What the proposed Data Reform Bill could mean for NHS data
A Data Protection and Information Bill, currently passing through Parliament, indicates plans to reduce data protections and ease commercial access to NHS data
In recent times the government has become acutely aware of the commercial value of our personal data, especially our sensitive health data, which it sees as key to growing the economy and making the UK a global data superpower post-Brexit. This raises concerns that existing protections for sensitive patient data may be undermined by new measures to allow greater commercial access.
No ‘Safe haven’ for data
We have already seen that the recently passed Health and Care Act allows the abolition of NHS Digital – a body with statutory independence that is known to have turned down government requests for patient data that it deemed intrusive. Now NHS Digital’s powers will be transferred to NHS England, putting the statutory protection or ‘safe haven’ for patient data at risk.
This point was made by Lord Hunt during a debate of the Act. According to him NHS England is an organisation that:
…has many different responsibilities and priorities so, first, it will clearly not be able to give the same focus to the issue of protecting the safe haven and, secondly, it has many interests which could be deemed to at least be in tension with the concept of the safe haven.
Data Reform Bill – one to watch
Following this, the Queen’s Speech opening the current session of Parliament included plans for a Data Reform Bill that, rather than securing a safe haven for patient data, paves the way for increased government and commercial access.
Initial information says that the Bill’s aims include:
- Creating a data rights regime that reduces regulatory ‘burdens’ on businesses, and promotes scientific innovation
- ‘Modernising’ the Information Commissioner’s Office (the UK’s data watchdog)
- Increasing industry participation in ‘Smart Data Schemes’, i.e., the sharing of personal data with authorised third-party providers. It’s suggested that the Bill will help those who need health care treatments by improving access to data in health and social care contexts.
Reducing paperwork, removing protections
The argument behind the Bill is that existing legislation – the Data Protection Act 2018 and particularly the UK General Data Protection (UK GDPR) – create excessive paperwork and burdens on businesses, with little benefits to citizens. The Bill therefore seeks to reduce regulations governing access to our data – this despite evidence showing that existing protections are already insufficient. For instance, a recent BMJ investigation found that over the past seven years there have been hundreds of instances where companies, universities and commissioners of NHS services have breached patient data sharing agreements (DSAs).
Examples of breaches include identifiable, sensitive patient data being shared without encryption; NHS data being passed to unauthorised analysts; and data being processed and stored in unapproved locations. What’s more, even after breaches were identified, the investigation found that access to the information was allowed to continue.
A long-held ambition
The proposed Bill is not entirely unexpected. In 2021 the Department of Digital, Culture, Media and Sport (DDCMS) held a public consultation on reforming the UK data protection regime (Data: A new direction), suggesting the response would help in drawing up draft legislation. The outcome of the exercise has not been published. However, the questions and phrasing within the DDCMS’s consultation have indicated the Government’s thinking and its ambition to reduce the protections provided by the UK GDPR.
Reading between the lines, it looks like the bill will:
- look to expand the legal definition of ‘scientific research’ so that this could include commercial, profit-motivated activity, potentially damaging public trust that sensitive data collected for research would only be used in the public interest
- reduce clear requirements of those wishing to access data and instead, allow more flexible interpretation of how to comply with regulations
- redefine the concept of consent, so that patient consent for access to personal data for a specific research project could be taken automatically to apply to other, unspecified projects
- undermine the independence of the ICO, while charging it to consider economic growth, innovation and competition when carrying out its duties, implying that the ICO will have to give more weight to the interests of commerce than to the interests, rights and freedoms of data subjects.
Removing regulations that protect our personal health data in order to facilitate commercial access is yet another way in which the NHS is being privatised. We need to be ready to campaign against the Data Reform Bill as soon as it is published.
Jan Savage is a member of Keep Our NHS Public and a member of its Health Data Working Group
 The concept of a safe haven for health and social care data for commissioning, regulatory research purposes and patient care is contained in the Health and Social Care Act 2012.
 The UK GDPR is legislation ‘rolled over’ from the EU following Brexit.
 DSAs aim to help those sharing data to meet data protection regulations, and demonstrate that they have done so.