On 10 September, the UK Government published its proposal for amending the current data protection regime (the UK GDPR). The aim is to create ‘a pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards’.
At the Ada Lovelace Institute, our mission is to ensure that data and AI work for people and society. In order to explore whether the Government’s plans will enable these aims, we are organising a series of five events, each looking at different sections, questions, statements and framing in the Government’s consultation and asking what benefits and challenges are brought by the proposals.
Session 2: Lessons learned from COVID-19: how should data usage during the pandemic shape the future?
The second event in our series focuses on lessons learned from COVID-19. Through the consultation, the Government suggests that existing regulations are a barrier to sharing data, and considers changes to rules around data processing in the public interest, during times of emergency, and by private companies on behalf of Government (scroll down for a summary of the relevant consultation proposals).
This event will examine the successes and failures of data sharing during the pandemic, ask whether the Government’s proposed reforms provide sufficient safeguards, and discuss questions including:
- What lessons can we learn from the use of data during the pandemic?
- What opportunities and potential challenges are brought by the new proposals?
- What safeguards and limitations need to be put in place for processing data in the public interest and on emergency grounds?
Scroll down for a summary of the key points discussed, and/or watch the event back here.
What does the consultation say about the role of data usage during the pandemic?
A common theme throughout the consultation document is the role of data and data-driven innovation in the pandemic response, and the need to make permanent the temporary measures adopted during the crisis (or to fix problems encountered during the crisis that were attributed to data protection legislation).
The Government has previously said that it wants to learn the lessons of how data was used during the pandemic: the introduction to the National Data Strategy says it ‘seeks to maintain the high watermark of data use set during the pandemic’. The consultation says its reforms ‘build on the unprecedented and life-saving use of data to tackle the COVID-19 pandemic’, and that the pandemic response highlighted how data can be shared to ‘keep people safe and save lives’ but also ‘highlighted some shortcomings of our current data regime: the right ways to share data can be complex to identify and apply quickly, and some existing rules and guidance are either too vague or overly prescriptive’.
Specific reforms include changes to:
Private companies processing personal data to help deliver public tasks (section 4.3, from paragraph 280). The consultation notes that private companies were often involved in supporting public authorities during the pandemic, and proposes that where this is the case, the company can rely on the public body’s lawful grounds for processing the data. Additional safeguards may be necessary.
Public and private bodies processing health data (section 4.3, from paragraph 284). Health data is subject to particular protections under the GDPR (Art. 9 and 6 of the GDPR). The consultation says that during the pandemic, it was sometimes ‘complex’ to identify a lawful ground under Article 9 – this requires a healthcare professional to have oversight, or for the processing to be confidential, and it was not always obvious how to do this where non-healthcare bodies were involved. Given this, the consultation proposes ‘to clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies’.
Processing in the ‘substantial public interest’ (section 4.4, paragraphs 291-297). Sensitive personal data – for example, health data (including genetics and biometrics), information on political opinions or sexual orientation, ethnicity or race – can only be used where the data subject has given their explicit consent, or on other legal grounds such as for reasons of ‘substantial public interest’ (Art. 9(g) of the GDPR). The consultation proposes either defining what substantial public interest means in law, or adding or amending the purposes currently listed under Schedule 1 of the UK GDPR as always deemed in the substantial public interest.
Further processing of data (section 1.3, around paragraph 54). When data is collected, it should be for ‘specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. Further processing includes data sharing. The GDPR sets out some circumstances where data can be reused or further processed where it isn’t incompatible with the original reasons for which it was collected (including scientific or historical research; Article 5(1)(b) of the GDPR).
Key points discussed during the event:
- Sharing data is not useful unless that data is curated and usable.
- Data sharing during the pandemic worked best when it was done via existing venues and platforms, where both robust governance and trust relationships were in place.
- The GDPR is not a barrier to research, but a lack of guidance and inconsistent interpretations are.
- A lack of trust in public-health data governance undermines public-health goals in general.
- The challenge in sharing data for public health is not what is permitted by law, but making sure there are appropriate governance structures and that the data is of high enough quality to use.
Imogen Parker, Associate Director of Policy at the Ada Lovelace Institute, opened by noting that there are two main narratives around pandemic data sharing at present. First, that the unprecedented use of data in a crisis has set a high-water mark for future data use in the public interest, which the Government is seeking to maintain for the future. And secondly, that this unprecedented use has exposed some of the shortcomings of UK data regulation – some existing guidance is too vague or too prescriptive, and therefore needs reforming.
Asked about lessons learned from the pandemic, Sabina Leonelli, Professor of Philosophy and History of Science at the University of Exeter, noted that, especially in the first year, we saw narrow trust in very specific and limited data sets. This was coupled with strong levels of trust in mathematical modelling, but difficulties in accessing data that would help to contextualise what was happening in hospitals and in community transmission. As a result, it was hard to find data that was broad enough to address the pandemic, or to help question some of the assumptions that went into models in the first place. In her collaborative work, Sabina said, she had found very little ‘data readiness’ – especially for extracting data relevant to the impact of COVID on vulnerable members of the population and on minorities. There was also a dearth of data from medical practitioners and patient groups. She also noted that there was a lot of data that was not usable, not because it could not be accessed, but because there was a lack of metadata and curation.
Things went well, Sabina said, where long-standing data infrastructures were already in place. For example, initiatives set up to share data about influenza were effectively deployed very quickly to share COVID data. This proved to be extremely effective because the venue for sharing data – the platforms, the governance structures and the trust relationships – was already in place.
She pointed to examples like the international platform for sharing genomic data on influenza, and the CHESS initiative for severe influenza surveillance. The Research Data Alliance – an existing association of researchers who work with data – was able to produce guidelines for how to share data during the pandemic in July 2020. Other important initiatives that were already in place and which proved effective data-sharing venues included the ONS’s research and data access policy, and the Data Loch in Scotland that had been set up to share routine health and social-care data. There were also the existing patient and lobbying groups that were already sharing data across vast and transdisciplinary research, practitioner and patient communities.
Sabina said that she has found that a good way to enable data access has been to establish effective data-governance structures, to allow people to feel that they can trust the system to which they are providing data. She also noted that simply enabling access, however, did not necessarily guarantee good science or good innovation – what is needed is governance structures that curate and contextualise the data and provide venues for sharing it.
Governance and responsible data practices increase the value of data sharing, as well as the long-term robustness of the data.
Asked about the impact of the GDPR, Sabina responded that rather than the law itself, problems were caused by particular institutions – for example, universities – that interpreted the GDPR as being much more restrictive than it actually is.
Imogen, chairing, noted that the pandemic was a complex time to establish lawful grounds for the processing of healthcare data, particularly as more and more non-health bodies were handling personal data and health data. Edward Dove, Lecturer in Health Law and Regulation at the University of Edinburgh, agreed, saying that it was not the GDPR itself that caused problems, but convoluted information governance processes among different data custodians, which do not always prioritise speed, even in a pandemic or public-health context.
Edward said that aspects of the health- and social-care system worked very well. He singled out the Health Research Authority, as well as the overtime put in by many regulatory authorities in order to approve data-sharing initiatives. He also noted that in England and Wales, Regulation 3 of the COPI Regulations (Health Service [Control of Patient Information] Regulations 2002) demonstrated that long-standing regulations can be harnessed for contexts like COVID-19 to enable sharing of health data and/or patient information, with appropriate safeguards in place.
However, Edward also noted that while there is a UK-wide data protection legal framework (namely the UK GDPR and Data Protection Act 2018), the regulations and the common law in related areas diverge. This is particularly the case with information governance within the NHS and the common law duty of confidentiality. In part due to this regulatory divergence, there can be a lack of coordination across different bodies and across the four nations, as the COVID-19 pandemic has demonstrated.
Moreover, sharing health and patient data internationally remains a challenge due to the strict rules under the GDPR. Edward emphasised that research organisations in the UK have demonstrated success in navigating the existing GDPR framework, and that it is a robust legal framework that largely achieves an appropriate balance between protecting the rights of data subjects and facilitating the flow of data, including in research and public-health contexts. But the challenge lies in how the legal framework is interpreted through information-governance processes among individual data custodians (including NHS bodies), and this is where things can get clogged – including, unfortunately, to the detriment of public health.
On whether some of the emergency measures should remain in place, Edward noted that the World Health Organisation still considers the pandemic to be ongoing. The current COPI Notices are in place until 31 March 2022; Edward suggested that it is appropriate to continue to revisit these Notices periodically, given that they exceptionally lift the duty of confidentiality owed to patients and enable their confidential patient information to be shared with others (albeit with conditions and safeguards in place), and that each further extension warrants a stronger justification as the pandemic carries on.
In different UK jurisdictions, these justifications for sharing confidential patient information may look different, but he argued for a very strong public interest test in all jurisdictions – one that should apply in a pandemic or any other public-health emergency.
Cori Crider, Director of Foxglove Legal, talked about the relationship between public and private entities. She noted that pandemic data use was not and is not separate from the rest of the public-health system, and that if the public does not have confidence in the public-health data system, this risks undermining the public-health system in general.
She expressed concerns about some public-private partnerships which were waved through at the peak of the emergency, and which risk becoming permanent without any kind of democratic mandate. In particular, she talked about the COVID-19 Data Store – the largest amalgamation of patient data in NHS history – which is managed by a series of private companies, including defence contractor Palantir. As well as concerns about the lawful basis for processing by Palantir, Cori expressed concerns about the trust impact of involving a company that has also assisted border authorities, particularly on vulnerable and/or undocumented communities. Data governance, she pointed out, has a real effect on public-health objectives, if for example it inhibits vaccine uptake because people fear their data will be shared with border controls.
Cori noted that while many people may be prepared to give the Government some leeway during the emergency, we are emerging from that into a steady endemic state, and so the Government needs to talk to people about what they are doing.
Foxglove Legal has brought legal challenges around publication of contracts and community consultation. Cori also pointed to another system which is not related to the pandemic, but which the Government has attempted to bring in during this period: the General Practice system introduced earlier in 2021. This sought to pull records from 55 million patients in GP practices in England into a permanent data lake. Over three million people, she said, have so far opted out of the system, which is a clear indicator that even during the pandemic, people have not lost interest in what happens to their data. Judging from the contents of Foxglove Legal’s inbox during their legal challenge, Cori said, many of those opt-outs are from people who are concerned about the relationship between the state and the private sector, and about corporate exploitation of an NHS, publicly funded, data asset.
On the proposed reforms, Cori noted that even the existing provisions of the GDPR are ‘more observed in the breach than in the observance,’ and expressed scepticism that there is a need for additional loopholes.
Pye Nyunt, Head of Insight & Innovation at the London Borough of Barking and Dagenham, has spent the last eighteen months looking after 214,000 residents of East London. Barking and Dagenham is one of the most deprived communities and the health inequalities were already stark before the pandemic – Pye pointed out that it takes only 77 minutes to travel from there to the London Borough of Richmond upon Thames, but there is an eleven-year gap in life expectancy between the two boroughs.
Pye leads a team of data scientists and behavioural scientists. On 16 March 2020, the leader of the council called him in at 9 a.m. to say that the country was likely to go into lockdown – what information did the council have that could help support vulnerable residents? Pye’s team’s job that day was to put a figure on that, based on their long-term systems and partnerships. The team estimated that they had 11,753 people who could be clinically vulnerable. It took the Government four to six weeks to pull together their own datasets, and there were 12,000 people on that list.
Data, Pye said, has a gravitational pull – it pulls lots of things together, including governance and legal structures, issues of ethics and of transparency. In a crisis situation, they had to think about all of those things simultaneously, while also responding to the needs of vulnerable people, and doing things like supporting social workers and making sure people got food parcels on time. Statutory duties of local authorities already existed – these included a duty to share data about children as part of safeguarding, for example.
The GDPR is not the only legal framework governing data sharing in local authorities. Pye talked about the need to ensure that what they were doing was part of existing legal frameworks, and to build relationships quickly with other data professionals in local government, some of whom they were talking to for the first time. They were able to lean on some existing trust relationships, but, as Pye put it, ‘we had to think big, but start small – and act fast.’ As a result, Barking and Dagenham were one of the few local authorities which did not have to relax social-care screening measures – social workers and community partner groups were strong enough to manage demand.
Barking and Dagenham, Pye said, is unusual in that they have an in-house Data Protection Officer (DPO), whereas for lots of local authorities the DPO is a shared role. All local authorities also have a Caldicott Guardian responsible for protecting health- and social-care data – this is usually the director of public health. Pye pointed out that these two people – who can sign off on data sharing – have been some of the busiest and most sought after people during the pandemic. He noted that structures of governance could be improved within organisations, so that accountability is not tied to two very specific roles. This isn’t quite covered by legislation, Pye said, and in practice these governance structures need to be localised much more effectively within organisations.
In the Q&A session at the end of the event, Sabina responded to a question about some studies early in the pandemic that reported higher levels of trust in data sharing with big-tech companies like Apple and Google. She pointed out that this may have been because people did not perceive this to be sharing ‘additional’ data with companies that already hold large amounts of data.
Sabina also noted that this was different in different countries – in Denmark, for example, attempts to share data with the public-health authority were much more successful. Sabina noted that when contact-tracing systems were set up in collaboration with tech companies, they were separate from the public-health system, and so the signals from the contact-tracing system were not of much use because they did not interact with the rest of the system. In contrast, in France, for example, where a lot of effort was put into supporting people who received notifications, this was associated with higher levels of trust in the longer run, because the notifications from the contact-tracing system had an impact on people’s lives.
Asked whether the current regulatory and enforcement system ensures that data use – by public or private sector – is fit for purpose and trustworthy, Cori pointed out that this is contextual and can be very localised. Neither trust nor governance may scale well, she said, and perhaps ‘there is something to be said for trying to produce something that is a bit more locally responsible,’ perhaps a structure that can be more responsive than central government, that gives researchers and planners what they need in terms of health data, but that has democratic assent and can command public confidence. She warned that there are contexts in which trust in both public and private institutions is running pretty low.
Pye also talked about localisation. He noted that he works on data science, but reports to a political portfolio on community leadership and community engagement. It’s the right thing to do, he said, because his data supports outreach work, and so he reports to a local, accountable, political member, which adds a layer of scrutiny and responsibility compared to outsourcing to the private sector. He said that resident surveys tend to find that people are positive about the place where they live but negative about the council, but that in fact local authorities are responsible for place-shaping – if you like living in a place, you like what the council has done. He noted that collective action at a local level can build community cohesion – and that this has gotten stronger as a result of the pandemic.
On what good practices the UK can learn from other countries, Edward pointed out that the UK, by and large, is world-leading in ethical and innovative health research, and that this is precisely because of a strong regulatory framework. This in turn supports and sustains public trust.
The research regulatory framework might not be perfect, he said, but there are significant concerns for public trust if this framework – including data-protection law – is dismantled. For large-scale research, the UK is fortunate to have a robust body in the Health Research Authority and good regulation from the ICO as well as the MHRA. There are challenges, however, in interpreting different legal systems, and working through these interpretations across institutions and the four nations, he said, but in general the UK has done an exceptional job, as the research that has emerged during the COVID-19 pandemic demonstrates. Consequently, he argued, the UK should keep pursuing improvements on this path rather than searching for a ‘bold new approach’: radical reforms to the regulatory framework might not be the best route forward and could jeopardise the success demonstrated to date, including by damaging public trust in the research enterprise.
Ada Lovelace Institute hosts ‘Taking back control of data: scrutinising the UK’s plans to reform the GDPR’
Exploring the foundational premises for delivering ‘world-leading data protection standards’ that benefit people and achieve societal goals