My Lords, I shall speak about regulation relating to data privacy in medical research. The UK should have a vision to make an internationally competitive legal framework to support the use of personal data in health research—fully connected law and governance that is easy to navigate, pragmatic and risk proportionate, and regulation that ensures public confidence and trust in the use of personal data in research.
I have five recommendations to achieve this vision. The first is to ensure that movement of research-relevant data between the UK and the EU is not restricted. The UK is a world leader in genomics and research using longitudinal cohorts, medical informatics and data linkage. Research relies on international collaboration and sharing of data across borders. To maintain this position it is important that UK law allows free exchange of data with the EU after Brexit. The most straightforward option is for the UK framework to be considered adequate by the EU through implementing the general data protection regulation or equivalent rules. If adequacy is not achieved, the UK should seek to establish as simple a mechanism as possible for data transfers across Europe.
My second recommendation is to simplify and clarify the UK’s legal framework. The UK’s legal framework for the use of personal data in health research strikes a good balance between permitting research and protecting individuals, but it is highly complex and confusing. The legal framework should be simplified by providing a clear public interest legal basis for research by private and public organisations, and by bringing standards of consent and safeguards for health research in data protection law and the common law duty of confidentiality closer together. Following Brexit and the great repeal Bill, the Government should use the flexibility to review and revise data protection law to ensure it is clear and simple.
My third recommendation is to maintain the UK’s proportionate and pragmatic approach to regulation and governance. The Information Commissioner’s Office takes a pragmatic and risk-proportionate approach to regulation. This is a strength that must be maintained for the UK to be competitive. In particular, the ICO takes a proportionate and context-dependent approach to what is considered personal data.
My fourth recommendation is to ensure that the right governance is in place to manage data flows across the system. The Department of Health should implement the proposal for a national data guardian for health and social care.
My fifth recommendation is to develop an innovative framework for the regulation of data-driven technology. The UK has an opportunity to be a world leader in such regulation. This should allow access to the volume and quality of data required for machine learning to be effective, while ensuring public confidence and accountability. This requires regulating both the release of data and the novelty of a product that self-updates. I hope the Minister can assure us that the Government are looking at this and will work with research organisations and regulators to make sure that our regulation of data privacy in research is a world leader.