Why is fairness and lawfulness important?
It is a fundamental principle of UK and EU data protection law that any processing of personal data must be fair and lawful. As health data benefits from enhanced protections afforded to particularly sensitive categories of data, what counts as 'fair and lawful' requires careful balancing of a number of factors. These include a high standard of transparency, openness, and acting within the expectations of individuals.
These requirements have been thrown into sharper relief by the huge impact of the pandemic on the way the entire health sector looks at data. The focus is now, more than ever, on the potential for artificial intelligence and computer modelling to serve public health goals by leveraging big data and drawing links between datasets (as discussed here).
For the private sector, this offers a real opportunity to generate commercial value from understanding and profiling individual behaviour, using new data linkages for research and development, and gathering unique insights using large populations. For the public sector, it provides the alluring potential to develop more digitised and joined-up services for the benefit of public health, and to inform new policy measures based on expansive data, rather than a narrow focus on individual care.
We are at a fascinating nexus of technology and health data, with "developers" and "innovators" now being mentioned in the same breath as "service users" and "practitioners". In this context, it's easy to see sweeping uses of digital health data as 'fair game' for the purposes of public health, technology advancement and innovation.
In the middle of all this, the NHS is sitting on an unparalleled health dataset that has enormous potential value for generating commercial and public innovation and insights.
So how do we maintain fair and lawful data processing and observe the rights of individuals in such an environment?
What do we mean by fairness?
Ensuring fairness is, at its core, a matter of following EU and UK legal principles that have been present in data protection law for decades.
The UK GDPR refines and updates the concept to be more relevant to the digital age, but the core strand remains: "personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals" (Article 5(1)).
In a nutshell, for processing of health data to meet this principle it should only be handled in ways that people would reasonably expect and, crucially, not used in ways that have unjustified adverse effects.
This means observing the following:
- Applying fairness upfront: in particular, making sure that before any data is collected or sought, an assessment is made of the correct conditions for fair and lawful processing in Article 6(1) UK GDPR and Article 9 UK GDPR (the latter sets out the conditions specific for special categories of data, including health data).
- Fairness at the point of collection: this requires making sure that data subjects receive transparent information on the processing activities, including details of data sharing with third parties and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language. Article 13 of the UK GDPR describes in detail the transparency requirements for data controllers when they collect personal data directly from the data subject.
- Fairness when the data is not collected directly from the data subject: there are also transparency requirements for controllers of data not collected directly from the data subject. In the context of health data, exemptions may apply but this is a complex area which needs to be carefully considered to help demonstrate fair processing.
- Fairness following data collection: in particular this means not retaining data for longer than is necessary. The right of access (Article 15 UK GDPR) also gives individuals the right to obtain a copy of their personal data, in theory allowing individuals transparent access to how their data is being used (although again, exemptions may apply to health data used for research).
While these may seem familiar and well-established by now, historically practices have often fallen short.
Pre-pandemic lessons to be learned
Several major pre-pandemic issues affected public trust in the fairness and lawfulness of the processing of health data.
Care.data
Readers might recall the ignoble launch of care.data - an NHS England initiative that launched in 2013, aimed at centralising patient health and social care data. There was a failure of upfront consultation and transparency with both GPs and patients, and questionable revelations of onwards sharing of health data with insurance companies and consultancy groups. The plans were thrown into an escalating series of crises until the entire project eventually stalled.
Questions were also asked around the efficacy of an 'opt-out' process, and the ability to protect and maintain anonymity of patient data and the possibilities of re-identification. More recently, similar issues cropped up around the contested implementation and the stalling of the National Data Opt-Out (care.data's successor), and indeed it is hard to see such concerns abating any time soon as datasets grow ever more prevalent and analysis techniques become more and more sophisticated.
DeepMind
More recently there were widely reported failures of fairness with the 2016 engagement by an NHS Trust of the Google DeepMind service. This involved the passing of medical information from the Trust to DeepMind for the development of a clinician support app, however this sharing was carried out without proper consultation and notification to individuals. The sense was that patients would not reasonably expect their data to be used in this way and the issue highlighted public concerns around large-scale access to, and use of, private health data by technology companies.
After the Trust was sanctioned by the ICO, the clinician-support app was eventually scrapped. The concerns highlighted by the Trust's use of DeepMind persist today, with a great deal of scrutiny from privacy specialists being given to the NHS COVID contracts with AI/tech firms such as Faculty and Palantir.
Did the pandemic change attitudes to fairness?
When the pandemic hit, the public broadly backed the idea of urgent and necessary processing by health authorities where there was a direct public health benefit. This period saw the creation of the COVID-19 National Data Store as a government database of health information that could be used to get the measure of hospitalisations, critical care bed and ventilator availability.
The dataset required the initial processing of patient identifiable clinical information before being anonymised and uploaded, but clear health-focused rationales and legal bases were developed and communicated with comment from the regulator and the publication of third party contracts. On that basis, the initiative went ahead, albeit with a great deal of scrutiny, but with an understanding that this was a fair way of processing in a difficult context.
While the ICO took a pragmatic approach during the pandemic, that did not mean it was prepared to overlook non-compliance. In March 2022, the ICO issued a reprimand to the Scottish government and NHS National Services Scotland relating to GDPR failings in relation to sensitive health data used by the NHS Scotland COVID Status app. For a brief period, the app sought consent from users despite the fact that the processing was not predicated on consent. The ICO said this breached the fairness principle by suggesting that users had a greater level of control over their data than was the case.
So where are we now?
With the impressive progress of technology and the urgent necessities of the pandemic response it may be all too easy to forget the lessons of the past, and to strive to open as widely and as innovatively as possible the ability of health services to collect and share data.
Indeed, the UK government is looking ahead and consulting on digital reforms "to unleash the unlimited potential of data in health and care" and to create a new "duty to share" to make data sharing the norm across healthcare services, rather than operating in protective silos (with the accompanying inefficiencies). In March 2022, the Secretary of State for Health and Social Care, Sajid Javid, made a speech setting out an agenda for technological innovations in the UK's healthcare system. These include expanding the rollout of electronic patient records in NHS trusts up to 90% by 2023, and more widespread adoption of the NHS app, up to 75% of adults by March 2024. The government is expected to publish a digital health plan later this year. Among other things, this will cover the use of NHS data to drive innovation.
However as conditions of urgency start to shift back to a health system with more time and resources available to allocate to patient privacy, we are already seeing patients and GPs call for fairness and lawfulness to be back at the forefront when it comes to health data.
The General Practice Data for Planning and Research programme (akin to care.data, involving the extraction of GP patient data for research and planning) has been criticised to the point where the initiative has now stalled. Familiar concerns have been raised regarding the possibilities of data being sold to commercial parties, risk of re-identification, and the fact that patients were not being given enough time to become aware of an opt-out option.
It seems there is still some way to go before there is public confidence now that the pressing needs of the pandemic seem to be subsiding.
Practical steps to fair and lawful processing
In broad terms, data isn't processed fairly and is certainly not processed lawfully if it is processed in breach of any legal requirements. While we're not proposing to run through the entire set of requirements here, there are key practical steps controllers of health data can take to help ensure that processing of health data meets the UK GDPR requirement to be fair and lawful:
- Ensure there is sufficient regard for privacy, ethics and information governance throughout the data lifecycle: this should include the preparation of transparency statements clearly communicating how the health data will be protected and used, and conducting (and making available) impact assessments (NHS COVID example here, which includes privacy statements from its private-sector suppliers). Conversely, any suggestion of commercialisation or NHS data being provided for the benefit of private companies without an accompanying high level of transparency is likely to breach public trust.
- Support individuals in understanding the technology behind any processing: for example, by generating understanding of the security measures in place, anonymisation techniques or use of trusted environments. Bringing individuals along with you by explaining the utility of their data for the ultimate data quality and accuracy of an aggregated dataset, and the overall health benefit is key.
- Support healthcare professionals in understanding and communicating the processing: data opt-out schemes have historically brought GPs into conflict with healthcare bodies on the basis of poor communication and transparency and the risk of impacting professional and patient autonomy. Bringing healthcare practitioners on board with the processing and providing standard materials to support them in communicating it to patients will be a vital element in making sure that processing is fair and lawful.
Clarity in data legislation?
The UK government has proposed measures for added clarity in data protection legislation – "to ensure that our laws keep pace with the development of cutting-edge data-driven technologies" (Data: a new direction). Clearly, following the laws and principles that establish protections for personal data will be the ultimate ingredient in making sure processing is lawful – but it remains to be seen whether the UK can make changes while preserving what we (and our EU neighbours) understand to be fair.