Data Grab Bill is Government revenge on NHS patients

Health data has become one of the most valued prizes of the surveillance economy, but they aren’t being used to “save lives”. Big pharma wants granular data about NHS patients for marketing purposes and to sell their drugs at a higher price. Insurance companies are leveraging on medical histories to charge heftier policies or cut hospitalisation costs. Advertisers are preying upon our addictions or medical condition.

Avoiding patient consent

Unsurprisingly, private firms can go to great lengths to secure this data — a bit too far at times. In 2016, Google DeepMind hit the headlines for signing an illegal data-sharing deal with the NHS Free Trust and collecting over 1.6 million medical records without NHS patients’ knowledge or consent. The issue was investigated by the Information Commissioner’s Office, which found that Google DeepMind “failed to comply with data protection law”. Recently, a UK law firm announced that they are bringing collective legal action against Google.

All would be well that ends well if it weren’t for the UK Government vicious plans to scrap existing data protection laws and provide unprecedented freedom to weaponise personal data, less transparency, increased bureaucracy for individuals seeking redress, as well as reduced accountability and oversight.

The character of this proposal is even more evident when compared to the Google DeepMind scandal. Behind the fig leaf of “enabling research”, the Government would remove legal barriers for entities like DeepMind to grab, exploit and profit from NHS patients’ data. The result is a legal regime designed to use patients’ data against their consent while shielding unreliable, untrustworthy and unethical corporations from public scrutiny and legal responsibility.

In other words, the proposed data protection regime for research purposes is just another Government attempt to circumvent NHS patients’ long-standing opposition against sharing their health data with private firms.

Falsehood at the heart of this proposal

If you take the word of the DCMS consultation, the existing legal regime they seek to replace has made the UK “second in the world for science and research”. The unsavoury obsession with scrapping a regulation that works is complemented by the UK Government’s false premises to justify their proposal.

For instance, the Government argue that research rules need to be consolidated; but the ICO could issue regulatory guidance for researchers without the need to scrap legal safeguards. The Government also claim that the UK GDPR doesn’t include a definition of “scientific research” and that its recitals are not “operative text”. However, the UK GDPR does have a definition of scientific research at Recital 159, and recitals are already “operative” in that they are interpretative and clarify how the law must be applied in practice.

Further, the UK Government proposes the introduction of “broad consent” to allow individuals’ personal data to be reused for different research projects than the one originally intended. Again, the Government fail to consider that individuals consent for a given purpose, not a given project. If an individual agrees to their data being processed for medical research, this data can likely be reused in different research projects in the field of medicine. On the other hand, this data cannot be used for a different kind of research — say, market research.

NHS patients lose their say, rogue firms welcome

To understand the full impact of this proposal on patients’ rights, it is worth looking at the alleged shortcomings of the Google-NHS Free Trust data deal.

Firstly, Google would have failed to obtain the explicit consent to collect the health records of the NHS patients they didn’t have a direct-care relationship with. Alternatively, they should have submitted a request to access this data to the UK Health Research Authority (HRA), but they didn’t.

This will all sound very sensible and common-sense to us. Patients do expect the doctors taking care of them to rely on their available information, but they also don’t expect this data to be given and exploited by a big tech corporation based in the US. Researchers are also happy with this arrangement: the HRA will give them access to health data if their research project promotes the interest of patients and meets ethical and safety standards.

The Government, however, would allow big tech and shady data brokers to grab and exploit NHS patients’ data, who could rely on a new legal ground for research that bypasses your consent and the approval of the Authority. Furthermore, the Government is planning to amend rules regulating the further use of data for compatible purposes to include incompatible purposes. Indeed, this Government take great pride in being nonsensical.

Other issues surrounding the Google-NHS Free Trust data deal revolved around the lack of contractual safeguards that would limit Google’s discretion in using NHS health data, failure to carry out a Data Protection Impact Assessment, and failure to consult the ICO before authorising the transfer of health data in this manner. The UK Government is determined to scrap these requirements as well. DPIAs and prior consultation to the ICO are all being thrown into a bonfire, as this Government consider the accountability framework “a key driver of unnecessary burdens on organisations”. The same can be expected for contractual safeguards, given the Government stated intention of removing “prescriptive requirements” from the law.

The Government send their regards

It is rather worrying that Government policies start to make any sense only if you take the point of view of a “Bad Actor”.

It all started with care.data, a first attempt to share health data with commercial companies without patients’ consent. The scheme was terminated after more than one million people opted out, and the recent, clumsy NHS data-sharing come back was met by the same resistance. Not so long ago, the Government was forced to bin a software contract with Palantir, a US spy tech giant that managed the UK “COVID datastore”.

From this perspective, DeepMind becomes just one item in a long list, and Government proposal looks less surprising. It has nothing to do with promoting innovation or enabling research. Rather, it is yet another attempt to bypass these impertinent NHS patients, and put put their health data on the market for the taking of tech companies and powerful corporations. Patients’ opinions and fears about how this data will be used against them are, of course, none of this Government concern.