The pandemic has taught us many things, but one of the most important is the value of sharing health data for research purposes. This does not have to be personal data, but it often starts out that way, which means controllers and processors have to comply with applicable data protection law.
The European Commission recognised that research data merits both special protection due to its sensitive nature, and exemptions from aspects of the GDPR to prevent data protection law stifling innovation. Did it get the balance right?
Exemptions and protections for scientific research
The GDPR and its UK counterpart, the UK GDPR, stipulate safeguards for personal data processed for scientific research or statistical purposes. Under Article 89, all processing of personal data for scientific research or statistical purposes must be subject to appropriate safeguards to preserve the rights and freedoms of individuals. Key to these is data minimisation, including by pseudonymisation.
Article 89 is also the main source of exemptions and derogations from GDPR compliance for health research data. Member States or the EU itself may provide for derogations from a number of the data subject rights in relation to data processed for scientific research or statistical purposes across the EU, and the UK can do the same under the UK GDPR.
In the UK, the Data Protection Act 2018 covers the Article 89 derogations. To the extent that individuals exercising their rights would prevent or impair scientific research or statistical purposes, controllers do not have to give effect to:
- Right of access (Article 15(1) to (3))
- Right of rectification (Article 16)
- Right to restriction (Article 18(1))
- Right to object to processing (Article 21(1))
as long as the data is processed in accordance with Article 89(1), as supplemented by section 19 DPA18, and provided, in relation to Article 15(1) and (3), that the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
Further provisions relating to the application of research exemptions are built into the UK GDPR in the:
- Right to be informed when data is collected from a source other than the individual (Article 14(5)(b)), and
- Right to erasure (Article 17(3)(d)),
and additional provisions are scattered across the DPA 18, making it somewhat confusing to understand when they apply.
Data protection law - a barrier to innovation?
The UK government is concerned that the UK GDPR, inherited from the GDPR, presents a number of barriers to the use of health data for scientific research and, therefore, to innovation. These are identified in the DCMS consultation on data protection reform - 'Data, a new direction' and reflect some industry concerns.
The government's concerns
One of the government's aims is to reduce barriers to responsible innovation which it suggests are created by the current data protection framework. With respect to scientific research, concerns include:
- The rules on use and re-use of personal data are difficult to navigate as they are spread out across two statutes and in different parts of them.
- There is no definition of "scientific research" which results in a lack of certainty for researchers as to whether exemptions might apply.
- There is an uncertainty over which lawful basis to use when conducting scientific research which has led to an overreliance on consent.
- It is unclear how universities can rely on tasks in the public interest as a lawful basis.
- Doubts as to whether the concept of broad consent to scientific research (stated in the non-binding Recitals) can be used, given that consent needs to be specific.
- A lack of clarity as to how to balance the rights and freedoms of individuals against the legitimate interests of the controller.
- A lack of clarity as to when further processing may be permitted.
What does the government suggest?
Among the government's proposals to deal with these issues are:
- Bringing together research-specific provisions to put them all in the same place, and defining "scientific research", potentially using the definition currently in Recital 159.
- Clarifying the lawful bases to use for research purposes and when they can be used.
- Possibly introducing a new lawful basis for research together with safeguards.
- Widening the scope of consent for re-use of research data for further purposes.
- Clarifying when the legitimate interests lawful basis can be used.
- Clarifying the issue of when further processing is compatible with the original purpose.
UK policy on using data in social and healthcare
In February 2022, the government updated its June 2021 draft Policy Paper, 'Data saves lives: reshaping health and social care with data', which sets out the government's digital health ambitions in the wake of the lessons learned during the COVID-19 pandemic.
The paper does not focus on personal data issues although it does discuss the need to protect privacy through privacy enhancing technologies (PETs) and by using trusted research environments (TREs). Much of the strategy looks at the provision of health and social care and details public health data sharing initiatives, but there is also an emphasis on the importance of health data for research.
In March 2022, the Secretary of State for Health and Social Care, Sajid Javid, made a speech setting out an agenda for technological innovations in the UK's healthcare system. These include expanding the rollout of electronic patient records in NHS trusts up to 90% by 2023, and more widespread adoption of the NHS app, up to 75% of adults by March 2024. The government is expected to publish a digital health plan later this year. Among other things, this will cover the use of NHS data to drive innovation.
The government has commissioned a review into the use of health data for research and analysis, including looking at preserving privacy in this context. The original intention was that this would be published by the end of 2021, but the review is ongoing – perhaps an indication of the complexities involved.
What does the ICO say?
Whether government and industry concerns about restrictions on the use of health data for scientific research are best addressed through reformed legislation, or by regulator guidance, is currently a topic of debate. The ICO has responded to the government consultation, but has also issued draft guidance on research provisions in the UK GDPR and DPA 18, acknowledging that the government is looking to make changes in this area but saying guidance is needed now to give clarity on research provisions.
ICO draft guidance on research provisions in the UK GDPR and DPA 18
The ICO's draft research guidance covers all the research exemptions (for scientific, historical research, archiving in the public interest and statistical purposes), but it aims to add clarity to many of the issues raised by the government as well as to other areas of uncertainty in the context of processing personal health data for scientific research.
As such, it looks at issues around the definition of scientific research, lawful basis, purpose compatibility, data minimisation, storage limitation and what constitutes public interest (read more here). It can, however, only offer guidance on the law as it stands. This means, for example, that it does not address the issue of data exports (which we discuss in more detail here), nor the prospect of introducing a new lawful basis for processing for research purposes.
ICO response to government consultation on data protection reform
The ICO is broadly supportive of the government's proposals to change the law with regard to research purposes, although it makes the general point that it needs to see detailed proposals before it can reach a final position.
Among its comments, the ICO:
- Agrees the current framework is confusing and would benefit from consolidation.
- Supports a statutory definition of "scientific research" based on Recital 159, but warns that any definition must not go beyond what people would reasonably expect to be covered by the term and must be flexible enough to accommodate any changes in the nature of and approach to research in the future.
- Supports the principle of creating a new separate lawful basis for research, subject to suitable safeguards and taking into account views of stakeholders.
- Favours the approach of a new separate lawful ground for research processing rather than widening or clarifying the scope of consent.
- Strikes a more cautious note in response to addressing uncertainties around further processing. While agreeing greater clarity would be helpful, the ICO stresses the importance of ensuring consent remains meaningful and that people retain control over their data.
- Asks for more detail on proposals to create a list of types of processing for which organisations can use the legitimate interests lawful ground without having to carry out a prior balancing exercise against the rights and freedoms of the data subject.
The EU's approach
The UK is not alone in its concerns over barriers to sharing health data, whether for scientific research or to provide cross-border access to treatment.
The European Data Protection Supervisor published a Preliminary Opinion on Data Protection and Scientific Research in January 2020, which covers similar (although subtly different) territory to the ICO draft guidance. The EU has also published a draft Data Governance Act and draft Data Act to facilitate private and public sector data sharing (personal and non-personal), which are both likely to impact access to health data for scientific research.
Rather than suggesting reforms to the GDPR, the EC proposes creating a Common European Health Data Space (as we discuss here) as a way forward. Depending on the way this is set up, it could well make the use of EU health data for research smoother and more reliable. It would, however, also ringfence that level of access to EU Member States – only providing a partial solution to barriers to international collaboration.
Can the UK go it alone?
The UK government is looking at data protection reform with a view to giving it a competitive advantage in a number of areas including scientific research and it is, of course, free to depart from the UK GDPR. There are, however, concerns that too great a difference between the UK and EU regimes would put the UK's hard-won data adequacy decision (which allows frictionless EU-UK data transfers) at risk.
Issues with international data transfers are already slowing down the use of health data for research and other purposes (as discussed here), but the UK government will find it problematic to expand its adequacy arena beyond the EU's, particularly to the USA. That would almost certainly lead to the suspension of the EU-UK adequacy arrangement, causing a bigger problem than it solves.
It's not all about data protection
Barriers to sharing health data for research aren't just due to legal constraints. As the government's policy paper sets out, there are technical issues to consider. Some of these are privacy-related – there is a need to develop PETs and TREs to enable health data to be stored and shared in a more secure way. Other issues relate to a fragmented oversight regime, interoperability problems, and insufficient processes required to ensure sufficiently high data quality, particularly from the public sector.
Building trust
One of the biggest barriers to sharing health data for scientific research and other purposes is the issue of trust, as Health Data Research UK noted in its response to the government consultation on the data protection framework. Having a robust framework for data protection and cybersecurity is one of the ways to achieve that. Industry and regulators seem aligned with the UK government on the need for clarification and further facilitation of the use of health data for scientific research, at least in principle. If, however, the government looks to change the UK data protection framework's approach to processing health data for research purposes, it must be careful to ensure that the drive to facilitate innovation in scientific research does not come at the expense of protections for individuals.