Biography

Miranda is a Researcher in Law within the Centre for Health, Law and Emerging Technologies ('HeLEX'). Her work mostly focuses on privacy, confidentiality and data protection in health and life sciences research. 

Her current work centres on the BioGOV project: mapping the laws, standards and policies which collectively regulate new ‘biomodifying’ technologies such as gene editing. This project is funded by the Leverhulme Trust to provide an evidence base for appropriate, flexible and socially responsive governance in the biotechnology sector. She also helps to lead a Legal and Ethical work package in the Horizon 2020 project EU-STANDS4PM, contributing to standards for in silico modelling within personalised medicine. She provides ongoing support to the DIabetes REsearCh on patient straTification (‘DIRECT’) consortium, and has done some consultancy work on Research Council projects. 

She joined HeLEX in 2017, working as part of the Administrative Data Research Network. Prior to this she practised as a barrister, providing advice and representation to the NHS on a range of patient-related issues. Much of her legal work was in a mental health context, involving patients with fluctuating mental capacity. She retains a broader interest in healthcare law

Publications

Recent additions

  • A McKeown , M Mourby, P Harrison and S Harrison , 'Ethical Issues in Consent for the Reuse of Data in Health Data Platforms' (2021) 27 Science and Engineering Ethics
    DOI: https://doi.org/10.1007/s11948-021-00282-0
    Data platforms represent a new paradigm for carrying out health research. In the platform model, datasets are pooled for remote access and analysis, so novel insights for developing better stratified and/or personalised medicine approaches can be derived from their integration. If the integration of diverse datasets enables development of more accurate risk indicators, prognostic factors, or better treatments and interventions, this obviates the need for the sharing and reuse of data; and a platform-based approach is an appropriate model for facilitating this. Platform-based approaches thus require new thinking about consent. Here we defend an approach to meeting this challenge within the data platform model, grounded in: the notion of ‘reasonable expectations’ for the reuse of data; Waldron’s account of ‘integrity’ as a heuristic for managing disagreement about the ethical permissibility of the approach; and the element of the social contract that emphasises the importance of public engagement in embedding new norms of research consistent with changing technological realities. While a social contract approach may sound appealing, however, it is incoherent in the context at hand. We defend a way forward guided by that part of the social contract which requires public approval for the proposal and argue that we have moral reasons to endorse a wider presumption of data reuse. However, we show that the relationship in question is not recognisably contractual and that the social contract approach is therefore misleading in this context. We conclude stating four requirements on which the legitimacy of our proposal rests.
  • M Mourby, '‘Leading by Science’ through Covid-19: the GDPR & Automated Decision-Making' (2021) 5 International Journal of Population Data Science
    DOI: https://doi.org/10.23889/ijpds.v5i4.1402
    The UK government announced in March 2020 that it would create an NHS Covid-19 ‘Data Store’ from information routinely collected as part of the health service. This ‘Store’ would use a number of sources of population data to provide a ‘single source of truth’ about the spread of the coronavirus in England. The initiative illustrates the difficulty of relying on automated processing when making healthcare decisions under the General Data Protection Regulation (GDPR). The end-product of the store, a number of ‘dashboards’ for decision-makers, was intended to include models and simulations developed through artificial intelligence. Decisions made on the basis of these dashboards would be significant, even (it was suggested) to the point of diverting patients and critical resources between hospitals based on their predictions. How these models will be developed, and externally validated, remains unclear. This is an issue if they are intended to be used for decisions which will affect patients so directly and acutely. We have (by default) a right under the GDPR not to be subject to significant decisions based solely on automated decision-making. It is not obvious, at present, whether resource allocation within the NHS could take place in reliance on this automated modelling. The recent A Level debacle illustrates, in the context of education, the risks of basing life-changing decisions on the national application of a single equation. It is worth considering the potential consequences for the health service if the NHS Data Store is used for resource planning as part of the Covid-19 response.
  • M Mourby, M Morrison , H Gowans and S Coy , 'Governance of research consortia: challenges of implementing Responsible Research and Innovation within Europe' (2020) 16 Life Sciences, Society and Policy 13
    Responsible Research and Innovation (‘RRI’) is a cross-cutting priority for scientific research in the European Union and beyond. This paper considers whether the way such research is organised and delivered lends itself to the aims of RRI. We focus particularly on international consortia, which have emerged as a common model to organise large-scale, multi-disciplinary research in contemporary biomedical science. Typically, these consortia operate through fixed-term contracts, and employ governance frameworks consisting of reasonably standard, modular components such as management committees, advisory boards, and data access committees, to co-ordinate the activities of partner institutions and align them with funding agency priorities. These have advantages for organisation and management of the research, but can actively inhibit researchers seeking to implement RRI activities. Conventional consortia governance structures pose specific problems for meaningful public and participant involvement, data sharing, transparency, and ‘legacy’ planning to deal with societal commitments that persist beyond the duration of the original project. In particular, the ‘upstream’ negotiation of contractual terms between funders and the institutions employing researchers can undermine the ability for those researchers to subsequently make decisions about data, or participant remuneration, or indeed what happens to consortia outputs after the project is finished, and can inhibit attempts to make project activities and goals responsive to input from ongoing dialogue with various stakeholders. Having explored these challenges, we make some recommendations for alternative consortia governance structures to better support RRI in future.

Journal Article (15)

A McKeown , M Mourby, P Harrison and S Harrison , 'Ethical Issues in Consent for the Reuse of Data in Health Data Platforms' (2021) 27 Science and Engineering Ethics
DOI: https://doi.org/10.1007/s11948-021-00282-0
Data platforms represent a new paradigm for carrying out health research. In the platform model, datasets are pooled for remote access and analysis, so novel insights for developing better stratified and/or personalised medicine approaches can be derived from their integration. If the integration of diverse datasets enables development of more accurate risk indicators, prognostic factors, or better treatments and interventions, this obviates the need for the sharing and reuse of data; and a platform-based approach is an appropriate model for facilitating this. Platform-based approaches thus require new thinking about consent. Here we defend an approach to meeting this challenge within the data platform model, grounded in: the notion of ‘reasonable expectations’ for the reuse of data; Waldron’s account of ‘integrity’ as a heuristic for managing disagreement about the ethical permissibility of the approach; and the element of the social contract that emphasises the importance of public engagement in embedding new norms of research consistent with changing technological realities. While a social contract approach may sound appealing, however, it is incoherent in the context at hand. We defend a way forward guided by that part of the social contract which requires public approval for the proposal and argue that we have moral reasons to endorse a wider presumption of data reuse. However, we show that the relationship in question is not recognisably contractual and that the social contract approach is therefore misleading in this context. We conclude stating four requirements on which the legitimacy of our proposal rests.
M Mourby, '‘Leading by Science’ through Covid-19: the GDPR & Automated Decision-Making' (2021) 5 International Journal of Population Data Science
DOI: https://doi.org/10.23889/ijpds.v5i4.1402
The UK government announced in March 2020 that it would create an NHS Covid-19 ‘Data Store’ from information routinely collected as part of the health service. This ‘Store’ would use a number of sources of population data to provide a ‘single source of truth’ about the spread of the coronavirus in England. The initiative illustrates the difficulty of relying on automated processing when making healthcare decisions under the General Data Protection Regulation (GDPR). The end-product of the store, a number of ‘dashboards’ for decision-makers, was intended to include models and simulations developed through artificial intelligence. Decisions made on the basis of these dashboards would be significant, even (it was suggested) to the point of diverting patients and critical resources between hospitals based on their predictions. How these models will be developed, and externally validated, remains unclear. This is an issue if they are intended to be used for decisions which will affect patients so directly and acutely. We have (by default) a right under the GDPR not to be subject to significant decisions based solely on automated decision-making. It is not obvious, at present, whether resource allocation within the NHS could take place in reliance on this automated modelling. The recent A Level debacle illustrates, in the context of education, the risks of basing life-changing decisions on the national application of a single equation. It is worth considering the potential consequences for the health service if the NHS Data Store is used for resource planning as part of the Covid-19 response.
M Mourby, 'Anonymity in EU Health Law: Not An Alternative to Information Governance' (2020) 28 Medical Law Review
DOI: https://doi.org/10.1093/medlaw/fwaa010
Data sharing has long been a cornerstone of healthcare and research and is only due to become more important with the rise of Big Data analytics and advanced therapies. Cell therapies, for example, rely not only on donated cells but also essentially on donated information to make them traceable. Despite the associated importance of concepts such as ‘donor anonymity’, the concept of anonymisation remains contentious. The Article 29 Working Party’s 2014 guidance on ‘Anonymisation Techniques’ has perhaps helped encourage a perception that anonymity is the result of data modification ‘techniques’, rather than a broader process involving management of information and context. In light of this enduring ambiguity, this article advocates a ‘relative’ understanding of anonymity and supports this interpretation with reference not only to the General Data Protection Regulation but also to European Union health-related legislation, which also alludes to the concept. Anonymity, I suggest, should be understood not as a ‘technique’ which removes the need for information governance but rather as a legal standard of reasonable risk-management, which can only be satisfied by effective data protection. As such, anonymity can be not so much an alternative to data protection as its mirror, requiring similar safeguards to maintain privacy and confidentiality.
M Mourby, M Morrison , H Gowans and S Coy , 'Governance of research consortia: challenges of implementing Responsible Research and Innovation within Europe' (2020) 16 Life Sciences, Society and Policy 13
Responsible Research and Innovation (‘RRI’) is a cross-cutting priority for scientific research in the European Union and beyond. This paper considers whether the way such research is organised and delivered lends itself to the aims of RRI. We focus particularly on international consortia, which have emerged as a common model to organise large-scale, multi-disciplinary research in contemporary biomedical science. Typically, these consortia operate through fixed-term contracts, and employ governance frameworks consisting of reasonably standard, modular components such as management committees, advisory boards, and data access committees, to co-ordinate the activities of partner institutions and align them with funding agency priorities. These have advantages for organisation and management of the research, but can actively inhibit researchers seeking to implement RRI activities. Conventional consortia governance structures pose specific problems for meaningful public and participant involvement, data sharing, transparency, and ‘legacy’ planning to deal with societal commitments that persist beyond the duration of the original project. In particular, the ‘upstream’ negotiation of contractual terms between funders and the institutions employing researchers can undermine the ability for those researchers to subsequently make decisions about data, or participant remuneration, or indeed what happens to consortia outputs after the project is finished, and can inhibit attempts to make project activities and goals responsive to input from ongoing dialogue with various stakeholders. Having explored these challenges, we make some recommendations for alternative consortia governance structures to better support RRI in future.
K L Mansfield, J E Gallacher , M Mourby and M Fazel, 'Five models for child and adolescent data linkage in the UK: a review of existing and proposed methods' (2020) 23 BMJ Evidence-Based Mental Health
DOI: 10.1136/ebmental-2019-300140
Over the last decade dramatic advances have been made in both the technology and data available to better understand the multifactorial influences on child and adolescent health and development. This paper seeks to clarify methods that can be used to link information from health, education, social care and research datasets. Linking these different types of data can facilitate epidemiological research that investigates mental health from the population to the patient; enabling advanced analytics to better identify, conceptualise and address child and adolescent needs. The majority of adolescent mental health research is not able to maximise the full potential of data linkage, primarily due to four key challenges: confidentiality, sampling, matching and scalability. By presenting five existing and proposed models for linking adolescent data in relation to these challenges, this paper aims to facilitate the clinical benefits that will be derived from effective integration of available data in understanding, preventing and treating mental disorders.
M Mourby and M Morrison , 'Gene therapy regulation: could in-body editing fall through the net?' (2020) European Journal of Human Genetics
DOI: https://doi.org/10.1038/s41431-020-0607-y
Somatic gene therapies may be authorised for marketing in the EU under the advanced therapy medicinal product regulation. These therapeutic compounds are sufficiently novel and complex in their potential effects to require specialist evaluation. However, the current definition of gene therapy medicinal products (‘GTMP’) risks excluding molecules which are not manufactured through techniques involving recombination. We consider the way, in which the ‘recombinant nucleic acid’ aspect of the GTMP definition is challenged by developments in gene-editing technology, and why a broader scope of GTMP regulation may be desirable.
M Mourby, H Gowans, S Aidinlis and H Smith , 'Governance of academic research data under the GDPR—lessons from the UK' (2019) 9 International Data Privacy Law 192
DOI: 10.1093/idpl/ipz010
The General Data Protection Regulation (GDPR) includes a new power for Member States to pass exemptions for the purpose of ‘academic expression’. This may appear to provide greater freedom to researchers working under the new EU data protection regime. Using the UK as a case study, however, it is evident that even a full exercise of the academic derogation is likely to be limited by the GDPR’s requirement of necessity, and by privacy rights wherever they are engaged. Ultimately, the GDPR provisions applicable to universities as public authorities are likely to have greater impact on academic data processing in public institutions; a shift which is not conducive to greater freedom in research data processing.
M Mourby, J Doidge , K Jones and S Aidinlis and others, 'Health Data Linkage for UK Public Interest Research: Key Obstacles and Solutions' (2019) 4 International Journal of Population Data Science 9
DOI: https://doi.org/10.23889/ijpds.v4i1.1093
Analysis of linked health data can generate important, even life-saving, insights into population health. Yet obstacles both legal and organisational in nature can impede this work. We focus on three UK infrastructures set up to link and share data for research: the Administrative Data Research Network, NHS Digital, and the Secure Anonymised Information Linkage Databank. Bringing an interdisciplinary perspective, we identify key issues underpinning their challenges and successes in linking health data for research. We identify examples of uncertainty surrounding legal powers to share and link data, and around data protection obligations, as well as systemic delays and historic public backlash. These issues require updated official guidance on the relevant law, approaches to linkage which are planned for impact and ongoing utility, greater transparency between data providers and researchers, and engagement with the patient population which is both high-profile and carefully considered. Health data linkage for research presents varied challenges, to which there can be no single solution. Our recommendations would require action from a number of data providers and regulators to be meaningfully advanced. This illustrates the scale and complexity of the challenge of health data linkage, in the UK and beyond: a challenge which our case studies suggest no single organisation can combat alone. Planned programmes of linkage are critical because they allow time for organisations to address these challenges without adversely affecting the feasibility of individual research projects.
J Bell, S Wallace, M Mourby and H Gowans, 'Lawful Disclosure of Administrative Data for Research Purposes in the UK' (2019) The Journal of Data Protection and Privacy
M Mourby, E Mackey, M Elliot and H Gowans and others, 'Are 'Pseudonymised' Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK' (2018) 34 Computer Law & Security Review 222
DOI: https://doi.org/10.1016/j.clsr.2018.01.002
There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word (e.g. key-coded) are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information. Instead, however, we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network's Anonymisation Decision-Making Framework.
M Mourby, S Aidinlis and H Smith , 'THE DATA PROTECTION BILL - VIRTUES OUT OF NECESSITY?' (2017) New Law Journal
A number of claims have been made for the Data Protection Bill, as it serves a number of purposes—modernisation, ensuring data flows post-Brexit, and exercising derogations under the GDPR to create a more ‘nationalised’ law.

Report (1)

Other (1)

Internet Publication (1)

M Morrison, M Mourby, A Bartlett and E Bicudo , 'Reshaping the landscape of science and medicine' (2019) Science Impact Ltd
DOI: 10.21820/23987073.2019.1.63
Developments in biomedical innovation today can be seen in areas such as robotics, digital systems or new imaging techniques - and increasingly in areas marked by highly sophisticated forms of medical biology and biotechnology that involve altering 'natural' biological processes. Three key developments form the focus for this project: the arrival of 'gene-editing' whose goal is to understand and remove disease-related mutations, the creation of induced pluripotent stem cells that can be controlled to create different types of tissue for cell therapy, and the emergence of 3D printing of biological material which aims to create novel structures for bodily repair and renewal. These developments can all be described as 'biomodifying technologies', that is, those that modify living biological tissue in novel and increasingly patient-orientated and customised ways. Not only do these technologies challenge existing governance frameworks in terms of standards for safety, quality control, and traceability of biological materials, equally and perhaps more importantly, they are 'gateway' technologies with wide-ranging applications, significant commercial engagement and high levels of transferability, which open up far-reaching possibilities. We need to understand and anticipate such developments if we are to build an informed and constructively critical social science of biomedical innovation today. More broadly, this contributes towards the ESRC's core priority and delivery plan aim of supporting research that can promote economic growth and development, and to do so in a way that is based on robust, engaged social science that maps and analyses the implications of innovation. The project will use a mixed methods approach for UK fieldwork combining documentary analysis of various literatures, including the academic and grey literatures, with qualitative semi-structured interviews with a range of key stakeholders in each of the fields being studied. These include scientists working in academic laboratories, representatives of SMEs, patient groups, research agencies, regulators, and senior staff in important service organisations (e.g. biobanks). Secondary data from other European, US and East Asian sources will also be secured. The project will result in data, academic papers and policy reports that will offer the first comprehensive social science analysis of these major developments in biomedicine.

Presentation/Conference contribution (1)

M Mourby and H Smith , Engagement and Co-Design: Routes to Lawful Research?, paper presented at Administrative Data Research Conference
DOI: https://doi.org/10.23889/ijpds.v3i2.516
The `deficit' model of engagement, which educates the public about research, has been subject to increasing criticism, as if people's attitudes arise from ignorance which should be corrected. Nevertheless, a number of attempts to understand public views on the use of Administrative Data for research have used informative models. We refer to the findings of an exploratory study of individual attitudes towards Administrative Data Research, which indicate that views and norms around ADR are incipient and ambivalent, especially when compared to perceptions of `conventional' medical research. We consider the legal obligations administrative data controllers have to shape reasonable expectations in light of this uncertainty. Engagement which informs the public about research does have value. It indicates what the attitudes of the public might be, were certain facts about research more commonly known, and thus underscores the importance of public information campaigns. However, this work cannot provide an accurate representation of public opinion as a whole in the absence of wider dissemination of information across society. There will inevitably be a number of facets to public engagement: information, representation and transparency. Each of these will correlate differently with data controllers' legal obligations, and it is essential to understand these connections.

Research projects