What is the future direction for processing personal data for research purposes in the UK?

Increasing the efficiency and scope of scientific research was a central opportunity of the UK government's National Data Strategy announced in December 2020. Since then, the UK government has invited responses to its consultation 'Data: A new direction' published in September 2021, which touted a bold new data protection regime following the UK's departure from the EU. Among the aims of the proposed reforms was the aspiration to strengthen the UK's position as a science superpower and to simplify data use by researchers. In particular, to improve the availability of data for secondary use purposes.

In the last few weeks the government has published its response to its consultation which sets the new direction for UK data protection law including how personal data can be used for research purposes.  We shortly anticipate a draft Data Reform Bill before Parliament although (in view of recent events) it is not certain that this will happen before the summer recess.

What are the new proposals?

Nothing too radical

The proposals published on 17 June 2022 are more modest than the government's original consultation proposals set out in September 2021. In certain instances, the UK government has decided to clarify or tidy up parts of UK data protection law rather than overhaul the law in any significant way. For instance, the government will simplify the provisions focussed on using personal data for research. Additionally the so called 'broad consent' referred to in recital 33 of the GDPR will be given more prominence in the law to help raise awareness of this more flexible approach for organisations processing personal data for scientific research purposes and relying on consent.  Essentially, this permits organisations which have not been able to specifically identify the purposes of processing for scientific research purposes to ask individuals participating in a research project to give their consent to certain areas of scientific research when in keeping with recognised ethical standards. While some respondents (to the consultation) were concerned that the availability of broad consent could lead to abuse, the government's response indicates that it intends to improve awareness of broad consent's potential and use.

Further processing

The government intends to reform the law to clarify the rules on further processing (or secondary use) of personal data for research. Respondents indicated that there could be confusion on when further processing is lawful. The government will clarify the rules around further processing for an incompatible purpose when based on a law that safeguards important public interest as well as clarify the distinction between new processing and further processing. For instance, it will specify whether a change of controller automatically means the processing of personal data by the new controller is further processing. Additionally, the government will codify that further processing cannot take place when the original lawful basis is consent, other than in very limited circumstances.

Scientific research

The government has decided to introduce a new statutory definition of 'scientific research'. Recital 159 UK GDPR currently includes a description of the type of research that can be considered to be scientific research and it will be moved into the operative text of the legislation. The government considers that this current wording is a suitable base to build its definition on and will also add other statutory definitions for historical research and statistical purposes.  The aim is to provide greater clarity for researchers and individuals concerning what constitutes scientific research.

Public task

The reformed law will enable a non-public body to rely on the public task lawful basis if it is processing personal data to help a public body deliver a public task or function. This development can help private sector bodies assisting a public body with a health research task although this additional flexibility only relates to the Article 6 lawful basis and not Article 9 (for special category data).

Privacy notices

Most respondents to the consultation disagreed with the government's proposal to introduce an exception to the requirement for controllers to provide individuals with a privacy notice when data is re-used for research purposes. However, the government has decided to go ahead with this exception to ensure that research is not prevented in situations when recontacting individuals would constitute a disproportionate effort.

Essentially, this means that the exemption for disproportionate effort found in Article 14 (the obligation to provide a privacy notice when data is not directly collected from individuals) will be replicated in Article 13 going forward. This is likely to be of particular help to researchers carrying out longitudinal studies, especially research into certain complex medical conditions, since they will not have to provide a privacy notice if they can rely on disproportionate effort.  The government also intends to clarify what constitutes disproportionate effort, drawing on recital 62.

Use of AI

One of the government's reform proposals is likely to impact the use of AI in research activities involving special category data. The government supports the need to encourage trustworthy AI systems that detect potential biases in datasets. Since there is current uncertainty about which lawful basis is available for the processing of sensitive data for the purpose of bias monitoring and correction, the government will introduce a new condition to Schedule 1 of the Data Protection Act 2018, to provide a clearer basis for this processing. This will give assurance to researchers using AI tools on sensitive data (such as health data) where they want to ensure that the AI system is accounting for any possible distortion due to bias.

Anonymous data

Another area that the reforms will bring greater clarity to is when it is possible to regard data as anonymous. This has long been an area of debate and confusion (see the ICO's consultation on new guidance on anonymisation). Often the issue is around terminology where reference is made to an 'anonymised dataset' which, in the eyes of data protection law, would only qualify as pseudonymised. Likewise, references to de-identified data can, in certain instances, still mean the data is personal data. Since it is only truly anonymous data that is outside the scope of data protection law, it is important that there is a clear and widely understood position. The government has signalled that it intends to clarify the law to confirm that the test is a relative (rather than objective) one and that the test will be based on the wording set out in the Explanatory Report to the Council of Europe Convention 108 (for protection of individuals with regard to automatic processing of personal data). In particular, the government is keen not to set an impossibly high standard for proving anonymisation.

Rethinking accountability

A number of the GDPR obligations likely to fall on research organisations processing special category data will fall away under the government's proposals. For instance, currently an organisation involved in large scale data processing of health data for research purposes would be required in many cases to appoint a data protection officer (DPO) and carry out data protection impact assessments (DPIA). Both these requirements are being removed in the UK. However, the government will still require a certain degree of accountability since a designated senior individual will effectively have similar responsibilities to a DPO.  And while a full DPIA will not be required, organisations are still expected to identify and manage risks as part of a privacy management programme. But the mandatory obligation to consult the ICO in relation to a DPIA if an organisation identifies a high risk that cannot be mitigated, will become voluntary.

What did the UK government decide not to proceed with?

No specific research lawful basis

The government asked in its consultation whether scientific researchers found it difficult to identify lawful bases under Articles 6 and 9 of the UK GDPR when planning research. Since respondents did not indicate that identifying an appropriate lawful basis under the UK GDPR was a barrier to research, the government is not going to introduce a new lawful basis for research purposes. Significantly, a number of respondents considered a separate lawful basis for research could be vulnerable to misuse. The consequences of this will be that researchers will probably mostly rely on legitimate interest under Article 6 and (where special category data is used) scientific research under Article 9 (and Article 89) going forward.

Legitimate interests

The government decided partially to proceed with a list of carefully defined processing activities where organisations could rely on legitimate interest as a lawful basis without applying a balancing test and without having to rely on consent.  The September 2021 consultation had indicated that there is a degree of uncertainty among businesses in applying the legitimate interest test which can result in an over-reliance on consent. The list of legitimate interests for which no balancing test is required will now be narrowed down and it's not yet clear whether processing personal data for internal research and development purposes (mentioned in the consultation) will be included in the draft Bill.

Data intermediaries

One of the innovative aspects of the data protection reforms proposed in the consultation concerned data intermediaries. Data intermediaries help steward confidential data between those holding it and those seeking to use it in a responsible manner.  This aspect is linked to the government's commitment to enable the development of Smart Data Schemes (the secure sharing of an individual's data with third party providers but under the control of the individual). However, in its response, the government has stopped short of indicating it will legislate in this area.

A number of other areas (not just relevant in the context of research) under the UK GDPR will not be substantially reformed despite hints in the consultation that they would be targeted. For instance, security breach reporting remains. As does the access request regime for individuals (albeit with a new vexatious standard allowing controllers to refuse requests).

What other policy developments concerning research have we seen in the UK?

In April 2022 the Goldacre Review (led by Professor Ben Goldacre) was published - a review commissioned by the UK Secretary of State for Health and Social Care into the use of health data for research and analysis. As part of the terms of reference, the review team was asked to consider how to facilitate access to NHS data by researchers while preserving patient privacy, as well as to consider the technical platforms, trusted research environments and data flows that are most efficient and safe for analytic tasks. The NHS represents a vast and rich data resource of interest to researchers in the UK and globally. The Goldacre Review outlined a number of recommendations including the use of trusted research environments as the default position for NHS data analysis, standardisation for commonly used datasets, governance for approvals to access data and the need for individuals with digital skills.

Following the Goldacre Review, in June 2022, the UK government published the policy paper 'Data saves lives: reshaping health and social care with data'. This policy recognises how key data is as part of research and innovation to power new medical treatments. One of its chapters specifically addresses the need to give researchers the data they need to develop life-changing treatments, diagnostics, models of care and insights. As part of this initiative, there is a push to develop secure data environments where researchers can access health data without breaching privacy rules. Referring to the Goldacre Review's championing of trusted research environments, the policy paper indicates that the government will continue to encourage secure data environments for data access and use based on the Office for National Statistics Five Safes Framework.

What is happening in the EU?

While there is much activity in the UK, there are also recent developments concerning the use of data for research in the EU which are of interest to health research organisations operating across Europe.

As part of the EU data strategy, the European Union is proposing a European Health Data Space (EHDS) to unleash the full potential of health data. One of the central themes in the EHDS is to enable a consistent, trustworthy and efficient framework for the use of health data for research, innovation and policy-making. The EHDS, published in draft by the European Commission in May 2022, is designed to complement other legislative initiatives from the EU – the Data Governance Act and Data Act – as well, of course, as the GDPR. Under the EHDS there are a set of defined purposes for which data can be used for secondary use – scientific research related to the health or care sectors is one. There is also a specific list of prohibited purposes for which organisations cannot use the data for secondary use. The process under the EHDS is designed to incentivise organisations to make data accessible for other parties to use for research purposes.

What to do now

In both the UK and the EU, the research landscape is changing as government's seek to improve access to and use of personal data for research purposes within a regulated framework.  While we don't yet have the finer details, keeping a watching brief will be essential for any business with a focus on research.