information that can bring harm to an individual or community if made public. Exceptions must be justified on the basis of the high likelihood of significant harm to the individual or others.
  11. Public health institutions should ensure the professional competence of their employees.
  12. Public health institutions and their employees should engage in collaborations and affiliations in ways that build the public’s trust and the institution’s effectiveness.

Return to contents ⇒

Ethics and health information systems

Many countries are transitioning from manual to electronic district health information systems (HIS).  We identify some ethical challenges around using manual and electronic information systems:

Keeping data secure

Managers should store data according to established policies for security and confidentiality of patient data.

MEASURE Evaluation, for example, suggests standards for routine management of health information, including:

  1. Keeping data in a secure location.
  2. Providing permits to specific staff to access the data.
  3. Limiting movement of paper records.
  4. Ensuring password protection for electronic records and limited access.
  5. Transmitting only aggregated data.
  6. Requiring staff to sign confidentiality agreements annually.

Keeping identities confidential

Digital data are powerful in part because it is possible to automatically link them between systems. To function together, or to be interoperable, two systems must intentionally select compatible conventions for data selection and definitions. Interoperability creates risks as well as opportunities for greater information, for example, consolidated databases are more attractive targets for cyber-attacks.

  • Increasing the amount of data associated with an individual creates additional opportunities to identify them – permitting deductive identification. Aggregating data provides some protection, for example by reporting the number of women receiving antenatal care rather than maintaining a list of their names. But if the aggregated number is few or the community where the women live is small, readers of reports might be able to deduce their identities. Analysts can create big data from electronic health records, electronic financial data, cell-phone use, social media, and geo-location devices. Because they can triangulate data between sources, their ability to ensure anonymity is declining fast.
  • Incorporating geographically-referenced data into a HIS can increase the risk of deductive identification, particularly in a small geographic area. Use of geo-coded data can lead to discrimination against people associated with a particular geographic area. For example, data showing high rates of cholera infection could dampen tourism and associated income to the community or country.

Basing action on data and evidence

The WHO advocates for HIS as a means to improve evidence-based decision-making at all levels of the health system. Ethical implications when evaluating evidence and using data in decision-making include:

  • Data quality: Invalid data can lead to inappropriate analysis of health and service patterns and trends, and misappropriation of resources. For example, biases in data collection can systematically include or exclude a vulnerable segment of the population. If data are of such poor quality that they do not engender confidence, data usage will decline. Factors that improve data quality include training in data collection, designing forms that are clear and succinct, reducing the burden of data collection, and ensuring data ownership.
  • Conflicting evidence: Different HIS data sources may yield conflicting information, or there may be more than one interpretation of a single set of findings. In such cases, transparent decision-making can prevent one person or group from unilaterally imposing their view.
  • Under-representation of data on complex issues: Health topics that require complex study designs or long time-frames are often more difficult and costly to study. For example the evaluation of structural interventions. This can result in lack of evidence on particular topics, perpetuating their under-representation in policies and programmes. If data producers do not address complex issues, simpler, more direct efforts will be undermined or even counter-productive.
  • Lack of data as an excuse to postpone action: Decision-makers seldom have all the evidence they need; they must make decisions with the information available. The dilemma for decision- makers can be: whether to act without sufficient evidence or to postpone action until they have more complete information. Sometimes, decision-makers cast doubt on the validity of available data, even when it is plentiful.

Making public health data open and transparent

Transparency builds trust in a health system; promoting trust in data also promotes trust in analyses conducted with those data and decisions that utilise them.

  • Public health managers can promote transparency. For example, they can keep individuals informed about how the system uses and shares data collected about them. Governments and organisations can publish anonymised data openly to empower the public. This will encourage research and innovation, promote transparency, and inform decision-making.
  • Open data can be beneficial. But they can lead to unintended ethical issues. Amateur researchers may not understand or be able to account for data limitations such as quality, bias, and confounding. Some erroneous claims may be harmless. Others could have serious unintended consequences. For example propagating unfounded medical advice.  Or the data may be used maliciously to promote an agenda to incite discrimination against a particular group.

Sharing data

When stakeholders share data, each may have contributed to the collection of a single set of data, or may have contributed data to a merged set. In either case, the stakeholders agree to share access to the resulting dataset. There are challenges in sharing data between countries, for example:

The Global Initiative of Sharing All Influenza Data (GISAID) database, established in 2008, promotes the sharing of influenza data and builds capacity to respond to global influenza outbreaks. GISAID maintains a policy of scientific etiquette, in which researchers must acknowledge the originating laboratory in publications. They must also agree to collaborate with the data provider in further analysis and research.

In 2013, Chinese researchers uploaded genetic sequences from the first human cases of the new H7N9 avian flu virus to the GISAID database. They began preparing a manuscript for publication. The researchers later became aware of other research teams planning to publish analyses based on the Chinese H7N9 genetic data. They worried that they would lose credit for their work in isolating and sequencing the virus. Working through GISAID, the Chinese researchers contacted the other research teams, They agreed to hold their publications until the Chinese teams published their initial findings. In this case, GISAID was able to mitigate a potential data sharing conflict while providing rapid access to influenza data to support the global response to the virus.

HIS and research infrastructures in low- and middle-income countries (LMICs) may lack the data management and analysis capacities of their counterparts in high-income countries. Investigators in LMICs often share data with collaborators in high-income countries, who conduct the analyses and gain recognition from the work. Some LMIC researchers feel neglected and exploited in a process that also perpetuates unequal analytic capacities. Researchers and HIS managers should support data sharing partnerships that give adequate recognition and benefit to all parties involved, and seek to build research capacity of LMICs.  

Avoiding burdensome data collection

Every ministry or external donor has questions of interest to them, and their own set of indicators. At the point of data collection, be it in a health facility or at a home visit, each moment spent collecting data threatens to be a moment not caring for the patient or client.

  • To provide good care and good data, the HIS manager must keep data collection to a minimum. They should ensure that each data item is essential and that it will be used frequently.
  • The more useful a set of information, the more people will reference it; the more people use information, the more attention data managers will put into maintaining quality and presenting the data. This feedback loop is broken when those collecting the data do not have access to them for local evaluation and decision-making.
  • Many LMICs rely on external funding to support large-scale data collection. Ministries frequently align health indicators with donor priorities or disease-specific initiatives rather than with overall health system goals. Uncoordinated initiatives can monopolise resources, duplicate efforts. This can result in indicators that are not the most relevant to local populations. The large quantities of data that result can lead to information overload and limited capacity to use data effectively.
  • Siloed data sources also limit decision-makers’ ability to consider the whole health system when allocating resources. To ensure data are parsimonious, a ministry of health needs to facilitate coordination between donors, other ministries, and offices within the ministries. They must also have and use the authority to decide which data are essential, and to curtail unnecessary data collection.

Enabling those who collect data to own and guide their use

When developing a HIS, managers should anticipate and address potential ownership issues before data collection. They should also consider issues around future data access and use to maximise opportunities to utilise the data and begin building the capacity to do so.

Data ownership encompasses maintaining and securing data, managing any changes made to the data collection processes and participating in the collection, analysis, and use of data.

Patients, healthcare providers, health insurance plans, registry developers, funding agencies, research institutions, and government agencies could all claim ownership to health information stored in a public health registry. How far can ownership claims extend? If a patient consents to include her information in a health registry, does she maintain any right to refuse future, unforeseen uses of that information?

Most countries do not have adequate policy and legal frameworks for data ownership and, in many cases, ownership claims to health information have not been legally tested. Selling health information and de-identified patient data is a multi-billion dollar industry, raising additional questions regarding data ownership. Do patients need to give consent for others to sell their information? Is it unethical for one person to benefit from the sale of many people’s data? The National Aboriginal and Torres Strait Islander Health Data Principles are one example of an attempt to address issues such as these.

More technical questions include: Who should be held accountable for data breaches or errors in data collection? To what extent are data managers accountable to individuals represented in the data, as well as other potential owners of the data?

Mechanisms to define and transfer data ownership and accountability include licenses, data use agreements, and data sharing agreements. System managers can use role-based access, login records, and audit trails to monitor and track user access and activities on a system.

Addressing health inequities

WHO defines health equity as ‘the absence of systematic disparities in health between social groups who have different levels of underlying social advantage/disadvantage.’ Efforts to ameliorate health inequities are often impeded by lack of information and low health system capacity to address identified inequities. A HIS can address these needs by collecting actionable data on inequities. It can link health data to social indicators to better address them.

The ability of a HIS to address health inequities is complicated. The areas of a city or country that have the fewest health services usually have the weakest HIS. Perhaps it goes without saying, that strengthening a HIS in a resource-poor area is more difficult than strengthening a HIS in situations where resources – including trained personnel – are more abundant. Also, the system seldom collects data on common sources of inequity, such as ethnicity and social position. Managers must weigh the data collection burden of adding these variables to routine data collection.

Return to contents ⇒

Making ethical decisions

Some ethical decisions must be made before standards are developed. In these instances, we suggest the following as guidelines for making ethical decisions:

  1. Clarify the facts of the situation.
  2. Identify the ethical questions.
  3. Identify the stakeholders and what each stands to lose or gain.
  4. Describe what various schools of ethical thought highlight.
  5. Identify any relevant professional ethical principles, standards of practice, and laws.
  6. Identify possible alternative courses of action.
  7. Choose the alternative best supported by the preceding analysis.
  8. Evaluate the actions taken and their eventual outcomes.

Return to contents ⇒


Increased collaboration and connectivity across countries and proliferation of data through new technologies introduce ethical challenges for handling public health data.

What happens in one country often affects its neighbours. Those addressing disease prevention or control in one country have an interest in the disease patterns of other countries. Countries may not, however, share their health data, or they may collect them in ways that are not useful to neighbouring states. When they share data, a highly infectious and pathogenic epidemic can challenge protections of patient privacy. There may be little time to identify ethical principles and practices; they must be put into policy, and even practiced before they are needed.

The Internet and cell-phones have enabled the production and sharing of previously unimaginable amounts of data. These new big data sources have many potential uses and implications for public health, including enhanced disease detection and surveillance. Ethical issues have emerged around transparency of methods of analysis, collaboration between private (for profit) and public (not for profit) institutions, data ownership and sharing, and individual privacy.

Societies, particularly in the West, often regard numbers as objective and value-free, and thus ethically and culturally neutral. Utilitarianism, the philosophy most closely aligned with the sciences of epidemiology and econometrics, aims for the greatest good for the greatest number. Decisions about what is good, such as disease cases prevented, or the most cost-beneficial approach, are typically based on numbers and data.

But, power differentials, including the power to collect and interpret data, raise ethical concerns. Groups with power or without power are often defined by cultural perspectives based on ethnicity, gender, income or other social factors. These groups can hold different views on whether the data used are valid, how they are used, who has access to them, and so on. The interface of culture and HIS is relatively unexplored. Findings could have significant implications for the creation and use of the data systems.

Recent advances in technology make possible near instantaneous collection and use of data in HISs. The data afford opportunities for public health action and to allocate resources to improve public health. The power of this information also raises ethical concerns about potential misuses. In some cases, technologies are advancing faster than our identification of the ethical implications. They are certainly faster than our ability to establish ethical principles, procedures, skills, and systems. The challenges intensify in resource-poor settings as international donors press for creation of electronic HIS, even in the absence of resources to staff and maintain them.

It is likely that the health sector will only realise the importance of known ethical issues and the will to address them after the occurrence of harmful ethical lapses. The creation of policies and procedures to guard data ethics and the training of individuals to carry them out are in themselves urgent ethical imperatives.

Return to contents ⇒

Source chapter

The complete chapter on which we based this page:

Cover of The Palgrave Handbook of Global Health Data Methods for Policy and Practice

Thomas J., McNabb S. (2019) Principles and Ethics of Collecting and Managing Health Data. In: Macfarlane S., AbouZahr C. (eds) The Palgrave Handbook of Global Health Data Methods for Policy and Practice. Palgrave Macmillan, London.

Additional resources

The Universal Declaration of Human Rights adopted by the United Nations General Assembly in 1948.

Public health code of ethics published by the American Public Health Association in 2019.

Principles in the Ethical Practice of Public Health .This code of ethics states key principles of the ethical practice of public health. An accompanying statement lists the key values and beliefs inherent to a public health perspective upon which the Ethical Principles are based.

Ethical Issues in Global Health. This website describes some public health areas where WHO is involved in providing leadership and guidance on the ethical issues involved.

Guidelines for Data Management Standards in Routine Health Information Systems. The Digital Development Principles Working Group, has produced nine principles for digital development with tools and resources for each principle.

The United Nations Fundamental Principles of Official Statistics includes professional ethics as one of its ten fundamental principles, and identifies a series of legal, administrative, and data-related principles that ministries should incorporate in the regulatory framework of a HIS to promote scientific standards and professional ethics.

MEASURE Evaluation. Guidelines for Data Management Standards in Routine Health Information Systems.

The collection, linking and use of data in biomedical research and health care: ethical issues

Canadian Institutes of Health Research Best Practices for Protecting Privacy in Health Research

US Centers for Disease Control and Prevention: Data Security and Confidentiality Guidelines Frequently Asked Questions

Institute of Medicine (US) Forum on Microbial Threats: Learning from SARS: Preparing for the next disease outbreak.

Chatham House. A guide to sharing the data and benefits of public health surveillance

Research Fairness Initiative (RFI). Research fairness initiative: making research partnerships work for everyone.

The Canadian Institutes of Health Research developed best practices for protecting privacy in health research

The US Centers for Disease Control and Prevention have created a helpful set of answers to frequently asked questions on data security and confidentiality.

Latest publications ⇒

Latest news ⇒