The Data Protection and Digital Information Bill was introduced to Parliament last year and then put on hold in September. It has now been revised and reintroduced. The main difference is that the new Bill is even more accommodating to business than its predecessor.
The Bill continues to have a range of serious consequences, such as:
- The abuse of democracy: The Bill includes a number of measures that will allow ministers to change the law without proper scrutiny by Parliament. Granting this type of power has serious constitutional implications.
- The abuse of human rights: The Bill will grant a new power to the Secretary of State to force organisations, including the NHS, to share the personal data they hold on you with the State and its law enforcement authorities.
- The reduction of our rights as citizens by, for example:
  - abolishing the independent Information Commissioner’s Office (the regulator that upholds information rights in the public interest) and in its place setting up an Information Commission, allowing the Secretary of State to control the appointment of staff, veto the Commission’s guidance and require it to develop a strategy that takes economic growth, innovation and competition into account.
  - expanding the grounds on which organisations can refuse to respond to ‘Subject Access Requests’, i.e. individuals’ requests to know what information an organisation holds on them. These grounds include whether or not the organisation considers the request to be ‘vexatious’ (an abuse of the process or meant to cause harm) or ‘excessive’ (i.e. where the organisation says it does not have the resources to respond to requests).
However, our focus is on the use and abuse of our NHS data.
One of the Government’s main motives behind this Bill is to drive economic growth by making the personal data held by the NHS much more accessible to the private sector.
KONP recognises the importance of NHS data for patient care, research and the development of new treatments for the benefit of all. However, we also regard it as imperative to ensure the proper safeguards for patients’ personal data, not least to ensure trust in their NHS care.
This Bill risks compromising patients’ trust. If passed it will reduce existing protections for personal data by, for example:
- giving organisations (including profit-making organisations) discretion to decide when personal data can be classified as ‘anonymous’ and so fall beyond data protection law;
- amending the legal definition of ‘scientific’ research to include anything, including commercial activities, that can ‘reasonably’ be described as such, so allowing access to personal data to the private sector and potentially raising uncertainty about legitimate medical research;
- introducing a new type of consent so that when a person gives permission for their data to be used for a specific research project, this consent can be extended (without further permission) to other projects even if these were unknown at the original time of consent.
- removing the rights of individuals to object to solely automated decision making.
This Bill aims to lower safeguards governing data collection and processing in order to reduce the ‘burden’ on business by, for example,
- abolishing the statutory requirement for organisations that process data to have an independent Data Protection Officer. Instead organisations will need to designate an executive level employee as a ‘senior responsible person’ (without necessarily any expertise in data protection) to oversee compliance with the relevant legislation – but only where data controllers or processors are public bodies or carry out ‘high risk’ processing. Other organisations do not need to provide this oversight.
- introducing a new ‘flexible’ accountability regime that allows businesses to decide on the extent of their compliance with legislation, based on their view of the scale and perceived risks of their operations;
- empowering the Secretary of State (SoS) to make regulations approving the transfer of personal data to third countries or international corporations, and allowing transfer without compliance with existing regulations as long as the standard of data protection provided is ‘not materially lower’ than those introduced by the SoS.
- expanding the types of processing accepted in law as “necessary for the purposes of a legitimate interest”, to include processing for any ‘legitimate’ commercial activity. The Bill also gives the SoS powers to create, vary or remove ‘legitimate interests’ in future.
The Data Protection and Digital Information Bill must be stopped. Instead, KONP calls for:
- transparency in the use of our health data: we should know who is using our data, on whose say so, and for what purpose. Our rights to opt out must be maintained.
- sound governance of our health data to ensure patients’ trust
- clarity about how to opt out of third party access to our data, and what consent means.
- stewardship of personal health data to rest with the NHS, supported by proper, state-funded investment that will allow the NHS to develop the relevant technologies and staff training.
- meaningful citizen engagement about how NHS data can be used.
- an independent regulator whose primary aim is the rights of citizens rather than the interests of commerce.
- the potential of health data to be used for the benefit of patients, not private profit.
See our page on how to take action, plus campaign materials here