The pandemic has taught us many things but one of the most important is the value in sharing health data for research purposes. This does not have to be personal data but it often starts out that way which means controllers and processors have to comply with applicable data protection law.
The European Commission recognised that research data merits both special protection due to its sensitive nature, and exemptions from aspects of the GDPR to prevent data protection law stifling innovation. Did it get the balance right?
The GDPR and its UK counterpart, the UK GDPR, stipulate safeguards for personal data processed for scientific research or statistical purposes. Under Article 89, all processing of personal data for scientific research or statistical purposes must be subject to appropriate safeguards to preserve the rights and freedoms of individuals. Key to these is data minimisation, including by pseudonymisation.
Article 89 is also the main source of exemptions and derogations from GDPR compliance for health research data. Member States or the EU itself may provide for derogations from a number of the data subject rights in relation to data processed for scientific research or statistical purposes across the EU, and the UK can do the same under the UK GDPR.
In the UK, the Data Protection Act 2018 covers the Article 89 derogations. To the extent that individuals exercising their rights would prevent or impair scientific research or statistical purposes, controllers do not have to give effect to:
as long as the data is processed in accordance with Article 89(1), as supplemented by section 19 DPA18, and provided, in relation to Article 15(1) and (3), that the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
Further provisions relating to the application of research exemptions are built into the UK GDPR in the:
and additional provisions are scattered across the DPA 18, making it somewhat confusing to understand when they apply.
The UK government is concerned that the UK GDPR, inherited from the GDPR, presents a number of barriers to the use of health data for scientific research and, therefore, to innovation. These are identified in the DCMS consultation on data protection reform - 'Data, a new direction' and reflect some industry concerns.
The government's concerns
One of the government's aims is to reduce barriers to responsible innovation which it suggests are created by the current data protection framework. With respect to scientific research, concerns include:
What does the government suggest?
Among the government's proposals to deal with these issues are:
UK policy on using data in social and healthcare
In February 2022, the government updated its June 2021 draft Policy Paper, 'Data saves lives: reshaping health and social care with data', which sets out the government's digital health ambitions in the wake of the lessons learned during the COVID-19 pandemic.
The paper does not focus on personal data issues although it does discuss the need to protect privacy through privacy enhancing technologies (PETs) and by using trusted research environments (TREs). Much of the strategy looks at the provision of health and social care and details public health data sharing initiatives, but there is also an emphasis on the importance of health data for research.
In March 2022, the Secretary of State for Health and Social Care, Sajid Javid, made a speech setting out an agenda for technological innovations in the UK's healthcare system. These include expanding the rollout of electronic patient records in NHS trusts up to 90% by 2023, and more widespread adoption of the NHS app, up to 75% of adults by March 2024. The government is expected to publish a digital health plan later this year. Among other things, this will cover the use of NHS data to drive innovation.
The government has commissioned a review into the use of health data for research and analysis, including looking at preserving privacy in this context. The original intention was that this would be published by the end of 2021, but the review is ongoing – perhaps an indication of the complexities involved.
Whether government and industry concerns about restrictions on the use of health data for scientific research are best addressed through reformed legislation, or by regulator guidance, is currently a topic of debate. The ICO has responded to the government consultation, but has also issued draft guidance on research provisions in the UK GDPR and DPA 18, acknowledging that the government is looking to make changes in this area but saying guidance is needed now to give clarity on research provisions.
ICO draft guidance on research provisions in the UK GDPR and DPA 18
The ICO's draft research guidance covers all the research exemptions (for scientific, historical research, archiving in the public interest and statistical purposes), but it aims to add clarity to many of the issues raised by the government as well as to other areas of uncertainty in the context of processing personal health data for scientific research.
As such, it looks at issues around the definition of scientific research, lawful basis, purpose compatibility, data minimisation, storage limitation and what constitutes public interest (read more here). It can, however, only offer guidance on the law as it stands. This means, for example, that it does not address the issue of data exports (which we discuss in more detail here), nor the prospect of introducing a new lawful basis for processing for research purposes.
ICO response to government consultation on data protection reform
The ICO is broadly supportive of the government's proposals to change the law with regard to research purposes, although it makes the general point that it needs to see detailed proposals before it can reach a final position.
Among its comments, the ICO:
The UK is not alone in its concerns over barriers to sharing health data, whether for scientific research or to provide cross-border access to treatment.
The European Data Protection Supervisor published a Preliminary Opinion on Data Protection and Scientific Research in January 2020, which covers similar (although subtly different) territory to the ICO draft guidance. The EU has also published a draft Data Governance Act and draft Data Act to facilitate private and public sector data sharing (personal and non-personal), which are both likely to impact access to health data for scientific research.
Rather than suggesting reforms to the GDPR, the EC proposes creating a Common European Health Data Space (as we discuss here) as a way forward. Depending on the way this is set up, it could well make the use of EU health data for research smoother and more reliable. It would, however, also ringfence that level of access to EU Member States – only providing a partial solution to barriers to international collaboration.
The UK government is looking at data protection reform with a view to giving it a competitive advantage in a number of areas including scientific research and it is, of course, free to depart from the UK GDPR. There are, however, concerns that too great a difference between the UK and EU regimes would put the UK's hard-won data adequacy decision (which allows frictionless EU-UK data transfers) at risk.
Issues with international data transfers are already slowing down the use of health data for research and other purposes (as discussed here), but the UK government will find it problematic to expand its adequacy arena beyond the EU's, particularly to the USA. That would almost certainly lead to the suspension of the EU-UK adequacy arrangement, causing a bigger problem than it solves.
Barriers to sharing health data for research aren't just due to legal constraints. As the government's policy paper sets out, there are technical issues to consider. Some of these are privacy-related – there is a need to develop PETs and TREs to enable health data to be stored and shared in a more secure way. Other issues relate to a fragmented oversight regime, interoperability problems, and insufficient processes required to ensure sufficiently high data quality, particularly from the public sector.
One of the biggest barriers to sharing health data for scientific research and other purposes is the issue of trust, as Health Data Research UK noted in its response to the government consultation on the data protection framework. Having a robust framework for data protection and cybersecurity is one of the ways to achieve that. Industry and regulators seem aligned with the UK government on the need for clarification and further facilitation of the use of health data for scientific research, at least in principle. If, however, the government looks to change the UK data protection framework's approach to processing health data for research purposes, it must be careful to ensure that the drive to facilitate innovation in scientific research does not come at the expense of protections for individuals.