A new direction for UK data protection: the life sciences and healthcare perspective

On 10 September 2021 the UK Government published a consultation on reforms to data protection law in the UK. Data: A new direction (the Consultation) proposes wholesale change to the UK legal framework, including the UK General Data Protection Regulation (UK GDPR).

The changes, if implemented, are wide-ranging and significant and reinforce the Government’s aim to capitalise on the UK’s 'independent status; and create an ambitious, pro-growth and innovation-friendly data protection regime that maintains its high protection standards.

The Consultation, which will help shape future reforms closed on 19 November 2021. Here we consider the most noteworthy proposals from this Consultation for those in the life sciences and healthcare sectors.

The UK Government’s approach

The Government’s ambitions for data are not to be underestimated. The publication of the National Data Strategy in September 2020 sets out their stall, confirming the  intention to reflect “the opportunities and challenges of our new hyper-digital world”. This Consultation builds on that vision by creating a data protection framework that will:

1 Support vibrant competition and innovation to drive economic growth.

2 Maintain high data protection standards without creating unnecessary barriers to responsible data use.

3 Keep pace with the rapid innovation of data-intensive technologies.

4 Help innovative businesses of all sizes to use data responsibly without undue uncertainty or risk, both in the UK and internationally.

5 Ensure the ICO [Information Commissioner’s Office] is equipped to regulate effectively in an increasingly data-driven world.

Impact on data protection practices

We have identified the following as key areas of potential impact on life sciences and healthcare:

  • Increased cooperation with international law enforcement partners to improve public safety.
  • Enhanced methods for lawful international transfers of data.
  • Further collaboration between public and private sectors as proven successful through the UK’s approach to fighting the COVID-19 pandemic.
  • Establishment of the Central Digital and Data Office (CDDO) within the Cabinet Office to lead and co-ordinate the next phase of digital transformation across the public sector.
  • Further empowerment to the ICO to protect data rights including methods for early intervention and encouraging innovation to drive growth.
  • Expansion of lawful bases for processing and sharing personal data such as a public health emergency (inspired by the COVID-19 pandemic).
  • Clarification of the legal test for anonymous data.
  • The requirement for a transparent data protection complaints process to be in place, which will have to be utilised before a complaint is lodged with the ICO.
  • A new structure for data protection accountability with companies running privacy management programmes to replace current requirements such as data protection officers.
  • Simplification of the use of data in scientific research and AI systems.
  • Introduction of new conditions for processing special category personal data within AI systems.
  • Examination of what further measures can be implemented to mitigate algorithmic bias.
  • Clarification and refinement of the scope and requirements of automated decision-making rules.
  • Introduction of charging a fee for subject access requests.

These measures if introduced, will help bolster the UK’s position as a life sciences, healthcare and technology superpower, by simplifying the data usage by researchers and developers of AI and other ground breaking technologies.

Building upon the unparalleled and life-saving use of data to combat the pandemic, the measures should also help lay the foundation for more cutting edge, bias free and data trustworthy life science and medical breakthroughs. For example, researchers at Moorfields Eye Hospital and the University College London Institute of Ophthalmology recently successfully trained machine learning technology on thousands of historic de-personalised eye scans to identify signs of eye disease and recommend appropriate treatment referrals.

These proposals if fully implemented could lead to the creation of “a bold new data regime” with divergence from the current UK GDPR and thus the potential for the UK to be out of sync with EU GDPR. However,  in noting that the expectation of maintaining EU adequacy is both “perfectly possible and reasonable” the government added that:

European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law.

Nevertheless, those operating in the UK and across Europe will need to be mindful of any divergence (and the potential impact on maintaining EU adequacy) to ensure compliance with both jurisdictions, and any practical implications thereof.

As far as the public sector is concerned, NHS researchers and policymakers will welcome any measures that allow for easier collaboration with the private sector to help deliver improved health outcomes. However, anyone working in the NHS will be mindful of the strength of public feeling about data confidentiality. The UK government’s recent stalled GP patient data sharing scheme, the General Practice Data for Planning and Research (GPDPR), not only demonstrates public scepticism about any use of NHS data for private corporate gain, but also the fear that any mass data scheme will impose additional burdens on healthcare professionals at a time they are already struggling under unprecedented workloads. The details of any new data protection framework must be fully alive to both public scepticism and the potential benefits of greater data sharing for healthcare innovation.

The extent to which these extensive proposals will be implemented through legislative change remains to be seen, and we will monitor the next steps with interest.

Read other items in Healthcare Brief - December 2021

Related items:

Related content