In mid-May 2023 the National Health and Care Strategic Information Governance Network, which I am privileged to Chair, put its collective heads together to understand the potential implications of the Data Protection and Digital Information (No. 2) Bill for the NHS, Local Authority Social Care and the wider health and care sector. These are the outcomes of our deliberations.
Using a Slido poll, we established that the areas that most exercised our collective thoughts are those bulleted below. The percentages are based on attendees being asked to select their top five worries from a summary of the changes the new law would make to existing Data Protection legislation. It was not an exhaustive list.
- Data protection officer (83%)
- Data protection impact assessment (67%)
- Scientific research (56%)
- Management of complaints (33%)
- Legitimate interests without a balancing test (33%)
- Definition of personal data (33%)
- Marketing soft opt-in (28%)
- Records of processing activities (28%)
- Automated processing (22%)
- Business and customer data (22%)
- Legitimate interests with a balancing test (22%)
- International transfers (17%)
- Subject access requests (11%)
- Information commissioner’s office (6%)
- Adequacy (6%)
- Internet cookies (0%)
- Increase in PECR fines (0%)
To narrow this down, we then worked through our top five to explain them further. Our conclusions were as follows.
1. Data Protection Officer
Our understanding is that the requirement to appoint a Data Protection Officer by some public bodies and organisations undertaking high risk processing will be removed. It will be replaced with a need to appoint a ‘Senior Responsible Individual’ for Data Protection.
- The responsible person may not be as respected by the Board.
- It appears to be little more than a change of terminology, which is only likely to cause confusion when the Data Protection Officer role and title are already embedded.
- The Senior Responsible Individual title does not mention Data Protection, which could equally cause confusion and require extra explanation for staff and other stakeholders.
- The removal of the Data Protection Officer could effectively give greater responsibility to Information Governance staff who do not currently hold that level of responsibility.
- There is the potential for confusion with other ‘Senior Responsible’ personnel, or those with similar titles, such as the Senior Information Risk Owner.
- It appears to move the role away from soft-skill Data Protection and process responsibilities towards technical IT/Cyber issues. The added concern is that, while IT tools may be in place, the new role does not focus on the data within those tools or the lawfulness of its processing, which is of particular concern currently given the increased prevalence of Artificial Intelligence and technology such as ChatGPT.
- There is a possibility that the more senior the role becomes, the less understanding there will be of how Data Protection needs to work in health and care organisations.
2. Data Protection Impact Assessment
Our understanding is that Data Protection Impact Assessments will be replaced with a leaner and less prescriptive ‘Assessments of High-Risk Processing.’
- Reducing burden is positive for stakeholders, but it is likely to make it more difficult for Information Governance / Data Protection personnel to assess risk, as granularity in the description of processing will be lost.
- A leaner process may result in less effective risk assessment and potentially greater risk being unwittingly absorbed by Data Controllers.
- Reduction in process implies there is an “opt out” from completing Data Protection Impact Assessments (or Assessments of High-Risk Processing), meaning Data Controllers could start to lose focus on their data flows, which could cause clinical risk to patients.
- The change could leave Information Governance and Data Protection professionals unable to sign off such assessments confidently as effective due diligence, as the assessment may not collect all the relevant information needed to make that judgement.
3. Scientific Research
Our understanding is that scientific research will be redefined to include research for the purposes of commercial activity, expanding the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and an exemption from the fair processing requirement.
- A broader consent definition may lead to a higher rate of non-consent and / or opt-outs, which could potentially result in skewed output from research studies.
- Patients may start to lose control over their data as the consent is looser. This is hugely contrary to the reason for the General Data Protection Regulation (GDPR), which aimed to strengthen Data Subjects’ control over their own data.
- There is a potential that making consent broader could be taken to imply an almost “legitimate interest” usage of personal data.
- Data subjects will have little control over their data once a third party has it.
- It potentially removes protection of data used for research.
4. Management of complaints
Our understanding is that complaints made to the controller will need to be acknowledged within 30 days and responded to substantively without "undue delay". The ICO will not be mandated to accept a complaint if the Data Subject has not complained to the Controller first.
- This blurs the responsibilities between a Data Protection complaint and one that would normally be managed by a complaints team, leading to a lack of clarity as to who would lead or get involved, and resulting in increased pressure on already stretched resources within Information Governance / Data Protection teams.
- Complaints teams are not necessarily knowledgeable in Data Protection and / or may not recognise a complaint as having a Data Protection element if it is particularly nuanced.
5. Legitimate Interests without a balancing test
Our understanding is that Data Controllers will be able to rely on legitimate interests without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.
- Although Legitimate Interests is little used in the public sector, some other organisations actively rely on the condition without carrying out a balancing test. This change only serves to legitimise the current potential misuse.
- This raises a concern that a healthcare organisation relying on GDPR Article 9(2)(h) (direct care) may find this incompatible with a partner organisation’s use of Legitimate Interests in this way, because public sector healthcare organisations could come into conflict with private organisations who are “legitimately interested” in growing their own business.
- There is a possibility that third parties with access to healthcare organisations’ IT systems could argue that the data they can see may be used for their own Legitimate Interests, and the Data Controller and Data Subject may never know this (until something goes wrong).
Comments

Account Manager (Information Disclosure Management) at GSA Ltd, assisting the IG and DP community with intelligent SaaS solutions to manage Information Rights Requests and more:
Very informative and well written, Andrew.

Award-winning healthcare and health tech Data Protection practitioner | Fellow of the Information and Records Management Society | LLM Information Rights Law and Practice (with Distinction):
Thanks for sharing, Michael! 👌
Thanks for sharing, Anna! 🌟
Thanks for sharing, Jacquie. 👍

Data Protection Officer:
Thanks for sharing the views of National SIGN with fellow DP and IG professionals. The exercise to review the forthcoming bill was excellent, and I felt it was a very beneficial use of our time to discuss with colleagues across the country. Thank you Andrew Harvey LLM FIRMS.