Data Protection Bill 2022

The Data Protection and Digital Information Bill (2022) has been withdrawn but we believe it may be replaced by legislation that removes even more safeguards for our health data. Although the Bill may have been withdrawn, this page still explains the Bill’s proposals because, in the absence of further information, it gives an indication of what the Government has in mind.

The page will be updated when it’s clear if the Bill will proceed, or what any new legislation will propose.

The Bill as it currently stands would have a range of serious consequences, such as: 

• The abuse of democracy
The Bill includes a number of measures that will allow ministers to change the law without proper scrutiny by Parliament. Granting this type of power has serious constitutional implications.

• The abuse of human rights
The Bill will grant a new power to the Secretary of State to force organisations, including the NHS, to share the personal data they hold on you with the State and law enforcement authorities. (This could mean, for example, that GPs’ records can be searched to identify migrants or refugees.)

However, our focus is on the abuse of personal data.

One of the Government’s main motives behind this Bill is to drive economic growth by making the personal data held by the NHS more accessible to the private sector. 

KONP recognises the importance of NHS data for patient care, service planning and developing new treatments.

It is also aware of the importance of safeguarding the confidentiality of patients’ data, not least to ensure patients’ trust in their NHS care. 

This Bill risks compromising patients’ trust. If passed, it will reduce existing protections for personal data by, for example:

  • giving organisations (including profit-making companies) discretion to decide when personal data can be classified as ‘anonymous’ and so fall beyond data protection law;
  • amending the legal definition of ‘scientific research’ to include anything that can ‘reasonably’ be described as such, so allowing access to personal data to the commercial sector and potentially raising uncertainty about legitimate medical research;
  • introducing a new type of consent: in future, if a person gives permission for their data to be used for a specific research project, this consent can be extended (without further permission) to other projects, even if these were unknown at the original time of consent.

The Bill aims to lower safeguards governing data collection and processing in order to reduce the ‘burden’ on business, by, for example:

  • abolishing the statutory requirement for organisations that process data to have an independent Data Protection Officer. Instead, organisations will designate a senior employee (someone who is unlikely to have the relevant expertise but likely to face conflicts of interest) to oversee an organisation’s compliance with data protection rules;
  • introducing a new, ‘flexible’ accountability regime that allows businesses to decide on how far they will be compliant, based on the scale, and their perceived risks, of their operations;
  • granting the Secretary of State influence over whether personal data can be transferred to other countries or international corporations. It appears that political and economic issues may take precedence over the standards of protection offered and any risk that the data may be sold on.

The Bill will reduce our rights as citizens by, for example:

  • expanding the grounds on which organisations can refuse to respond to ‘Subject Access Requests’ – i.e. individuals’ requests to know what information the organisation holds on them. These grounds include whether or not the organisation considers the request to be ‘vexatious’ or ‘excessive’. ‘Vexatious’ requests include those that an organisation considers to be made in ‘bad faith’, to be meant to cause harm, or to be an abuse of process, while what’s deemed to be ‘excessive’ depends on the view of the organisation as to whether it has the resources to deal with requests.
  • giving a data controller the authority to refuse to provide information to an individual inquiring about how their data is being used where there is a duty of confidentiality by a legal adviser to a client – as in commercial contracts used in the development of products. This could have implications, e.g. for judicial reviews.
  • undermining the independence of the Information Commissioner’s Office (the organisation that upholds information rights in the public interest) through allowing the Secretary of State to control the appointment of staff, veto the ICO’s guidance and require it to develop a strategy that takes economic growth, innovation and competition into account.

KONP is calling for:
• The potential of health data should be used for patients, not profit
• There must be transparency of data use – to know who is using our data, on whose say so, and for what purpose. (We support the use of Trusted Research Environments – safe havens for data that users visit to work on data without it being released, and where data use can be properly monitored)
• The independence of the Information Commissioner’s Office should be strengthened, not brought under political control
• The Data Protection Bill must be stopped.

See our page on how to take action, plus campaign materials here

Additional information