Out-Law News 3 min. read
23 Jan 2014, 9:41 am
From March, the Health and Social Care Information Centre (HSCIC) is to start accumulating data from GPs and public health bodies in England. It will have the power to grant third parties access to the data it collects for certain purposes and under certain circumstances. Where access is granted, the third parties, such as medical researchers, would gain access to anonymised, aggregated health data sets.
NHS England is currently in the process of distributing a leaflet to households across the country in an effort to inform the public about the care.data scheme. Individuals will be able to opt out if they do not wish their data to be included in the database and made available for others to use.
However, papers drafted by senior NHS officials warn that the higher standards for obtaining individuals' consent to the processing of their personal data, envisaged under draft EU data protection rules, could impinge on the ability to share the data stored in the new 'care.data' database for wider use, according to a report by the Daily Telegraph.
The Department of Health (DoH) said that the proposed changes would have a "negative impact" on both the care.data scheme and UK research. It said it was working with the Ministry of Justice in an effort to secure changes to the way the data protection reforms are currently drafted, according to the Telegraph's report.
Plans to update the data protection regime in the EU were tabled by the European Commission in January 2012. The Commission's draft General Data Protection Regulation, which would replace the existing Data Protection Directive from 1995, has subsequently been the subject of major lobbying, debate and negotiations within EU circles.
After considering more than 3,000 amendments to the Commission's initial text, the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee finally agreed on a compromise text on which to open further negotiations on the reforms with EU member states. The individual countries, represented through the EU's Council of Ministers, have yet to agree on a common position from which to open those negotiations with the Parliament so it is unclear when, if at all, reforms will be finalised.
However, under the plans backed by LIBE, the processing of personal data would be governed by a complicated legal framework. Strict rules around the processing of health data, as well as other 'special categories' of data, would be created. Separate rules would also apply if the personal data involved belonged to a child.
The LIBE proposals require that personal data is "processed lawfully, fairly and in a transparent and verifiable manner in relation to the data subject" and "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".
One instance in which adults' health data could be lawfully processed, under the proposals, would be where individuals have given their consent to that activity. Organisations would have to show they have consent to the processing of the data for one or more "specified purposes". Organisations would not be able to rely on consent given previously when the purpose of the processing for which they were granted permission to proceed with changes.
The LIBE proposals, like the Commission's draft Regulation, provide scope for the processing of health data without the need for individuals' consent in certain circumstances.
Rules specific to the processing of health data for health purposes or for scientific research purposes have been approved by the committee. Separate rules would again apply where the processing of health data was taking place in the context of "scientific research activities in clinical trials".
The LIBE proposals, if introduced, would generally require organisations to obtain individuals' consent to process their personal health data even where it is deemed "necessary for historical, statistical or scientific research purposes".
However, in such occasions, the LIBE draft provides individual EU member states with the right to draw up their own rules to permit health data processing without consent where it is "necessary for historical, statistical or scientific research purposes", subject to a number of other conditions being met.
The carve out would only be able to be relied on where the research being undertaken "serves a high public interests" and "if that research cannot possibly be carried out otherwise". Even then the data to be processed would have to be anonymised, or at worst "pseudonymised under the highest technical standards". Organisations would also have to take "all necessary measures" to "prevent unwarranted re-identification of the data subjects" and individuals would retain a right to opt out from having their data used at any time during the research programme.
Personal data processed under such arrangements could not, generally, be processed for other purposes without individuals' consent.