Article from KONP Data Working group
The Labour government has been quick to introduce new draft legislation, the Data (Use and Access) Bill (DUA), which aims to make data, including our personal health data, widely accessible to public authorities and the private sector.
The Bill is unabashedly pro-business. It will weaken existing protections for data as well as undermine the role of Parliament: many of the DUA’s proposals are short on details but instead give considerable power to the Secretary of State (SoS) to determine these via Statutory Instrument (SI), meaning there is little to no Parliamentary oversight.
The DUA covers a broad range of issues, such as digital identity verification and Smart data schemes. Here we outline just five areas that seem particularly relevant for the NHS and our personal health data.
1. Data sharing and processing
The Bill aims to increase access to your data held by public bodies and make it easier for organisations to share data. This means, for example, that data collected for one reason, such as healthcare, can be shared with commercial companies, the police or government departments such as the Home Office or Department of Work and Pensions. The Bill will also reduce transparency by removing the requirement for police to document their reasons for accessing personal data. At the same time, the DUA will give the SoS a more or less free hand, via SI, to create new grounds for data processing by expanding the list of ‘recognised legitimate interests’ (one of the lawful grounds for processing data). One possible effect of all this is that people’s trust in the use of their data will be undermined, potentially pushing them to ‘opt out’ of data sharing with the result that less data will be available for research and development intended for the common good.
2. New ‘special categories’ of data
Current legislation provides a list of special categories of personal data (e.g. about health or genetic make up), due to their sensitive nature cannot be processed unless certain, limited conditions are met. The DUA will not enable the SoS to change these, but they will be able to add or remove new categories and change the conditions governing their use, arguing that this power will allow the Government to respond quickly to future technological developments or societal change. The proposal could have positive effects. For example, the field of neurotechnology is expanding rapidly and there is a growing need to protect neurodata (i.e. data gathered directly from a person’s brain and nervous system) by making it ‘special category’. However, the DUA would equally enable the SoS to remove new categories from the list or change their conditions of use. The overall impact of these powers is therefore hard to predict.
3. Data processing for research
The SoS will have further powers to add or remove safeguards over the use of personal data for research purposes. In addition, the Bill will amend the definition of ‘scientific research’ and reduce existing restrictions on processing personal data for research, provided that the research
“can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”.
Increasing commercial access to data flies in the face of evidence showing that people are generally in favour of sharing their data in the public interest but not for private profit.
The Bill will also reduce transparency about how personal data is used. Currently, those who consent to their data being used in research must be informed about how their data will be collected and used. But the Bill proposes that consent to the use of data for one research project may also be taken as consent for its use in future (potentially unknown) research if gaining further consent is seen to require ‘disproportionate effort’. This proposal is counter to two of the principles for data protection set out by the Information Commissioner’s Office: that personal data should only be used for the reasons for which it is collected, and that personal data should not be kept for longer than needed.
4. Artificial intelligence
The Bill has surprisingly little to say about AI. However, during the Lords’ second reading of the Bill, fears were expressed that redefining ‘scientific research’ and so blurring the boundary between scientific research and commercial development could encourage AI companies to go beyond the assumed intention of the Bill and process data to create AI products under the guise of scientific research. Others might think that this is precisely the intention of the Bill.
5. Automated decision making (ADM)
ADM refers to the use of data, machines and algorithms to make decisions in a range of contexts, including health care, with little to no human oversight. ADM can involve profiling – where, for instance, ADM uses personal data to analyse or predict someone’s health, personal preferences or behaviour. In the context of the NHS, ADM may be used, for example, in individual patient assessments and triage.
The Bill will expand the lawful base for the use of solely automated decision making and remove the right for human review where a decision based on solely automated processing will have a legal or otherwise significant effect on someone’s life. This is of particular concern in areas such as health, welfare and immigration where such decisions could have life-changing effects. Plus, it appears that the Bill will also enable the SoS to introduce regulations to make particular automated decisions immune from existing safeguards, at the risk that decisions may be made on political grounds.
Unless processing special category data, companies will no longer be required to demonstrate why ADM is permissible. Instead, an individual could be subject to an automated decision without their consent: it will be up to individuals to challenge decisions made about them without any human involvement. But as a Conservative peer said during the Bill’s second reading, “How can somebody effectively assert their right if they do not even know that AI and automated decision-making were in the mix at the time?”.
To conclude
If unamended, the Bill is likely to undermine the public’s trust in the way their personal health data is used at the risk of limiting the data available for the public good. It will make it easier to use our health data for non-health applications, to enable decisions with potentially life changing effects to be made without human review, and to extract our health data for private sector exploitation.
The DUA retains significant elements of the Tories’ draft legislation on data that fell before the general election and that have already been debated, so it’s possible that the Bill will pass rapidly through Parliament with little scrutiny.
Please write to your MP and urge them to ensure amendments to the Data (Use and Access) Bill that will address the concerns above or, if such amendments are not agreed, to vote against the Bill. A template letter and Briefing for MPs is available at https://keepournhspublic.com/labour-data-use-and-access-bill-and-use-of-nhs-data/
Leave a Reply