ICO draft guidance and consultation - health data


Sharon Lamb and Michaela Novakova, McDermott Will & Emery, explain what health and life sciences companies should know about ICO Draft Guidance on the UK Data Protection Legislation research provisions.

The Information Commissioner's Office (ICO) published new draft guidance on the provisions in the UK General Data Protection Regulation and Data Protection Act 2018 (collectively, the UK GDPR) relating to processing personal data for research purposes. 

The guidance provides clarity to health and life sciences companies and will be broadly welcomed in an area that is often difficult to navigate, not least because the law is contained in various provisions and there has been varying guidance on how to interpret the provisions. The ICO consultation on the guidance closed on 22 April 2022. 

The ICO is also consulting on its draft guidance concerning anonymisation, pseudonymisation and privacy-enhancing technologies. This consultation closes on 16 September 2022. 

Separately, the UK government is currently considering changes to research provisions as part of its proposals to reform the UK data protection regime and build on its vision of enhancing life sciences in the United Kingdom. In April 2022, the UK government published a review on the use of health data for research and analysis. The ICO acknowledged these proposals but says this guidance is important to support organisations using personal data for research now.  

Why is this important?

The guidance is particularly relevant for life sciences, medical device and healthcare technology companies that use health-related data for research purposes, including as part of clinical trials, clinical investigations, or wider research. It’s also relevant to health and life sciences companies that are looking to reuse data sets they already hold. 

Is an organisation processing health data for research purposes? What is the definition of scientific research?

The UK GDPR references three broad types of research purposes: archiving purposes in the public interest, scientific or historical research purposes and statistical purposes. 

In the health and life sciences sector, scientific research is likely the most common purpose, although the guidance also provides helpful pointers on the use of statistical purposes where the primary aim or purpose of the processing is to produce statistical outputs. The ICO notes that there is no definition of scientific research in the UK GDPR and says this term should be understood broadly and extend beyond traditional academic research to research in commercial settings. 

How would an organisation show that their processing falls within research purposes?

The guidance says that the key feature of scientific research is to produce new knowledge or apply existing knowledge in novel ways, often with the aim of benefiting the public interest. Examples include advancing the state of the art in a given field or providing innovative solutions to human problems, generating new understandings that add to the sum of human knowledge or producing findings of general application that can be tested and replicated.

What are the indicative activities and features of scientific research?

In the guidance, the ICO produces a non-exhaustive indicative list of activities and features that will help demonstrate that the purpose of processing is scientific research. 

While it’s not necessary to meet all of the features, the ICO stated that it would expect an organisation to meet more than one. This, therefore, appears to be something of a balancing test.

These features are likely to be met where a health and life sciences organisation conducts a regulated clinical trial or clinical investigation. However, where the research falls outside of the regulatory formalities and in a commercial setting, including for artificial intelligence (AI) or product development, careful assessment is required.

What lawful basis can an organisation rely on for processing health-related data for research purposes? 

Health and life sciences companies processing special category data (such as data relating to health) need both an Article 6 lawful basis and an Article 9 special category condition. The ICO notes that there is no specific Article 6 lawful basis for research processing and that the appropriate basis will depend on the controller’s status and context. For example, public organisations may rely on the task being in the public interest, while commercial companies and research organisations could seek to rely on legitimate interests.

To satisfy the special category condition of scientific research, the controller may only process special category data if the processing is: (1) necessary, (2) subject to appropriate safeguards, (3) not likely to cause substantial damage or substantial distress to an individual, (4) not used for measures or decisions about individuals except in the case of approved medical research and (5) in the public interest.

What about consent as a lawful basis for data processing? 

According to the guidance, in most cases, consent will not be the most appropriate lawful basis for processing special category data for scientific research purposes. This is because under the UK GDPR, the individual must be able to withdraw the consent at any time. If an entity is relying on consent as its lawful basis and the individual withdraws their consent, the entity needs to stop processing their personal data immediately. Additionally, if an entity collects data based on consent and wants to reuse it for secondary research, it is likely that it will have to obtain new consent from the data subjects under the UK GDPR to ensure that an individual’s original informed choice to share that data is not undermined.

Informed consent is required for clinical trials and clinical investigations. The guidance confirms that consent as a lawful basis for data processing under the UK GDPR is distinct from, and not to be confused with, consent to participate in a research study.  

In practice, consents for clinical investigations and clinical trials can often be muddled. Health and life sciences companies should clearly set out the basis on which they are processing data in any informed consent form.

A new purpose: Can an organisation reuse data it collected for secondary research?

The guidance provides a helpful interpretation of the purpose limitation in Article 5 of the UK GDPR, which has sometimes been narrowly viewed. The guidance states that the purpose limitation requires a processor to be open and honest about their reasons for obtaining data and helps to prevent “function creep.” However, the ICO goes on to say that this limitation specifically does not apply to research. This means an organisation is permitted to reuse existing personal data for research-related purposes if they have appropriate safeguards, such as technical and organisational measures to ensure data minimisation, and the processing is otherwise fair and lawful. 

However, the ICO also states that data cannot be repurposed if the original basis of processing was consent.

A new purpose: What about data obtained from another organisation?

The guidance states that if data were obtained from another organisation, then the recipient organisation is collecting new data rather than repurposing data that they already collected. In this case, the recipient organisation cannot rely on the original organisation’s purpose. Instead, they need to identify their own lawful basis for processing and should update their privacy information. Additionally, data subjects should be informed of this practice unless informing them would prove impossible or involve disproportionate effort.

Medical confidentiality: Is consent required for UK GDPR research?

The ICO says that clinical trial or ethical consents should not be confused with UK GDPR consent. This is an important clarification. 

However, one thorny question that remains unanswered in the ICO draft guidance is the interplay between medical confidentiality consent and the lawful basis and special category conditions in the UK GDPR.

In 2017, the ICO held that processing by Royal Free London NHS Trust in the context of research on a possible medical device was in breach of the common law duty of confidentiality because patients were not adequately informed that their records would be processed for clinical safety testing and that informed consent was likely to be required. Accordingly, the ICO found that the processing was not lawful under UK GDPR. 
