Operationalising ethics in secondary health-data use: an operator-focused framework for normative governance with audit and performance metrics

Daniel Strech

doi:10.12688/f1000research.179326.1

Home Browse Operationalising ethics in secondary health-data use: an operator-focused...

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Opinion Article

Operationalising ethics in secondary health-data use: an operator-focused framework for normative governance with audit and performance metrics

[version 1; peer review: awaiting peer review]

Daniel Strech

PUBLISHED 13 Apr 2026

Author details Author details

QUEST Center for Responsible Research, Berlin Institute of Health at Charite, Berlin, Germany

Daniel Strech
Roles: Conceptualization, Formal Analysis, Methodology, Project Administration, Writing – Original Draft Preparation

OPEN PEER REVIEW

REVIEWER STATUS AWAITING PEER REVIEW

This article is included in the Health Services gateway.

Abstract

Background

Operators of health data hubs and registries enable secondary use by implementing consent processes, privacy safeguards, access governance, data quality management, transparency, and stakeholder engagement. Ethical guidance is extensive, yet it rarely specifies operator-level practices or indicators that show whether governance performs well in routine use. This paper proposes an operator-focused framework that makes ethics implementable and assessable.

Methods

The framework synthesises international guidance, systematic reviews and other empirical work on governance gaps, and publicly available governance materials from major data infrastructures. Ethics practices were selected for conceptual distinctness and operator-level controllability, grouped into seven governance domains, and aligned with a PDCA (Plan–Do–Check–Act) cycle. For each practice, the framework provides illustrative audit items, descriptive metrics, and outcome indicators intended as adaptable references rather than prescriptive standards.

Results

Seven domains are covered: Informed Consent & Information, Privacy & Data Protection, Data Quality, Use & Access Governance, Incidental Findings, Stakeholder Engagement, and Project-Level Transparency. Each domain contains four PDCA-aligned practices with linked evaluation items.

Discussion

The framework shifts practical bioethics for secondary use from policy existence to demonstrable performance. It can support operator self-audit and proportionate oversight by funders, ethics committees, and stakeholder bodies, while remaining modular across legal and infrastructural contexts. It also provides a starting point for developing minimal, transparent reporting expectations to support trust-building governance.

Keywords

secondary use; health data governance; ethics implementation; data access governance; audit and performance metrics; health data hubs

Corresponding author: Daniel Strech

Competing interests: The author served as spokesperson and remains a member of the German working group ‘Consent,’ which developed the broad consent model for the German Medical Informatics Initiative (MII). The author receives research funding related to the topics of this paper from MII consortia (HiGHmed, CAEHR) and from the EU-funded project More-EUROPA. The author was also part of an expert group that authored a report for the German Federal Ministry of Health outlining technical, legal, and ethical preconditions for responsible secondary use of health data. In addition, the author served as a member of two WHO working/review groups relevant to this topic: ‘Guidance for Ethical Review of Health Systems Research’ and ‘Ethics of Public Health Surveillance.’

Grant information: This work was supported by intramural funds from the Berlin Institute of Health at Charité – Universitätsmedizin Berlin, Germany.
The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Copyright: © 2026 Strech D. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Strech D. Operationalising ethics in secondary health-data use: an operator-focused framework for normative governance with audit and performance metrics [version 1; peer review: awaiting peer review]. F1000Research 2026, 15:508 (https://doi.org/10.12688/f1000research.179326.1) First published: 13 Apr 2026, 15:508 (https://doi.org/10.12688/f1000research.179326.1) Latest published: 13 Apr 2026, 15:508 (https://doi.org/10.12688/f1000research.179326.1)

Introduction

Over the past decade, the secondary use of health data has evolved into a highly heterogeneous field, spanning retrospective analyses of electronic health records, prospective cohort studies, real-time surveillance infrastructures, and large-scale national platforms. This diversity reflects not only differences in data types and access models, but also varying regulatory traditions, governance capacities, and stakeholder expectations.¹ Examples of long-standing infrastructures include the Clinical Practice Research Datalink (CPRD, UK),² claims data repositories in the US (e.g., OptumLabs), and hospital-based disease registries operated by academic institutions. Earlier national flagships such as the UK Biobank paved the way, while more recent large-scale programmes, e.g. All of Us in the United States or the German Medical Informatics Initiative (MII), explicitly aim to serve multiple user groups, including academic research, public health and policy.

Regardless of label, these infrastructures depend on operators who shoulder a long list of governance duties: maintaining system availability, enforcing privacy safeguards, implementing interoperability standards, curating data quality, selecting a consent model if needed, planning access procedures, engaging stakeholders and more.

While all of these tasks have normative relevance, they differ in how directly they implement ethical values. Highly technical or operational activities (e.g., uptime, load balancing, budgeting) are guided primarily by IT and finance frameworks and express values only indirectly. By contrast, tasks such as protecting privacy, obtaining informed consent, ensuring data quality, or involving patients in governance processes directly translate aspirational norms into operator-controlled rules, procedures, and verifiable actions. This paper refers to such tasks as ethics practices. Taken together, they define the domain of normative governance: the set of responsibilities through which infrastructure operators concretely implement core ethical principles. For example, “respect for persons” is expressed through consent mechanisms and privacy safeguards, while “public value” is operationalized via data quality management and transparency regarding approved secondary uses and their results reporting.

Normative governance: an underdefined field

The maturity of ethics practices varies considerably. Some areas, such as privacy or data quality, are guided by extensive privacy standards (GDPR, HIPAA, ISO 27701) and by well-established data-quality frameworks (FAIR principles, Kahn et al. dimensions).^3,4 Others, such as consent models, access governance, or stakeholder engagement, remain heterogeneous, under-institutionalized, and difficult to evaluate. Although central to trust and accountability in data infrastructures, these practices are rarely treated as a coherent field with shared structures, expectations, or evaluative tools.

The missing piece: a framework for mapping and evaluation

What is still lacking is a structured approach to describe, organize, and assess these ethics practices. Unlike technical domains such as data architecture or cost allocation, which are supported by specialized toolkits and professional norms, normative governance remains fragmented. No widely accepted model captures the full range of ethics practices, their connection to ethical values, or the means by which their implementation can be evaluated.

This paper proposes a framework that addresses this gap in two ways: first, by categorizing ethics practices across key governance domains (e.g. consent, data protection, access control); second, by linking each domain to relevant audit questions and evaluation criteria. The framework is not a prescriptive checklist but an orientation tool, intended to support operators in adapting, combining, or omitting elements based on their institutional context.

Positioning within the landscape of existing ethics guidance

Numerous bioethics contributions, international statements and best-practice guidelines have laid out the ethical principles for secondary data use. A systematic review of principles and norms in this area by Kalkman et al. synthesized four stable value clusters: (i) societal benefit & public value, (ii) respect for persons, (iii) fairness & data justice, and (iv) public trust & engagement.⁵ These value clusters are echoed in reviews of patient and public attitudes^6,7 and in principle-oriented guidance such as the WMA Declaration of Taipei,⁸ the OECD Recommendation on Health Data Governance⁹ and the CIOMS International Ethical Guidelines.¹⁰

Practice-oriented documents go a step further. The ISBER Best Practices¹¹ or the WHO policy and implementation guide on health-data reuse¹² provide detailed operational recommendations on biospecimen handling, data security, access procedures and quality control. Similarly, frameworks such as the UK Biobank Ethics & Governance Framework,^13,14 the All of Us Data-Access Framework¹⁵ and the GA4GH Framework for Responsible Sharing of Genomic and Health-Related Data¹⁶ set concrete standards for consent, privacy or tiered access. However, each addresses only selected ethics-practice domains and rarely embeds evaluation metrics.

As a result, even the more detailed best-practice documents offer valuable guidance but do not yet provide an integrative, evaluable framework for ethics practices as a field in its own right.

Methods

Conceptual orientation

The goal was to construct an operator-focused framework that couples widely accepted ethical values to actionable practices and a lean but meaningful evaluation tier.

Knowledge inputs and scope

Six knowledge streams informed the design:

1. International guidance or frameworks for secondary data use or its specific ethics practices^8,10,12–22
2. Systematic reviews on values and public attitudes anchoring the four aspirational norms^5–7,23
3. Governance-gap studies that document heterogeneous or missing practices^1,24–29
4. Practice-focused case literature on the implementation of specific ethics practices for secondary use^30–37
5. An expert report for the German Federal Ministry of Health that described technical, legal and ethical preconditions and success requirements for responsible secondary use.³⁸
6. Conceptual work on ethics implementation that stresses measurability.^39–41

Practice selection

Source documents were scanned for recurring but distinct ethics practices such as consent, data protection or stakeholder engagement. Candidate practices were retained if they met two filters:

1) Conceptual distinctness – no thematic overlap with other candidates, and
2) Operator controllability – the platform can implement, mandate, or audit the activity.

Each governance domain was then structured into four PDCA (Plan–Do–Check–Act)-aligned activities to reflect the dual goal of implementation and evaluation⁴²:

• Norm-Setting (Plan): Define and justify the ethics practice;
• Operational (Do): Implement the practice and capture primary data;
• Assurance (Check): Monitor implementation with metrics and judge effectiveness and quality;
• Improvement (Act): Revise standards or processes when assurance findings or new requirements demand change.

The list of ethics practices across the PDCA structure is deliberately illustrative, not comprehensive. An all-inclusive catalogue would be unmanageable, ignore context-specific tailoring and age rapidly. The framework therefore provides anchor practices in each domain—enough to guide gap analysis and stakeholder dialogue, while leaving space for operators to add, refine or merge practices as required.

Evaluation layer

For every ethics practice, the framework specifies:

• an audit item verifying the presence and currency of policies or logs, and
• descriptive and/or outcome metrics that feed the Assurance tier (e.g. completeness of key variables, consent-decline rate, access-review turnaround, follow-up completion for incidental findings).

Plausibility check

To verify the completeness and real-world applicability of the resulting list of ethics practices, the following plausibility checks were conducted. In a practice-guideline triangulation the list was cross-matched with five benchmark guidelines for secondary health-data use, namely.^8–12 In a real-world implementation scan the practices were mapped to governance artefacts from five well-documented platforms (UK Biobank, All of Us, PCORnet, German MII, GA4GH) and to 51 European patient registries reviewed by van den Akker et al.²⁵

Results

Overview of the three-layer framework

The framework translates four aspirational norms into illustrative ethics practices across seven governance domains ( Table 1) and couples each practice to evaluation items ( Table 2). Practices are organised along the Plan–Do–Check–Act (PDCA) logic, labelled Norm-Setting, Operational, Assurance and, where applicable, Improvement.

Table 1. Seven governance domains with illustrative ethics practices aligned to the PDCA cycle.

Domain	Norm-setting practice (Plan)¹	Operational practice (Do)	Assurance practice (Check)	Improvement practice (Act)²
Informed Consent & Information	Select and justify the consent model (broad, waiver/opt-out); draft and approve participant information, consent documents, and guidance e.g. for consent procedures	Collect consent and withdrawals; publish (version-controlled) documents	Monitor consent/decline/withdrawal rates; test comprehension of participant information on a representative sample	Revise materials and procedures
Privacy & Data Protection	Adopt a privacy & data-protection policy compliant with GDPR (or equivalent) and complete a DPIA/PIA	Implement pseudonymisation, encryption and audit-log controls; maintain breach-response plan	Audit logs monthly; conduct an annual penetration test	Revise privacy and data protection measures
Data Quality	Adopt a data-quality framework aligned with Kahn et al. dimensions (completeness, plausibility, uniqueness, temporal consistency, bias) and FAIR metadata principles	Run automated profiling & quality checks on each load; publish quarterly quality dashboard	Benchmark key indicators; trigger bias review if coverage or completeness falls below threshold	Remediate quality gaps (re-extract data or update curation rules)
Use & Access Governance	Specify eligibility, fairness and rejection criteria in a use&access policy, publish a data-transfer agreement template, adopt a conflicts-of-interest (COI) policy	Execute a structured access checklist and sign data-transfer agreements, maintain an up-to-date COI register	Track turnaround; analyse rejection reasons, review the COI register annually	Revise policy and template
Incidental-Finding Management	Establish clinical-significance thresholds and minimum communication and follow-up guidances	Run the IF workflow; record detection, disclosure and follow-up	Calculate % actionable IFs communicated and follow-up completion	Update thresholds and guidances
Patient & Stakeholder Engagement	Specify engagement measures (e.g. seats for patient representatives in U&A committee, annual consultation forums, user satisfaction surveys)	Hold consultation forums and post summaries of feedback received	Survey user/stakeholder satisfaction	Update engagement measures
Project-Level Transparency	Define transparency rules for approved secondary-use projects such as prospective registration, public result reporting, and code sharing	Maintain or cooperate with a public project register; collect result summaries and code uploads	Measure % projects registered prospectively, % results posted, % code shared	Revise transparency rules

1 Abbreviations: COI = conflict of interest; DPIA/PIA = (Data) Privacy Impact Assessment; IF = incidental finding; FAIR = Findable, Accessible, Interoperable, Reusable;

2 Executed when assurance results or legal/ethical updates indicate a need for change

Table 2. Evaluation layer: Illustrative examples for audit, descriptive and outcome metrics for each ethics practice.

Domain	Audit items¹	Descriptive metrics²	Quality/outcome metrics³
Informed Consent & Information	Consent-model file approved; latest info sheet online; staff training records	Consent/decline/withdrawal rates; median dialogue duration	Comprehension score ≥ 80% correct
Privacy & Data Protection	DPIA on file & reviewed annually; data-processing-agreement template current	Number of log-exception alerts per month; encryption key rotations per year	No critical pen-test findings open >30 days
Data Quality	Data-quality framework document available; latest dashboard ≤3 months old	Completeness rate of key variables; number of plausibility fails	Completeness ≥95% and plausibility error < 1%
Use & Access Governance	Use-and-access policy online; DTA template online	Median turnaround days; number of requests & rejections	100% of veto-based rejections independently reviewed and documented quarterly
Incidental-Finding Management	Guidelines for IF communication and follow-up available	Actionable IFs detected/disclosed; follow-ups initiated	Follow-up completion ≥90%
Patient & Stakeholder Engagement	List of patient/stakeholder representatives online; engagement plan posted; forum minutes archived	Attendance count at consultation forum	Mean user-satisfaction score ≥ 3
Transparency	Public project register operational; result-summary template available; code-sharing policy published	Percent projects registered prospectively; percent results posted ≤12 m	Percent projects with linked code/data (threshold set by operator)

1 Audit metrics verify policy existence or a documented “not-applicable” rationale,

2 Descriptive metrics characterise workload or process features without value judgement,

3 Outcome metrics enable normative assessment by comparing results with predefined thresholds

Seven domains proved sufficient when tested against the contents of multiple international guidance documents and governance artefacts from five major data platforms and 33 registries. No further domain emerged, indicating a breadth that is “complete enough to start a gap analysis” yet concise.

Ethics practices

Each domain includes four action-oriented, conceptually distinct practices (one per PDCA step). The domains and examples are as follows:

• Informed Consent & Information distinguishes: (i) choosing and justifying an opt-in or opt-out (or no-consent) model; (ii) maintaining participant-facing documents; (iii) monitoring decline and comprehension; (iv) revising materials when thresholds are missed.
• Privacy & Data Protection lists DPIA completion, implementation of pseudonymisation/encryption, annual pen-test review and remediation of critical findings.
• Data Quality includes adoption of a Kahn/FAIR framework, automated profiling with quality dashboards, bias review if thresholds are missed and data recuration as needed.
• Use & Access Governance covers eligibility criteria, a structured review checklist with data-transfer agreements, analysis of veto-based rejections and criterion adjustment when bottlenecks appear.
• Incidental-Finding Management moves from threshold policy, through workflow logging, to follow-up auditing and policy update if completion falls below a certain threshold.
• Patient & Stakeholder Engagement progresses from formal inclusion, to consultation forums, satisfaction surveying and redesign if scores drop below a certain threshold.
• Project-Level Transparency includes prospective registration, timely result reporting, and reproducibility through code and data sharing.

The practices are illustrative, not exhaustive. They are intended to provide a shared vocabulary and structure, while enabling tailoring or merging in line with platform scope, objectives and resources.

Special context for Privacy & Data Protection and Data Quality

For Privacy & Data Protection and Data Quality these examples are deliberately concise, because detailed operational playbooks already exist e.g. GDPR and ISO 27701 for privacy safeguards; the Kahn data-quality dimensions together with FAIR and further guides for profiling and validation.

In the other five domains, Informed Consent & Information, Use & Access Governance, Incidental-Finding Management, Patient & Stakeholder Engagement, and Project-Level Transparency, no universally adopted standards are available. The framework therefore offers additional illustrative examples to help operators translate abstract norms into actionable and auditable tasks.

Division of labour between operators and data users

Not all practices must be executed by the operator’s internal staff. In domains such as incidental findings or project-level transparency, tasks may be i) handled centrally by the operator, ii) delegated to researchers, or iii) executed via a hybrid model, where researchers must follow operator-defined standards and report back.

The framework includes practices that the operator can mandate, monitor or audit, even when operational execution is partly decentralised. Whether platforms opt for centralised, decentralised or hybrid models will depend on legal, scientific and logistical context. In all cases, operators should retain oversight to ensure that the aspirational norms are met.

Evaluation items

Table 2 links each ethics practice to three evaluation items:

1. Audit items verify whether each practice is formally addressed and up to date, either through an operative artefact (policy, SOP, dashboard, log) or through a documented justification that the practice is not applicable (e.g. no consent required, no incidental findings expected). These can often be assessed externally by funders, reviewers or patient representatives.
2. Descriptive metrics characterise workloads and basic process features (e.g. consent-decline rate, number of log exceptions, median turnaround time for access requests). They enable trend analysis without value judgement.
3. Quality/outcome metrics enable normative assessment, for instance: comprehension of consent materials ≥80%, data completeness ≥95%, no critical pen-test findings unresolved after 30 days, or independent review of all veto-based access rejections,

Currently, most platforms satisfy only the audit item: they can point to a policy or SOP, but descriptive and especially outcome metrics are still uncommon. Consent materials are seldom comprehension-tested, IF workflows rarely audited, and stakeholder engagement rarely evaluated for satisfaction or perceived impact. The proposed structure aims to shift normative governance culture from “existence” to “performance.”

Plausibility results

The list of ethics practices was cross-matched with five benchmark guidelines (ISBER 2023, WHO 2022, OECD 2022, CIOMS 2016, WMA 2016). All seven governance domains appeared at least once across the set, no additional domain emerged. Coverage, however, was uneven: domains such as Informed Consent & Information and Privacy & Data Protection were present (and often detailed) in every guideline, whereas Stakeholder Engagement and Incidental-Finding Management were mentioned in only two or three, typically at a high level.

A real-world scan linked the seven domains to governance artefacts from UK Biobank, All of Us, PCORnet, GA4GH, and the German MII. Each domain had at least one concrete implementation artefact (policy, template, SOP), demonstrating that every practice on the list is in active use somewhere in the field.

The registry review by van den Akker et al. (2024) analysed 51 European patient registries. Again, every domain surfaced at least once, yet implementation was highly variable. For example, only 1 of 20 consent/information forms (5%) described a procedure for incidental findings, and fewer than one-third of registries detailed how data were anonymised or pseudonymised. These findings confirm the framework’s completeness while illustrating the heterogeneity it is meant to address.

Discussion

This paper advances the governance debate on secondary use of health data by moving beyond aspirational value statements toward a system in which ethics practices are made explicit and linked to verifiable evaluation items. In doing so, it complements earlier work that catalogued norms⁵ or surveyed public attitudes⁷ and extends implementation-science proposals to the ethics domain.³⁹ The framework enables registry operators to conduct quick self-audits, select context-relevant metrics, and monitor progress over time. Researchers, funders, patient representatives, and policymakers can use the same structure as a reference for what constitutes good normative governance in this area and what types of evidence should be requested or scrutinized.

From value to verifiability

Current guidance for biobanks and data platforms, such as the WMA Declaration of Taipei,⁸ typically stops at high-level imperatives such as “ensure consent” or “justify data access,” without indicating which concrete ethics practices are required or how performance should be judged. Checklists such as the ISBER Best Practices go further,¹¹ but they rarely span all seven domains identified here and seldom distinguish between the mere existence of a document and the effectiveness of its implementation. By pairing each practice with audit items and performance metrics, the present framework fills this gap. Its breadth is intentional but lean: complete enough to initiate internal gap analysis, yet not so prescriptive that initiatives are paralyzed by dozens of indicators.

The framework moves governance from a trust-based logic of presumed compliance to an audit-informed logic that demands not only written policies but also evidence of their real-world performance.

Contextual adaptability and scalable use

A key feature of the framework is its modularity. It allows differentiated use across stakeholder groups, from self-assessment by operators to oversight by funders or advocacy by civil society actors. Equally important, it is scalable: the domains and practices are structured in a way that applies to small-scale registries as well as national or multi-jurisdictional platforms. Its illustrative nature enables context-sensitive specification. Operators are not expected to implement every practice identically, but to transparently justify how they adapt the framework to their operational, legal, and social environment.

Such justification may take two forms: a positive specification (e.g. “we implement X by doing Y”) or an explicit non-adoption with rationale (e.g. “this domain is not relevant because our data are fully anonymised” or “this metric is currently infeasible but under development”). This practice of context-based declaration makes the framework practical and normatively accountable at once.

From policies to performance

As the plausibility check showed, most large data platforms (e.g. UK Biobank, All of Us, PCORnet,) and many patient registries already satisfy the audit layer by publishing policies or SOPs that cover at least some of the seven ethics-practice domains. Publicly disclosed descriptive or outcome metrics, however, remain rare.

The framework draws attention to this blind spot. Tracking consent comprehension, veto-based access rejections, or IF follow-up adds workload, but these data are essential for demonstrating respect, fairness, and public value in practice. Future work should therefore develop lightweight tooling for routine metric collection and explore how external stakeholders (ethics committees, funders, patient groups) can access and interpret such data without over-burdening operators.

Although systematic evaluation remains the exception, published case studies show that it is feasible. Zenker et al. report on broad consent uptake across 27 university hospitals participating in the German Medical Informatics Initiative (MII), providing implementation-level insights into consent processes at scale.⁴³ While substantial variation in consent rates across sites was observed, the authors emphasize that interpretation remains difficult due to inconsistent definitions and documentation standards. Fischer-Rosinsky et al. complement these findings with detailed uptake data from four emergency departments⁴⁴: among 1,138 approached patients, only 28% ultimately consented, while over 40% declined or could not complete the process, often due to contextual or situational factors. These studies illustrate that capturing consent dynamics is feasible, but depends on clear procedural standards and routine monitoring. Bossert et al. used participatory feedback and cognitive interviews to iteratively revise a broad consent form.⁴⁵ While no quantitative comprehension testing was reported, patient feedback led to substantial revisions across three document versions.

These case examples for the domain “Consent&Information” show that descriptive and outcome metrics can be embedded into routine operations or implemented by independent third parties. Beyond consent, recent audits illustrate how further ethics practices can be assessed in practice. A pan-European survey of 41 health-data hubs showed that 83% apply some form of data-quality control and 65% report anonymisation procedures, but only about half publish Data-Access or Data-Processing Agreements, and fewer still enforce minimum quality thresholds before ingesting data.¹ The cross-sectional audit of 51 European patient registries showed that although 31 (61%) claimed to have a use-and-access policy, only 17 made the full document publicly available and just four explicitly prohibited re-identification.²⁵

Relation to adjacent ethics domains

While this framework centers on operator-level governance of health data infrastructures, it intersects with adjacent ethics discourses that warrant distinction. One such discourse concerns Learning Health Care Systems (LHCS). These systems depend on many of the same infrastructures and may presuppose several of the ethics practices addressed here. However, LHCS ethics typically focus on downstream questions at the point of care or project level, such as minimal-risk research without explicit consent, point-of-care randomisation, or obligations to implement findings.^46,47 In contrast, the present framework addresses upstream responsibilities: the governance of data access, protection, and provisioning that enables such learning activities in the first place.

A parallel situation arises with AI ethics. Much AI development, especially in medical contexts, relies on access to large, well-governed datasets managed by health data platforms. Yet AI ethics debates often focus on downstream issues such as algorithmic explainability, fairness, or accountability.^48,49 These are important but distinct from the operator-level responsibilities that determine whether and how data become available for AI development at all.

While this framework does not seek to resolve domain-specific concerns in LHCS or AI ethics, it may help clarify what responsible infrastructure entails in practice, especially where operator decisions shape the scope, quality, and legitimacy of downstream research and innovation.

Strengths, limitations, and future directions

A strength of the framework lies in its integrative structure: it brings together ethical concepts, normative considerations, and insights from existing governance materials across multiple health data platforms. Rather than proposing a fixed model, it offers adaptable components that can be aligned with different institutional contexts and levels of maturity.

At the same time, several limitations apply. First, the proposed metrics are illustrative: they have not been broadly discussed or endorsed across the data governance community, and no shared standards exist regarding their use, relevance, or thresholds. Routine data collection for many domains, such as consent comprehension, veto-based access rejections, or incidental finding follow-up, remains rare. Implementation will therefore require context-sensitive prioritization and negotiation of feasibility.

Second, while the framework is grounded in a broad range of conceptual and documentary sources, it does not result from a systematic or exhaustive scan of all existing platforms and policies. Rather, it reflects a structured synthesis of operator-level responsibilities, developed through iterative comparison with international ethics guidance and governance practices. While the seven domains are intended to offer a comprehensive account of ethically relevant tasks at the infrastructure level, future work may test their completeness and applicability across additional settings.

Building on these limitations, two lines of inquiry suggest themselves. First, adaptation studies at platform level could explore how the framework is interpreted and specified in different legal, infrastructural, and ethical environments, and what rationales are offered for adaptation, postponement, or omission. Second, indicator research should refine and test proposed metrics, distinguishing between norm-referenced targets and descriptive monitors. Consensus-building methods may help establish minimal reporting standards, including metadata on evidentiary strength and resource requirements.

Conclusion

Governing secondary use of health data requires both normative robustness and empirical accountability. By coupling widely accepted values to a compact but comprehensive set of ethics practices and evaluation items, this framework offers a practical starting point. Its value will grow as communities iterate on the illustrative metrics, refine implementation across diverse contexts, and share comparative results—helping the field evolve from principled aspiration to demonstrable responsibility.

Ethics approval

Ethics approval was not required, as this conceptual work draws exclusively on publicly available information.

Data availability

No data are associated with this article.

References

1. Alvarez-Romero C, Martinez-Garcia A, Bernabeu-Wittel M, et al.: Health data hubs: an analysis of existing data governance features for research. Health Res Policy Syst. 2023; 21(1): 70. PubMed Abstract | Publisher Full Text | Free Full Text
2. CPRD: Clinical Practice Research Datalink, Data Governance Operating Framework.Reference Source2022.
3. Wilkinson MD, Dumontier M, Aalbersberg IJ, et al.: The FAIR Guiding Principles for scientific data management and stewardship. Sci. Data. 2016; 3: 160018. PubMed Abstract | Publisher Full Text | Free Full Text
4. Kahn MG, Callahan TJ, Barnard J, et al.: A Harmonized Data Quality Assessment Terminology and Framework for the Secondary Use of Electronic Health Record Data. EGEMS (Wash DC). 2016; 4(1): 1244. PubMed Abstract | Publisher Full Text
5. Kalkman S, Mostert M, Gerlinger C, et al.: Responsible data sharing in international health research: a systematic review of principles and norms. BMC Med. Ethics. 2019; 20(1): 21. PubMed Abstract | Publisher Full Text | Free Full Text
6. Kalkman S, van Delden J , Banerjee A, et al.: Patients' and public views and attitudes towards the sharing of health data for research: a narrative review of the empirical evidence. J. Med. Ethics. 2022; 48(1): 3–13. PubMed Abstract | Publisher Full Text | Free Full Text
7. Hutchings E, Loomes M, Butow P, et al.: A systematic literature review of attitudes towards secondary use and sharing of health administrative and clinical trial data: a focus on consent. Syst. Rev. 2021; 10(1): 132. PubMed Abstract | Publisher Full Text | Free Full Text
8. WMA: World Medical Association, Declaration of Taipei on ethical considerations regarding health databases and biobanks.2016. Reference Source
9. OECD: Health Data Governance for the Digital Age: Implementing the OECD Recommendation on Health Data Governance. Paris: 2022. Publisher Full Text
10. CIOMS: International Ethical Guidelines for Health-Related Research Involving Human Subjects. Geneva: Council for International Organizations of Medical Sciences; 2016.
11. ISBER: International Society for Biological and Environmental Repositories. ISBER best practices: Recommendations for repositories (5th ed.).Reference Source2023.
12. WHO: World Health Organization. Policy and Implementation Guidance on Data Sharing and Use of Health-Related Data for Research Purposes. Geneva: Reference Source
13. UK Biobank: UK Biobank Ethics and Governance Framework.Reference Source2007.
14. UK Biobank: Access Procedures. Application and review procedures for access to the UK Biobank Resource.Reference Source2022.
15. All of Us: Framework for Access to All of Us Data Resources v1.1.2021. Reference Source
16. GA4GH: Global Alliance for Genomics and Health. Framework for Responsible Sharing of Genomic and Health-Related Data. Version 1.0.Reference Source
17. ISBER: International Society for Biological and Environmental Repositories (ISBER). Best Practices: Recommendations for Repositories. 5th edition.2023. Reference Source
18. OECD: Recommendation of the Council on Health Data Governance. OECD/LEGAL/0433.Reference Source2017.
19. Presidential Commission for the Study of Bioethical Issues: Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts. Washington, DC: 2013.
20. CIOMS: International guidelines on good governance practice for research institutions. Geneva: Council for International Organizations of Medical Sciences; 2023.
21. Nuffield Council on Bioethics: The collection, linking and use of data in biomedical research and health care: ethical issues. London: 2015. Reference Source
22. European Network for Health Technology Assessment: Registry Evaluation and Quality Standards Tool (REQueST).2019. Reference Source
23. Stockdale J, Cassell J, Ford E: "Giving something back": A systematic review and ethical enquiry into public views on the use of patient data for research in the United Kingdom and the Republic of Ireland. Wellcome Open Res. 2018; 3: 6. Publisher Full Text
24. Pavlenko E, Strech D, Langhof H: Implementation of data access and use procedures in clinical data warehouses. A systematic review of literature and publicly available policies. BMC Med. Inform. Decis. Mak. 2020; 20(1): 157. Publisher Full Text
25. van den Akker OR , Stark S, Strech D: Ethics practices associated with reusing health data: an assessment of patient registries. BMC Med. 2024; 22(1): 577. PubMed Abstract | Publisher Full Text | Free Full Text
26. van den Akker OR , Thibault RT, Ioannidis JPA, et al.: Transparency in the secondary use of health data: assessing the status quo of guidance and best practices. R. Soc. Open Sci. 2025; 12(3): 241364. PubMed Abstract | Publisher Full Text | Free Full Text
27. Langhof H, Kahrass H, Illig T, et al.: Current practices for access, compensation, and prioritization in biobanks. Results from an interview study. Eur. J. Hum. Genet. 2018; 26(11): 1572–1581. PubMed Abstract | Publisher Full Text | Free Full Text
28. Lamer A, Popoff B, Delange B, et al.: Barriers encountered with clinical data warehouses: Recommendations from a focus group. Comput. Methods Prog. Biomed. 2024; 256: 108404. PubMed Abstract | Publisher Full Text
29. Qualls LG, Phillips TA, Hammill BG, et al.: Evaluating Foundational Data Quality in the National Patient-Centered Clinical Research Network (PCORnet(R)). EGEMS (Wash DC). 2018; 6(1): 3. PubMed Abstract | Publisher Full Text
30. Barazzetti G, Bosisio F, Koutaissoff D, et al.: Broad consent in practice: lessons learned from a hospital-based biobank for prospective research on genomic and medical data. Eur. J. Hum. Genet. 2020; 28(7): 915–924. PubMed Abstract | Publisher Full Text | Free Full Text
31. Zenker S, Strech D, Ihrig K, et al.: Data protection-compliant broad consent for secondary use of health care data and human biosamples for (bio) medical research: Towards a new German national standard. J. Biomed. Inform. 2022; 131: 104096. Publisher Full Text
32. Doutreligne M, Degremont A, Jachiet PA, et al.: Good practices for clinical data warehouse implementation: A case study in France. PLOS Digit Health. 2023; 2(7): e0000298. PubMed Abstract | Publisher Full Text | Free Full Text
33. Danciu I, Cowan JD, Basford M, et al.: Secondary use of clinical data: the Vanderbilt approach. J. Biomed. Inform. 2014; 52: 28–35. PubMed Abstract | Publisher Full Text | Free Full Text
34. Tai CG, Harris-Wai J, Schaefer C, et al.: Multiple Stakeholder Views on Data Sharing in a Biobank in an Integrated Healthcare Delivery System: Implications for Biobank Governance. Public Health Genomics. 2018; 21(5–6): 207–216. Publisher Full Text
35. Des Jardins TR: The keys to governance and stakeholder engagement: the southeast michigan beacon community case study. EGEMS (Wash DC). 2014; 2(3): 1068. PubMed Abstract | Publisher Full Text
36. Nab L, Schaffer AL, Hulme W, et al.: OpenSAFELY: A platform for analysing electronic health records designed for reproducible research. Pharmacoepidemiol. Drug Saf. 2024; 33(6): e5815. PubMed Abstract | Publisher Full Text | Free Full Text
37. Waitman LR, Bailey LC, Becich MJ, et al.: Avenues for Strengthening PCORnet's Capacity to Advance Patient-Centered Economic Outcomes in Patient-Centered Outcomes Research (PCOR). Med. Care. 2023; 61(12 Suppl 2): S153–S160. PubMed Abstract | Publisher Full Text | Free Full Text
38. Strech D, von Kielmansegg S , Zenker S, et al.: "Data Donation" – Research Needs, Ethical Assessment, and Legal, IT, and Organizational Frameworks; Scientific Expert Report. Commissioned by the Federal Ministry of Health; 2020. (German language). Reference Source
39. Sisk BA, Mozersky J, Antes AL, et al.: The "Ought-Is" Problem: An Implementation Science Framework for Translating Ethical Norms Into Practice. Am. J. Bioeth. 2020; 20(4): 62–70. PubMed Abstract | Publisher Full Text | Free Full Text
40. Huxtable R, Ives J: Mapping, framing, shaping: a framework for empirical bioethics research projects. BMC Med. Ethics. 2019; 20(1): 86. PubMed Abstract | Publisher Full Text | Free Full Text
41. Schwietering J, Langhof H, Strech D: Empirical studies on how ethical recommendations are translated into practice: a cross-section study on scope and study objectives. BMC Med. Ethics. 2023; 24(1): 2. PubMed Abstract | Publisher Full Text | Free Full Text
42. ISO: International Organization for Standardization, ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. Geneva: 2019.
43. Zenker S, Strech D, Jahns R, et al.: Nationally standardized broad consent in practice: initial experiences, current developments, and critical assessment. Bundesgesundheitsblatt Gesundheitsforschung Gesundheitsschutz. 2024; 67(6): 637–647. PubMed Abstract | Publisher Full Text | Free Full Text
44. Fischer-Rosinsky A, Eienbroker L, Mockel M, et al.: Broad consent in the emergency department: a cross sectional study. Arch. Public Health. 2025; 83(1): 44. PubMed Abstract | Publisher Full Text | Free Full Text
45. Bossert S, Kahrass H, Heinemeyer U, et al.: Participatory improvement of a template for informed consent documents in biobank research - study results and methodological reflections. BMC Med. Ethics. 2017; 18(1): 78. PubMed Abstract | Publisher Full Text | Free Full Text
46. Faden RR, Kass NE, Goodman SN, et al.: An Ethics Framework for a Learning Health Care System: A Departure from Traditional Research Ethics and Clinical Ethics. Hastings Cent. Rep. 2013; 43: S16–S27. Publisher Full Text
47. IOM: Best Care at Lower Cost: The Path to Continuously Learning Health Care in America. Washington D.C.: National Academies Press, Institute of Medicine (IOM); 2012.
48. European Commission: Directorate-General for Communications Networks, Content and Technology. (2019). Ethics guidelines for trustworthy AI. Publications Office of the European Union; 2019. Reference Source
49. Floridi L, Cowls J, Beltrametti M, et al.: AI4People-An Ethical Framework for a Good AI Society: Opportunities, Risks, Principles, and Recommendations. Minds Mach (Dordr). 2018; 28(4): 689–707. PubMed Abstract | Publisher Full Text | Free Full Text

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 13 Apr 2026

Author details Author details

QUEST Center for Responsible Research, Berlin Institute of Health at Charite, Berlin, Germany

Daniel Strech
Roles: Conceptualization, Formal Analysis, Methodology, Project Administration, Writing – Original Draft Preparation

Competing interests

The author served as spokesperson and remains a member of the German working group ‘Consent,’ which developed the broad consent model for the German Medical Informatics Initiative (MII). The author receives research funding related to the topics of this paper from MII consortia (HiGHmed, CAEHR) and from the EU-funded project More-EUROPA. The author was also part of an expert group that authored a report for the German Federal Ministry of Health outlining technical, legal, and ethical preconditions for responsible secondary use of health data. In addition, the author served as a member of two WHO working/review groups relevant to this topic: ‘Guidance for Ethical Review of Health Systems Research’ and ‘Ethics of Public Health Surveillance.’

Grant information

This work was supported by intramural funds from the Berlin Institute of Health at Charité – Universitätsmedizin Berlin, Germany.
The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Article Versions (1)

version 1

Published: 13 Apr 2026, 15:508

https://doi.org/10.12688/f1000research.179326.1

Copyright

© 2026 Strech D. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

Strech D. Operationalising ethics in secondary health-data use: an operator-focused framework for normative governance with audit and performance metrics [version 1; peer review: awaiting peer review]. F1000Research 2026, 15:508 (https://doi.org/10.12688/f1000research.179326.1)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 13 Apr 2026

Open Peer Review

Reviewer Status

AWAITING PEER REVIEW

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

[1] 1. Alvarez-Romero C, Martinez-Garcia A, Bernabeu-Wittel M, et al.: Health data hubs: an analysis of existing data governance features for research. Health Res Policy Syst. 2023; 21(1): 70. PubMed Abstract | Publisher Full Text | Free Full Text

[2] 2. CPRD: Clinical Practice Research Datalink, Data Governance Operating Framework.Reference Source2022.

[3] 3. Wilkinson MD, Dumontier M, Aalbersberg IJ, et al.: The FAIR Guiding Principles for scientific data management and stewardship. Sci. Data. 2016; 3: 160018. PubMed Abstract | Publisher Full Text | Free Full Text

[4] 4. Kahn MG, Callahan TJ, Barnard J, et al.: A Harmonized Data Quality Assessment Terminology and Framework for the Secondary Use of Electronic Health Record Data. EGEMS (Wash DC). 2016; 4(1): 1244. PubMed Abstract | Publisher Full Text

[5] 5. Kalkman S, Mostert M, Gerlinger C, et al.: Responsible data sharing in international health research: a systematic review of principles and norms. BMC Med. Ethics. 2019; 20(1): 21. PubMed Abstract | Publisher Full Text | Free Full Text

[6] 6. Kalkman S, van Delden J , Banerjee A, et al.: Patients' and public views and attitudes towards the sharing of health data for research: a narrative review of the empirical evidence. J. Med. Ethics. 2022; 48(1): 3–13. PubMed Abstract | Publisher Full Text | Free Full Text

[7] 7. Hutchings E, Loomes M, Butow P, et al.: A systematic literature review of attitudes towards secondary use and sharing of health administrative and clinical trial data: a focus on consent. Syst. Rev. 2021; 10(1): 132. PubMed Abstract | Publisher Full Text | Free Full Text

[8] 8. WMA: World Medical Association, Declaration of Taipei on ethical considerations regarding health databases and biobanks.2016. Reference Source

[9] 9. OECD: Health Data Governance for the Digital Age: Implementing the OECD Recommendation on Health Data Governance. Paris: 2022. Publisher Full Text

[10] 10. CIOMS: International Ethical Guidelines for Health-Related Research Involving Human Subjects. Geneva: Council for International Organizations of Medical Sciences; 2016.

[11] 11. ISBER: International Society for Biological and Environmental Repositories. ISBER best practices: Recommendations for repositories (5th ed.).Reference Source2023.

[12] 12. WHO: World Health Organization. Policy and Implementation Guidance on Data Sharing and Use of Health-Related Data for Research Purposes. Geneva: Reference Source

[13] 13. UK Biobank: UK Biobank Ethics and Governance Framework.Reference Source2007.

[14] 14. UK Biobank: Access Procedures. Application and review procedures for access to the UK Biobank Resource.Reference Source2022.

[15] 15. All of Us: Framework for Access to All of Us Data Resources v1.1.2021. Reference Source

[16] 16. GA4GH: Global Alliance for Genomics and Health. Framework for Responsible Sharing of Genomic and Health-Related Data. Version 1.0.Reference Source

[17] 17. ISBER: International Society for Biological and Environmental Repositories (ISBER). Best Practices: Recommendations for Repositories. 5th edition.2023. Reference Source

[18] 18. OECD: Recommendation of the Council on Health Data Governance. OECD/LEGAL/0433.Reference Source2017.

[19] 19. Presidential Commission for the Study of Bioethical Issues: Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts. Washington, DC: 2013.

[20] 20. CIOMS: International guidelines on good governance practice for research institutions. Geneva: Council for International Organizations of Medical Sciences; 2023.

[21] 21. Nuffield Council on Bioethics: The collection, linking and use of data in biomedical research and health care: ethical issues. London: 2015. Reference Source

[22] 22. European Network for Health Technology Assessment: Registry Evaluation and Quality Standards Tool (REQueST).2019. Reference Source

[23] 23. Stockdale J, Cassell J, Ford E: "Giving something back": A systematic review and ethical enquiry into public views on the use of patient data for research in the United Kingdom and the Republic of Ireland. Wellcome Open Res. 2018; 3: 6. Publisher Full Text

[24] 24. Pavlenko E, Strech D, Langhof H: Implementation of data access and use procedures in clinical data warehouses. A systematic review of literature and publicly available policies. BMC Med. Inform. Decis. Mak. 2020; 20(1): 157. Publisher Full Text

[25] 25. van den Akker OR , Stark S, Strech D: Ethics practices associated with reusing health data: an assessment of patient registries. BMC Med. 2024; 22(1): 577. PubMed Abstract | Publisher Full Text | Free Full Text

[26] 26. van den Akker OR , Thibault RT, Ioannidis JPA, et al.: Transparency in the secondary use of health data: assessing the status quo of guidance and best practices. R. Soc. Open Sci. 2025; 12(3): 241364. PubMed Abstract | Publisher Full Text | Free Full Text

[27] 27. Langhof H, Kahrass H, Illig T, et al.: Current practices for access, compensation, and prioritization in biobanks. Results from an interview study. Eur. J. Hum. Genet. 2018; 26(11): 1572–1581. PubMed Abstract | Publisher Full Text | Free Full Text

[28] 28. Lamer A, Popoff B, Delange B, et al.: Barriers encountered with clinical data warehouses: Recommendations from a focus group. Comput. Methods Prog. Biomed. 2024; 256: 108404. PubMed Abstract | Publisher Full Text

[29] 29. Qualls LG, Phillips TA, Hammill BG, et al.: Evaluating Foundational Data Quality in the National Patient-Centered Clinical Research Network (PCORnet(R)). EGEMS (Wash DC). 2018; 6(1): 3. PubMed Abstract | Publisher Full Text

[30] 30. Barazzetti G, Bosisio F, Koutaissoff D, et al.: Broad consent in practice: lessons learned from a hospital-based biobank for prospective research on genomic and medical data. Eur. J. Hum. Genet. 2020; 28(7): 915–924. PubMed Abstract | Publisher Full Text | Free Full Text

[31] 31. Zenker S, Strech D, Ihrig K, et al.: Data protection-compliant broad consent for secondary use of health care data and human biosamples for (bio) medical research: Towards a new German national standard. J. Biomed. Inform. 2022; 131: 104096. Publisher Full Text

[32] 32. Doutreligne M, Degremont A, Jachiet PA, et al.: Good practices for clinical data warehouse implementation: A case study in France. PLOS Digit Health. 2023; 2(7): e0000298. PubMed Abstract | Publisher Full Text | Free Full Text

[33] 33. Danciu I, Cowan JD, Basford M, et al.: Secondary use of clinical data: the Vanderbilt approach. J. Biomed. Inform. 2014; 52: 28–35. PubMed Abstract | Publisher Full Text | Free Full Text

[34] 34. Tai CG, Harris-Wai J, Schaefer C, et al.: Multiple Stakeholder Views on Data Sharing in a Biobank in an Integrated Healthcare Delivery System: Implications for Biobank Governance. Public Health Genomics. 2018; 21(5–6): 207–216. Publisher Full Text

[35] 35. Des Jardins TR: The keys to governance and stakeholder engagement: the southeast michigan beacon community case study. EGEMS (Wash DC). 2014; 2(3): 1068. PubMed Abstract | Publisher Full Text

[36] 36. Nab L, Schaffer AL, Hulme W, et al.: OpenSAFELY: A platform for analysing electronic health records designed for reproducible research. Pharmacoepidemiol. Drug Saf. 2024; 33(6): e5815. PubMed Abstract | Publisher Full Text | Free Full Text

[37] 37. Waitman LR, Bailey LC, Becich MJ, et al.: Avenues for Strengthening PCORnet's Capacity to Advance Patient-Centered Economic Outcomes in Patient-Centered Outcomes Research (PCOR). Med. Care. 2023; 61(12 Suppl 2): S153–S160. PubMed Abstract | Publisher Full Text | Free Full Text

[38] 38. Strech D, von Kielmansegg S , Zenker S, et al.: "Data Donation" – Research Needs, Ethical Assessment, and Legal, IT, and Organizational Frameworks; Scientific Expert Report. Commissioned by the Federal Ministry of Health; 2020. (German language). Reference Source

[39] 39. Sisk BA, Mozersky J, Antes AL, et al.: The "Ought-Is" Problem: An Implementation Science Framework for Translating Ethical Norms Into Practice. Am. J. Bioeth. 2020; 20(4): 62–70. PubMed Abstract | Publisher Full Text | Free Full Text

[40] 40. Huxtable R, Ives J: Mapping, framing, shaping: a framework for empirical bioethics research projects. BMC Med. Ethics. 2019; 20(1): 86. PubMed Abstract | Publisher Full Text | Free Full Text

[41] 41. Schwietering J, Langhof H, Strech D: Empirical studies on how ethical recommendations are translated into practice: a cross-section study on scope and study objectives. BMC Med. Ethics. 2023; 24(1): 2. PubMed Abstract | Publisher Full Text | Free Full Text

[42] 42. ISO: International Organization for Standardization, ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. Geneva: 2019.

[43] 43. Zenker S, Strech D, Jahns R, et al.: Nationally standardized broad consent in practice: initial experiences, current developments, and critical assessment. Bundesgesundheitsblatt Gesundheitsforschung Gesundheitsschutz. 2024; 67(6): 637–647. PubMed Abstract | Publisher Full Text | Free Full Text

[44] 44. Fischer-Rosinsky A, Eienbroker L, Mockel M, et al.: Broad consent in the emergency department: a cross sectional study. Arch. Public Health. 2025; 83(1): 44. PubMed Abstract | Publisher Full Text | Free Full Text

[45] 45. Bossert S, Kahrass H, Heinemeyer U, et al.: Participatory improvement of a template for informed consent documents in biobank research - study results and methodological reflections. BMC Med. Ethics. 2017; 18(1): 78. PubMed Abstract | Publisher Full Text | Free Full Text

[46] 46. Faden RR, Kass NE, Goodman SN, et al.: An Ethics Framework for a Learning Health Care System: A Departure from Traditional Research Ethics and Clinical Ethics. Hastings Cent. Rep. 2013; 43: S16–S27. Publisher Full Text

[47] 47. IOM: Best Care at Lower Cost: The Path to Continuously Learning Health Care in America. Washington D.C.: National Academies Press, Institute of Medicine (IOM); 2012.

[48] 48. European Commission: Directorate-General for Communications Networks, Content and Technology. (2019). Ethics guidelines for trustworthy AI. Publications Office of the European Union; 2019. Reference Source

[49] 49. Floridi L, Cowls J, Beltrametti M, et al.: AI4People-An Ethical Framework for a Good AI Society: Opportunities, Risks, Principles, and Recommendations. Minds Mach (Dordr). 2018; 28(4): 689–707. PubMed Abstract | Publisher Full Text | Free Full Text

Operationalising ethics in secondary health-data use: an operator-focused framework for normative governance with audit and performance metrics

Abstract

Background

Methods

Results

Discussion

Keywords

Introduction

Normative governance: an underdefined field

The missing piece: a framework for mapping and evaluation

Positioning within the landscape of existing ethics guidance

Methods

Conceptual orientation

Knowledge inputs and scope

Practice selection

Evaluation layer

Plausibility check

Results

Overview of the three-layer framework

Table 1. Seven governance domains with illustrative ethics practices aligned to the PDCA cycle.

Table 2. Evaluation layer: Illustrative examples for audit, descriptive and outcome metrics for each ethics practice.

Ethics practices

Special context for Privacy & Data Protection and Data Quality

Division of labour between operators and data users

Evaluation items

Plausibility results

Discussion

From value to verifiability

Contextual adaptability and scalable use

From policies to performance

Relation to adjacent ethics domains

Strengths, limitations, and future directions

Conclusion

Ethics approval

Data availability

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated