Data protection: UK Data Protection Bill starts process through House of Lords
The UK government published the Data Protection Bill (the Bill) on 13 September 2017. Its second reading and initial debate took place in the House of Lords on 10 October 2017. Once the wording is finalised and the Bill receives Royal Assent, the resulting Act of Parliament will replace the Data Protection Act 1998 (the DPA 1998) and provide a comprehensive framework for data protection in the UK. The resulting legislation will sit alongside the General Data Protection Regulation (GDPR), which will apply directly in the UK from 25 May 2018.
While the debate is ongoing, we take this opportunity to further consider some of the aspects of the Bill, including those touched on in the debate.
In August 2017 we commented that compliance with the GDPR was not workable in respect of processing medical information (health data) in an insurance context.
The UK’s NHS data is a valuable asset in medical research and innovation and the Lords’ debate on 10 October 2017 focussed on the importance of not stifling the sharing of health data in the context of medical research, particularly in respect of rare conditions where sharing information overseas is imperative.
The Bill addresses the health data of the extended family of the insured person (Sch 1, Part 2, para 14) and third party data in group insurance or insurance on the life of another (para 15), but it does not yet appear to have adequately taken on board the practical concerns about consent for processing health data. Using personal health data without specific, explicit consent is sometimes essential to research that benefits the health of the population as a whole.
Baroness Ludford highlighted the need to define "substantial public interest" (a phrase which appears in Art 9(2)(g) of the GDPR) as a condition for processing special category data.
Accountability and criminal offences
The concept of accountability promotes reviewing and documenting how controllers/processors comply with the data protection legislation. Where there is sensitive processing of special category data (such as health data) the draft Bill sets out detailed requirements for an ‘appropriate policy document’.
Considering (and documenting) how long data legitimately needs to be retained is a new element. It is proposed that the existing criminal offence of unlawfully obtaining personal data be extended to cover unlawful "retention" of data without the consent of the controller, even where the data was initially obtained lawfully (s161).
The Bill proposes two new criminal offences:
- Knowingly or recklessly re-identifying information that is de-identified (anonymised) personal data without the consent of the data controller responsible for the de-identification (s162).
This offence was recommended by the National Data Guardian for Health and Care. Researchers and innovators use huge data sets, which are often pseudonymised to protect individual privacy. The offence makes clear that attacks on individual privacy, or on the valuable data assets that are fuelling innovative industries, will not be tolerated.
- Alteration or destruction of personal data to prevent disclosure following a Subject Access Request (s163).
Insurers should therefore review and reinforce best practice in handling Subject Access Requests.
The Bill goes further than the GDPR by providing for directors' personal liability where a company commits an offence under the data protection legislation (s177). If an offence by a company is proved to have been committed "with the consent or connivance of" a director, or to be "attributable to neglect" on the director's part, then the director as well as the company is "liable to be proceeded against and punished accordingly".
This, together with the accountability principle and the high potential fines, means that data protection will very much be a boardroom consideration.
Exemption regarding the prevention and detection of crime
A practical concern for insurers was the ability to share information in confidence in order to detect and prevent insurance fraud, previously recognised under the exemption in s29(3) of the DPA 1998. The Bill appears to follow the broad approach of the DPA 1998 (see s42(4)(b) and s43(4)(b)).
Privacy notices will need to be revisited in the wake of this Bill, but we recommend that insurers wait before finalising their adaptations until the wording of the Bill is agreed.
On 30 October 2017, the Bill will move to committee stage. This is a detailed, line-by-line examination of each clause. It is likely that questions raised at the second reading including patients’ rights in the use and abuse of medical records will be debated at length. At the end of committee stage, the Bill will move to the report stage for further scrutiny, which is followed by the third reading.
The UK government is motivated to ensure that its legislative framework maintains an "adequate level of protection" post-Brexit in order to maintain global competitiveness. The current aim to pass this Bill into law and replace the DPA 1998 before the end of April 2018 reflects this intention. This is a tight timescale for controllers and processors to ensure compliance. The timescale also reflects that part of the draft Bill transposes the EU Law Enforcement Directive 2016/680 into national law, which must be done by the earlier deadline of 6 May 2018.
While the government's recognition of the importance of maintaining cross-border data flows post-Brexit is positive, particularly when three-quarters of health data flowing out of the UK goes to the EU, several amendments are likely to be proposed when the Bill moves to committee stage, not least to deal with post-Brexit issues.
We will monitor the committee stage closely with regard to its approach to the insurance industry, since clarity as early as possible would be welcome.
- Data protection: Practical problems in processing medical information under the GDPR