Only a few days to go: We’re raising £25,000 to keep TheyWorkForYou running and make sure people across the UK can hold their elected representatives to account.

Donate to our crowdfunder

Data Protection Bill [HL] - Second Reading

Part of the debate – in the House of Lords at 5:18 pm on 10th October 2017.

Alert me about debates like this

Photo of Lord Patel Lord Patel Chair, Science and Technology Committee (Lords) 5:18 pm, 10th October 2017

My Lords, many of my comments on the Bill are about data collection, usage and storage, particularly as it applies to research and, in particular, health research. In that respect, I will reference many of the comments on research made by the noble Baroness, Lady Neville-Jones, including health research generally and health research for people with rare conditions and how that data might be collected.

Given the rapid advances of data science and our capacity to collect, process and store vast quantities of data, such as genomic data for individuals, ensuring that data subjects have clear rights regarding how their data is used is vital. The recently published life sciences industrial strategy acknowledges both that fact and the significant potential of the data held within the healthcare system, especially for delivering better care and for the research sector.

The importance of getting the governance of personal data right is increasingly being recognised. The Royal Society and the British Academy recently published a report on data governance, calling for careful stewardship of data to ensure that the power and value of data are harnessed in such a way as to promote better human health and human benefit.

The Government have indicated that they recognise the importance of maintaining data flows across borders post Brexit, and that is positive. For instance, three-quarters of the health-related data flow from the UK is to the EU. As far as research is concerned, the relevant provisions of the Data Protection Bill mirror the GDPR and so should not generate problems for international collaborative research as it stands. However, it is imperative that international research that requires the transfer of personal data can continue without disruption post Brexit, and the example of rare diseases used by the noble Baroness, Lady Neville-Jones, is absolutely appropriate. In such situations, research often has to be co-ordinated and conducted across many countries, as there are few individuals with a particular condition in each country. My noble friend Lord Jay referred to the need for adequacy arrangements, and I think that that applies particularly in this area. Therefore, my question to the Minister is: will the UK, as a third country, seek an adequacy decision from the EU for data transfers in this respect?

I now come to Clause 7, which refers to alternatives to consent. The noble Baroness, Lady Neville-Jones, referred briefly to the problems that arise. For many uses of personal data, explicit consent is absolutely the right legal basis for processing that data, and it is positive that, with the GDPR, data subjects’ rights have been strengthened. Medical research will usually rely on a person providing informed consent for ethical reasons, but it is essential that there are alternatives to consent as a legal basis. That is because GDPR-compliant explicit consent sets a high bar for information provision that it may not always be feasible to meet. In many research resources, such as biobanks—I hope that my noble friend Lady Manningham-Buller will refer to that as the chairman of the Wellcome Trust, which is responsible for initiating the UK Biobank—the participants give consent for their pseudonymised data to be used.

In some studies it is not possible to seek consent, either because a very large sample size is needed to generate a robust result, and that would be practically difficult to obtain, or because seeking consent would introduce bias. The use of personal health data without specific explicit consent is sometimes essential for research for the health of the population. If researchers could not process medical records for research without specific explicit patient consent, they could not run cancer registries, which are extremely important in recording all cases of cancer; they could not monitor the hazards of medical procedures, such as the recently discovered implications of CT scans for long-term disease development; they could not assess the unexpected side-effects of routinely prescribed medicines; and they could not identify sufficiently large numbers of people with a particular disease to invite them to take part in trials for the treatment of that disease. The example I would give is the recruitment of 20,000 suitable people for the Heart Protection Study on statins, which has helped transform medical practice throughout the world. I am sure that many noble Lords use statins. This began with the identification of 400,000 patients with a hospital record of arterial disease and that information could not have been accessed without their permission. There are good examples of how this provision would cause a problem as it is enunciated in Clause 7.

We have a well-established, robust system of governance and oversight for non-consensual medical research in the UK; for example, through the Health Research Authority, a confidentiality advisory group, advising on Section 251 approvals to override the common law duty of confidentiality. Patient groups actively advocated for research exemptions during the passage of the GDPR—for example, through the Data Saves Lives campaign. I hope that, in Committee, we might get an opportunity to explore this further to see whether we can somehow modify the Bill to make this possible.

I come now to the public interest issues in the same clause. I understand that the Government intend the functions listed in Clause 7 not to be exhaustive, and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. Again, the noble Baroness, Lady Neville-Jones, briefly touched on that. It would provide much-needed clarity and assurance to the research community, particularly to those in the universities, if this could be made explicit in the Bill. A huge amount of research will rely on public interest as a legal basis. The Government have recognised the value of making better use of data for research, and the recent life sciences industrial strategy confirms the tremendous potential benefits for patients and the public if we can unlock the value of data held by public authorities and promote its use in the public interest.

There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and what they can or cannot do with data for their purposes—hence I referred to the need for better governance of the data. This is why the public interest legal basis matters so much for research. The DP Bill is an opportunity to set out very clearly what the legitimate basis for processing personal data can be. Setting out a clear public interest function for research will give researchers confidence to know when they are operating within the law. If necessary, any specification of research in Clause 7 could be qualified by safeguards to ensure that the legal basis is used only when appropriate.

Can the Minister confirm that research conducted by, for example, universities or hospitals could use the public interest legal basis for processing personal data? Again, we may have an opportunity to explore this further in Committee.

I come now briefly to Clause 18 and the issue of safeguards. Where exemptions from data subject rights exist for research, robust safeguards to protect data subjects’ rights and interests are essential. Clause 18 transposes Section 33 of the Data Protection Act into the new Bill, but it will have wider application than it did in the Data Protection Act. Under the Data Protection Bill, all medical research undertaken without consent as the legal basis will be subject to the safeguards of Clause 18. Clause 18 prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment for diseases.

Let me give the House some brief examples. Clinical trials and other interventional research will be undertaken with the consent of patients, which is ethically essential. However, the standard of consent may not be GDPR compliant as it is not always possible to specify how the data might be used beyond the purpose of the trial itself. Consent is therefore not the appropriate legal basis for much interventional research. This means that the safeguards built into the Data Protection Bill for processing or research purposes will apply. Clause 18 should not apply to interventional research. That research requires the processing of personal data to make decisions about the data subject as that is part of the necessary research design and oversight. If researchers cannot process data in that way, they will not be able to process information about a patient’s condition to assess whether they are eligible to participate in a clinical trial. They will not be able to process information about a patient’s condition to determine to which arm of the trial they should be allocated. They will not be able to remove individuals from a clinical trial if evidence arises of potential adverse effects during the course of the trial. There are significant implications.

A potential solution to this problem would be to modify Clause 18 to exempt research that has been approved by an ethics committee or some other such established safeguard. Implementation of the GDPR through the Data Protection Bill is an opportunity to provide clarity for researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards. At present, there is a great deal of conflicting advice about the implications of the GDPR and there is a risk that organisations will adopt an unnecessarily conservative approach to data protection for fear of committing breaches.

I should like to make two minor points. The Government have committed themselves in their response to Caldicott 3 to putting the National Data Guardian on a statutory footing by 2019. Do the Government intend to table an amendment to do that in this Bill? If they do not, the opportunity will be lost.

Lastly, the noble Lord, Lord Stevenson of Balmacara, mentioned the age of consent for children. The age of 13 seems a ridiculously low age for consent and I would support any amendments that he might introduce.