The UK's Data (Use and Access) Bill (DUA) was introduced to the House of Lords on 23 October 2024, replacing the Conservative government's Data Protection and Digital Information (DPDI) Bill which failed to make it through the last Parliament. The DUA Bill amends some aspects of the UK GDPR that those in the research and health sectors will be interested in. The government is billing these changes as clarifications to help scientists make better use of data for research. So what are the proposed changes?
Clause 67: definition of research
Clause 67 of the DUA Bill inserts new definitions into Article 4 of the UK GDPR relating to processing for research and statistical purposes. It makes it clear that references to processing of personal data for the purposes of scientific research cover processing for the purpose of any research "that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". The wording "reasonably be described as scientific" is arguably very wide and fairly vague, so it will be interesting to see how this is interpreted, but the assumption is that it is intended to be a very broad definition. Clause 67 also specifies that, with regard to studies in the area of public health that can reasonably be described as scientific, the study must be conducted in the public interest.
Clause 67 brings the details of a few of the recitals of the UK GDPR into the operative provisions of the DUA Bill. For example, it states that scientific research purposes will include processing for the purposes of technological development or demonstration, fundamental research or applied research, as far as those activities can reasonably be described as scientific, and that historical research includes genealogical research. It also clarifies that processing for statistical purposes means processing for statistical surveys or for the production of statistical results, where those results are aggregate data that is not personal data and the controller does not use the personal data, or information resulting from the processing, in support of measures or decisions about an individual that the data is about.
Clause 68: consent for research
Clause 68 builds on Article 4 UK GDPR's definition of consent for research and includes consent given for the processing of personal data for the purposes of scientific research even if at the time that consent is sought it is not possible to know all the purposes for which the data will be processed, as long as seeking consent for that area of scientific research is consistent with recognised ethical standards and the individuals are given a chance to consent only to processing for part of the research. This should give organisations more flexibility to process personal data for research purposes that may change as the research develops.
Clause 85: appropriate safeguards
Clause 85 simplifies the additional requirements that must be fulfilled when relying on the special category personal data condition that the processing is necessary for the purposes of scientific research or historical research, for the purposes of archiving in the public interest or for statistical purposes (RAS purposes). The wording of this clause makes it clear that processing of personal data can only be carried out for the RAS purposes if the processing involves the collection of personal data, is carried out to anonymise the data, or if, without the processing, the RAS purposes cannot be fulfilled.
It also sets out the appropriate safeguards that must be applied, which mostly mirror the existing UK GDPR Article 89 and Data Protection Act 2018 (DPA) provisions, and states the scenarios where the safeguards are not satisfied: for example, if the processing is likely to cause substantial damage or substantial distress to an individual to whom the personal data relates, or if the processing is carried out for the purpose of making decisions about the person that the data is about (unless the processing is for the purpose of approved medical research, which Article 84C defines).
Clause 71: purpose limitation and further processing
Clause 71 inserts a new Article 8A into the UK GDPR that helps organisations determine whether additional processing of personal data is compatible with the original processing. The factors to consider are:
- any link between the first purpose and the new purpose
- the context and the relationship between the individual and the controller
- the nature of the processing and whether it relates to sensitive data (i.e. special category personal data or criminal conviction information)
- public consequences of the new purpose on individuals
- whether there are any safeguards e.g. encryption or pseudonymisation.
Clause 71 also sets out specific scenarios where new processing will be compatible with the original processing, which include where the processing is for RAS purposes.
Clause 77: transparency
Clause 77 of the DUA Bill simplifies the language of Article 14 UK GDPR and provides clarity on what to consider when assessing whether it would involve a disproportionate effort to provide transparency information to individuals. Relevant factors include the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
Clause 119 and schedule 15: IT standards for health and adult social care in England
The DUA Bill also makes provision for the Secretary of State to introduce harmonised IT standards for health and adult social care in England. These aim to bring more standardisation of aspects such as IT, functionality, connectivity and security across the sector, with the Secretary of State having oversight of compliance and the ability to publicly censure IT providers that it thinks are not complying with the IT standards. The ultimate aim is to enable sharing of health and social care records across the NHS and create a single digital health record accessible via the NHS app; however, much of the detail will need to be filled in under secondary legislation.
What do these changes mean?
Ultimately, the changes to the current regime relating to research and related processing amount to tweaks and clarifications to the existing provisions, with some further flexibility introduced when relying on consent for research. None of the changes are particularly groundbreaking, given that much of this is repeating detail that is already in the recitals of the UK GDPR, DPA and existing guidance.