Background

When people use health services, information is added to their patient record to support their safe and effective care. Research has shown that many people are positive about providing their data for direct care purposes and their record being shared between staff and health services. There is recognition that giving staff the information they need makes care safer and more effective and avoids patients having to repeat themselves.

However, in general the public have long been concerned about security threats to their personal data, and there is little public awareness or understanding of what is done to specifically keep health data safe within direct care settings. Several recent pieces of research have reported that patients want honesty about how their health data is kept safe due to concerns about leaks or misuse, including transparency about whether NHS systems are good enough to prevent this.

The Information Commissioner’s Office (ICO), the UK-wide independent body which offers information, guidance and enforcement in data security, describes a personal data breach broadly as a security incident affecting the confidentiality, integrity or availability of personal data. If the public is to feel confident that their health data is kept safe, research first needs to understand what security and ‘breaches’ of their data mean to the public, and secondly, how to make the systems and people behind data security visible.

Understanding Patient Data commissioned Kohlrabi to undertake a rapid systematic review of existing evidence of public understanding and attitudes toward health data security, as well as of communication styles and existing public-facing resources on the topic. This was followed by a series of deliberative dialogues and co-creation workshops to understand perceptions and knowledge of health data security and to explore solutions to the information gaps identified in the desk review.

1 - Rapid Systematic Review

This rapid systematic review was the first stage of this project, surveying the peer-review, grey literature, and media landscapes to address the following Research Questions (RQ):

1. What does the public currently understand about health data security?

2. What communication styles are used to talk about complex technical processes which address public concerns?

3. What are existing health data security resources?

Therefore, we screened both research about the public understanding of health data security (RQ1) and public-facing communications about health data security (RQ2 & RQ3). The findings of this review will be useful for academic, public and private bodies to establish key knowledge gaps in the research landscape of public understanding of health data security and inform development of effective public-facing health data security explainers.

Read the rapid systematic review here

Over 5,000 records were screened across twelve literature and media sources.

Public understanding and perceptions of health data security (RQ1):

• Reviews of peer-reviewed and grey literature suggest that little is known about the UK publics’ understanding of health data security concepts and issues.

• The UK public tend to be supportive of health data sharing for direct care, though there are common concerns about the exploitation of health data by commercial companies and the risk of data breaches.

Public-facing communications about health data security (RQ2 & RQ3):

• Public-facing information is overwhelmingly text-based and has a technical reading level which is inaccessible to a non-university-level audience, regardless of publication source (public and private bodies or news agencies).

• Public and private bodies with responsibility for maintaining the security of health data used for direct care and/or research generally employed a neutral or positive sentiment in relevant documents.

• Media sources generally presented information about health data security with a negative sentiment and typically focused on malicious external security breaches.

  • Academic and public bodies should directly research public understandings of health data security, including a diverse range of participant demographic characteristics and perspectives.
  • Public and private bodies should develop public-facing resources relating to health data security in the context of direct care, acknowledging the provision for resources focused on security of health data sharing/access for research.
  • Public-facing resources should be made more accessible by both improving the readability of text-based resources and integrating multimedia explainers.
  • Public-facing resources should ensure they use a neutral tone, finding the middle ground between public bodies’ tendency to be reassuring and the media tendency to be alarming.

  • All peer-reviewed research and most grey literature examined public understanding of health data security in the context of data sharing for research; however, there is a paucity of evidence of the UK publics’ understanding in the context of direct care.
  • Of over 5,000 records screened across twelve literature and media sources, only a single video resource and a single audio (podcast) resource were identified.
  • There is a critical gap for non-technical public-facing multimedia educational resources about health data security in the context of direct care.

2 - Deliberative Dialogues, Co-Creation Workshops & Expert Interviews

This phase of the project aimed to:

• Gain insight into the public’s understanding of health data security, and concepts such as accidental breaches versus intentional misuse, cyber-attacks, and impact of data loss.

• Consider the public’s feelings towards these topics, their information needs, and their perspective on how they would like information to be communicated. 

• Co-develop specifications for public-facing resources based on the above, with the type, content, and design of resource being recommended by participants.

A sequence of public involvement activities between January and March 2025 began with a deliberative dialogue of 47 members of the public exploring what the public wants and needs to know about health data security in direct care settings, and how that information should be communicated.

Building on the resulting insights, three smaller groups of the same public members (totalling 15 people) co-created specifications for public-facing explainers of health data security. These were then tested factually through six interviews with health data security experts and reviewed by the project Steering Group.

Read the final report here. Stimulus materials and topic guides are linked throughout.

The findings derived through the deliberative dialogues and the co-creation process underpin the following four principles for producing and communicating public-facing health data security information. Each has implications for the development of a set of resources to be produced by Understanding Patient Data, to empower the public to better understand the basic facts of health data security and to make informed choices about their own data.

This research was a reminder of how little public knowledge there is about data security in general. Until participants viewed health data security concepts through the lens of their own lives and started asking questions, their knowledge gaps were filled by faith and assumptions. Relatable examples helped build understanding and a sense of control. Co-creation participants developed visual storylines for an animation and interactive infographics, with relatable characters to bring key health data security information to life. These storylines were refined through subsequent rounds of co-creation and expert interviews to ensure the events and wording were both accurate and resonant.

Recommendations:

  • Make it relatable: Participants engaged most when the content felt resonant to their own lives. They believed that relatable information from people who looked and sounded like themselves experiencing the reality of data security practices would help the public engage and start to understand these concepts better.
  • Use visual tools to build understanding: Participants found it easier to understand and evaluate information when they could visualise typical practices. Visual presentations of health data security information were popular, with suggestions for animations, images or simple clear infographics.
  • Layer information accessibly: Many participants overestimated how much they knew before the sessions. It was thought sensible to start with the basics and allow people to choose when and how to explore further detail through the provision of layers of information and signposting to other trusted sources.

 

Participants’ realisation of their knowledge gaps raised feelings of low agency and anxiety, aroused suspicions that information was being hidden, and encouraged seeking answers from unofficial sources. Participants saw no reason for information not to be clearly and comprehensively communicated to them. Many people were pragmatic about data use and its security: risks in life exist, and both they and the protections in place should be visible. Co-creation participants developed plain language narratives - acknowledging concern without creating fear, while clearly explaining rights and protections. Content and characterisation aimed to depict how data and breaches are handled in practice, while avoidance of dense text, jargon, and over-crowding of information improved the sense of transparency.

Recommendations:

  • Use plain language: Dense text, acronyms, and unfamiliar organisational names made participants feel deterred or suspicious. Information should be presented in everyday language and short explanations instead of industry shorthand.
  • Be upfront: Address common fears about unauthorised access and data misuse straight away. The public already have enough information about health data breaches to form questions; if those aren’t answered proactively, information is sought from other sources.
  • Shift perceptions: Participants had assumptions about what safe processes might look like, both in the roles and in the modes of communication. Storytelling could be used to normalise the necessary and authorised journey of data in direct care.

Participants didn’t just want facts about risks - they wanted improved knowledge and trust that the security safety net was there and that they would be alerted if and when there is a risk to them. Specific wording was a challenge due to variation in roles, organisations, and processes across services, regions, and time. Co-creation participants humanised faceless organisations, and used a serious tone and repetition to make evident a clear through-line of core principles across the system.

Recommendations:

  • Make accountability visible: Participants wanted to know who is responsible. Relatable case studies and humanised characters were suggested to show that real people - not just faceless institutions - are actively keeping data safe.
  • The golden thread: Expert stakeholders suggested that focusing on the structures around data security as a clear thread was less confusing than naming multiple titles of those responsible and nuances between regions, Trusts and services.

Participants had some concerns and questions which had not been anticipated by expert stakeholders. In addition, there was a strong desire for understanding of what a breach might mean for them and what practical steps they could take in response. However, while some queries may be answered easily, some are beyond the scope of one resource, and in some areas, the ‘answers’ are changing as society evolves. In co-creation, participants shaped a layered resource: an introductory animation to build awareness, followed by flexible infographics which could be copied into printouts to start building people’s understanding before something goes wrong. To be useful in the face of uncertainty, information was presented in the steps which people can expect in a data breach, and signposts were suggested to offer further support and information.

Recommendations:

  • Anticipate questions and signpost clearly: Participants raised reasonable, predictable questions - some beyond the scope of any one resource (e.g., third-party contracts, their own data access). Rather than ignoring them, acknowledge these topics and signpost to support people in asking more from the system.
  • Be honest about what can’t be explained: There were a number of grey areas where answers did not seem possible - such as exactly what a hacker might do with health data. Participants suggested that proactively naming “the missing information” and pointing to reliable external sources would build trust.
  • Clear response steps: Many participants worried they wouldn’t recognise a breach or know how to respond. While the specifics vary, explaining how breaches are handled - and the list of steps individuals should expect - was thought to offer reassurance and restore some sense of control.

Resource specifications

The deliberative dialogues illuminated several areas of priority content for resources communicating health data security to the public:

  • What is health data and why is it collected
  • Access: need and authorisation
  • The flow of information for patient care
  • What is a breach and how often does it happen
  • What controls are in place
  • What are the harms of a breach

From these themes and dialogue findings describing priority content and format preferences, initial stimuli were produced for an introductory animation to health data security and four interactive infographics communicating different types of breaches. The content and design were then developed with co-creation participants and expert stakeholders. The draft specifications for these are linked below - please note, these are intended to be a jumping off point for further shaping by feedback from stakeholders and designers, so these are not necessarily the final versions.

Next steps

Participants suggested that, by addressing the concerns they had raised, effective health data security resources could be developed to improve public trust, awareness, and proactive engagement with data protection measures.

Understanding Patient Data will take this project forward by working with a creative design agency to further shape and develop the specifications and ultimately produce the recommended resources, likely by Autumn 2025. As with all of UPD’s resources, these will eventually be available under a CC-BY licence for all to use in their own suite of resources too.

UPD will also work to incorporate the recommendations shaped by this public engagement work into their broader policy messaging around health data security and beyond, ensuring that the public view continues to be heard and promoted.

---