Health data, privacy, and consent: the autonomy lost when data starts circulating.
- Apr 30
The contemporary discussion about health data almost always begins in the right place: privacy. But it often ends in the wrong place: formal authorization. The problem is no longer just whether the patient signed, clicked, or consented. The problem is whether an intelligible moral relationship still exists between the person, their data, the systems that reuse it, and the resulting benefits or risks.
The article by Robert Panadés and Oriol Yuguero, “Cyber-bioethics: the new ethical discipline for digital health,” is particularly useful because it recognizes that the digitalization of health not only adds new tools to medicine; it adds a new moral layer to the clinical relationship itself. For the authors, digital health necessitates expanding the classic principles of bioethics—autonomy, beneficence, non-maleficence, and justice—to include data protection, cybersecurity, transparency, explainability, equity, non-discrimination, and accountability (Panadés and Yuguero, 2025).
The thesis is compelling. Digital medicine is not simply medicine with computers. It is medicine mediated by data infrastructures. And, when the infrastructure starts to participate in decision-making, triage, diagnosis, risk prediction, research, and resource management, bioethics must stop thinking only about the consultation, the hospital, or the laboratory. It must also consider the entire circuit: who collects, who structures, who accesses, who reuses, who trains models, who audits, who benefits, and who is exposed.
The main contribution of Panadés and Yuguero's article is precisely this: to show that the privacy and confidentiality of patient data becomes one of the central challenges of AI in medicine, because AI depends on the collection and analysis of large volumes of clinical information, often difficult to explain to the data subjects themselves (Panadés and Yuguero, 2025). Its limitation is also clear: the article identifies the problem well, but does not sufficiently develop the operational models of consent, governance, and secondary reuse of data that are now at the heart of the European transformation of digital health.
That's where supplementary literature becomes crucial.
From consent as a signature to consent as an ongoing relationship.
Informed consent was created to protect individuals against undue intervention in their bodies. However, health data presents a different challenge: it can be reused long after the consultation, combined with other data, analyzed by third parties, exported to research projects, used to train AI models, or integrated into public policies. Therefore, the question "Did the patient consent?" is no longer sufficient. It is necessary to ask: consent for what purpose, for how long, with what possibility of revocation, with what real knowledge, and with what guarantees of control?
Jane Kaye and colleagues pioneered the proposal of dynamic consent as a digital interface between participants and researchers, precisely because traditional consent models remained static, paper-based, and confined to institutional or national boundaries, while biomedical research became increasingly global, digital, and data-driven (Kaye et al., 2015). This proposal remains relevant because it shifts consent from an isolated moment to an ongoing relationship.
Dynamic consent allows data subjects to update preferences, accept or reject certain uses, receive information about new projects, and, in principle, regain a form of active participation (Kaye et al., 2015; Teare, Prictor and Kaye, 2021). But its virtue is also its risk: the more consent requests are submitted, the greater the likelihood of fatigue, inattention, or automatic decision-making. Dynamic consent can become a new form of digital bureaucracy if it is not designed with prudence, literacy, and respect for the cognitive load of the individual.
Recent literature seeks to resolve this tension through hybrid models. Welzel and colleagues argue that consent in digital health should combine trust, traceability, and individual control, using consent management platforms, digital identity, de-identified tokens, and, in certain contexts, blockchain or sovereign identity models (Welzel et al., 2025). The idea is not to transform all patients into technical managers of their data, but to ensure that authorization does not disappear within an opaque infrastructure.
The most interesting perspective for our work is this: consent ceases to be merely a legal act and becomes an interface of moral governance. A person should not only consent; they should be able to understand, follow, correct, limit, and, in certain cases, withdraw. Without this, autonomy becomes a formality preserved on the surface and dissolved in practice.
The mistake of thinking that privacy is only about secrecy.
In healthcare, privacy is often treated as synonymous with confidentiality. However, this equivalence is incomplete. Confidentiality protects against improper disclosure. Privacy also protects against inappropriate uses, abusive inferences, unexpected recombinations, and changes in context.
Helen Nissenbaum developed the idea of “contextual integrity” to show that privacy depends on the norms that regulate the appropriate flow of information in a given social context (Nissenbaum, 2010). Applied to healthcare, this perspective is extremely powerful: data may have been legitimately collected in a consultation, but become morally problematic when it circulates in another context—for example, commercial research, insurance, employment, behavioral advertising, predictive risk models, or AI training.
This is one of the dimensions that most easily goes unnoticed by professionals in the field. The ethical problem lies not only in the direct identification of the person, but also in the shift in context. Data collected for care can be reused for classification. Data collected for investigation can be used for exclusion. Apparently neutral data, when aggregated, can produce inferences about vulnerability, therapeutic adherence, genetic risk, mental health, or future behavior.
Mittelstadt and Floridi had already warned that biomedical big data creates specific problems of consent, privacy, ownership, objectivity, power, and inequality, especially because the aggregation and reuse of large volumes of data alters the relationship between the individual, science, and institutions (Mittelstadt and Floridi, 2016). The central point is that data protection cannot be limited to the question "has the name been removed?" In healthcare, even pseudonymized data can remain ethically sensitive because its recombination can produce knowledge about individuals, groups, or communities.
The consequence is simple, yet demanding: anonymization and pseudonymization are necessary, but insufficient. We need an ethics of data flow.
Secondary use as a common good — and as a risk of asymmetry.
The secondary use of health data has enormous public value. It can improve health policies, optimize resources, identify inequalities, accelerate research, develop therapies, train diagnostic models, and respond to health emergencies. The World Health Organization defines secondary use as the processing of data for purposes other than those for which they were initially collected, including planning, research, innovation, and improvement of health services (WHO Regional Office for Europe, 2024).
It would therefore be ethically poor to defend an absolute view that health data should never be reused. This position would narrowly protect individual autonomy but could undermine solidarity, justice, and the collective improvement of health. Prainsack and Buyx help precisely to correct this individualistic excess by arguing that solidarity can offer a different way of thinking about biomedical problems, including health databases, personalized medicine, and collective governance (Prainsack and Buyx, 2017).
However, the solidarity argument can also be abused. Invoking the “common good” should not function as a generic authorization to extract value from personal data. Solidarity is only ethically robust when there is reciprocity, transparency, fair distribution of benefits, and protection against harmful uses. Otherwise, secondary use becomes an elegant form of value transfer: citizens provide the data; public institutions, companies, or researchers extract benefits; and the data subjects rarely know what happened, what results were obtained, or who profited.
The OECD recognizes this tension by arguing that the cross-border secondary use of health data requires convergence of legal frameworks, harmonization of national procedures, and attention to public perception of data use (OECD, 2025). The point is crucial: without public trust, even technically sound projects can become socially illegitimate.
The European Health Data Space: opportunity and moral test.
The European Health Data Space represents one of the most important moments for contemporary European bioethics. The European Commission presents the EHDS as an instrument to empower citizens in accessing and controlling their electronic health data, enabling the safe reuse of this data for research, innovation, policymaking and regulation, and creating a single market for electronic health record systems (European Commission, 2025).
This ambition is correct. But it raises a difficult question: will it be possible to create a European infrastructure for the reuse of health data that is simultaneously useful, secure, fair, understandable, and respectful of autonomy?
Van Drumpt and colleagues show that the EHDS seeks to address the fragmentation of the European data ecosystem by promoting ethical and responsible reuse, but faces risks related to privacy, security, consent, equitable access, and potential structural imbalances in the health data economy (van Drumpt et al., 2025). Their most relevant contribution is to show that these risks cannot be resolved through legal norms or technology alone. Integrated governance models, privacy protection technologies, public engagement, and clear access rules are necessary.
The idea of data permits, secure processing environments, and privacy-enhancing technologies is particularly important. Secondary use of health data should occur in controlled environments, with strong authentication, data minimization, traceability, purpose limitation, and auditing. SPMS, in the Portuguese context, also emphasizes that secondary use should occur with anonymization or pseudonymization, specific authorized purposes, and secure processing environments (SPMS, 2024).
The bioethical question, however, is not just whether the environment is safe. It is whether the environment is governed. Safety without governance creates technical confidence, but not moral legitimacy.
The false technical solution: federated learning, differential privacy, and the new invisible risks.
Federated learning is often presented as an elegant solution: the data remains in the hospitals or institutions of origin, and the models are trained locally, sharing only parameters or results. Eden and colleagues describe federated learning as a methodology that allows the analysis of large distributed datasets while maintaining sovereignty with their respective owners, but they warn that the technology does not eliminate ethical risks, privacy concerns, bias, malicious use, or harm (Eden et al., 2025).
This warning is essential. Federated learning reduces the circulation of raw data, but it does not eliminate the circulation of value, inference, or power. A model trained on data from multiple institutions may still incorporate biases, reveal information through indirect attacks, reinforce inequalities, or be used for purposes other than those initially intended. Therefore, Eden and colleagues argue that federated learning requires procedural, relational, and structural governance mechanisms, including agreements, audits, oversight, accountability, and institutional engagement (Eden et al., 2025).
The same applies to differential privacy, homomorphic encryption, secure multi-party computation, or zero-knowledge proofs. These technologies are important, but they do not replace ethics. A technology can protect data and still allow for an unfair purpose. It can prevent direct re-identification and still produce statistical discrimination. It can comply with the law and still erode trust.
This is one of the original perspectives we should highlight in the article: technical privacy protects against exposure; bioethics protects against betrayal. And betrayal, in healthcare, can occur even without data leaks, when a person discovers that the information provided in a care context has been transformed into an instrument of surveillance, classification, profit, or exclusion.
Data trusts and fiduciary duty: perhaps the issue is not ownership, but loyalty.
The discussion about health data is often framed in terms of ownership: who owns the data? The patient? The hospital? The state? The platform? The researcher? The company that organizes it?
This question is important, but perhaps not the most fruitful. In many cases, health data are relational: they result from the interaction between the individual, the professional, the institution, technology, public funding, clinical knowledge, and social context. Reducing them to individual ownership can hinder research; handing them over to the state or companies can dissolve autonomy.
The most promising alternative is to think in fiduciary terms. Burns and colleagues analyze the concept of data trust as an independent governance structure, in which a trustee assumes fiduciary duties towards the beneficiaries of the data, seeking to address the lack of public trust in health data sharing programs (Burns et al., 2024).
The strength of this approach lies in the shift in language: from ownership to care; from access to loyalty; from authorization to responsible stewardship. A data trust doesn't solve all the problems, but it introduces a powerful idea: those who manage health data must act with a duty of loyalty towards the data subjects and communities of origin, not just with a duty of compliance towards regulators.
For the Center for Bioethics Studies, this could be a distinctive line of reflection: health data are not merely informational resources; they are fiduciary fragments of the person. Not because they contain the whole person, but because they can represent them, classify them, predict their future, affect their dignity, and influence opportunities for care.
The perspective that often escapes us: post-consent autonomy.
The most overlooked point in this debate is autonomy after consent.
Bioethics has devoted considerable attention to the moment of authorization. However, in digital systems, most morally relevant events occur afterward: transformation, aggregation, inference, training, sharing, auditing, publication, monetization, reuse, archiving, and eventual future reinterpretation of the data. Consent is merely the gateway. The ethical life of the data begins afterward.
Therefore, a bioethics approach appropriate to the secondary use of health data must propose the concept of post-consent autonomy. This autonomy does not mean that each person must manually approve every technical use of their data. That would be impractical. Rather, it means that the system must preserve real forms of control, transparency, contestation, benefit, and withdrawal throughout the data lifecycle.
Post-consent autonomy requires five conditions. First, traceability: knowing what types of uses were authorized and carried out. Second, intelligibility: explaining the categories of use in understandable language. Third, contestability: allowing opposition, revocation, or limitation when appropriate. Fourth, reciprocity: providing society with information about benefits, discoveries, and impacts. Fifth, fiduciary governance: ensuring that those who manage the data act in the legitimate interest of the data subjects, patients, and the public good.
This perspective allows us to overcome the false opposition between individual consent and public interest. The problem is not choosing between autonomy and solidarity. The problem is building institutions in which solidarity does not require the invisibility of the individual.
Operational application for the work of the Center for Bioethics Studies.
For operational purposes, the theme can be transformed into a line of work for the Center based on six concrete proposals.
First, create a bioethical evaluation model for the secondary use of health data, with mandatory questions about purpose, legal basis, minimization, risk of re-identification, risk of discrimination, public benefit, social return, and challenge mechanisms.
Second, develop a layered consent guide, distinguishing between clinical consent, consent for research, consent for secondary use, dynamic consent, broad consent, and situations where the ethical basis is not individual consent but the public interest with enhanced safeguards.
Third, propose a post-consent autonomy model applicable to hospitals, biobanks, digital platforms, and medical AI projects. This model should require continuous information, usage logs, the possibility of revocation where applicable, public impact reports, and independent auditing.
Fourth, recommend secure processing environments with access control, strong authentication, logs, pseudonymization, minimization, sandbox analysis, limited export of results, and re-identification risk assessment.
Fifth, study the feasibility of fiduciary data governance structures, such as data trusts, patient councils, independent data access committees, or public/non-profit intermediary models.
Sixth, argue that AI projects in healthcare should be evaluated not only for technical safety, but also for informational justice, that is, for how they distribute risks, benefits, analytical power, and capacity for influence among patients, public institutions, companies, and researchers.
Conclusion
The secondary use of health data is one of the great promises of contemporary medicine. It can enable faster research, smarter public policies, more effective prevention, personalized medicine, and better management of health systems. But it can also create a new asymmetry: the person becomes a permanent source of data, while losing visibility over the destination, value, and consequences of that data.
Panadés and Yuguero are right to argue that digital health requires a cyber-bioethics capable of expanding the classic principles of bioethics to the challenges of AI, privacy, cybersecurity, and digital justice (Panadés and Yuguero, 2025). But the next step is more demanding: we need a bioethics that is not content with formal consents, protective technologies, or abstract regulations.
The crucial question is no longer simply "Is the data protected?" It becomes "Does the individual remain morally responsible for how their data is used?"
If the answer is no, then privacy may be technically preserved, but autonomy has already been ethically lost.
References
Burns, E. et al. (2024) on data trusts and fiduciary governance of health data.
Eden, R. et al. (2025) “A scoping review of the governance of federated learning in healthcare”, npj Digital Medicine.
European Commission (2025) “European Health Data Space Regulation”.
Kaye, J. et al. (2015) “Dynamic consent: a patient interface for twenty-first century research networks”, European Journal of Human Genetics.
Mittelstadt, B. D. and Floridi, L. (2016) “The Ethics of Big Data: Current and Foreseeable Issues in Biomedical Contexts”, Science and Engineering Ethics.
OECD (2025) “Facilitating the secondary use of health data for public interest purposes across borders”.
Panadés, R. and Yuguero, O. (2025) “Cyber-bioethics: the new ethical discipline for digital health”, Frontiers in Digital Health.
Prainsack, B. and Buyx, A. (2017) Solidarity in Biomedicine and Beyond.
Teare, H. J. A., Prictor, M. and Kaye, J. (2021) “Reflections on dynamic consent in biomedical research: the story so far”, European Journal of Human Genetics.
van Drumpt, S. et al. (2025) “Secondary use under the European Health Data Space: setting the scene and towards a research agenda on privacy-enhancing technologies”, Frontiers in Digital Health.
Welzel, C. et al. (2025) “Enabling secure and self-determined health data sharing and consent management”, npj Digital Medicine.
WHO Regional Office for Europe (2024) “Improving health-care delivery and innovation through secondary use of health data”.