In preparation for the General Data Protection Regulation coming into force on 25 May 2018, the ICO is assessing the GDPR’s key themes to help organisations understand the new legal framework. Profiling is one area in the GDPR the ICO has prioritised for guidance.
PHG Foundation has submitted a response on profiling and automated decision-making provisions in the General Data Protection Regulation (GDPR) to the Information Commissioner’s Office (ICO).
In our response, we contrast two scenarios in which automated processing could have important health applications: risk-stratification for disease screening or infectious disease surveillance, and the use of patient/citizen held devices which are used to monitor or improve the health of an individual. Although we recognise that a requirement for individual consent is appropriate in many situations to safeguard individual rights, this requirement could result in some groups being systematically excluded from screening and lead to inequitable access to the health benefits that risk-stratification offers, especially in some public health applications, such as tackling infectious diseases.
In contrast, we accept that the use of automated decision-making in patient or citizen held devices, which are used to monitor or improve the health of an individual, should usually require the consent of the data subject to be obtained. In our response we outline recommendations for how these consent processes should be approached.
The responses obtained by the ICO on the new profiling provisions will help inform the shape and extent of UK legislation and guidance to support the GDPR.
Read our full response here