Enabling Posthumous Medical Data Donation: A Plea for the Ethical Utilisation of Personal Health Data

In this article, we argue that personal medical data should be made available for scientific research, by enabling and encouraging patients to donate their medical records once deceased, in a way similar to how they can already donate organs or bodies. This research is part of a project on posthumous medical data donation (PMDD) developed by the Digital Ethics Lab at the Oxford Internet Institute, University of Oxford, and funded by Microsoft. We provide ten arguments to support the need to foster posthumous medical data donation. We also identify two major risks—harm to others, and lack of control over the use of data—which could follow from unregulated donation of medical data. We reject the argument that record-based medical research should proceed without the need to ask for informed consent, and argue for a voluntary and participatory approach to using personal medical data. Our analysis concludes by stressing the need to develop an ethical code for data donation to minimise the risks, providing five foundational principles for ethical medical data donation, and suggesting a draft for such a code.


This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3177989

Introduction
Numerous health conditions affecting large parts of the population remain under-researched. The consequence is that preventative measures, treatments and/or cures are lacking. Some of these illnesses, such as Alzheimer's dementia or Parkinson's disease, have devastating effects on their sufferers, and currently lack adequate treatment. While some progress has been made in discovering genetic or biological markers to identify people at greater risk of contracting certain diseases, little is known about the interpersonal differences that make someone a sufferer while sparing others with identical markers. Identifying and understanding these underlying differences is hard partly because of a lack of relevant data. The data required for such scientific progress need to be wide and longitudinal, but this is difficult and costly to obtain within traditional clinical research studies. At the same time, some data that exist are currently unavailable to research due to the absence of an adequate framework to streamline the currently onerous access procedures. Although individuals can, while alive, volunteer their data to private corporations by accepting terms and conditions to this effect, it is not yet possible to give one's medical data (whether during life or after death) for research purposes to a public institution. Nor is there any regulatory or ethical framework in place to guide the donation process. In this article, we argue that this constitutes an unethical failure to utilise data that are of immense value and importance in the quest to improve public health and to promote the common good.
We focus on posthumous medical data donation (PMDD) and argue it should be enabled as a matter of urgency by putting in place an ethical code of PMDD.
In the rest of this article, we start by outlining what we mean by PMDD, followed by an explanation of our reasons for enabling PMDD. These consist of 10 arguments in favour of PMDD, as well as arguments against the alternative approach suggested by some researchers, namely the removal of the need for individual informed consent in Big Data health research. Comparing PMDD to other types of biomedical donations that already take place, we argue that the existing ethical frameworks from other donation schemes provide useful guidance, but do not suffice to ensure ethical PMDD. We therefore argue for the development of an ethical code specific to PMDD, and propose five foundational principles for such a code.
Other types of donation in the medical field are already very common. Indeed, a significant part of the medical system relies on donations to save lives, to educate and teach the medical profession, and to advance medical knowledge in general. Examples include blood, organ and tissue donations, gamete donations, stem cell and cord blood donations, as well as brain and body donations for research and educational purposes. It is even possible to donate one's body for commercial or artistic purposes, albeit controversially, for instance to the anatomist and inventor of plastination, Gunther von Hagens, and his (in)famous "Body Worlds" exhibition (https://bodyworlds.com/, accessed March 5, 2018). When it comes to donating data, there are specific subsets of data that can currently be donated. One such example is genomic data (Haeusermann et al. 2017). For instance, the Personal Genome Project enables individuals to donate their full genome for research purposes. Another example is data given during participation in medical research projects, studies, or clinical trials. However, the donation of a more comprehensive dataset, such as in the form of personal medical records (PMRs), has not been systematically enabled so far.
The collection and use of medical data for research purposes has mostly been via the aforementioned patient surveys, clinical studies, and trials. As the type and number of patients recruited to these is rather limited, a vast amount of potential data is not included and remains unused. At the same time, the infrastructure of our health services is changing to enable, in theory, the wider sharing of data with health care professionals and researchers. For instance, through the electronic health records (EHRs) currently being introduced within NHS England, patients can share their own records via a link. Serious limitations of this approach relate to the quality of the information and to the fact that the data available in these EHRs tend to be incomplete and vary from General Practitioner (GP) practice to GP practice, but these are predominantly practical obstacles that could easily be overcome (Floridi & Illari 2014).
The failure to utilise fully the health data available in PMRs, which often already exist in digitised form as EHRs, is a huge opportunity cost. It has a negative effect on medical research, given that an incredibly valuable resource remains untapped when its utilisation could lead to significant advances in medical knowledge. In times when public health is in desperate need of improvement and when many serious health conditions are poorly understood, this is unacceptable and, so we argue, unethical. It is crucial that we enable individuals to donate their medical data and enable its use for research for the common good.

Why We Should Enable PMDD
In light of the potential benefit to be derived from the utilisation of PMRs for research purposes, some have suggested that obtaining informed consent from individuals is inappropriate for record-based research (Porsdam Mann, Savulescu & Sahakian 2016). This position emphasises the benefit for society at large, and maintains that because of a "duty to easy rescue", i.e. the principle that individuals are under a moral obligation to benefit others where there is no or minimal risk to themselves, one would be justified in bypassing, in this particular context, what is otherwise a fundamental principle of research ethics, namely informed consent.
There is clearly some merit in reconsidering how informed consent operates in modern data- or record-based medical research, where, in order to maximise utility, data often need to be repurposed in ways that could not have been anticipated at the time of data collection. Rather than negating the need for consent in such instances, however, we consider it ethically preferable to enable those patients already willing to volunteer their data to do so. Note that empirical research into patient attitudes suggests that such patients are many. In addition, abandoning the informed consent requirement on the basis of analogical reasoning in terms of rescue seems inappropriate where no discernible individual is immediately saved or even treated. The long time horizon of most medical research projects also makes it rather unlikely that the patient data subjects will ever become beneficiaries of any research findings resulting directly from their own records, and this is obviously impossible in the case of data of the deceased. We therefore dismiss the idea of simply using the available data without first obtaining informed consent, even where this would be within the current limits of the law. Instead, we suggest enabling and encouraging PMDD as a fully voluntary action for the following ten reasons.
1) It is unethical to frustrate the "will-to-do-it" without proper justification. Although no individual donor will receive a benefit at the point of donation, the ability to contribute to the advancement of medicine and act as a moral agent can provide a significant benefit during one's lifetime. Studies with organ, body, and brain donors show a strong desire to do post-mortem good, and suggest that medical data would be no different (Steinsbekk et al. 2013). Indeed, the Personal Genome Project and patient networks, such as patientslikeme.com, offer good examples of the case in point.
2) The concept of altruism is well-established and should include data donation for the common good. There is evidence that most individuals already desire to act morally, and may do so without the need for further encouragement when provided with the right information, a straightforward procedure, and appropriate safeguards (Richardson & Hurwitz 1995). With regard to PMDD, the lack of regulatory guidance and practical possibilities of donating data hampers the moral agency of potential donors.
3) [...] since members of the current generation will be donating data for the benefit of others, much like they currently benefit from the contributions of previous generations to medical knowledge. Arguably, there is a moral obligation to participate in scientific research (Harris 2012).
4) PMDD is an appeal to inter-generational solidarity, as future generations will benefit from past generations and will become more motivated to donate to future generations in turn. Recently, the notion of solidarity has experienced a revival as a framework to direct biomedicine beyond the dichotomy of personal benefit and the common good (Prainsack 2011). Such arguments suggest that there is a need to nudge less altruistic individuals to act more responsibly, and to take on their share of the collective burden of contributing to medical knowledge (Prainsack 2017).
5) PMDD would foster a (human) right to science. It has been argued that this includes a human right to participate in the scientific process in its entirety (Vayena & Tasioulas 2015). Of course, this is not to say that a right to donate one's medical record implies a receiver's duty to use these data, as it is advisable to retain the option to reject a donation where this carries significant ethical risks. This is standard practice in whole-body donation programmes, where acceptance of a donation is contingent on the health status of the donor and the demand by the accepting institution (Riederer et al. 2012).
6) There is a strong economic argument to be made. Using the data that are already being collected during health and social care to advance the body of medical knowledge would enable a more cost-effective administration of healthcare. In addition, the more data are donated, the more value the old data have. This scaling effect is typical of the digital, and makes it economically sensible to encourage PMDD.
7) It is crucial to facilitate PMDD immediately, as the trend towards commercialisation of personal health data is growing, and this may leave the public at risk of missing out. A market is emerging for individuals to sell their own data to companies. This is the case of Zenome.io, which combines blockchain technology and digital currency to allow individuals to sell their personal genomic information (Zenome, "Your DNA is an asset. Zenome is a market", https://zenome.io/, accessed Oct 31, 2017). Soon, more comprehensive platforms might encourage individuals to sell their full electronic health records, as these become increasingly available to patients. A socio-political decision to take the initiative on PMDD is thus urgently needed to seize this opportunity and to avoid serious negative implications for public health research, if it is locked out of an increasingly commercialised industry in personal medical data, or has to pay for access.
8) PMDD is also a matter of logical coherence. Considering that (most) people can already donate their organs and blood, and that it is possible to extract substantial data from those donations, it is logically incoherent not to allow PMDD. Furthermore, individuals are already implicitly allowed, and often enabled, to give away their personal data freely to private corporations, often for uncertain purposes, as the terms and conditions of many commercial platforms make clear.

9) Two key risks are diminished in PMDD, as both consent and privacy are less troublesome where the data relate to a deceased as opposed to a living person. This would avoid, or at least mitigate, many of the problems currently arising in the context of data sharing, as PMDD puts significantly less pressure on individual privacy, ownership, and consent.
10) Finally, data sharing has been encouraged in recent years and is now considered part of good scientific conduct, as it fosters transparency and replicability of studies, and leads to efficient use of research data. Given that most of the reasons for scientific data sharing also apply to PMDD, a decision to promote one but not the other is logically and ethically inconsistent.
While other types of medical donation (such as tissue donation) have been the subject of extensive debate, resulting in ethical and governance frameworks and national schemes, this has yet to occur for medical data donation. At the same time, public relations campaigns are ongoing to promulgate the need to utilise health data wisely and ethically. The high-profile UK campaign "Understanding Patient Data", which is jointly funded by the Wellcome Trust, the Medical Research Council, the Department of Health and Social Care, the Economic and Social Research Council, and Public Health England, aims to "support discussions with the public, patients and healthcare professionals about uses of health and care data" (Understanding Patient Data, http://understandingpatientdata.org.uk/, accessed March 5, 2018). This is an unethical asymmetry, since the lack of opportunity for individuals to donate their PMRs prevents them from acting altruistically by donating their data for the common good, despite public funding invested in educating the public about the need to make such data accessible for research within the health service. Research into the harms of non-use of health data has concluded that these are hard to prove, but that there are significant consequences that need to be addressed in a move towards socially responsible reuse of data (Jones et al. 2016). In addition, the aforementioned study did not consider the social harm of preventing people from doing what they deem to be morally important. That this is a real concern was shown by some participants in a large biobank study in Norway, where the desire to contribute to the common good was frequently brought up (Steinsbekk et al. 2013). Once all this is combined with the potential value that such data hold for medical research, it provides a strong reason for remedying the current missed opportunity.
The fact that the current lack of a mechanism for PMDD is more likely to be explained by regulatory inertia than by a deliberate decision against it on ethical grounds provides even more reason to remedy the situation. So, how does PMDD compare to the existing types of biomedical donation that are already managed by specific ethical guidelines and governance frameworks? The next section addresses this question.

How Does PMDD Compare to other Biomedical Donations?
A number of types of biomedical donation are already firmly established in several health systems around the world. Currently, there are at least seven types of physical donations, plus two where the donation consists of a specific data set. Given this abundance of donation schemes, one might question the need for yet another framework and suggest instead an ethical approach by analogy. However, as Table 1 indicates by focusing on the United Kingdom, there are some morally significant differences between existing schemes and the proposed PMDD.
[Table 1 (comparison of existing biomedical donation schemes in the United Kingdom with the proposed PMDD) is not reproduced in this copy. Table notes: a Exceptions apply, such as kidney donations by living donors. b A rare example is the commercial art project "Body Worlds".]

Key Differences Between Existing Biomedical Donation Schemes
The first key difference between PMDD and the most common donation schemes is the lack of physical intrusion. Although donating medical data can be described as being intrusive to private life, it does not involve a physical act, or indeed any action on behalf of the donor other than giving consent. This is also a one-off task, as there is no opportunity for re-contact when the donor is deceased. This leads to the second key difference: donor status. Blood, gametes, cord blood, and tissue are usually donated by living people, as are some organs (e.g. some kidneys). However, even where the donations are by the deceased, the living relatives are typically directly involved: organ donations are checked with family members prior to proceeding, and the urgency involved in the process (with arrangements typically made within 24 hours of death) can put immense pressure on everybody involved. With PMDD, it might be equally sensible to bring family members on board, even where the deceased have clearly expressed their wishes, but no urgency is required as the utility of the data has no expiry date.
Another key difference, in comparison to some types of donation, relates to the beneficiary. While blood, cord blood and gamete donations can be used to benefit oneself in the future (although that might be more accurately described as a safeguard than a donation), with other donations, including PMDD, the beneficiaries are necessarily others. In addition, where the purpose of the donation is non-clinical, there is no immediate benefit to anyone in particular. The benefit is of a more general nature, such as the advancement of clinical knowledge through research, or the teaching and training of future health care professionals. When it comes to donations that involve health or medical data, as opposed to a physical donation, the key difference lies in the research question. Typically, clinical research studies and trials will attempt to answer a specific question, or address a concrete hypothesis, whereas PMDD would be used for more general research and would promote serendipity in research. Whereas researchers in traditional clinical studies will have to re-contact their participants if they wish to use the data for further or additional research, this requirement does not apply in PMDD. In addition, living participants can change their mind at any point and withdraw their consent, meaning that their data are removed from any research in so far as this is practically possible, which again does not apply in PMDD, where active consent management is an impossibility.
These distinctions (lack of physical intrusion, lack of expiry date, unspecified beneficiaries, and impossibility of withdrawing consent) are merely some of the key differences between existing forms of biomedical donation and PMDD, and the list is by no means exhaustive. Yet, the comparison suffices to highlight that reliance on existing frameworks is likely to fall short of offering the ethical guidance required to enable safe PMDD. This is also because, although some important risks are minimised, PMDD is not without its own risks. These risks need to be carefully managed while maximising the future utility of the donated data. This makes it of utmost importance to ensure that PMDD is done ethically, and in particular safely and fairly, without creating any unnecessary impediment to either the donor or the health researcher using their data.

The Need for an Ethical Code
Broadly speaking, two main risks can be associated with PMDD. One is rooted in the fact that medical data is seldom just about one individual but also often relates to others, who may be harmed as a result. The second risk relates to the potential use that the donated data can be put to.
The first risk concerns the nature of the donated medical data. Some of the donor's medical data may reveal sensitive information about other, related people. Relational issues arise, for instance, where genomic data reveal information about family members. Similarly, information found in psychological or psychiatric records may well contain sensitive information about others, including family members, as this often plays a significant part in the treatment of mental illness. Sexual health and reproductive information are further examples of sensitive medical data that typically relate to at least one other person. Harms to others might also be caused when insights derived from donated data are used for profiling purposes, which might be discriminatory and unfair to the individuals to whom they are applied. This risk becomes more acute when donated medical data are sensitive, for example when relating to a particular (other) individual or to a sensitive condition. In some cases, the risks may be such as to embargo a donation, or in extreme cases to disallow an individual from participating in PMDD, despite a personal desire to do so. An example could be close relatives of acting politicians, where there is a national interest in avoiding the exposure of vulnerabilities to outside influences. Similarly, some conditions, like hereditary diseases or mental illness, may carry a significantly greater risk of becoming a target of discrimination, making it preferable to avoid PMDD. The overall cost of this restriction would be minimal, as the value of PMDD lies in well-curated, large data sets, rather than in individual data sets. It is important to understand that, when shared data pose a serious risk, it would be ethically justified and sensible to reject the particular data donation, as the limited value of a single data set (or even of a particularly valuable one) is outweighed by the risks to other, living members of society.
In summary, fears around potential harms to close relatives do not represent an argument against PMDD. The risks just highlighted are not specific to PMDD but rather refer to the kind of data in question, not the actual act of donating. This means that all the risks generally associated with biomedical data also apply in this context (Mittelstadt & Floridi 2016). The consequence is that one can rely on similar safeguards, especially in terms of the procedures, policies and tools that are already applied in the healthcare context, such as de-identification and encryption. The fact that these data would be donated does not affect these concerns substantially.
The second risk concerns the source of the donated medical data. Because the donor is deceased, PMDD has a lower (or perhaps no) negative impact on the donor, compared with sharing one's medical data when alive. However, safeguarding is also lower, since individuals may indicate how their data may be used or repurposed while they are alive, but of course have no control once dead. It is therefore crucial to develop a framework that respects the values and preferences of the data donors, and that reassures potential donors that their expressed wishes will be respected after death. In particular, concerns over the misuse of medical Big Data to justify unfair public policies, the implementation of medical profiling outside of the health care context (e.g. by employers or insurance companies), and the application of IP rights to lock in or restrict access to medical insights and advances derived from donated medical data have to be taken seriously, and need to be addressed.
For all these reasons, an ethical code of PMDD is needed that can address these issues effectively. With regard to the first risk (of harm to relatives), encouraging the active involvement of family members and relatives prior to a decision to participate in PMDD could resolve many of the potential concerns, similar to the existing recommendations in organ or body donation. As we have argued, a "do not use if in doubt" approach is also practicable, as the value of any single data set is limited and unlikely to have an impact on the utility of the overall PMDD database. Note that this is also an argument against the need to impose a "duty to easy rescue", and hence a suspension of the need to have informed consent: one organ not donated may mean a life not saved, but one data set not included makes in itself little difference to population-based medical studies.
The second risk (lack of control once deceased) can be mitigated by means of a value-based framework that firmly places key ethical principles, such as respect for persons, human dignity, privacy and integrity, amongst others, at the heart of PMDD. Two valuable resources can be drawn on to inform such a code. First, the lessons learned from past mistakes made in the context of biomedical data schemes, such as the NHS Care.data programme, as well as the best practices of ongoing initiatives, such as the Personal Genome Project UK. And second, the ethical and governance frameworks currently in place for other types of donations, most crucially those used in biobanking, organ and body donation. An ethical code for PMDD must learn from the solutions already found in both these resources, and be coherent with them. In the next section, we set out to codify some of the lessons and best practices that currently exist in an unstructured form to develop a functional ethical code for PMDD, as well as to leverage the important work done by others in developing ethical frameworks for other types of biomedical donations (see Appendix).

How to Implement Ethical PMDD
The first step towards the development of an ethical code for PMDD presented in this article was a thorough review of existing ethical frameworks. We focused in particular on tissue, brain, and body donation, as well as the sharing of genomic information, because of their similarities with PMDD. However, our analysis also revealed some key differences (discussed above), limiting direct comparability with our proposed scheme, and reinforcing our belief that a dedicated code is needed for PMDD. In this section, we consider some past and current biomedical data projects to identify relevant lessons and best practice.

Learning from Mistakes and Codifying Best Practice
Big Data in health care is often described as the biggest opportunity of our times to improve public and individual health, and it is therefore no surprise that a vast number of data-related projects are ongoing in health care. While there are key differences among the initiatives, including in data ownership, access rights and purpose, their success, in terms of ethics, can be evaluated on the basis of adherence to a number of fundamental principles.
At the unsuccessful end of the spectrum, initiatives like the UK's disastrous Care.data serve as a reminder that neglecting these principles can lead to the complete failure of a well-intended scheme. As the Nuffield Council on Bioethics has explained, "Care.data is a salutary lesson in the need for robust and timely public engagement - as opposed to mere communication - and in understanding the range of ways in which data subjects might perceive harms arising from uses of their data." The consequences of this incident can still be felt, and have led to a deep distrust in data sharing between the NHS and commercial partners. This is in contrast with other countries, where better management of communication and public engagement has led to wide public support of similar programmes (Patil et al. 2016).
Unfortunately, it seems that some of the lessons learnt from the Care.data debacle have not yet been applied. The recent introduction of the "GP at hand" video-consultation smartphone app, for which NHS England partnered with Babylon Health, has met with scepticism both from GPs and the general public. Concerns quickly arose over inequality in the treatment of patients, especially those with complex health needs, ultimately leading to a suspension of the planned wider roll-out of the service (Greenhalgh et al. 2017). The lack of proper evaluation of the service has also been criticised (Rosen 2018), and concerns have been raised over privacy management, given that Babylon Health assumes ownership of the recorded video consultations in its terms and conditions. Although this might seem unlikely to be enforced in practice, in theory it means that patients are not allowed to share their video consultations with health care professionals who are not enrolled with Babylon's GP at hand service without the company's prior permission. Considering that the service was commissioned by NHS England, most patients are likely to be unaware of this restriction, and hiding such an important point in the legal text does not exemplify good communication or foster trust between the NHS, its third-party partners, and patients.
In the context of genetic data, the Icelandic genetic testing company deCODE Genetics provides another example of how public trust is all too easily disappointed. In 2012, the company decided to sell out to the American pharmaceutical company Amgen, including the DNA and health data of approximately 140,000 Icelandic individuals held by deCODE. Most of these people had volunteered their data on the basis that the company would create a universal health database of Icelanders for research purposes, as it had promised in the late 1990s but never delivered (Greely 2012).
Sustainability is crucial for any health-related Big Data project, as its success will depend on a long-term commitment to research. Unfortunately, this aspect is often neglected. A few years ago, the Finnish government (in cooperation with some private sector companies) launched the ambitious project of setting up a single platform for the storage of information on the health and well-being of the population. The idea was that this could be accessed by health care providers to offer more efficient and effective care, and to prevent ill health. The service, taltioni.fi, was lauded as sustainable and trustworthy, not least because of its cooperative nature and the fact that it involved both the public and private sectors (Riso et al. 2017). However, the platform vanished shortly after its launch, and it is not known what happened to any data stored within it.
At the other end of the spectrum are projects like the "Patients Like Me" network, which according to its website, is "unleashing the power of data for good (…) by empowering people to take control of their health." The company provides a detailed and clear privacy policy, including plain language explanations in addition to legal texts, and provides users with comprehensive options to manage the sharing of their data with third parties, such as private corporations and commercial vendors.
The Personal Genome Project UK (PGP-UK) is equally transparent about data access, but goes one step further by providing the de-identified genomic information as fully Open Data. Individuals can choose to withdraw their data at any point but are made aware, before enrolment, that such a withdrawal cannot necessarily prevent all future uses of the data, as copies of it may have been downloaded from the website. The PGP-UK is complex in that it involves sharing of genomic data as Open Data, and this is reflected in the informed consent procedure, which requires participants to pass an enrolment exam before being admitted to the project.
However, even a deep commitment to ethical principles offers no guarantee that things will never go wrong, as accidental breaches are always possible. In 2014, the PGP-UK suffered a setback when it accidentally disclosed some participants' email addresses and names to other participants.[13] Due to a configuration error, replies to an email from the PGP-UK were sent to the entire mailing list rather than to PGP-UK staff only, thereby revealing each sender's identity to the members of the list. Some 220 people were affected, and the issue was quickly discussed within the ethics community, where it was described as a failure of both privacy and trust.[14] This is just one interpretation, as the PGP-UK notified participants and apologised immediately after the event, but the incident showed that the risk from human error is hard to eliminate. As one of the commentators in the discussion noted, the email blunder was a suitable way to identify those prospective participants who merely pay lip service to the idea of openly sharing their data.
Recently, cooperative models for managing personal health data have gained popularity. Switzerland currently has two such schemes, healthbank and MIDATA. Both enable citizens to control the storage, management and access of their personal health and health-related data, including decisions about how to share them. Schemes like these find their inspiration in citizen science, whereby members of the public can contribute actively to medical research by providing access to their personal data. As these platforms are fairly recent developments and are not yet in place in most countries, it remains to be seen how they will be adopted by the public. However, their cooperative approach certainly carries great potential for the future management of personal health data.

Deriving Relevant Ethical Principles
Drawing on our review of the literature and relevant biomedical donation schemes and projects, we have identified the following five ethical principles or categories as relevant to PMDD:

1. Human dignity and respect for persons
2. Promotion of the common good
3. The right to "Citizen Science"
4. Quality and good data governance
5. Transparency, accountability, and integrity

These might at first glance appear rather generic and hardly ground-breaking. One might also question how they can be applied in practice. In response, we lay out the specific requirements for an "Ethical Code for Posthumous Data Donation" in the Appendix, which provides more detail on a practical implementation. However, the Code is not a governance framework, so some practical issues will still need to be addressed before implementing a PMDD scheme. With regard to the generality of the principles, we believe that this is crucial to preserve sufficient flexibility to account for future developments. Considering that PMDD is going to be a long-term endeavour, it is important to regulate for the future, i.e. to avoid ethical guidelines becoming inapplicable due to technological, legal, cultural or social changes. This is the goal of the Code that we propose: to provide normative principles shaping PMDD, rather than a set of specific rules of conduct for the involved actors.

[13] See: https://www.personalgenomes.org.uk/archive/email-storm-incident-and-apology (accessed March 5, 2018).
[14] See, for example, "Personal Genome Project UK email disaster: If you can't guarantee privacy, at least try to ensure trust", available at: http://blog.practicalethics.ox.ac.uk/2014/05/personal-genome-project-uk-email-disaster-if-youcant-guarantee-privacy-at-least-try-to-ensure-trust/ (accessed March 5, 2018).

Conclusion
In light of both the benefits and potential risks involved in wide donation of personal medical data, we need an ethical code for PMDD that addresses key challenges, including consent, privacy, security and ownership. The previous work done in relation to other types of biomedical donation acts as a useful resource to inform such a code but cannot simply be extended to PMDD, which comes with its own particular ethical challenges.
We believe that most of these issues have practical solutions, and that the primary focus should be on managing permissible access to and use of the collected data. Procedural safeguards have already been developed in other relevant and comparable areas of medical research and could be adapted to foster PMDD. Examples include adopting the broad consent procedures currently used in biobanking, or following an "educate-before-you-sign" approach similar to the one used by the PGP-UK. This would ensure that any individual wishing to donate medical data could make a maximally informed decision.[34] Privacy risks could be mitigated by carefully managing access to donated data. At the same time, it is important to emphasise that no safeguards will ever be fail-safe, and openness about this fact should form part of the ethical design of PMDD procedures.
The code we have developed (see Appendix) addresses the key ethical issues arising from PMDD. However, this is only the first step towards more comprehensive use of health-relevant data for the common good. In the future, combining corporate data (via data philanthropy) with data sharing and PMDD might open up even greater possibilities for supporting health care and research. But for this to work, we must first bring PMDD to life.

Appendix
An Ethical Code for Posthumous Medical Data Donation

Preamble
The importance and value of brain, body, organ and tissue donation after death has long been recognised, and relevant regulatory and ethical frameworks have been put in place to manage it. Medical data, which also hold enormous potential for medical research and for the improvement of health and social care on a large scale, have not as yet been incorporated into such frameworks. Nor is it currently possible to donate one's medical data posthumously. However, enabling such posthumous medical data donation (hereafter PMDD) is in the interest of individuals and society at large. It is important to make medical data available for scientific research by enabling and encouraging patients to donate their medical records after death, similarly to how they can already donate bodies or body parts. This is why a research project on PMDD, developed by the Digital Ethics Lab (at the Oxford Internet Institute, University of Oxford) and funded by Microsoft, has led to the formulation of this Ethical Code for Posthumous Medical Data Donation (hereafter the Code), which sets out the guiding ethical principles for such donations.

Definitions
Commercial exploitation
The sale, lease or commercial licensing of the data. It shall also include uses of the data to produce or manufacture products or services for general sale.

Donor
The person-source of the data, or data subject.

Data
Any donor-related data.

Database
Repository (often online) built to facilitate access to data.

Directly identifying data
Any data that make possible the identification of the person concerned without disproportionate efforts.

De-identified / pseudonymised / coded data
Any data that make possible the identification of the person concerned only through the use of a simple tool, such as a key.

Fully-anonymised data
Any data that do not make possible the identification of the person concerned without disproportionate efforts.

Information on hereditary disease
Any data which are either predictive of genetic disease, or which can serve to identify the person as a carrier of a gene responsible for a disease, or to detect a genetic predisposition or susceptibility to a disease, provided that there is scientific evidence for the validity of that information.

Informed Consent
Informed, free and express decision to donate one's PMR after death for research purposes.

Personal Medical Record (PMR)
The health data stored about a person within the health system.

Posthumous Medical Data Donation (PMDD)
The giving of one's PMR for research purposes upon death.

PMDD activities
Activities such as obtaining, handling, processing, storing and distributing of data, including all associated research activities.

PMDD institution (PMDDI)
The PMDDI is the institutional body acting as steward of all donated data.

Researcher
Any person with a legitimate interest in conducting research, whether affiliated with an academic, commercial, public, private or other institution. It shall not include private individuals.

Steward
Institution holding and maintaining the data. The steward assumes full responsibility for compliance with the legal and ethical rules that apply to collecting, processing and managing the data.

User
Any person involved in collecting, storing, handling, processing, accessing, or managing the data.

Overview
The Code of Ethics on Posthumous Medical Data Donation (hereafter 'the Code') has been developed to establish the guiding ethical principles for Posthumous Medical Data Donation (hereafter 'PMDD'), in recognition that PMDD constitutes an act that is both meaningful to an individual and valuable to the public and as such should be facilitated.

Objectives
The key objective of the Code is to state the fundamental ethical principles which should govern all PMDD activities. In addition,
- any applicable national laws or local regulations are to be complied with at all times. The Code does not replicate, amend or overrule but complements any such instruments;
- participation in PMDD activities is and remains voluntary; this includes every person's right to accept or refuse participation at any point;
- the autonomy and confidentiality of all donors and their families shall be respected;
- special care will be taken in all PMDD activities to avoid discrimination against, or stigmatisation of, an individual, a family or a group;
- every care will be taken that the collected data is used for the purposes for which it was donated, namely for ethically and scientifically sound research, and that it is not abandoned;
- the research process and the ethical guidelines will be reviewed by an independent body on a regular basis to take into account any new developments in technology, law, and society. The results of such a review will be made public.

Scope
The Code shall apply to the full range of PMDD activities involving donated personal medical records (hereafter 'PMR'). It shall not apply to other types of health-related data, nor shall it apply to donations made by living donors. For the purposes of the Code, PMDD shall not include donations made to private institutions for the purposes of commercial exploitation. The Code shall apply to donors, users, and researchers.

Foundational ethical principles
Five foundational principles aim to guarantee a minimum ethical standard to be maintained in all PMDD activities:

1 Human dignity and respect for persons
2 Promotion of the common good
3 The right to Citizen Science
4 Quality and good data governance
5 Transparency, accountability, and integrity

2.1 Human dignity and respect for persons

Human dignity and respect for persons shall be paramount in all PMDD activities. In particular,
- the dignity of the donor shall be protected at all times;
- the preferences and values of the donor shall be honoured at all times;
- the privacy of the donor shall be maintained;
- potential harm to the donor, any relatives and/or next of kin shall be minimised.

2.2 Promotion of the common good
The purpose of the PMDD database is to provide the means to generate and disseminate new medical knowledge to benefit the public. The donor's wish to promote the common good by contributing to biomedical research shall be respected. This means:
- all PMDD shall be in the public domain, and all research findings and results based on the data shall be published under an open licence;
- prohibition of unethical research using PMDD without exception;
- prohibition of commercial exploitation of PMDD data where this could unfairly restrict access to treatments or cures;
- requesting proof of adequate benefit sharing measures prior to granting access to the PMDD database to a researcher.

2.3 The right to citizen science
Citizens' right to participate in the scientific process in its entirety should be recognised and respected at all times. In particular,
- all donations should be accepted, unless there are solid grounds for rejecting a particular donation, such as a disproportionate risk of harm to others;
- the optimal use of donated data shall be guaranteed, and data shall not be abandoned;
- all results and findings shall be shared with the public in an accessible and timely manner;
- the public shall be actively involved in the further development of PMDD and encouraged to participate in deliberations about the wider social impact of PMDD.

2.4 Quality and good data governance
Quality management and data governance shall be taken seriously when accepting, handling or using PMDD data. In particular,
- users and other PMDDI staff shall be adequately trained for their respective roles within the PMDD activities, including knowledge and understanding of this Code and any applicable data protection and privacy laws and regulations (such as the EU's General Data Protection Regulation);
- safe and secure storage facilities shall be used for the data, including use of adequate and updated encryption techniques, to minimise the risk of unauthorised access, data loss, or misuse. Proper record-keeping and access management shall be maintained to ensure full traceability of the location of, and access to, any PMDD;
- PMDDs shall be de-identified using currently available standards, and re-identification shall be prohibited. Quality control mechanisms for PMRs shall be applied prior to data being added to the database;
- mechanisms should be adopted for ensuring the sustainability of the database for future use, including procedures to be followed in case of discontinuance of the PMDDI.

2.5 Transparency, accountability, and integrity

- mechanisms to ensure accountability and to handle complaints shall be implemented, including mechanisms for identifying, reporting and managing incidents such as breaches, losses of data, or unauthorised access. Any incident shall be followed by rigorous investigation, and corresponding sanctions shall be instituted. In addition, procedures for handling lawful requests from law enforcement agencies shall be established;
- full disclosure of any financial arrangements involving PMDD data or financial gains derived from PMDD activities will be made.

3 Obtaining PMRs for research purposes

PMR shall be obtained and used for research purposes in accordance with applicable national laws and local regulations, and the principles set forth in the Code.

Due to the anticipated benefit to be derived from the research to be conducted using the data, resources shall be dedicated to encourage participation in PMDD. In particular, information shall be provided to the public to encourage donations, while at the same time safeguarding the voluntariness of participation.
Consent shall be required for all collections of PMDD and for the use of PMDD for biomedical research purposes, even where local laws do not require such consent. As part of the consent procedure, participation will be explained as an opportunity to contribute in the long term to the improvement of other people's health. Broad consent to research falling within the guidelines of this Code shall be deemed sufficient, as it is not possible to anticipate all ethically and scientifically sound future research uses.

3.1 Obtaining consent
Prior to giving informed consent, the person concerned shall be offered appropriate information about the nature and purpose of PMDD, including examples of the type of research for which it will be used, the financial interests of the data collecting entity, and the management of access to and use of the data, including the kinds of safeguards that will be maintained.
Donors shall be informed that the full PMRs will be transferred to the PMDDI, including identifying information, to enable linkage between different datasets which is necessary to ensure maximum scientific utility of the overall database. However, donors shall be free to place restrictions on the use of their data and to exclude subsets of data from their donations. These preferences shall be recorded in the PMR in full. Donors shall be informed of their right to make changes to their preferences or to withdraw consent at any point prior to their death.
Donors shall be encouraged to discuss their decision with their relatives, especially those with close genetic links.
Donors shall be informed that the use of their PMDD is not guaranteed and that in some rare instances a particular PMDD may be rejected if it poses a significant risk of harm to an individual or a group. Information shall be provided on possible reasons for exclusion.
Consent shall be appropriately documented in the PMR and at the PMDDI.

3.2 Persons unable to give consent
To avoid the exclusion of vulnerable populations from benefiting from the scientific advances resulting from large-scale biomedical research, and to ensure their representation within the data underlying such research, an active effort shall be made to include PMRs from all groups.
Where an individual is permanently unable to provide consent, due to a lack of legal capacity, the registration of a donor and subsequent donation may be carried out with the authorisation of the person's legal representative or guardian. The individual concerned shall be involved in the decision-making process as far as possible.
Similarly, where a minor is concerned, the parents or legal guardian shall be permitted to authorise a donation. The opinion of the minor shall be taken into consideration in proportion to the age and degree of maturity of the child.
Where an individual is temporarily unable to provide consent, due to a lack of legal capacity, registration as a donor shall be held off until capacity to consent is regained or a permanent incapacity has been confirmed by the medical professional.

3.3 Changing or withdrawing consent
Donors can withdraw consent for participation in PMDD at any time by submitting a revised authorisation form, or by notifying a health care professional. The objection will be recorded in the PMR and will ensure that data is not submitted to the PMDD database on the donor's death.
It shall also be possible for a person to record an objection to PMDD in their PMR.
A decision to object to PMDD, or to change or withdraw consent once given, shall not have a negative impact on the medical treatment or care of the person or lead to discrimination against that person.
Where a legal representative or guardian gave the authorisation for PMDD, the right to change or withdraw consent remains with that person for as long as they shall have legal guardianship of that person.

3.4 Refusing donations
There may be ethical reasons for excluding a particular PMDD donation, which may be grounded, inter alia, in the nature or the source of data. The following list is not exhaustive, and there may be other grounds on which a PMDDI may decide to refuse to accept a PMDD.
The right of a PMDDI to refuse a PMDD shall be maintained, as the overall cost of these refusals would be minimal, since the value lies in well-curated, large datasets, rather than individual datasets.

3.4.1 Refusing a PMDD on grounds of the data's nature

Where the donor's data may reveal sensitive data about related people, a stewarding PMDDI may decide to refuse a PMDD. In particular, where genomic data reveal information about family members, it may be preferable to exclude such data from the donation where a comprehensive risk assessment reveals an unacceptably high risk to living people. This may apply especially where the relatives are vulnerable people and/or the condition is a hereditary disease, which may lead to stigma and/or discrimination.

3.4.2 Refusing a PMDD on grounds of the data source

In some rare cases, there may be reasons to reject a PMDD on the basis of its source. This means disallowing a particular individual from participating in PMDD, where a donation would carry a disproportionate risk to others. An example could be close relatives of acting politicians or diplomats, where there is a national interest in avoiding the exposure of vulnerabilities to outside influences.

3.4.3 Other grounds for refusing a PMDD

An institution may refuse to accept a particular PMDD on other grounds, including, for example, the potentially illegal nature of the collected data, but any reasons should be made sufficiently clear to the potential donor.

4 Research approval, conduct and oversight
In accordance with the foundational principles of the Code, it will be fundamental for the success of the PMDD activities that public trust is maintained. For this, it is crucial to manage research

It shall be prohibited to gain financially from PMDD. Therefore, donors will not be offered any financial or other inducement to participate in PMDD. Since participation does not entail any expense for the donor, the issue of reimbursement does not arise.

The PMDDI shall not be permitted to sell data obtained from PMDD activities, or to make a profit from such activities. Any profits resulting from the charging of access or licensing fees have to be reinvested in the maintenance and improvement of the PMDD database.

Confidentiality
All data in relation to donors and their families shall be collected, processed and used in accordance with the principle of confidentiality and the right to respect for private life.
The steward will ensure that data are de-identified, linked, and stored to the highest standards of security. Researchers will only be given access to de-identified data, never to the identifying information or to the key that re-links it to the medical data.
All users and staff handling the data will receive appropriate training for maintaining confidentiality and adherence with all relevant legislation.
Systems for data security and storage will be kept up to date and will be of the highest technical standard.

Ownership
Legal ownership of the data will be transferred to the PMDDI upon the donor's death. This conveys a range of rights to the stewarding institution, in particular the right to take legal action against unauthorised use or abuse of the data. Donors will not have property rights in the data.
The PMDDI will not exercise their right to sell the data to third parties but will act as steward of the database, maintaining and developing it for the common good in accordance with its purpose.
This does not affect the right of the donor to give away, sell, or donate data to other parties.

Data protection
All data will be collected, stored and handled in accordance with applicable data protection laws and regulations to safeguard the integrity of all data, e.g. in compliance with the EU's General Data Protection Regulation.

Directly identifiable data
Directly identifiable data, which will necessarily be included in the transfer of the PMR to the PMDDI, will be separated from the medical data of the donor prior to being added to the database. An arbitrary code without any external meaning (that is, for example, not a National Insurance number or similar) will be attached to link the personal identifying information to the medical information. This option for re-identification is necessary for data quality management: to eliminate redundant data, verify data accuracy and completeness, to establish correct linkages among databases, and to identify data which may need to be withdrawn.
Identifying information will be held in a separate data vault with restricted access, controlled by a senior steward at the PMDDI. The access key to the code for re-linking identifying information to the data will never be shared with external agents, such as researchers, and will only be accessible to a select few PMDDI staff who are ethically trained and sign special confidentiality agreements.
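The separation described in this clause (an arbitrary code with no external meaning joining the medical data to identifiers held in a restricted vault) and the traceability requirement of the data governance principle can be demonstrated in code. The following is an added Python illustration, not code from the PMDD project or part of the Code; the identifier field list, the sample records, the steward and researcher names and the audit-log format are all assumptions made for the example, and the records describe no real person. It keys the research database by a random 128-bit code, keeps the code-to-identity mapping in a vault object that logs every re-linking attempt and refuses actors who are not authorised stewards, and shows by contrast why a code derived from a national identifier (here a hash of it) still carries external meaning: anyone who can guess the identifier recomputes the code and links the record without ever touching the vault.

```python
"""Splitting a PMR into a coded research record and a vault entry.

Added illustration in Python, not code from the PMDD project or the Code.
Identifier list, sample records, actor names and log format are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Fields treated here as directly identifying (assumed list for the example).
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "national_id", "address")

# Constructed sample PMRs with placeholder identifiers and diagnosis codes.
SAMPLE_PMRS = [
    {"name": "A. Donor", "date_of_birth": "1951-03-09", "national_id": "AB123456C",
     "address": "1 Example Street", "diagnoses": ["G20"], "medications": ["levodopa"]},
    {"name": "B. Donor", "date_of_birth": "1947-11-21", "national_id": "CD654321E",
     "address": "2 Example Street", "diagnoses": ["G30.9"], "medications": ["donepezil"]},
]


def derived_code(national_id: str) -> str:
    """Anti-pattern: a code derived from an external identifier. Anyone who can
    guess the identifier can recompute the code, so it still has external meaning."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def new_arbitrary_code(existing: set) -> str:
    """A code with no external meaning: 128 random bits, unique in this database."""
    while True:
        code = secrets.token_hex(16)
        if code not in existing:
            return code


@dataclass
class IdentityVault:
    """code -> identifying data, kept apart from the research database.
    Every re-linking attempt is logged, whether or not it is granted."""
    authorised_stewards: frozenset
    _mapping: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def store(self, code: str, identifiers: dict) -> None:
        self._mapping[code] = identifiers

    def relink(self, code: str, actor: str, purpose: str) -> dict:
        granted = actor in self.authorised_stewards
        self.audit_log.append({"actor": actor, "code": code,
                               "purpose": purpose, "granted": granted})
        if not granted:
            raise PermissionError(f"{actor} is not an authorised steward")
        return self._mapping[code]


def pseudonymise(pmrs: list, vault: IdentityVault) -> list:
    """Return identifier-free research records keyed by an arbitrary code;
    the identifiers go into the vault under the same code."""
    research_db = []
    for pmr in pmrs:
        code = new_arbitrary_code(set(vault._mapping))
        vault.store(code, {k: pmr[k] for k in DIRECT_IDENTIFIERS if k in pmr})
        research_db.append({"code": code,
                            **{k: v for k, v in pmr.items() if k not in DIRECT_IDENTIFIERS}})
    return research_db


def pseudonymise_with_derived_codes(pmrs: list) -> list:
    """Same split, but keyed by a hash of the national ID (the anti-pattern)."""
    return [{"code": derived_code(pmr["national_id"]),
             **{k: v for k, v in pmr.items() if k not in DIRECT_IDENTIFIERS}}
            for pmr in pmrs]


def leaks_identifiers(research_db: list) -> bool:
    """Quality-control check to run before records are added to the database."""
    return any(k in DIRECT_IDENTIFIERS for rec in research_db for k in rec)


def dictionary_attack(research_db: list, candidate_ids: list) -> list:
    """What someone without the vault can try: recompute derived codes for
    guessed national IDs and look for them among the database's codes."""
    codes = {rec["code"] for rec in research_db}
    return [nid for nid in candidate_ids if derived_code(nid) in codes]


if __name__ == "__main__":
    vault = IdentityVault(authorised_stewards=frozenset({"senior.steward"}))
    db = pseudonymise(SAMPLE_PMRS, vault)
    print("identifiers left in research db:", leaks_identifiers(db))
    print("random codes linkable by guessing IDs:", dictionary_attack(db, ["AB123456C"]))
    print("derived codes linkable by guessing IDs:",
          dictionary_attack(pseudonymise_with_derived_codes(SAMPLE_PMRS), ["AB123456C"]))
    try:
        vault.relink(db[0]["code"], actor="external.researcher", purpose="curiosity")
    except PermissionError as err:
        print("refused:", err)
    print("steward relink:", vault.relink(db[0]["code"], "senior.steward", "withdrawal")["name"])
    print("audit entries:", len(vault.audit_log))
```

Two design points carry over to a real PMDDI. First, the code must be generated, not derived: hashing a National Insurance number or similar looks arbitrary but is reversible for anyone who can enumerate candidate identifiers, which is exactly the "external meaning" the clause rules out. Second, the vault records refused attempts as well as granted ones, because the traceability requirement is only useful if the log shows who tried to re-link data and was turned away, not just who succeeded.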

Information on health and hereditary disease
The PMDDI will not share data or health information with living relatives or other interested parties under any circumstances. This includes information on potential hereditary disease.
It is, however, possible for the donor to nominate specific individuals who are to receive a copy of the PMR upon the donor's death. It is the responsibility of the donor to ensure that the contact details of the recipients are kept up to date.

Research access
The PMDDI will retain full control of all access to, and uses of, the data in the database. No exclusive access will be granted to any party.
To build and maintain a relationship of public trust, the PMDDI will inform the public of the rules for access, any requests made, access granted or refused, and any research results.
Access to the database by law enforcement agencies will be granted only under court order, and will be resisted in all other circumstances. Any such requests will be reported to the public in so far as this is legally permissible (see also clause 4.2.1).
The PMDDI may charge a reasonable fee for access to the data for approved research purposes.
This fee may vary depending on the expected financial benefit from use of the data. However, the fee should not be so excessive as to prevent legitimate research from being conducted due to purely economic reasons, and it may in some circumstances be advisable to waive the fee entirely. Any profit occurring as a result of the fee system is regulated by clause 4.1.1.

Access requests
The PMDDI will have overall decision-making authority over any access requests to the database. A special advisory board may be set up and charged with this task. However, routine applications may be delegated to appropriate working groups to provide more efficient services to the research community and to the public.
The PMDDI will provide public explanations of all policies and procedures for research access.
These documents will continue to be developed to reflect relevant technical, legal and social changes, but will never abandon the principles of fairness and transparency in decision-making.
Access to the data will be granted only for scientifically and ethically approved research.
Requestors will have to demonstrate benefit-sharing mechanisms and will have to have obtained research ethics approval from an appropriate body prior to being granted access to the data.

Research results
All researchers accessing the database will be required to provide the results from their analyses made using the data, and any relevant supporting information, to the PMDDI to make them subsequently available to all other legitimate researchers with approved access to the database.
It is a requirement on all researchers seeking access to place the findings, whether positive or negative, from all research based on the PMDD data in the public domain. Publication of results shall be in peer-reviewed scientific literature wherever this is possible, open access by preference, or on the website of the PMDDI.

Research oversight
Any PMDD activities will be conducted in accordance with national research governance frameworks and national research guidelines.
Independent periodic reviews of the quantity and quality of access requests, the research conducted, and the published results will be conducted and the findings will be made public.
As the purpose of PMDD is to generate new knowledge to promote public health, particular focus shall be placed on the dissemination of research outcomes. Where the independent reviewers are not satisfied that the principles of the Code are sufficiently upheld by the researchers, the PMDDI shall be required to review its access procedures to ensure that only those research requests are granted that promise to honour the principles of the Code.

Contingency planning
The PMDDI shall develop a detailed contingency strategy for handling the PMDDI data and database in case of liquidation or termination of the PMDDI. The goal of the strategy must be to ensure the continuous protection of the rights of the donors and their families, and to respect their wishes that their data be used for research purposes. As such, the strategy should provide detailed plans for transferring the data to another steward so that research may continue on the data.