Article Text

Download PDFPDF

Patient data for commercial companies? An ethical framework for sharing patients’ data with for-profit companies for research
  1. Eva C Winkler1,
  2. Martin Jungkunz2,
  3. Adrian Thorogood3,
  4. Vincent Lotz1,
  5. Christoph Schickhardt2
  1. 1Section for Translational Medical Ethics, Department of Medical Oncology, National Center for Tumor Diseases, University Hospital Heidelberg, Heidelberg, Germany
  2. 2Section for Translational Medical Ethics, National Center for Tumor Diseases, German Cancer Research Center, Heidelberg, Germany
  3. 3Terry Fox Research Institute, Montréal, Québec, Canada
  1. Correspondence to Dr Eva C Winkler, Section for Translational Medical Ethics, Department of Medical Oncology, National Center for Tumor Diseases, University Hospital Heidelberg, Heidelberg 69120, Germany; eva.winkler{at}


Background Research using data from medical care promises to advance medical science and improve healthcare. Academia is not the only sector that expects such research to be of great benefit. The research-based health industry is also interested in so-called ‘real-world’ health data to develop new drugs, medical technologies or data-based health applications. While access to medical data is handled very differently in different countries, and some empirical data suggest people are uncomfortable with the idea of companies accessing health information, this paper aims to advance the ethical debate about secondary use of medical data generated in the public healthcare sector by for-profit companies for medical research (ReuseForPro).

Methods We first clarify some basic concepts and our ethical-normative approach, then discuss and ethically evaluate potential claims and interests of relevant stakeholders: patients as data subjects in the public healthcare system, for-profit companies, the public, and physicians and their healthcare institutions. Finally, we address the tensions between legitimate claims of different stakeholders in order to suggest conditions that might ensure ethically sound ReuseForPro.

Results We conclude that there are good reasons to grant for-profit companies access to medical data if they meet certain conditions: among others they need to respect patients’ informational rights and their actions need to be compatible with the public’s interest in health benefit from ReuseForPro.

  • ethics- medical
  • health care economics and organizations
  • philosophy- medical
  • public policy
  • ethics- business

Data availability statement

Data sharing not applicable as no datasets generated and/or analysed for this study. Not applicable since no data were generated.

This is an open access article distributed in accordance with the Creative Commons Attribution Non Commercial (CC BY-NC 4.0) license, which permits others to distribute, remix, adapt, build upon this work non-commercially, and license their derivative works on different terms, provided the original work is properly cited, appropriate credit is given, any changes made indicated, and the use is non-commercial. See:

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.


Secondary use of medical data for research purposes is a promising approach to advance medical science and improve healthcare. Currently, many initiatives around the world are setting up infrastructures to enable systematic secondary research use of data generated in the healthcare system.1 The development of such infrastructures has prompted ethical and legal debates about, for example, appropriate consent models,2 approaches to privacy protection, and oversight of data access and use by academic researchers.3 However, academia is not the only sector that expects secondary use of medical data to be of great benefit. The pharmaceutical and tech industry is interested in so-called ‘real-world’ health data not only for the launching and postmarketing surveillance of their products but increasingly also for research and development of new drugs and artificial intelligence (AI) solutions for healthcare. Medical data are expected to play an important role in informing research decisions about unmet needs, to serve as synthetic control arms in new trial designs, to optimise trial recruitment, and to understand safety and efficacy profiles.4 5 They are the basis to develop, train and validate AI applications.6 Hence, a crucial and obvious ethical question needs to be resolved about the reuse or secondary use of medical data generated in the public healthcare sector for medical research by for-profit companies (ReuseForPro): Should access be granted to for-profit companies to use medical data for research, and if so, how and under which conditions?

Some large-scale data initiatives that aim to enable reuse of patient data for research and data science allow access by for-profit companies in principle. Examples are the German Medicine Informatics Initiative that aims to collect clinical data from German university and affiliated hospitals7 or the Mayo Clinic’s clinical data analytics platform.8 Other initiatives like CancerLinQ—a platform for sharing clinical data from patients with cancer from healthcare IT systems all over the USA—only provide clinical data to ‘non-profit companies that can generate practical knowledge to shape the future of cancer care.’9

ReuseForPro is also a politically sensitive topic with the potential to cause public debate and concern as shown by two cases from the UK (for an overview, see Horn and Kerasidou10). In 2013, the National Health System (NHS) announced its intention to collaborate with for-profit companies and made medical data collected from hospitals and general practitioners available for research by for-profit companies.11–14 This initiative was publicly criticised for lack of transparency and public communication about the handling of patient records. Single hospitals also started sharing health records for ReuseForPro. The Royal Free Hospital in London did so in a cooperation with Google DeepMind which was publicly viewed as violation of patients’ privacy rights and data protection law.15 16

Studies on patients’ willingness to share their medical data for ReuseForPro show a pattern of consistently lower approval rates for commercial research compared with academic research. One representative study with German participants shows a marked drop from 97% approval to supporting academic research with their data to 17%.17 Other German studies found a similar, though less pronounced difference in acceptance of data use by academic versus commercial research.18–20 In other countries, acceptance rates for ReuseForPro range between 50% and 60%, as has been shown for Australia21 and the UK.22 Moreover, in the UK study in question, 44% of those participants who were not willing to share their data with for-profit companies ‘earlier in the survey, agreed […] that research should be conducted by commercial organisations if, otherwise, the research would not take place.’22 Finally, some studies show that public benefit is a key factor moderating patients’ acceptance of ReuseForPro.21

While we have seen some empirical data on patients’ willingness to provide their data for ReuseForPro, there is a need for a more comprehensive normative debate. Some authors are primarily concerned with the use of data collections held by private companies; they highlight the importance of public benefit23 and improving quality of care24 through research use of medical data. Graham presents four criteria that must be met for health data sharing with private companies to be trusted: transparency, accountability, representation and a clear social purpose.25 Referring to the NHS of the UK, Horn and Kerasidou10 argue for public–private partnerships for reuse of medical data, designed on the basis of solidarity and public benefit. However, the field still lacks a broader ethical framework that includes all relevant stakeholder perspectives on ReuseForPro. Hence, the main goal of this article is to start such an ethical conceptualisation of the debate on ReuseForPro. For this purpose, we first clarify some basic concepts and our ethical-normative perspective. We then discuss and ethically evaluate potential claims and interests of relevant stakeholders. Finally, we address the tensions between legitimate claims of different stakeholders to suggest conditions that might ensure ethically sound ReuseForPro.

Basic concepts and definitions

The focus of this paper is the reuse of medical data from the public healthcare sector for medical research by for-profit companies (ReuseForPro).

By 'medical data' we mean data of patients generated in and for the primary purpose of patient care. This includes data from preventive, diagnostic and treatment measures, but also data recorded for billing and reimbursement of medical services. In general, medical data are deidentified prior to any secondary use, that is, identifying characteristics such as names, date of birth are removed or replaced by a code. However, despite deidentification, there typically remains a residual risk of reidentification for patients. Thus, the data are usually treated as personal/person-related data falling under privacy and data protection norms.3

We define the public healthcare sector by the source of funding of the infrastructure and of the healthcare delivery. Consequently, healthcare institutions in which infrastructure and healthcare are publicly financed are the ‘purest’ form of public healthcare. If the infrastructure is financed privately, as are, for example, private practices or hospitals, but the healthcare for patients is financed publicly, this represents a hybrid form according to our definition. For the sake of the argument, we will focus on the pure form of the public healthcare sector.

By ‘sharing medical data with companies’ we mean that companies receive access to the data and can use it for research purposes. Access can be operationalised in distinct ways. Traditionally, the hospital transfers the data directly to the companywhere the data analysis is performed. Alternatively, for greater security, the hospital may only provide the company with access to data that remains ‘in place’.26 The company sends a computational analysis algorithm to the hospital, the hospital applies the algorithm to the relevant data set (ie, processes the data), and solely aggregated results are sent back to the company. In this way, patient data do not leave the walls of the hospital; only the aggregated results of the analyses are sent to the company.27 28

Following the different forms of research indicated in several recitals of the EU, GDPR,29 by medical research we mean research at all stages—basic, translational or applied research—in all fields of medicine and medical technologies, including IT and AI products for the healthcare sector, for generating scientific knowledge aiming at potential application in healthcare. We do not consider other forms of research using medical data like market research to fall under the rubric of medical research.

By for-profit companies we mean companies that participate in market competition, pursue the primary goal of profit making and are owned by private persons or holdings in private ownership. The specifics of the legal form are not relevant here.

Basic normative principles for ethical assessment of involvement of private companies

Before ethically analysing and assessing potential claims and duties of involved stakeholders, we need to roughly define our ethical approach, that is, the ethical-normative framework we rely on. The ethical analyses will be carried out from a position of liberalism inspired by John Rawls’ ‘A Theory of Justice’. Following Rawls’ interpretation, we take his theory as an approach that aims to transfer and apply the basic Kantian idea of respect for persons (as an end, not as means) to the area of political philosophy and social justice. According to this rights-based approach, all persons should be guaranteed an equal system of liberty rights. Several of these rights are of relevance for this article such as the right to privacy and informational self-determination and the right to academic freedom (freedom of research). However, according to the perspective of political liberalism, persons are not only entitled to liberty rights but also have certain duties to others and society. In Rawls’ thought experiment, people behind a veil of ignorance, that is, without knowledge of their position in society, would agree that everybody deserves support to really and substantially be able to use her liberty rights. Citizens, thus, have the duty to assist others to be able to use these liberties as well as the duty to support just institutions of the liberal-democratic society. From the liberal-egalitarian ideal of a democratic society ordered according to the rule of law by a constitutional state (Rechtsstaat), we also deduce general civic values and principles of relevance for our ethical analysis: the principles of transparency, accountability and liability as well as the principle of participation and representation in decision processes.

When defining the ethical framework of our investigation, the question of the moral status of companies arises and whether and to what degree they can be attributed duties, rights and responsibilities at all. Due to limited space, we cannot adequately portray the rich discussion on this topic across fields of social ontology, theory of collective agency, philosophy of law, social ethics and business ethics. Instead, we provide a pragmatic and basic account of ascribing rights, duties and responsibilities to companies, based on a few elementary considerations. First, companies have constitutional rights in western liberal and democratic states. For instance, companies have the basic right to freedom of scientific research according to the German constitutional law and to the EU Charter of Fundamental Rights.30 One reason from legal theory and philosophy for granting determined constitutional rights to companies is to treat them as a placeholder of the rights of the individuals who own them and act through them.31 Although the specific moral rights, obligations and responsibilities of companies are subject to diverging positions and debatesi, there is a widespread basic consensus that ascribing rights, duties and responsibilities to corporations is meaningful, plausible and ethically justified.ii

Second, in terms of concrete rights and obligations, it is morally justified that privately owned businesses, including corporations, have the right to do business, to strive for profits on markets, and to carry out research and development. In compensation for their rights, they have moral obligations and responsibilities determined by legal obligations towards society, employees, customers or the environment. Again, there is a broadly accepted basic consensus that we should have an economic order that allows private business activities including privately owned corporations which compete on markets.iii This is the elementary normative approach for the ethical analysis of companies’ legitimate claims and obligations concerning ReuseForPro, which will ultimately be determined in reference to specific features and circumstances of the relevant context in the next section.

Morally relevant interests at stake and their ethical assessment

Based on this normative framework, we will now assess the potential claims and expectations of the respective stakeholders regarding ReuseForPro: patients, for-profit companies, the public and physicians and their healthcare institutions.

Patients as data subjects in the public healthcare system

When it comes to secondary use of their medical data, patients have several legitimate claims and expectations. Some of them apply to all types of secondary use of medical data, others are specific to ReuseForPro. We distinguish here between the current patients, whose data are to be used, versus the public and future patients (see ‘The public and future patients’), because the rights and interests of each group are affected in very different ways as the following aspects show.

Medical confidentiality

Patients have a legitimate expectation in a trusting relationship with their physicians. This trust is based on the quality of their physicians’ care, their commitment to the patients’ best interest as a priority goal, and to a relevant degree on the physician keeping personal information confidential.32,iv The patient’s right to confidentiality is firmly established in medical ethics and law. With ReuseForPro, medical confidentiality is affected if medical data that leave the protected realm of the patient–physician relationship is not adequately protected from unauthorised access and reidentification. In general, deidentification is a pivotal measure for protecting confidentiality. Technical safeguards including secure access mechanisms (see ‘Basic concepts and definitions ’) may add additional layers of protection against reidentification.

Informational self-determination

As referred to in the section ‘Basic normative principles for ethical assessment of involvement of private companies’, one of the relevant basic rights is the moral right to privacy and informational self-determination. We conceive the right to informational self-determination as follows: ‘The right to informational self-determination protects a person’s ability to freely decide whether and how personal data and information about her are collected, stored, multiplied, processed and transferred by third parties […]. In the following, we use the term informational self-determination instead of (informational) privacy for it better captures that the right is about actively determining what happens with one’s personal data and information.’33 This right becomes particularly important when it comes to highly sensitive medical data.

Representation and patient involvement

Out of a wish to govern the use of their data, patients might expect to be included in decision-making bodies of data initiatives. Such a form of participation is already being realised in some places through patient representatives on data access and use committees. This claim is substantiated by the principle of representation. Furthermore, involving patients has the potential to foster trust in the governance of data and improve the quality of oversight.

Interest in clinical benefit

In research activities such as phase III clinical trials where patients potentially gain a clinical benefit, the interest of participating patients in this clinical benefit is a valid moral claim to be factored into the overall ethical assessment of a study. In other research activities, it is highly unlikely that participating patients will benefit, so that appropriate information is required to avoid false hopes and therapeutic misconception. We assume that ReuseForPro is highly unlikely to generate clinical benefit for data donating patients due to the lengthy development and approval process for new therapies or medical products. Therefore, individual clinical benefit should play no role in the ethical assessment of ReuseForPro. The envisaged benefit of ReuseForPro is for future patients and the public (discussed in the section ‘The public an future patients’).

Share in profits

Patients might claim a right to a share in the profits of commercial success of products developed with their medical data. To make that claim, patients could refer either to the principle ‘to each person according to her effort’ or ‘to each person according to her contribution’34 as a principle of justice for the sharing of profit. However, we doubt that either claim can substantiate a case for patients’ right to have a share in profits from commercial success of products from ReuseForPro. As far as additional effort is concerned, medical data are traditionally generated by doctors and other specialists using the resources and infrastructure of the public health system as part of the individual care of patients. For patients, ReuseForPro creates little or no relevant extra effort, work, or investment other than the time during the information and consent process to decide whether or not to allow access to their diagnosis and treatment data when asked. The data are just a first level of effort in the highly complex, long and resource-intensive process of developing a successful medical product that requires significant efforts by the company.

The contribution principle emphasises that patients’ medical data are as a matter of fact—and completely independently from any effort, labour or investment—an indispensable contribution for the development of a profitable product based on ReuseForPro. Hence, patients can legitimately say that they contribute to data collection and that they want a share in the profits in proportion to their admittedly small contribution. Here, we would first point out that the data themselves and even new scientific insights do not typically generate profit directly. More importantly, we would argue along with other scholars35–37 that these medical data should be a public resource, for the following reasons. The data themselves are generated in a publicly funded health system. The public and tax-payer investment in the healthcare infrastructure including the training and education of staff and the payment for diagnostics and therapies justify a claim on using them for public benefit. Hence, while medical data certainly fall under patients’ control required by the right to informational self-determination, patient ownership rights cannot necessarily be deduced.

Accountability and liability

Patients are entitled to clear accountability structures and compensation in the event of adverse consequences from ReuseForPro, a claim based on our principle of accountability and liability described above. Harm mitigation bodies have been suggested by some scholars for situations where data subjects experience harms arising from digital data use in the big data context.38 While this suggestion is convincing in principle, the challenge lies in the implementation—that is, how exactly to demonstrate harm caused by ReuseForPro that may result from, for example, privacy breaches or negative ratings by predictive analytics. Provisions for either legal remedies or harm mitigation are, however, specific to neither the distinction between academic and for-profit data initiatives nor for healthcare or other economic sectors.

For-profit companies

Pharmaceutical and biotech companies make for a significant proportion of research and development in the healthcare sector. If for-profit companies invest in such research driven endeavours, they might make the following claims.

Freedom of research and right to access patient data

For-profit companies in the health sector are entitled to freedom of research. Freedom of research is primarily a defensive right that restricts the influence of state institutions on research activities, among other things, to the extent that researchers, and thus also private company researchers, are free to decide on their choice of research subject. Going beyond the defensive function, for-profit companies might additionally claim that the fundamental right to freedom of research constitutes a right to access patient data stored in publicly sponsored data sharing infrastructures. In fact, research-based pharmaceutical companies have repeatedly criticised that they are not given access rights to patient data, for example, under the Patient Data Protection Act in Germany.39 However, it is not clear how freedom of research, as a defensive right, can substantiate a claim for access to medical records of patients stored in publicly funded infrastructures. For-profit companies might even have an interest in exclusively accessing real-world patient data for their research to keep competitors at arm’s length. However, exclusive access40 would restrict rather than stimulate competition—which would tend to be in the interest of the company but not the interest of the greater public. What private companies can legitimately demand is a fair playing field so that there are equal and fair conditions of access for all companies alike. So, in principle, any data access provided to the private sector should be non-exclusive and non-discriminatory.v


Certainly, private companies in the healthcare sector have a legitimate interest to generate profits and thrive on the market. The ideal way to achieve this goal is to develop high-quality products that generate real added value and address a need in an area with a high burden of disease. For these kinds of innovations societies are willing to pay high prices. While high market profits are in the company’s interest, two ethical debates are connected to the pricing strategies of pharmaceutical companies: first, whether it is legitimate to demand the highest possible price that the market allows if this puts the respective healthcare systems under great financial pressure. And second, whether pharmaceutical companies have ethical obligations to charge fair prices for essential medicines. These debates are particularly relevant for products developed with data from patients and from a publicly funded healthcare system. While companies have a legitimate right to pursue and realise profits, in the case of ReuseForPro particular restrictions to this right are justified if necessary to safeguard social benefit of ReuseForPro.41

Corporate (social) responsibility

Corporate responsibility implies to take on social responsibility beyond the companies’ actual business purpose and is an expectation of society vis à vis private companies. At the same time, the formulation of a corporate social responsibility (CSR) strategy and the corresponding activities are generally also intended to improve the company’s image. In our context, companies working with patient data have an interest in CSR ideally out of a felt duty to protect patients’ privacy or generate value for society and certainly in order to build trust in their business model. This amalgamation of two goals—real assumption of responsibility and image cultivation—makes it necessary to check carefully whether companies live up to what they promise. Especially in the new field of AI development, concrete expectations towards corporate responsibilities of companies in developing new AI products are being formulated e.g., with a list of criteria for trustworthy AI of the European AI Alliance42 or the Montreal declaration for responsible AI.43

The public and future patients

There are two moral bases to justify claims by the public regarding ReuseForPro: for one, the public and those paying into health insurance finance the infrastructure and the healthcare personnel that generate clinical data; second, the state as legitimate representative and instrument of the people within a liberal-democratic order has the right and duty to ensure that all activities remain in compliance with the law and benefit the people; this holds in particular for activities with a strong public relevance and involvement such as the secondary use of medical data from the public healthcare system via a publicly funded data infrastructure.

Public benefit

The public and prospective patients have an interest in ReuseForPro as it has high potential to benefit society.44 A strong orientation towards the public benefit (common good) is critical for public acceptance and trust concerning ReUseForPro,10 and essential for its moral justification. Research with patient data generated through everyday healthcare encounters could promote drug safety for patients, make clinical trials more efficient, substitute placebo controls by so-called virtual control arms with existing patient data and increase the quality and cost-effectiveness of the health system with AI tools, for example, for decision support. Since pharmaceutical and biotech companies make for a significant proportion of research and development in the health sector, there are good reasons to assume that ReuseForPro will exploit the potential of medical data along a spectrum from high public benefit in post-market surveillance data to potential long-term benefits when used for research and development.

Return to the healthcare system

The public has a morally legitimate interest to receive a return from private entities for providing them with the opportunity to use patient data for secondary research purposes. This return can take many different forms that contribute to the maintenance and improvement of the healthcare system: increase of scientific medical knowledge; medical products that help improve the prevention, diagnosis or care of disease at a reasonable cost; or fees for data access that can be reinvested in healthcare.45

Trust in the healthcare system

The public has an interest in ensuring that citizens and patients trust the public healthcare system and its institutions. Empirical studies show that the acceptance of the use of data by commercial users is significantly lower than acceptance of data use by academic users (see ‘Introduction’). ReuseForPro is a publicly and politically delicate endeavour and has the potential to seriously compromise public trust.10

Effective competition

The public has a legitimate interest in ensuring that ReuseForPro is consistent with effective market competition and does not exacerbate existing imbalances in the market due to accumulated market power of individual companies. Effective competition including global competition involves preventing the formation of monopolies and oligopolies. Access to patients’ data for big players like Amazon or Alphabet (google) in ReuseForPro, as, for instance, in the case of NHS, could reinforce existing monopolies, and therefore, needs to be handled and regulated with particular attention and caution.

Promotion of national companies

If we conceive the public as the people of a state, the public has an interest in timely access to high-quality healthcare products, which is promoted by competition nationally and globally. The public might also have a special interest in promoting national companies or, in the case of EU members, at least companies of the EU if research and development take place ‘at home’ and taxes are paid within the state. National companies might also be perceived as more trustworthy in the public opinion and can be held accountable within the national jurisdiction. These reasons might serve as a weak argument for granting preferred access to national companies. However, data are not a limited resource since they are reproducible and such preferred access must not forestall effective competition.

Healthcare institutions and physicians

Hospitals and doctors’ offices are ultimately the places where patient data are generated. While public hospitals need to invest in information technology, infrastructure and finance personnel, physicians and nurses contribute a large and important part of the data through their documentation of patient treatment. For these reasons, healthcare institutions and physicians might make the following claims.

Ownership of health data

Physicians might claim that the data only exist because they collected and documented them, and therefore, they own their patients’ data. Likewise, hospital managers and the institution could claim that it is their stewardship of resources and governance that ensures functionality of the healthcare delivery in their institution and data collection is an important element of this and therefore the data belongs to the hospital. From these ownership claims, physicians and hospital managers could derive an entitlement to deny data use by private companies, or to condition such access on a share in the eventual profits. However, data ownership claims of physicians and hospitals are problematic. First and foremost, the concept of data ownership of second parties itself conflicts with patients’ right to informational self-determination. Second, medical data are not generated as an end in itself but as part of physicians’ primary task to provide state of the art healthcare. Third, actors such as technicians (eg, in connection with MRI) or laboratory staff also produce a relevant part of the data and would therefore also have a (partial) claim to data ownership. Fourth, with regard to the ownership claims of hospital management, most of the resources used for diagnostics and thus for data generation are financed with public money. The argument from the resources invested in data generation thus argues, if anything, for ownership claims on the part of society, with hospitals playing an important role as responsible stewards of this resource. However, to the extent to which ReuseForPro is associated with additional burdens, efforts and costs for hospitals or physicians, they have certain legitimate claims for compensation or reward for these additional efforts (see next section ‘Compensation for additional effort’).

Compensation for additional effort

Contrary to popular belief, the data are not just there as a treasure waiting to be exploited. To make the data usable, they must be documented in a uniform and structured manner and their context of origin must be annotated with sufficient accuracy in metadata.46 This is associated with relevant additional data work, which does not necessarily have to be carried out by the physicians themselves. Especially since physicians today rightfully complain that they spend more and more time on documentation and data entry at the expense of time with the patient, it is important to see that additional standardisation and documentation are usually required to make the data usable for ReuseForPro. Hence, healthcare providers and individual physicians contributing data for ReuseForPro have a legitimate claim to be relieved from or compensated for any additional efforts for data procurement and documentation—meaning any extra effort beyond what they are obliged to do for ensuring quality patient care.

Interest in exclusive research with ‘own’ patient data

Healthcare institutions and physicians with academic affiliation might be interested in research with patient data themselves, especially if they have an academic mandate to do so. They might also team up with for-profit companies for joint research projects that may also lead to commercial outputs. Since data can be duplicated and are, therefore, a non-rivalrous resource for health research, access should be non-discriminatory meaning that academic researchers and private sector health researchers should have equal access to the data if a return to the healthcare system is secured and if patients have consented to ReuseForPro. If the data-requesting company pursues a research goal similar to that of an internal academic research project, there might be a situation of competition between the company on the one hand and the academic researchers or hospital on the other hand. Should this be the case, clear rules based on public value and patients’ consent to reuse data by academic and commercially oriented researchers are pivotal.

Table 1 maps potential claims of stakeholders, weighs them tentatively according to the ethical assessment and lists strategies for mitigating tensions between claims.

Table 1

Moral claims of stakeholders and mitigation strategies

Justification and requirements for the secondary use of patient data by private companies

In the following we discuss how potential tensions between the different stakeholders’ claims and interests explored above can be appropriately handled and mitigated in ReuseForPro. The most important areas of tension are for one, between the public interest and companies’ interest in profit maximisation and, second, between the individual’s right to informational self-determination and the public interest in maximising data utility.

The legitimate public interest in benefiting from research with patient data can go hand in hand with the company’s interest in generating profit with products based on this data. However, the public’s and the company’s interests can also come into conflict if the product does not convey any real added value, is overpriced or is not available on the domestic market at all. As stated above, it can be rightfully expected that ReuseForPro creates public benefit since the patient data are generated in the public healthcare system. This public interest standard is also underlined by the social responsibility of private companies and the principles of accountability. Hence, companies need to accept constraints on their liberty to pursue profit and the state must create framework conditions that ensure an appropriate return of benefits. First suggestions might be:

  • Limit ReuseForPro to research that aims to improve health or the healthcare system.10 This would exclude, for example, uses for marketing, product placement or seeding trials. Within the limits of this goal, however, the private company is free to choose whatever research area it wants to develop and invest in.

  • Ensure and document a return from ReuseForPro that contributes to better health or healthcare,25 for example, via health products themselves or payments for health data that can then be used to finance health programmes. The donating healthcare system should have preferential access to products developed with ReUseForPro.10 Apart from an ex ante negotiation about potential returns, an ex post documentation and track record for each company about the products and benefits generated with patient data are ways to satisfy the principles of accountability and transparency.25 Accountability implies setting up a governance system that gives a public account of the kinds of contracts governing secondary use; reasons and goals of usage; scientific quality, effects and outcomes on the project level; and more general information about a company’s mission, financial ties and contribution to the health sector.

  • If benefits are returned to the healthcare system, companies are free to generate profit especially with innovative products. The upper limit to pricing is dictated by the fair pricing argument that demands that products should not be overpriced and profits should be limited when high costs for vital products threaten the viability of the public healthcare system. One way to put this into practice would be to condition data access on fair commercialisation downstream.

  • Ideas on how to ensure this include obliging companies to register their research in advance in publicly accessible study registries to create scientific transparency and to create transparency about the level of public data support received by companies. Another idea is to clearly indicate in price negotiations to what extent their products were developed with patient data. If companies do not adhere to fair pricing, they can be excluded from further data use for a certain period of time. We advise against the introduction of legal sanctions as we believe that public moral pressure or fear of reputational damage is enough to motivate most companies to ensure fair marketing downstream.

A second area of tension is the patient’s right to informational self-determination and the public interest in the maximisation of the use of the data. While this conflict arises for data sharing generally, it is particularly acute for ReuseForPro, considering its relatively low acceptance rate. Hence, risks and benefits must be especially well explained. Since consent to ReuseForPro cannot be assumed, it is ethically necessary that patients get the option to either approve or reject ReuseForPro as an extra option separately from all other consent content. This includes complying with the above outlined principles of transparency and accountability as an indispensable condition for ReuseForPro.

  • Patients expect that their personal data is kept confidential. ReuseForPro governance should hold companies accountable for data security, protecting patients’ privacy and minimising risks. To this end, technical solutions like secure access mechanisms10 (see ‘Basic concepts and definitions ’) wherever feasible are warranted, and different governance bodies may be needed depending on the character of ReuseForPro or the nature of the company—for example, whether it is a big tech company’s research and development department or a smaller start-up company that does basic research in AI solutions for the health sector.

  • The legitimate interests of parties affected should be represented in the process to set up and monitor data uses as underlined by the principle of representation and participation.25 One important instrument in this regard are data access and use committees that may also include patient representatives.


In summary, even though private companies have rights to freedom of research or to pursue profit, these do not extend to a moral right to access and use medical data. There are, however, good reasons for patients and data access and use committees to grant private companies access if they meet certain conditions: above all companies need to respect patients’ informational rights and act in accordance with the public’s interest in health benefit from ReuseForPro.

The public has a legitimate interest in ReuseForPro for the sake of public benefit but has no morally justifiable claim obligating patients to provide their medical data for ReuseForPro. However, the public has an ethically justifiable claim towards the physicians and healthcare institutions of the public healthcare system to support ReuseForPro provided physicians and institutions are compensated for the additional effort required to provide the data. All things considered, secondary use of patient data by for-profit companies is not only justifiable but may even be mandated under certain conditions.

Data availability statement

Data sharing not applicable as no datasets generated and/or analysed for this study. Not applicable since no data were generated.

Ethics statements

Patient consent for publication



  • Contributors ECW set the subject matter, conceptualised the argument, wrote and revised the draft manuscript in close cooperation with MJ, CS and input from AT. MJ revised and updated the summary of the empirical and existing ethical literature and drafted several passages in the chapter on stakeholder interests. MJ contributed to the overall process of structuring and drafting the manuscript. AT contributed his expertise on governance and policy of large data initiatives, drafted the formulation of some passages, and contributed to initial and to the final comprehensive revision. VL was responsible for literature research of the empirical literature and summarised his findings in initial drafts of the presentation of the empirical literature in the introduction. CS drafted a first conceptual structure and contributed to all stages of the manuscript, in particular to the section about the normative framework. ECW is responsible for the overall content and the guarantor.

  • Funding The authors have not declared a specific grant for this research from any funding agency in the public, commercial or not-for-profit sectors.

  • Competing interests ECW and CS have been receiving grants by the German Ministry of Education and Research (BMBF) in the frame of the German Medical Informatics Initiative (MII) and have been involved in the MII Working Group "Consent" .

  • Provenance and peer review Not commissioned; externally peer reviewed.

  • See for instance, Peter French’s prominent account of corporations as moral persons (that French subsequently revised).47

  • For accounts of corporative duties, see Ó Laoghaire.48

  • As one instance of this basic theoretical consensus, one might refer to a range of philosophical positions that includes libertarianism,49 welfare state capitalism, property-owning democracy and liberal socialism (for private ownership of production measures in the two latter models according to Rawls, see von Platz50

  • Nuffield Report on Big Data: Medical confidentiality protects patients from harm in two ways: it both encourages them to disclose information essential to their treatment, so that they do not suffer the harm of untreated disease, and it provides assurance against any harm that may occur to them from a more general disclosure of the information. Over time, respecting confidence helps to foster trust .32

  • The Data Governance Act is a bit more nuanced for access to public sector data in that it admits the exceptional possibility of commercial exclusivity in specific cases, however this seems not directly transferable to the research scenario since research can be done in competition and is not based on exclusive data access. Recital 13

Other content recommended for you