NHS Digital, England’s healthcare IT service, are hoping to amass the records of millions of English GP patients to improve patient care – a project called General Practice Data for Planning and Research (GPDPR). It is proposed that the records will be available to third parties for research and commercial purposes. The personal data involved is inherently highly sensitive and private as it contains information concerning criminal records, ethnicity, gender, drug and alcohol use, HIV status and sexual health. NHS England have assured the public that the data will be pseudonymised while they alone will hold the keys to the data.
The personal data would be shared unless the relevant patient opted-out – the type of consent that GDPR set out to abolish. The proposal has naturally raised many concerns from patient groups and privacy campaigners alike on fundamental grounds such as the absence of a solid lawful basis and lack of transparency over who the data will be shared with. It appears the project has been pushed back as a result of these privacy concerns and the ICO has confirmed it is assisting the project with a view to upholding the rights of data subjects under the UK GDPR. We must wait to find out how this project will move forward. In the meantime, the matter highlights the wider public awareness of privacy rights and underscores the importance of sharing personal data in a responsible way. This short article discusses some key issues to consider when thinking about sharing data.
Using data for a new purpose
Under UK GDPR data subjects should be informed of the purposes for which data will be processed before it is collected. Data protection law operates under the principle of purpose limitation, meaning that data should not be used for any purpose which is incompatible with the purpose for which it was originally collected. If an organisation wishes to use personal data for a new or incompatible purpose they must notify the data subjects involved and the new purpose must be explained in clear and accessible language.
Organisations must be transparent about their processing. For example, stating that the new processing is for “research and planning purposes” may be a little too vague and the information provided to data subjects ought to be more granular. Furthermore, if you are planning on sharing the data, the third parties with whom you wish to share it, must be named, or at the very least, the categories of third parties should be named. You must make every effort to notify your data subjects, and in cases where it is not practical to do so, your reasoning for not contacting data subjects must be clearly documented.
The importance of completing a data protection impact assessment
NHS Digital have since claimed that it is in the process of delivering a data protection impact assessment (DPIA) in relation to the data sharing project. If a proposed new process involves a high level of risk to the rights and freedoms of the data subject, then a DPIA must be completed. This is essentially a risk assessment for the personal data. The impact assessment identifies the risks, for example, the risk of a data breach or the risk of a person being identified, and seeks to address and mitigate those risks. It is a useful tool for mapping out the data flows and pinpointing the weaknesses. The DPIA does not have to be made public, nonetheless, it helps to reassure your customers that you can demonstrate accountability in terms of your decision-making.
Identifying lawful bases for processing
Personal data must only be processed if you have a specific legal ground for processing the data. The legislation provides certain legal grounds for processing personal data in certain scenarios such as; contract, consent, vital interests and the public interest. Likewise, there are separate legal grounds for processing special category data e.g. health. Therefore, for the processing to be lawful, it must be justified on the basis of one or more of those legal basis. If you cannot demonstrate that the processing is necessary on the basis of at least one of the lawful basis, then you should not proceed with the proposed activity.
Opting out is contrary to principles of data protection
Finally, and perhaps most importantly, there is the issue of consent. If consent is the lawful basis being relied on, it is vitally important to obtain valid consent that is freely given, specific, informed and unambiguous. One of the major criticisms of the NHS Digital project, is that it is based on an opt-out, rather than opt-in consent model. A system based on opt-out, is contrary to the principles of data protection and our understanding of valid GDPR consent. It suggests that the project is obtaining consent by relying on the silence or inactivity of the data subject – the equivalent of a pre-ticked box- making it difficult to prove that genuine consent was given. Any consent based processing of personal data ought to be opt-in by default, allowing data subjects autonomy and agency in terms of deciding what happens to their data. And there should be affirmative action on the part of the data subject to demonstrate valid consent. Data subjects must be allowed to opt-out at any time and it should be just as easy to opt-out as it is to opt-in.
Consent should also be freely given, so for example, if it is claimed the processing is for patient care, implying that you are hindering patient care if you opt-out, that consent would not be valid as you have been shamed into giving consent. Moreover, for consent to be valid it must be informed. This means giving enough information and notice to data subjects to consider their options and to allow for public debate. As the ICO states; “genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
Trust and Reputation
Trust is a key enabler of any organisation’s work. To build trust, organisations must be able to show lawfulness, fairness, transparency and accountability. Your business also depends on your reputation – having the media claim that you are “scraping” personal data is far from ideal. Notably, NHS England have delayed their project until September and this has been welcomed by the ICO. To avoid the confusion and mistrust arising in the first instance, plan and document your proposed processing well in advance and utilise the tools available under GDPR to demonstrate compliance.
Insight from Loretta Maxfield and Jennifer Breslin Data Protection specialists at Thorntons. For more information contact Loretta or Jennifer on 03330 430350.