This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.

What are the UK’s plans to reform data protection law?

After an extended period of legislative back and forth, the Data (Use and Access) Bill has now received Royal Assent, becoming the Data (Use and Access) Act (we will therefore refer to it as the “Act” in this blog). The Act addresses various matters related to the use of data, and will to an extent distinguish the UK’s approach to data protection from that set out in the EU’s General Data Protection Regulation (“GDPR”). The European Commission will, therefore, assess whether these changes warrant stripping the UK of its adequacy status for data transfers, with a decision due by 27 December 2025. While the Commission is unlikely to withdraw its finding of adequacy, it is possible that a challenge to this finding could be brought before the Court of Justice of the EU, which could reach a different conclusion.

In summary, the Act is not a complete overhaul of data protection law in the UK; instead, it is more a package of targeted amendments. Of the changes most relevant to biotechs, the most significant is the more permissive regime for the use of personal data for scientific research, although companies must still meet a number of requirements to fall within scope. More significant changes may take place in the future, as key parts of the Act enable the UK Government to pass secondary legislation in areas that may be relevant to biotechs.

A more permissive approach to “scientific research”

The Act defines “scientific research” as “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity” (s. 67(2)). It also expressly states that processing of personal data for scientific research encompasses “processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific,” while noting that “processing for the purposes of a study in the area of public health that can reasonably be described as scientific” will only fall within the scope of “scientific research” where “the study is conducted in the public interest” (s. 67(3)).

This definition broadly tracks the language of Recital 159 UK GDPR, but gives it the force of law (rather than being interpretative guidance in a recital) and explicitly states that scientific research can be “carried out as a commercial or non-commercial activity”. This language represents a divergence from the EU regime, which the European Data Protection Supervisor (“EDPS”) has indicated only covers research that “is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests.”[1]

In addition, the Act:

  • Allows data controllers to obtain valid consent for the processing of personal data for a broad area of “scientific research” even if, at the time the personal data is collected, it is not possible to identify the specific purposes for which the personal data will later be processed (s. 68). Reliance on such a consent must also be “consistent with generally recognised ethical standards relevant to the area of research.” This puts the existing language in Recital 33 UK GDPR on a statutory footing.
  • Establishes, consistent with Article 89 of the UK GDPR, the circumstances in which there will be “appropriate safeguards” in place for the processing of personal data for scientific research purposes (s. 86). Among other things, this requires that data used for scientific research is pseudonymized unless the purpose of the research could not be achieved without identifiable data. It requires that data is not used to make decisions about an individual except in the context of approved medical research. It also grants the UK Government the power to make regulations specifying when the requirement for “appropriate safeguards” will be met.
  • States that processing that falls within scope of section 86 (described above) will—for the purposes of Article 6(4) UK GDPR—be “compatible” with any purposes for which data was originally collected (s. 71). In other words, processing for scientific research purposes that is subject to appropriate safeguards under the Act will be presumed to be lawful. In addition, in this case, controllers will not be required to proactively provide transparency information to data subjects provided certain conditions are met (s. 77). This may reduce the regulatory burden on companies carrying out this sort of research.

Potential future impacts on the use of NHS data

The Act also creates a framework for the Secretary of State or NHS England to publish standards applicable to IT services used (or intended for use) in the provision of health care (including adult social care) in England (s. 121 and Schedule 15). These standards could include requirements on interoperability, functionality, and data access and storage. The purpose of this framework is to standardise information storage in the NHS in England. This is a welcome change for the sector, which often has to grapple with unstandardised health data.

What is the new data access regime?

The Act creates a further framework that allows the Secretary of State or the Treasury to pass secondary legislation that requires “data holders” (i.e., traders or any person who processes “customer data” or “business data”) to:

  • provide customers (or third-party recipients appointed by those customers) with access to “customer data” on their request; and
  • publish “business data” and provide “business data” to customers or to third-party recipients.

It remains to be seen what form any new data access regime will take, and whether (or how) this will be relevant to the biotech industry—the Government’s focus appears to be on the financial services sector at present.

In summary, there are some welcome clarifications in the Act which should make conducting research with personal data more straightforward. In addition, if implemented well, a standards framework for NHS data could improve the use of NHS data in the sector.


[1] EDPS, A Preliminary Opinion on data protection and scientific research (6 January 2020), p. 12.

Fredericka Argent

Fredericka Argent is a special counsel in Covington’s technology regulatory group in London. She advises leading multinationals on some of their most complex regulatory, policy and compliance-related issues, including data protection, copyright and the moderation of online content.


Fredericka regularly provides strategic advice to companies on complying with data protection laws in the UK and Europe, as well as defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. She advises global technology and software companies on EU copyright and database rights rules, including the implications of legislative developments on their business. She also counsels clients on a range of policy initiatives and legislation that affect the technology sector, such as the moderation of harmful or illegal content online, rules affecting the audiovisual media sector and EU accessibility laws.

Fredericka represents right owners in the publishing, software and life sciences industries on online IP enforcement matters, and helps coordinate an in-house internet investigations team who conduct global monitoring, reporting, notice and takedown programs to combat Internet piracy.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Tomos Griffiths

Tomos is an associate working across the firm’s technology regulatory and competition teams, based in the London office. His practice covers technology and digital markets regulation, competition law, and issues that span the two.


His recent experience includes providing regulatory advice on data protection compliance, technology regulatory investigations, and transactional merger control and foreign direct investment screening matters, primarily in the technology and life sciences sectors.