Nicola Hamilton, Head of Understanding Patient Data, gives an overview of the Data Protection and Digital Information Bill and ten key changes that are relevant to the way in which health data is governed and used.
What is the background?
In the UK, the two main laws governing personal data are the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) (there are other laws specifically for health data on top of these). These laws sit alongside each other and are closely related to the European Union (EU) data protection legislation. So far, despite the UK’s exit from the EU giving the UK the ability to change the law, the UK’s rules have remained very similar to the EU’s. However, in 2021 the Government proposed changing the law, and the Data Protection and Digital Information Bill has since been developed.
What is in the Bill?
There are six parts to the Bill:
Part 1: about data protection. It changes the definitions of some key concepts (e.g. “identifiable individuals”), changes some of the rights of data subjects (people whose data is used), changes organisations’ responsibilities for data protection, and changes some of the ways that the regulator works (at the moment, the Information Commissioner’s Office)
Part 2: about digital identity, and developing a framework for services that check people’s digital identity
Part 3: about ‘smart data’ initiatives, such as Open Banking, where individuals can share their data across different organisations
Part 4: about ‘other provisions’. This includes things like increasing fines for nuisance calls and texts under the Privacy and Electronic Communication Regulations (PECR), website cookies, sharing data for public service delivery and law enforcement, registering births and deaths, and setting information standards for health and adult social care in England
Part 5: about the changes to the regulator, moving from an Information Commissioner’s Office to an Information Commissioner
Part 6: about the powers for the Secretary of State to change the legislation in future
How is it relevant for health data?
It’s difficult to describe everything that might have an impact on health data, so we’ve focused on the top ten areas.
UPD recognises that data regulation can sometimes slow down the pace of data sharing, increase risk aversion, and make research and innovation more difficult. However, we think that patients and the public rightly expect high standards, particularly when it comes to their health data, and we are worried that the effects of this Bill are likely to be more negative than positive. This could damage public trust, which could negatively impact patient care, the running of the health system, academic research and our life sciences industry.
Below we go into further detail about specific changes that may affect data protection in health.
Where has it got to?
The Bill was first introduced to Parliament in July 2022
It was paused in September 2022
A new version was introduced to the House of Commons and had its first reading in March 2023
Since March, it has gone through its other stages in the House of Commons
It has now started its journey in the House of Lords
Changes to the definition of identifiability
At the moment, personal data is defined as ‘information that relates to an identified or identifiable individual’, and what identifies an individual can be data such as a name, address, email address, etc. Through a process called pseudonymisation, data can become less easily identifiable because key bits of information are removed. This is a way to help protect someone’s privacy whilst still offering relevant data for worthwhile analysis. However, the data is still not anonymous (as it is often still possible to re-identify someone) so it’s still personal data. It’s a broad definition, which applies in all circumstances.
The new Bill provides a different definition for identifiable data. It makes it more of a subjective test, with the definition seeming to rely on the judgement of the data controller and what they know. For example, if the data controller or processor has ‘reasonable means’ (e.g. time, effort and abilities) to identify someone at the time of processing, and whether the controller or processor knows, or should know, that another person will be able to obtain the information as a result of the processing and the data will be, or likely to be, identifiable to them.
This may make it easier for some organisations to share data, particularly for research, because if data is deemed not to be identifiable there are often lower thresholds for accessing and using it. However, it could also mean that data isn’t looked after as carefully, it could be shared and re-identified for other purposes, and resolving misuses might not get support from the Information Commissioner’s Office. It could also make it harder to share data, due to fear that it could boil down to judicial interpretation (i.e., was organisation X’s assessment correct? How can we know what they thought and why at the time?)
This also makes the situation regarding pseudonymisation of data less clear. Currently, pseudonymised data is generally treated as personal data, but under the new Bill this could become more open to interpretation.
Re-use of data for commercial research without letting people know
Under current data protection laws, there are transparency obligations, which means information needs to be provided to the data subject which explains the use of their data. They don’t necessarily need to be contacted – it might be enough to put out information on a website or advertise through local news channels.
Re-using data for a different purpose is currently possible but under limited circumstances. It often has additional legislation around it if it’s allowed, e.g., the UK Health Security Agency can re-use data that’s collected by the NHS that relates to infectious diseases so they can monitor these diseases, because there are additional laws. This means that re-use is tightly controlled.
The new Bill states that any data collected for one purpose can be re-used for scientific research, and there isn’t a requirement to tell the data subjects about it. The definition of scientific research here can be commercial or non-commercial, and funded publicly or privately. It also includes technological development.
This could remove some barriers for valuable health research, as we know access to data in a timely way does not always happen and sometimes organisations identify additional uses for the data that weren’t in their original agreements. However, there is a risk of data being re-used for activities that data subjects might not have supported, have no control over, and no knowledge that it’s happening. This feels like it contradicts the ‘no surprises’ Caldicott principle. It’s unclear who would have oversight over all the re-uses to check they are ethical, have the right standards applied, etc.
There are a number of lawful bases for processing personal data. One of these is ‘legitimate interests’, where data processing without consent can happen if it’s judged to be necessary and balanced against people’s interests, rights and freedoms – this is checked through a Legitimate Interests Assessment. Organisations can’t rely on this alone when processing special category data, like health data.
In the new Bill, there is a list of new ‘recognised legitimate interests’. These are activities that the Government has determined do not need legitimate interest assessments anymore, and cover areas such as national security, democratic engagement, and emergencies. As written, it seems like this only relates to organisations that aren’t public bodies.
This could make data processing easier for some organisations, as they might not need to check they can legitimately process data anymore. In the Government’s response to the consultation before the Bill, they suggested that some organisations were concerned about whether they were doing the legitimate interests assessment correctly and this worry meant they didn’t use legitimate interests as a lawful basis, instead opting for consent, which may be over-relied upon. It could also make it easier for organisations in the private sector to provide information to the public sector if they’ve received a request to do so in contexts such as safeguarding vulnerable individuals. However, this may also mean that more data is shared than some people expect, particularly outside of the public sector.
Health and social care information standards
The Health and Social Care Act 2012 defines ‘information standard’. This definition is ‘a document containing standards that relate to the processing of information’, and these standards can be technical, data-related, or information governance related. Public providers of health and adult social care organisations have to give ‘due regard’ to these standards, the law does not set out what exactly they are, or include a legal requirement to follow them.
The Data Protection and Digital Information Bill makes a few changes this part of the Health and Social Care Act 2012: it makes the standards binding, applies them to private health and adult social care providers too, makes organisations providing IT/data services to health and care organisations accountable for meeting these standards, and gives the Secretary of State for Health and Social Care powers to issue notices to suppliers who are suspected of non-compliance.
This could strengthen the protections in place for health data, as it may mean more organisations meet the standards and there could be more enforcement. However, having ‘due regard’ for standards is quite normal, as it enables operational independence and some flexibility in working towards meeting them rather than making any non-compliance unlawful.
Changes to subject access requests
At the moment, people have the right to ask organisations whether they are using or storing their personal information – these are called ‘subject access requests’. You can also ask these organisations for a copy of that data. This includes health and care services. They can be refused, in part or in full, only if they are ‘manifestly unfounded or manifestly excessive’ – e.g., it is obvious that the individual is only intending to cause disruption, is acting maliciously, or doesn’t actually want to exercise their rights (amongst other potential reasons).
The Data Protection and Digital Information Bill suggests replacing this with ‘vexatious or excessive’, and the data holder will be able to consider whether they think the request is intended to cause distress.
The new definition therefore sets a lower bar for refusing requests. This might help organisations in situations where they receive repeated requests that they are unable to deal with, or requests that are inappropriate. However, it is questionable how often this occurs, and there is a risk that this could be used more, intentionally or not, to avoid providing people with access to their data.
Data Protection Officers
The current legislation sets out the need for many organisations to have a Data Protection Officer, and includes their responsibilities and tasks. This individual must be ‘independent, an expert in data protection, adequately resourced, and report to the highest management level’. They are needed in all public bodies, including those in the health sector.
The new Bill removes the need for organisations to have Data Protection Officers and replaces it with a ‘senior responsible individual’. This individual needs to be part of the senior management, and they can share the role with other individuals. There is a list of tasks that they have to do, like dealing with complaints and breaches.
The government states that the appointment of this individual will ensure that responsibility for data protection is at a senior level. However, if the role isn’t as independent and advisory, then it can remove important checks and balances that currently exist and could create conflicts of interest. In healthcare organisations, you might have Caldicott Guardians, and they might need to express views about safeguarding confidential patient data that are different from corporate views. Also, organisations might not have the level of expertise needed for this role within their senior management team.
Data Protection Impact Assessments (DPIAs)
The current legislation states that organisations are required to do Data Protection Impact Assessments for ‘high risk’ data processing, and sets out the criteria that should be included in these assessments. Organisations also have to notify the Information Commissioner’s Office if they process personal data in an automated way, or when a high risk can’t be mitigated.
This requirement is removed in the new Bill. Whilst risk assessments may still need to be carried out for high risk data processing, it is lighter touch, there is more flexibility on what to consider, and the requirement to consult the Information Commissioner’s Office (ICO) is removed.
For some organisations, more flexibility might be welcome, and some organisations might not change how they do these assessments. However, many people think DPIAs are a good, standardised way to identify privacy risks and put in place effective mitigations. Further, if the ICO is aware of all high risk processing that can’t be mitigated, it is better able to support organisations and data subjects.
Record keeping and Records of Processing Activities
Currently, organisations have to keep a record of processing activities (RoPA), unless they fall under an exemption. This means that they keep track of all the different data processing activities that they are doing, which is especially important for organisations working with health data.
The Bill removes this requirement, and is replaced with the need to only keep ‘appropriate records’ for ‘high risk’ data processing. This is in line with the overall direction of the Bill, which focuses more on ‘high risk’ processing.
Having a RoPA is a good way to understand an organisation’s data processing, particularly in healthcare settings where there might be multiple and complex arrangements in place. However, they can be hard to do and maintain, with some organisations already not doing them properly. Focusing on the high risk areas could mean that more attention is given to more sensitive data, but it could also mean that the overall data processing picture is incomplete. Some organisations may continue to keep Records of Processing Activities, particularly if it’s still considered best practice.
Many people are aware of ‘cookies’, which are pieces of data that are created from visiting a website, stored in a web browser, and can be used by that website at a later date. Current legislation states that consent is required to save cookies (individuals are given the necessary information and have to click to say yes/no), and there is a limited exemption for ‘strictly necessary’ cookies.
In the new Bill, the government is proposing to expand the categories of cookies that are exempted, for example website analytics. It also suggests taking away or reducing the need for pop-ups about cookies.
UK GDPR currently includes a right not to be subject to decisions made only on automated decision-making which will have a legal (or similarly significant) effect, unless the data processing falls under a specific set of grounds – where it’s under a contract, where there’s consent, and where it’s provided for in national law.
The new Data Protection and Digital Information Bill allows automatic decision-making but puts in place more explicit safeguards for data subjects only when there is no ‘meaningful human involvement’. It also gives powers to the Secretary of State to amend or remove these safeguards in the future.
The implications of this change are still quite unclear. There are huge potentials for Artificial Intelligence, including automated decision making in healthcare, but there is currently a lack of regulation in this space. Also, whilst safeguards are in place for data subjects, rights don’t exist for people who are affected (e.g. subject to a decision) by automated decision-making which uses data that isn’t theirs. E.g., personal data can be brought together at a group level, and this can be used to make decisions about people who might be deemed to be ‘like them’. In health this could happen in areas of work like ‘population health’, where population-level health data is brought together to target health interventions at people who are deemed to fit the same demographic or health profile.
What does this mean for patients and the public when it comes to health?
In the King’s Speech, the Government has said that this Bill has been written ‘with industry, for industry’. It is possible that some of the changes might result in less work for businesses eventually, including those working in healthcare, but the flexibility of the new regime could result in a more costly, higher risk and non-standardised regime.
This could also cause problems within public sector healthcare organisations. E.g., organisations that have the resources might choose to continue having Data Protection Officers and doing DPIAs, but others might not be able to do this. This could lead to different standards being applied across healthcare organisations in the UK.
There is a real risk in the loss of patient and public trust in data use and sharing, within the health sector but also more widely. For example, there was a suggested amendment in the Commons Report Stage that employers processing sensitive data (including health data) should follow established principles, but this was rejected, with the Government arguing that it’s already covered.
This also comes at a time when we are hearing that the public want more and better regulation of data and data-driven technologies, and more of a say in what happens with their data, particularly in health.
Finally, the Bill could diverge from EU standards, which could risk the free flow of personal data between the EU and UK, which is critical to medical research and innovation.
A bill has to complete five stages in each House of Parliament. This Bill has finished its stages in the House of Commons, and has now started its next stages in the House of Lords. You can keep up to date with its progress here - https://bills.parliament.uk/bills/3430.
We will update this page as we know more.