The General Data Protection Regulation (Regulation 2016/679) is an act of the European Union that attempts to harmonise data protection regimes across Member States. The GDPR replaces the Data Protection Directive (DPD). As a regulation, the GDPR is directly applicable in Member States. That is, from its date of publication, the GDPR is automatically incorporated as a part of each Member States’ national law. The GDPR is important for healthcare, which relies on the use of personal data.
Exists to harmonize and strengthen data subject rights
‘Data controllers’ and ‘data processors’ must comply
Applies to ‘personal data’ and ‘sensitive personal data’
Takes effect from 25 May 2018
Broadly, the GDPR grants rights to data subjects and imposes duties on data controllers and processors.
The GDPR remains relevant to post-Brexit UK for two reasons: firstly, the UK Government has made numerous representations that it intends to fully comply with GDPR standards both before and after exit night. Secondly, even if the UK does exit from the European Union (without a transition period) the GDPR will still capture many UK bodies. It will apply if a body is established in the EU; and/or if EU consumers are targeted or monitored. Hence, post-Brexit, most UK bodies will need to be GDPR compliant. This will include hospital trusts, GP practices and any other providers that deal with personal health data.
So the GDPR will apply in the UK, but to what data and to whom?
In combination, the GDPR captures a broad range of operations and organisations. In short, if you process data that could be used to identify an individual, you have to comply with the GDPR and enact the rights it provides to your data subjects or face substantial sanctions.
If you process personal data you must have a lawful basis to process such data. There are six such legal bases (Article 6). In the context of healthcare and public health, the legal bases most commonly relied upon are:
The GDPR requires a high standard if one relies on consent. In particular, Article 4(11) requires that consent be freely given, specific to certain purposes, informed, and an unambiguous indication of the data subject’s wishes. Although the GDPR heralded consent as its centrepiece, it is a demanding legal basis to rely on – one that is also particularly vulnerable to the rights of data subjects found below.
Interpretation of this legal basis also makes clear that ‘public task’ is to be interpreted narrowly and must be laid down by law through statutory, common law, or other legal power (Article 6(3) and Recital 41). This severely curtails the kinds of task that might be thought of as being in the ‘public interest.’
This legal basis has broad potential application but any legitimate interests must be balanced against the rights and interests of your data subject, which will be interpreted to trump or curtail many of these otherwise ‘legitimate’ interests.
Processing of certain categories of personal data such as health, genetic or biometric data is prohibited unless an exception applies. Exceptions include where processing is necessary for medical diagnosis, the provision of health or social care, treatment or management of health or social care systems in accordance with law or professional obligations (Article 9(2)(h)). Another exception applies where data processing is necessary for public health and in the public interest (Article 9(2)(i)). Thus, data processing which occurs as part of health or social care service provision or public health a likely to be covered by these exemptions. Data processing for other purposes, for example to support improve wellbeing or to promote a healthier lifestyle may rely on other legal grounds such as the explicit consent of the data subject.
Roughly, if a) the GDPR applies and b) the data held is personal data, data subjects are granted a package of rights with which the data controller/processor must comply.
There are eight such rights. A data subject may rectify, erase, or restrict the processing of their personal data; they may access and request ‘fair processing information’ to give effect to such rights; they may also take their personal data to use with other services and object to processing when their data controller relies on certain legal bases.
Applying the right to be informed to automated data processing raises the question of whether the Regulation contains a right to explanation and if so, what form this might take.
Wachter et al. argue that by distinguishing between system functionality, type and timing of decision making, the right to explanation ‘dissolves’ into a right to be informed. If there is merely a right to be informed, this limits what information about the logic and significance of automated decision-making must be provided. Others disagree both with Wachter’s conceptual framework and her interpretation that there is no right to explanation.
If the GDPR contains a right to explanation, does this mean that the logic of all black box algorithms need to explained? A possible solution is to provide what Wachter et al. have described as ‘an unconditional counterfactual explanation’.
By describing the closest scenario in which the outcome sought could be achieved, counterfactual explanations provide a possible solution to the right to explanation/black box dilemma without requiring an understanding of the underlying logic behind the algorithm. However, this approach is legally contested.
PHG Foundation aims to answer these questions and others, through our project, ‘Regulating algorithms in healthcare’.
This briefing note is intended to provide general information and understanding of the law. This briefing note should not be considered legal advice, nor used as a substitute for seeking qualified legal advice.