How should UK healthcare prepare for reforms to the EU data protection?
31 July 2017
One of the Bills announced in the Queens Speech on 21 June was a data protection bill, the main purpose of which is to implement the provisions of the EU General Data Protection Regulation 2016/276 into UK law. Although the legal mechanism to extricate the UK from Europe has been the focus of most attention over recent weeks, until Brexit actually takes effect, the UK is committed to implementing this (and other) European legislation which have already been enacted – even if they will come into force during this transition period.
The EU General Data Protection Regulation is required to be implemented by Member States by 25 May 2018 and is significant for health care and medical research. The primary aim of the legislation is to harmonise the flow of data within Member States by ensuring that “the rights and freedoms of natural persons with regard to the processing of data should be equivalent in all Member States” (Recital 13). However, the Regulation goes much further than ensuring equivalency - it seeks to protect and empower citizens’ data privacy and to provide much more scope for the citizen (or data subject) to control the way that personal data about them is used. The Regulation supports these increased rights through also creating a more effective infrastructure of governance, oversight and sanctions – essentially to provide a more robust regulatory environment which is fit for purpose for our world of digital technologies, enhanced data access and global data flows.
For those processing genetic and genomic data, there are specific changes that are likely to impact on health and social care services and those undertaking medical research.
Firstly, the scope of the Regulation is extended to include some coded data - that is, data which retains a coded identifier to the source individual - thereby allowing through “all the means reasonably likely” the data to be linked with that particular person (Recital 26). Regulators and policy makers are still assessing the significance of this wider scope for health policy and practice. However (as we will highlight in our forthcoming report on Identification and Genomic Data) technological fixes such as coding data (pseudonymisation) or anonymisation, where the identifier is irreversibly removed from data, cannot be regarded as absolute or in isolation, but must be considered in a wider context, where access to novel technologies and other data sources might have an impact on identifiability.
Secondly, the Regulation articulates more specifically the types of personal data which require special protection, for the first time singling out genetic data, along with biometric data. This special protection takes the form of stipulating that “the processing of genetic data..” “for the purpose of uniquely identifying a natural person” “shall be prohibited unless an exemption” applies (Article 9(1)). The exemptions that are most relevant to health and medical research include:
- That the data processing is necessary for medical diagnosis, provision of health or social care or treatment
- That it is necessary “for reasons of substantial public interest” or
- That the person has given explicit consent i.e. “any freely given, specific, informed and unambiguous indication of the data subject’s wishes” .. “by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)).
As many commentators have observed, the requirement for an affirmative action does, in some cases, make it difficult, if not impossible, for those processing data to rely on consent if they are currently relying on inaction to signify willingness to proceed.
What does this mean for data processers and users?
For most health and social care applications however, the inability to affirm a choice (by someone who lacks competence to make a decision – perhaps an elderly person or young child) will not prevent care that is in the best interests of the patient from going ahead, since,this can be justified on other legal grounds (such as either being necessary or being in the public interest as described above).
For that reason, the main messages that are emerging from statutory authorities and policy bodies, highlight the need for those using and processing data to make a careful evaluation of their current practices to ensure that they are in line with what the Regulation will require, but also provide reassurance that significant changes will not be needed if those processing data already comply with the existing law – see for example, the Information Commissioner’s Office updated version of their guidance Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now and the Medical Research Council’s General Data Protection Regulation: preparations for implementation. Both sources of guidance identify that a key requirement for a smooth transition between data protection regimes, is the appointment of a suitably qualified Data Protection Officer who can systematically and rigorously begin that process of evaluation. Since the requirement for a Data Protection Officer applies across all sectors, the premium placed on having expertise in data governance seems set to rise over the next year.