The Data Protection Bill makes provision for the regulation of the processing of information relating to individuals and has a direct impact on how health and social care data is protected, controlled and managed. This data is especially sensitive and, given its personal content, requires detailed consideration when looking at data protection legislation as a whole.
The Bill was introduced on 7th August 2017 with the intention of making our data protection laws fit for the digital age. The General Data Protection Regulation (GDPR) applies from May 2018, and the Bill will ensure that the UK is compliant whilst also preparing for the post-Brexit future. The first reading of the Bill took place on 13th September and marked the start of its formal journey through the House of Lords. The second reading, at which all aspects of the Bill will be debated, takes place on 10th October.
The Bill will have a major impact on how healthcare data is used, which will be the topic of debate as the law takes shape. The key areas affecting healthcare are detailed below.
Rights of data subjects
The Bill includes the GDPR requirements for the rights of data subjects, and the term "data subject" keeps its definition from the Data Protection Act 1998 (s1(1)). In practice this will mainly concern the principles applicable to subject access requests, and it reiterates the condition that, unless the request is manifestly unfounded or excessive, living patients and service users may access their health and social care records without incurring a fee. However, the Bill does allow the Government to set limits on any fees that may be payable where a fee is permitted.
By virtue of Article 6 of the GDPR, processing of personal data is lawful only if it meets one of the specified conditions. Article 6(1)(e) GDPR applies where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and most health service bodies will rely on this condition to continue to process patient data. The Bill also states that this extends to the exercise of functions conferred by statute, so it will apply to local authorities and to NHS bodies (including Clinical Commissioning Groups).
Special categories of data
Under Article 9 of the GDPR, health, genetic and biometric data are all special categories of personal data and may be processed only if one of the listed conditions is met. These conditions include processing necessary for the provision of health or social care or treatment (Article 9(2)(h)). The Bill has incorporated this condition with little modification, and it appears to be the preferred condition for processing such data, given the difficulty of obtaining valid consent to the GDPR standard.
In addition to these elements, the Bill also deals with the derogations permitted by the GDPR. Under Article 23 GDPR, Member States may restrict certain rights and obligations in defined circumstances, and the restrictions in the Bill broadly reflect the current exemptions in the Data Protection Act 1998. Such a restriction is permitted only where it "respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard" one of the objectives Article 23 lists. For health and social care, this means that the current exemptions under the Data Protection Act 1998 relating to the disclosure of health and social care records to patients, service users and others are carried into the Bill. Importantly, the Bill preserves the serious harm test: where disclosure of health or social care records to a patient or service user would be likely to cause serious harm to their physical or mental health, or to that of another individual, the controller is not required to make that disclosure.
Whilst the full impact on the health and social care sector remains to be seen, the consolidation of this legislation should help ensure that patients' data receives the protection it requires.